1.20. ARRAYS
Trace until the function end:
Figure 1.91: OllyDbg: EIP has been restored, but OllyDbg can't disassemble at 0x15
Now please keep your eyes on the registers.
EIP is 0x15 now. It is not a legal address for code, at least not for win32 code! We got there somehow against
our will. It is also interesting that the EBP register contains 0x14, and ECX and EDX contain 0x1D.
Let’s study stack layout a bit more.
After the control flow has been passed to main(), the value in the EBP register was saved on the stack.
Then, 84 bytes were allocated for the array and the i variable. That's (20+1)*sizeof(int). ESP now
points to the _i variable in the local stack and after the execution of the next PUSH something, something
is appearing next to _i.
That's the stack layout while the control is in main():

    ESP      4 bytes allocated for the i variable
    ESP+4    80 bytes allocated for the a[20] array
    ESP+84   saved EBP value
    ESP+88   return address
The a[19]=something statement writes the last int in the bounds of the array (in bounds so far!).
The a[20]=something statement writes something to the place where the value of EBP is saved.
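The frame layout above, as an added example that is not from the book: the 92-byte frame is modelled in a plain byte buffer so that the unchecked loop can be replayed safely (no real out-of-bounds write), beside a bounds-checked version. The loop bound of 30 and the placeholder saved-EBP/return-address values are assumptions; the text only shows the aftermath.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame model, lowest address first, exactly as listed in the text:
 * ESP -> i, ESP+4 -> a[20], ESP+84 -> saved EBP, ESP+88 -> return address. */
enum { OFF_A = 4, OFF_SAVED_EBP = 84, OFF_RET = 88, FRAME_BYTES = 92, ARRAY_LEN = 20 };

static uint32_t rd32(const uint8_t *fr, size_t off) { uint32_t v; memcpy(&v, fr + off, 4); return v; }
static void wr32(uint8_t *fr, size_t off, uint32_t v) { memcpy(fr + off, &v, 4); }

/* Fresh frame; saved EBP and return address are constructed placeholder values. */
static void frame_init(uint8_t *fr)
{
    memset(fr, 0, FRAME_BYTES);
    wr32(fr, OFF_SAVED_EBP, 0x0012FF80u);
    wr32(fr, OFF_RET, 0x00401234u);
}

/* The unchecked loop of the crashing program, "for (i=0; i<n; i++) a[i]=i;".
 * a[i] sits at ESP+4+4*i, so i=20 lands on the saved EBP and i=21 on the
 * return address. Returns how many writes went past the end of a[]. */
static unsigned fill_unchecked(uint8_t *fr, unsigned n)
{
    unsigned spilled = 0;
    for (unsigned i = 0; i < n; i++) {
        size_t off = OFF_A + 4 * (size_t)i;
        if (off + 4 > FRAME_BYTES) break;   /* keep the model itself in bounds */
        wr32(fr, off, i);
        if (i >= ARRAY_LEN) spilled++;
    }
    return spilled;
}

/* Hardened version: the index is checked against the array length before writing. */
static unsigned fill_checked(uint8_t *fr, unsigned n)
{
    for (unsigned i = 0; i < n && i < ARRAY_LEN; i++)
        wr32(fr, OFF_A + 4 * (size_t)i, i);
    return 0;
}

/* What the epilogue (MOV ESP,EBP / POP EBP / RET) would load into EBP and EIP. */
static uint32_t restored_ebp(const uint8_t *fr) { return rd32(fr, OFF_SAVED_EBP); }
static uint32_t restored_eip(const uint8_t *fr) { return rd32(fr, OFF_RET); }

int main(void)
{
    uint8_t fr[FRAME_BYTES];
    frame_init(fr); fill_unchecked(fr, 30);
    printf("unchecked: EBP=0x%X EIP=0x%X\n", (unsigned)restored_ebp(fr), (unsigned)restored_eip(fr));
    frame_init(fr); fill_checked(fr, 30);
    printf("checked:   EBP=0x%X EIP=0x%X\n", (unsigned)restored_ebp(fr), (unsigned)restored_eip(fr));
    return 0;
}
```

The unchecked run ends with EBP=0x14 and EIP=0x15, the same values OllyDbg shows at the crash; the checked run leaves both slots untouched.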
Please take a look at the register state at the moment of the crash. In our case, 20 has been written in the
20th element. At the function end, the function epilogue restores the original EBP value. (20 in decimal