Reverse Engineering for Beginners


CHAPTER 18. ARRAYS


Trace until the function end:


Figure 18.6: OllyDbg: EIP was restored, but OllyDbg can't disassemble at 0x15

Now please keep your eyes on the registers.


EIP is 0x15 now. That is not a legal address for code, at least not for win32 code! We got there somehow against our will. It is
also interesting that the EBP register contains 0x14, and ECX and EDX both contain 0x1D.


Let’s study stack layout a bit more.


After control was passed to main(), the value of the EBP register was saved on the stack. Then 84 bytes were
allocated for the array and the i variable, that is (20+1)*sizeof(int). ESP now points to the _i variable in the local
stack frame, and after the next PUSH something is executed, something will appear right next to _i.


That’s the stack layout while the control is inmain():


ESP      4 bytes allocated for the i variable
ESP+4    80 bytes allocated for the a[20] array
ESP+84   saved EBP value
ESP+88   return address

The a[19]=something statement writes the last int within the bounds of the array (still in bounds so far!).


The a[20]=something statement writes something to the place where the saved EBP value is stored.


Please take a look at the register state at the moment of the crash. In our case, 20 was written into the 20th element, a[20],
which is exactly the saved EBP slot. At the function end, the function epilogue restores the "original" EBP value from that slot,
so EBP becomes 20 (0x14 in hexadecimal). Then RET is executed, which is effectively equivalent to a POP EIP instruction.


The RET instruction takes the return address from the stack (the address inside the CRT code that called main()), but the same
loop has already stored 21 (0x15 in hexadecimal) there via a[21]. The CPU tries to fetch an instruction at address 0x15, but there
is no executable code there, so an exception is raised.
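To make the stack layout table above and the crash explanation concrete without actually crashing anything, here is an added example (my own code, not from the book) that rebuilds main()'s frame as an array of 4-byte slots in the order the page gives (i at ESP, a[0..19] from ESP+4, saved EBP at ESP+84, return address at ESP+88) and runs the book's `a[i]=i` loop against it. The loop bound of 30, the placeholder saved-EBP and return-address values, and the padding slots representing the caller's frame are all assumptions; the only facts taken from the page are the slot order and the resulting values 0x14 and 0x15.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simulated stack frame of main(), in 4-byte slots, lowest address first,
 * following the layout given on the page:
 *
 *   slot 0      : the i variable        (ESP)
 *   slots 1..20 : a[0] .. a[19]         (ESP+4 .. ESP+80)
 *   slot 21     : saved EBP             (ESP+84)
 *   slot 22     : return address        (ESP+88)
 *   slots 23+   : the caller's frame (assumed padding, so that every write
 *                 in this simulation stays inside one C array)
 */
#define SLOT_I         0
#define SLOT_A0        1
#define SLOT_SAVED_EBP 21
#define SLOT_RET       22
#define FRAME_SLOTS    48

/* Placeholder contents of the two saved slots (constructed, not from the page). */
#define FAKE_SAVED_EBP 0x0018FF88u
#define FAKE_RET_ADDR  0x00401234u

struct frame_result {
    uint32_t saved_ebp;  /* what the epilogue's POP EBP would restore */
    uint32_t ret;        /* what RET (POP EIP) would jump to */
    uint32_t last_i;     /* the loop counter when the loop exits */
};

/* Which stack slot does the store a[index] = ... land on? */
const char *slot_name(int index)
{
    if (index < 0)
        return "below the array (the i variable or lower)";
    if (index < 20)
        return "in bounds";
    if (index == 20)
        return "saved EBP";
    if (index == 21)
        return "return address";
    return "caller's frame";
}

/*
 * Run `for (i = 0; i < limit; i++) a[i] = i;` against the simulated frame,
 * keeping i in its own slot below the array exactly as the real frame does.
 * Because i sits at a lower address than a[0], the overflow runs upward into
 * the saved EBP and the return address but never touches the counter, which
 * is why the loop happily keeps going past a[19].
 */
struct frame_result simulate_overflow(uint32_t limit)
{
    uint32_t frame[FRAME_SLOTS];
    uint32_t *i = &frame[SLOT_I];   /* _i lives at ESP */
    uint32_t *a = &frame[SLOT_A0];  /* a[0] lives at ESP+4 */
    struct frame_result r;

    memset(frame, 0xCC, sizeof frame);     /* uninitialised-looking filler */
    frame[SLOT_SAVED_EBP] = FAKE_SAVED_EBP;
    frame[SLOT_RET]       = FAKE_RET_ADDR;

    /* The second condition only keeps the simulation inside `frame`;
     * the real program has no such check, which is the whole point. */
    for (*i = 0; *i < limit && SLOT_A0 + *i < FRAME_SLOTS; (*i)++)
        a[*i] = *i;

    r.saved_ebp = frame[SLOT_SAVED_EBP];
    r.ret       = frame[SLOT_RET];
    r.last_i    = *i;
    return r;
}

int main(void)
{
    /* An in-bounds loop leaves both saved slots untouched. */
    struct frame_result ok = simulate_overflow(20);
    printf("limit 20: saved EBP=0x%08X ret=0x%08X\n", ok.saved_ebp, ok.ret);

    /* A bound of 30 (assumed) is large enough to reach a[20] and a[21]. */
    struct frame_result bad = simulate_overflow(30);
    printf("limit 30: saved EBP=0x%08X ret=0x%08X (a[20] hits %s, a[21] hits %s)\n",
           bad.saved_ebp, bad.ret, slot_name(20), slot_name(21));
    return 0;
}
```

With the bound at 30 the simulated frame ends up with 0x14 in the saved-EBP slot and 0x15 in the return-address slot, which is precisely the EBP and EIP pair OllyDbg shows in Figure 18.6: the epilogue pops a[20] into EBP, and RET pops a[21] into EIP. Note that the real compiler is free to place i elsewhere (for example in a register, as the 0x1D in ECX and EDX suggests); the simulation only fixes the order the page documents.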
