3.14. VARIADIC FUNCTIONS
die PROC
; save first 4 arguments in Shadow Space
mov QWORD PTR [rsp+8], rcx
mov QWORD PTR [rsp+16], rdx
mov QWORD PTR [rsp+24], r8
mov QWORD PTR [rsp+32], r9
sub rsp, 40
lea rdx, QWORD PTR fmt$[rsp+8] ; pass pointer to the 1st variadic argument (the one right after the format string)
; RCX still points to the 1st argument (format string) of die(),
; so vprintf() will take it right from RCX
call vprintf
xor ecx, ecx
call exit
int 3
die ENDP
3.14.3 Pin case.
It's interesting to note how some functions from the Pin DBI^15 framework take a variable number of arguments:
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)RecordMemRead,
IARG_INST_PTR,
IARG_MEMORYOP_EA, memOp,
IARG_END);
(pinatrace.cpp)
And this is how the INS_InsertPredicatedCall() function is declared:
extern VOID INS_InsertPredicatedCall(INS ins, IPOINT ipoint, AFUNPTR funptr, ...);
(pin_client.PH)
Hence, constants whose names start with IARG_ are some kind of argument to the function, and they are
handled inside INS_InsertPredicatedCall(). You can pass as many arguments as you need. Some
commands take additional argument(s), some do not. The full list of arguments: https://software.intel.com/sites/landingpage/pintool/docs/58423/Pin/html/groupINSTARGS.html.
There also has to be a way to detect the end of the argument list, so the list must be terminated with the IARG_END constant;
without it, the function will (try to) handle random noise on the local stack, treating it as additional arguments.
Also, in [Brian W. Kernighan, Rob Pike, The Practice of Programming, (1999)] we can find a nice example of
C/C++ routines very similar to pack/unpack^16 in Python.
3.14.4 Format string exploit
It's a popular mistake to write printf(string) instead of puts(string) or printf("%s", string). If
the attacker can put his/her own text into string, he/she can crash the process, or get insight into variables
on the local stack.
Take a look at this:
#include <stdio.h>
#include <string.h> // for strcpy()/strcat()
int main()
{
char *s1="hello";
char *s2="world";
char buf[128];
// do something mundane here: build "hello world" in buf
strcpy (buf, s1);
strcat (buf, " ");
strcat (buf, s2);
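The listing above is cut off at the page boundary. As an added example (not the book's code), here is the same idea done safely: a die()-style variadic wrapper built on va_list/vsnprintf, the "%s" pattern that makes attacker-controlled text harmless, and a small helper that counts conversion directives in a string, which is a cheap way to spot format-string probes in logs or inputs. All names (fmt_msg, render_untrusted, count_directives) and the sample input are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Let GCC/Clang check the argument list against the format string. */
#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Safe variadic wrapper: the format is a literal chosen by the programmer,
 * never by the user. va_start() makes ap point at the 1st variadic argument,
 * exactly what the LEA in the die() listing above computes for vprintf(). */
PRINTF_LIKE(3, 4)
static int fmt_msg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;              /* number of characters that were (or would be) written */
}

/* Correct way to emit untrusted text: it goes through a "%s" conversion,
 * so any '%' it contains is data, not a directive. */
static int render_untrusted(char *out, size_t n, const char *user)
{
    return fmt_msg(out, n, "%s", user);
}

/* Detection helper: count printf conversion directives in a string.
 * A doubled "%%" is a literal percent sign and is not counted. */
static int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        count++;
    }
    return count;
}

int main(void)
{
    char buf[128];
    const char *attacker = "hello %x %x %n";   /* constructed sample input */
    render_untrusted(buf, sizeof buf, attacker);
    printf("%s (directives seen: %d)\n", buf, count_directives(attacker));
    return 0;
}
```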
(^15) Dynamic Binary Instrumentation
(^16) https://docs.python.org/3/library/struct.html