Hacking - The Art of Exploitation, 2nd Edition

Programming 35

(gdb) x/6cb 0x8048484
0x8048484: 72 'H' 101 'e' 108 'l' 108 'l' 111 'o' 32 ' '
(gdb) x/s 0x8048484
0x8048484: "Hello, world!\n"
(gdb)


These commands reveal that the data string "Hello, world!\n" is stored at memory address 0x8048484 (x/6cb shows the first six bytes as decimal values and characters; x/s reads from the same address until the terminating NUL and prints the bytes as a C string). This string is the argument for the printf() function, which indicates that moving the address of this string (0x8048484) to the memory location ESP points to has something to do with this function. The following output shows the data string's address being moved into the address ESP is pointing to.


(gdb) x/2i $eip
0x8048393 <main+31>: mov DWORD PTR [esp],0x8048484
0x804839a <main+38>: call 0x80482a0 printf@plt
(gdb) x/xw $esp
0xbffff800: 0xb8000ce0
(gdb) nexti
0x0804839a 8 printf("Hello, world!\n");
(gdb) x/xw $esp
0xbffff800: 0x08048484
(gdb)


The next instruction actually calls the printf() function; it prints the data string. The previous instruction was setting up for the function call (placing the string's address at [esp], where the first argument goes), and the result of the call is the Hello, world! line in the output below, which is printed by the program itself rather than by GDB.


(gdb) x/i $eip
0x804839a <main+38>: call 0x80482a0 printf@plt
(gdb) nexti
Hello, world!
6 for(i=0; i < 10; i++)
(gdb)


Continuing to use GDB to debug, let's examine the next two instructions. Once again, they make more sense to look at in a group.


(gdb) x/2i $eip
0x804839f <main+43>: lea eax,[ebp-4]
0x80483a2 <main+46>: inc DWORD PTR [eax]
(gdb)


These two instructions basically just increment the variable i by 1. The lea instruction is an acronym for Load Effective Address, which will load the