Reverse Engineering for Beginners


CHAPTER 7. SCANF()


Later this value is copied from the stack to the ECX register and passed to printf():


Figure 7.4: OllyDbg: preparing the value for passing to printf()

GCC


Let's try to compile this code with GCC 4.4.1 under Linux:


main proc near


var_20 = dword ptr -20h ; [esp]     : 1st argument of each call
var_1C = dword ptr -1Ch ; [esp+4]   : 2nd argument of each call
var_4 = dword ptr -4    ; [esp+1Ch] : the local variable x


push ebp
mov ebp, esp
and esp, 0FFFFFFF0h ; align ESP to a 16-byte boundary
sub esp, 20h ; reserve 32 bytes for the local variable and call arguments
mov [esp+20h+var_20], offset aEnterX ; "Enter X:" (1st argument)
call _puts
mov eax, offset aD ; "%d"
lea edx, [esp+20h+var_4] ; EDX = &x
mov [esp+20h+var_1C], edx ; 2nd argument: &x
mov [esp+20h+var_20], eax ; 1st argument: "%d"
call _isoc99_scanf ; result left in EAX is never checked
mov edx, [esp+20h+var_4] ; EDX = x
mov eax, offset aYouEnteredD ; "You entered %d...\n"
mov [esp+20h+var_1C], edx ; 2nd argument: x
mov [esp+20h+var_20], eax ; 1st argument: format string
call _printf
mov eax, 0 ; return 0
leave ; mov esp, ebp / pop ebp
retn
main endp


GCC replaced the printf() call with a call to puts(). The reason for this was explained in (3.4.3 on page 14). scanf() itself appears as _isoc99_scanf: that is the symbol glibc uses for its C99-conforming implementation of scanf().


As in the MSVC example, the arguments are passed on the stack; GCC places them there with MOV instructions instead of PUSH.
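The listing never looks at the result that _isoc99_scanf leaves in EAX: the next instruction, mov edx, [esp+20h+var_4], reads x whether or not a number was actually converted. The following C program is an added example, not the book's code, showing what that means on bad input and the check a careful program makes instead. It uses sscanf() on constructed strings in place of scanf() on stdin so that it runs without interactive input; the function names and the STACK_LEFTOVER sentinel are illustrative and not part of the original.

```c
/* Added example (not from the book): the compiled main() above drops the
 * return value of scanf() and uses x regardless.  sscanf() on an embedded
 * string stands in for scanf() on stdin so the program runs offline. */
#include <stdio.h>

/* Stands in for whatever the uninitialized stack slot [esp+1Ch] happened
 * to contain before the call (constructed value for the demonstration). */
#define STACK_LEFTOVER (-1)

/* Same logic as the listing: convert "%d" into x and use x without
 * looking at what scanf() returned. */
static int unchecked_read(const char *input)
{
    int x = STACK_LEFTOVER;
    sscanf(input, "%d", &x);   /* return value ignored, as in the listing */
    return x;                  /* leftover garbage if nothing was parsed */
}

/* scanf() returns the number of successful conversions (or EOF), so with
 * a single "%d" only a result of 1 means x was actually written. */
static int checked_read(const char *input, int *out)
{
    int x = 0;
    if (sscanf(input, "%d", &x) != 1)
        return 0;              /* nothing parsed or EOF: *out is untouched */
    *out = x;
    return 1;
}

/* Convenience wrapper: the parsed value, or a caller-chosen default. */
static int parse_or_default(const char *input, int dflt)
{
    int x = 0;
    return checked_read(input, &x) ? x : dflt;
}

int main(void)
{
    /* constructed inputs standing in for what a user might type */
    const char *inputs[] = { "42", "-7", "abc", "" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int v = 0;
        int ok = checked_read(inputs[i], &v);
        printf("input \"%s\": unchecked -> %d, checked -> %s",
               inputs[i], unchecked_read(inputs[i]), ok ? "accepted" : "rejected");
        if (ok)
            printf(" (%d)", v);
        printf("\n");
    }
    return 0;
}
```

For "abc" and the empty string sscanf() returns 0 and EOF respectively and leaves x alone, so unchecked_read() hands back the sentinel exactly as the compiled code would hand back whatever was on the stack; checked_read() rejects both. Note that "%d" skips leading whitespace, so " 13" is accepted as 13.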


By the way


By the way, this simple example also demonstrates that the compiler translates a list of expressions in a C/C++ block into a sequential list of instructions. There is nothing between the expressions in C/C++, and so there is nothing between them in the resulting machine code either: control flow simply passes from one expression to the next.
