(gdb) c
Continuing.
Breakpoint 2, check_authentication (password=0xbffff9b7 'A' <repeats 30 times>) at
auth_overflow2.c:9
9 strcpy(password_buffer, password);
(gdb) i r esp
esp 0xbffff7a0 0xbffff7a0
(gdb) x/32xw $esp
0xbffff7a0: 0x00000000 0x08049744 0xbffff7b8 0x080482d9
0xbffff7b0: 0xb7f9f729 0xb7fd6ff4 0xbffff7e8 0x00000000
0xbffff7c0: 0xb7fd6ff4 0xbffff880 0xbffff7e8 0xb7fd6ff4
0xbffff7d0: 0xb7ff47b0 0x08048510 0xbffff7e8 0x080484bb
0xbffff7e0: 0xbffff9b7 0x08048510 0xbffff848 0xb7eafebc
0xbffff7f0: 0x00000002 0xbffff874 0xbffff880 0xb8001898
0xbffff800: 0x00000000 0x00000001 0x00000001 0x00000000
0xbffff810: 0xb7fd6ff4 0xb8000ce0 0x00000000 0xbffff848
(gdb) p 0xbffff7e0 - 0xbffff7a0
$1 = 64
(gdb) x/s password_buffer
0xbffff7c0: "?o??\200????????o???G??\020\205\004\b?????\204\004\b????\020\205\004\
bH???????\002"
(gdb) x/x &auth_flag
0xbffff7bc: 0x00000000
(gdb)
Continuing to the second breakpoint in check_authentication(), a stack
frame (shown in bold) is pushed onto the stack when the function is called.
Since the stack grows upward toward lower memory addresses, the stack
pointer is now 64 bytes less at 0xbffff7a0. The size and structure of a stack
frame can vary greatly, depending on the function and certain compiler
optimizations. For example, the first 24 bytes of this stack frame are just
padding put there by the compiler. The local stack variables, auth_flag and
password_buffer, are shown at their respective memory locations in the stack
frame. The auth_flag is shown at 0xbffff7bc, and the 16 bytes of the
password buffer are shown at 0xbffff7c0.
The stack frame contains more than just the local variables and padding.
Elements of the check_authentication() stack frame are shown below.
First, the memory saved for the local variables is shown in italic. This starts
at the auth_flag variable at 0xbffff7bc and continues through the end of the
16-byte password_buffer variable. The next few values on the stack are just
padding the compiler threw in, plus something called the saved frame pointer.
If the program is compiled with the flag -fomit-frame-pointer for optimization,
the frame pointer won't be used in the stack frame. The value 0x080484bb at
0xbffff7dc is the return address of the stack frame, and the value 0xbffff9b7
at 0xbffff7e0 is a pointer to a string containing 30 A's. This must be the
argument to the check_authentication() function.
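The frame dissection above can be checked mechanically. The following script is an added example (not code from the book): it parses the `x/32xw $esp` dump shown on this page, labels each word with the frame element the text assigns to it, and works out how far each element lies from the start of password_buffer. The addresses of auth_flag, password_buffer, the return address and the argument come from the gdb session above; the position of the saved frame pointer at 0xbffff7d8 (the stack-looking value 0xbffff7e8 directly below the return address) is an assumption inferred from the dump, as is the name of every helper function.

```python
import re

# The gdb `x/32xw $esp` output copied from the page, embedded so the script runs offline.
GDB_DUMP = """\
0xbffff7a0: 0x00000000 0x08049744 0xbffff7b8 0x080482d9
0xbffff7b0: 0xb7f9f729 0xb7fd6ff4 0xbffff7e8 0x00000000
0xbffff7c0: 0xb7fd6ff4 0xbffff880 0xbffff7e8 0xb7fd6ff4
0xbffff7d0: 0xb7ff47b0 0x08048510 0xbffff7e8 0x080484bb
0xbffff7e0: 0xbffff9b7 0x08048510 0xbffff848 0xb7eafebc
0xbffff7f0: 0x00000002 0xbffff874 0xbffff880 0xb8001898
0xbffff800: 0x00000000 0x00000001 0x00000001 0x00000000
0xbffff810: 0xb7fd6ff4 0xb8000ce0 0x00000000 0xbffff848
"""

LINE_RE = re.compile(r"^(0x[0-9a-f]+):\s+((?:0x[0-9a-f]{8}\s*)+)$")

ESP = 0xbffff7a0  # value of esp at the second breakpoint (from `i r esp` above)

# Frame elements as (start address, size in bytes). Addresses come from the gdb
# session on the page except the saved frame pointer, which is an assumption
# (the word at 0xbffff7d8 holds a stack address and sits just below the return address).
FRAME = {
    "auth_flag":       (0xbffff7bc, 4),
    "password_buffer": (0xbffff7c0, 16),
    "saved frame ptr": (0xbffff7d8, 4),   # assumed position
    "return address":  (0xbffff7dc, 4),
    "arg: password":   (0xbffff7e0, 4),
}


def parse_dump(text):
    """Return {address: 32-bit word} for every word in an x/Nxw dump (little-endian x86)."""
    words = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised dump line: {line!r}")
        base = int(m.group(1), 16)
        for i, w in enumerate(m.group(2).split()):
            words[base + 4 * i] = int(w, 16)   # x/xw prints consecutive 4-byte words
    return words


def annotate(words):
    """Pair each word with the frame element it belongs to ('' for padding/outside)."""
    rows = []
    for addr in sorted(words):
        role = next((name for name, (start, size) in FRAME.items()
                     if start <= addr < start + size), "")
        rows.append((addr, words[addr], role))
    return rows


def frame_size():
    """Distance from esp to the function argument, the 64 bytes gdb computed above."""
    return FRAME["arg: password"][0] - ESP


def offset_from_buffer(name):
    """Byte offset of a frame element measured from the start of password_buffer."""
    return FRAME[name][0] - FRAME["password_buffer"][0]


def reached_by_copy(n):
    """Frame elements whose bytes overlap an unbounded copy of n chars plus NUL into password_buffer."""
    lo = FRAME["password_buffer"][0]
    hi = lo + n + 1                        # strcpy writes n characters and the terminator
    return [name for name, (start, size) in FRAME.items()
            if start < hi and start + size > lo]


if __name__ == "__main__":
    for addr, word, role in annotate(parse_dump(GDB_DUMP)):
        print(f"0x{addr:08x}: 0x{word:08x}  {role}")
    print("frame size from esp to argument:", frame_size())
    print("elements reached by a 30-byte argument:", reached_by_copy(30))
```

Running it reproduces the book's observations: the argument sits 64 bytes above esp, auth_flag lies 4 bytes *below* the buffer (offset -4) and so is never touched by a copy into password_buffer, while the return address starts only 28 bytes above it, which is why the 30-character argument shown in the session reaches the saved frame pointer and the return address.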