Using Linux (CentOS 5), gcc version 4.12
What I'm trying to do is, after the call to function(1,2,3), skip the x=1 assignment and keep x=0. So inside function I want to modify the saved return address so that, when it returns, execution resumes past the x=1 assignment. Code:------------------------------------------------------------------------------ void function(int a, int b, int c) { char buffer1[5]; char buffer2[10]; int *ret; ret = buffer1 + 12; (*ret) += 8; } void main() { int x; x = 0; function(1,2,3); x = 1; printf("%d\n",x); }
gdb output, disassemble main:
0x080483a2 <main+0>: lea 0x4(%esp),%ecx
0x080483a6 <main+4>: and $0xfffffff0,%esp
0x080483a9 <main+7>: pushl 0xfffffffc(%ecx)
0x080483ac <main+10>: push %ebp
0x080483ad <main+11>: mov %esp,%ebp
0x080483af <main+13>: push %ecx
0x080483b0 <main+14>: sub $0x24,%esp
0x080483b3 <main+17>: movl $0x0,0xfffffff8(%ebp)
0x080483ba <main+24>: movl $0x3,0x8(%esp)
0x080483c2 <main+32>: movl $0x2,0x4(%esp)
0x080483ca <main+40>: movl $0x1,(%esp)
0x080483d1 <main+47>: call 0x8048384 <function>
0x080483d6 <main+52>: movl $0x1,0xfffffff8(%ebp)
0x080483dd <main+59>: mov 0xfffffff8(%ebp),%eax
0x080483e0 <main+62>: mov %eax,0x4(%esp)
0x080483e4 <main+66>: movl $0x80484d0,(%esp)
0x080483eb <main+73>: call 0x8048298 <printf@plt>
0x080483f0 <main+78>: mov $0x0,%eax
0x080483f5 <main+83>: add $0x24,%esp
0x080483f8 <main+86>: pop %ecx
0x080483f9 <main+87>: pop %ebp
0x080483fa <main+88>: lea 0xfffffffc(%ecx),%esp
0x080483fd <main+91>: ret
0x080483fe <main+92>: nop
0x080483ff <main+93>: nop
disassemble function:
0x08048384 <function+0>: push %ebp
0x08048385 <function+1>: mov %esp,%ebp
0x08048387 <function+3>: sub $0x20,%esp
0x0804838a <function+6>: lea 0xfffffff7(%ebp),%eax
0x0804838d <function+9>: add $0xc,%eax
0x08048390 <function+12>: mov %eax,0xfffffffc(%ebp)
0x08048393 <function+15>: mov 0xfffffffc(%ebp),%eax
0x08048396 <function+18>: mov (%eax),%eax
0x08048398 <function+20>: lea 0x8(%eax),%edx
0x0804839b <function+23>: mov 0xfffffffc(%ebp),%eax
0x0804839e <function+26>: mov %edx,(%eax)
0x080483a0 <function+28>: leave
0x080483a1 <function+29>: ret
I would appreciate the steps you used to modify the return address. This is not homework or a project; I have spent time trying to do this but am not getting a valid result.