modifying a return address of a function

This is a discussion on modifying a return address of a function within the C Programming forums, part of the General Programming Boards category; Using linux (Centos 5), gcc version 4.12 Code: ------------------------------------------------------------------------------ void function(int a, int b, int c) { char buffer1[5]; char ...

  1. #1
    Registered User
    Join Date
    Sep 2008
    Posts
    1

    modifying a return address of a function

    Using linux (Centos 5), gcc version 4.12
    Code:
    ------------------------------------------------------------------------------
    void function(int a, int b, int c) {
       char buffer1[5];
       char buffer2[10];
       int *ret;
    
       ret = buffer1 + 12;
       (*ret) += 8;
    }
    
    void main() {
      int x;
    
      x = 0;
      function(1,2,3);
      x = 1;
      printf("%d\n",x);
    }
    What im trying to do is after the call to function(1,2,3), i want to skip the x=1 assignement and keep x=0. So in my function i want to modify the return address so that when i return im skipping the x=1 assignment.
    gdb: disassemble main:
    0x080483a2 <main+0>: lea 0x4(%esp),%ecx
    0x080483a6 <main+4>: and $0xfffffff0,%esp
    0x080483a9 <main+7>: pushl 0xfffffffc(%ecx)
    0x080483ac <main+10>: push %ebp
    0x080483ad <main+11>: mov %esp,%ebp
    0x080483af <main+13>: push %ecx
    0x080483b0 <main+14>: sub $0x24,%esp
    0x080483b3 <main+17>: movl $0x0,0xfffffff8(%ebp)
    0x080483ba <main+24>: movl $0x3,0x8(%esp)
    0x080483c2 <main+32>: movl $0x2,0x4(%esp)
    0x080483ca <main+40>: movl $0x1,(%esp)
    0x080483d1 <main+47>: call 0x8048384 <function>
    0x080483d6 <main+52>: movl $0x1,0xfffffff8(%ebp)
    0x080483dd <main+59>: mov 0xfffffff8(%ebp),%eax
    0x080483e0 <main+62>: mov %eax,0x4(%esp)
    0x080483e4 <main+66>: movl $0x80484d0,(%esp)
    0x080483eb <main+73>: call 0x8048298 <printf@plt>
    0x080483f0 <main+78>: mov $0x0,%eax
    0x080483f5 <main+83>: add $0x24,%esp
    0x080483f8 <main+86>: pop %ecx
    0x080483f9 <main+87>: pop %ebp
    0x080483fa <main+88>: lea 0xfffffffc(%ecx),%esp
    0x080483fd <main+91>: ret
    0x080483fe <main+92>: nop
    0x080483ff <main+93>: nop

    disassemble function:
    0x08048384 <function+0>: push %ebp
    0x08048385 <function+1>: mov %esp,%ebp
    0x08048387 <function+3>: sub $0x20,%esp
    0x0804838a <function+6>: lea 0xfffffff7(%ebp),%eax
    0x0804838d <function+9>: add $0xc,%eax
    0x08048390 <function+12>: mov %eax,0xfffffffc(%ebp)
    0x08048393 <function+15>: mov 0xfffffffc(%ebp),%eax
    0x08048396 <function+18>: mov (%eax),%eax
    0x08048398 <function+20>: lea 0x8(%eax),%edx
    0x0804839b <function+23>: mov 0xfffffffc(%ebp),%eax
    0x0804839e <function+26>: mov %edx,(%eax)
    0x080483a0 <function+28>: leave
    0x080483a1 <function+29>: ret

    I would appreciate the steps that you used to modify the return address. This is not a hw or a project and i have spent time trying to do this but not getting a valid result.

  2. #2
    and the hat of sweating
    Join Date
    Aug 2007
    Location
    Toronto, ON
    Posts
    3,545
    Code:
    void function(int a, int b, int c)
    Huh? You aren't returning anything.
    "I am probably the laziest programmer on the planet, a fact with which anyone who has ever seen my code will agree." - esbo, 11/15/2008

    "the internet is a scary place to be thats why i dont use it much." - billet, 03/17/2010

  3. #3
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Changing the return address in a function is VERY compiler dependant, and of course, for a simple function, the compiler may even inline the function, at which point you have no return address to modify [instead, the code will modify some random element on the stack somewhere].

    As to the address you are modifying, how do you know where the return address is. Have you disassembled the code to figure out where the return address is. If the local variables are in order, buffer+12 may well be somewhere inside buffer2 for all I know. ret = &a, ret += 2 may work better.

    cpjust, the original post refers to "return address" as in "where we return to", not "returning an address" as in "returning a pointer".

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  4. #4
    and the hat of wrongness Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    32,673
    Of course the next step is to learn how to do the same with a buffer overflow attack, and before you know it, another kiddie hacker is born.

    I simply don't see this knowledge going anywhere which is useful.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.
    I support http://www.ukip.org/ as the first necessary step to a free Europe.

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Replies: 8
    Last Post: 03-10-2008, 11:57 AM
  2. doubt in c parser coding
    By akshara.sinha in forum C Programming
    Replies: 4
    Last Post: 12-23-2007, 12:49 PM
  3. Game Pointer Trouble?
    By Drahcir in forum C Programming
    Replies: 8
    Last Post: 02-04-2006, 01:53 AM
  4. c++ linking problem for x11
    By kron in forum Linux Programming
    Replies: 1
    Last Post: 11-19-2004, 09:18 AM
  5. Request for comments
    By Prelude in forum A Brief History of Cprogramming.com
    Replies: 15
    Last Post: 01-02-2004, 09:33 AM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21