Assembly language learning (debugging a program with a buffer overflow)

zhaozj2021-02-16  44


Recently I have been studying debugging. After downloading WinDbg I was completely lost, and had to start learning assembly. Here is my learning process.

I downloaded WinDbg from Microsoft; it seems to be a nice tool (I haven't used it much and only know a few commands), and also downloaded the symbol files.

I spent one morning reading up on assembly, and now know what a general-purpose register is, what the various registers are for, what LEA is, what STOS is, and so on.

Next, from the Start menu, run WinDbg, choose Open Executable... and open the program you want to debug. The red circle in the picture below marks assembly-only mode; otherwise the source file is opened as well, and the details of what is happening can be seen very clearly.

The middle pane is the command window, the upper right is the call stack, and the lower right shows the local variables.

When debugging with WinDbg, the first step is of course setting breakpoints, which is done with the bp command: enter bp WinMain, then bp foo.

You can use the bl command to check that the breakpoints are set correctly. Once they are, enter g and the program runs until it hits a breakpoint.

The program stops at the entry of WinMain. Use F10 to single-step.

Before the call to foo there is a PUSH EAX, which pushes the argument onto the stack; I passed a string to foo.

Then press F11 to trace into the function.

PUSH EBP pushes the function's return address onto the stack (I don't know if this is correct)?

SUB ESP, 0x4C allocates space for the current function (why allocate 0x4C)?

MOV ECX, 0x13: why is only 0x13 bytes of space initialized?

MOV EAX, [EBP+0x8]: [EBP+0x8] is the address of the string passed to foo.

LEA ECX, [EBP-0xC]: [EBP-0xC] is the start address of buf.

Next, use dd /c 1 esp to view the stack contents.

0012FEDC holds the address the function returns to. (Why is it the value shown in the Call Stack window?)

With d ebp-0xc, the address shown is 0012FECC. This is the destination address that strcpy copies the string to.

After strcpy runs, look at the stack contents again with dd /c 1 esp.

Whoa.

The function's return address saved on the stack has actually been changed. This is how an attacker can make the program run whatever he wants, by changing this address; of course, exploiting a buffer overflow is not an easy job.
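To make the frame layout read off with dd esp concrete, here is an added example (my own, not code from the original post): a plain struct that models foo()'s frame as the post describes it, buf at EBP-0xC followed by the saved EBP and the return address, a simulation of the unbounded strcpy write on that model, and the bounded copy a fixed foo() should use. The struct is a stand-in for the real stack, and the EBP and return values in it are constructed placeholders, not the addresses seen in the debugger.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Model of foo()'s frame as described in the post (constructed, not the real
 * stack): buf at EBP-0xC (10 bytes rounded up to 12 for alignment), then the
 * saved EBP from PUSH EBP, then the return address pushed by CALL foo. */
struct frame_model {
    char     buf[12];
    uint32_t saved_ebp;
    uint32_t ret_addr;
};

/* Distance from the start of buf to each slot: what one reads off "dd esp"
 * while stepping through foo. */
size_t offset_to_saved_ebp(void) { return offsetof(struct frame_model, saved_ebp); }
size_t offset_to_ret_addr(void)  { return offsetof(struct frame_model, ret_addr); }

/* Simulate the original strcpy(buf, input): it writes strlen(input)+1 bytes
 * starting at buf with no regard for the 10-byte size. The write is clamped
 * to the model so the simulation itself stays in bounds.
 * Returns 1 if the return-address slot was overwritten, 0 otherwise. */
int unchecked_copy_clobbers_ret(const char *input) {
    struct frame_model f = { {0}, 0x0012FEE0u, 0x00401234u }; /* constructed values */
    uint32_t ret_before = f.ret_addr;
    size_t n = strlen(input) + 1;               /* strcpy copies the NUL too */
    if (n > sizeof f) n = sizeof f;             /* keep the model write in bounds */
    memcpy(&f, input, n);                       /* the unbounded copy, modelled */
    return f.ret_addr != ret_before;
}

/* Hardened foo: copy only if the input, including its terminator, fits.
 * Returns 0 on success, -1 if the input is rejected (no silent truncation). */
int foo_checked(char *buf, size_t buflen, const char *input) {
    size_t n = strlen(input);
    if (buflen == 0 || n >= buflen)
        return -1;
    memcpy(buf, input, n + 1);
    return 0;
}

/* Same 10-byte buffer as the original foo, with the checked copy. */
int foo_checked_demo(const char *input) {
    char buf[10];
    return foo_checked(buf, sizeof buf, input);
}

int main(void) {
    printf("saved EBP at buf+%zu, return address at buf+%zu\n",
           offset_to_saved_ebp(), offset_to_ret_addr());
    printf("20 x 'A' overwrites the return address: %d\n",
           unchecked_copy_clobbers_ret("AAAAAAAAAAAAAAAAAAAA"));
    printf("foo_checked with 9 chars: %d, with 10 chars: %d\n",
           foo_checked_demo("123456789"), foo_checked_demo("1234567890"));
    return 0;
}
```

The model shows why the 16th byte of input is the first one that touches the return address on this layout, and why the check in foo_checked must count the terminator: a 10-character string needs 11 bytes, so it is refused for a 10-byte buffer.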

Below is the original code:

#include "stdafx.h"
#include <windows.h>
#include <string.h>

void foo(const char *input)
{
    char buf[10];

    // Pass the user input straight to secure code public enemy #1.
    // Intentionally unbounded: this is the overflow being debugged.
    strcpy(buf, input);
}

void bar(void)
{
    ::MessageBox(NULL, "Hacked", "Hello", MB_OK);
}

int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{
    // TODO: Place code here.
    foo(lpCmdLine);

    return 0;
}

PUSH EBP pushes the function's return address onto the stack (is my understanding correct)? SUB ESP, 0x4C allocates space for the current function (why allocate 0x4C)?

MOV ECX, 0x13: why does it initialize only 0x13 bytes of space? 0012FEDC holds the address the function returns to (why is it the value shown in the Call Stack window)?

I have a few questions and hope an expert can explain them. Thank you.

Please credit the original address when reprinting: https://www.9cbs.com/read-15424.html
