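/*
 * Stack-layout and buffer-overflow demonstration (32-bit x86, cdecl).
 *
 * The three C functions below are deliberately unsafe: they are the
 * subject of the gdb disassemblies and shell transcript that follow, and
 * every annotated value depends on the exact frame layout those dumps
 * show. Do NOT "fix" the strcpy calls or reorder the locals: that would
 * change the layout and invalidate the annotations.
 *
 * NOTE(review): the dumps come from an older 32-bit gcc at fixed
 * addresses (0x08048xxx) with no stack canary visible in the prologues.
 * A current toolchain may order locals differently, insert a protector,
 * or choose another frame size, so the out-of-bounds effects noted below
 * may not reproduce without a matching build (32-bit, no stack
 * protector, no PIE, no optimisation) -- confirm before relying on them.
 */
#include <string.h>   /* strcpy: the listing calls it without a prototype */

/*
 * localvars
 * =========
 *
 * Writes one byte past the end and one word before the start of an
 * 8-byte stack buffer. Both accesses are undefined behaviour in C; the
 * commented results hold only for the frame layout in the dump below:
 *   n   at  -4(%ebp)   movl $0x2,0xfffffffc(%ebp)
 *   buf at -12(%ebp)   lea 0xfffffff4(%ebp),%eax  (pushed before strcpy)
 *   x   at -16(%ebp)   movl $0xdeadbeef,0xfffffff0(%ebp)
 * n and x are volatile so their stores go to the frame (visible as the
 * two movl instructions) rather than being kept in registers.
 */
void localvars() {
    volatile int n;        /* -4(%ebp)  */
    char buf[8];           /* -12(%ebp) */
    volatile int x;        /* -16(%ebp) */
    n = 2;
    x = 0xdeadbeef;
    /* "Carnegiem;" is 10 chars + NUL = 11 bytes; bytes 8..10 spill onto
     * the three low bytes of n (little-endian): 0x6d, 0x3b, 0x00.
     * With n's top byte still 0 from the initial 2, n = 0x00003b6d. */
    strcpy(buf, "Carnegiem;"); // 'm' = 0x6d, ';' = 0x3b
                               // n = 15213 (0x3b6d)
    /* One past the array: UB. Here it is the low byte of n, which is why
     * the compiler emitted movb $0x6c,0xfffffffc(%ebp) directly. */
    buf[8] = 0x6c;             // n = 15212
    /* Before the array: UB. Here it is the low byte of x, computed as
     * movb $0xa8,(%eax,%edx,1) with %eax = -4 and %edx = &buf. */
    buf[-4] = 0xa8;            // x = 0xdeadbea8
}

/*
 * Dump of assembler code for function localvars:
 * 0x80483f0 : push %ebp
 * 0x80483f1 : mov %esp,%ebp
 * 0x80483f3 : sub $0x18,%esp
 * 0x80483f6 : movl $0x2,0xfffffffc(%ebp)
 * 0x80483fd : movl $0xdeadbeef,0xfffffff0(%ebp)
 * 0x8048404 : add $0xfffffff8,%esp
 * 0x8048407 : push $0x80484f8
 * 0x804840c : lea 0xfffffff4(%ebp),%eax
 * 0x804840f : push %eax
 * 0x8048410 : call 0x8048308
 * 0x8048415 : add $0x10,%esp
 * 0x8048418 : movb $0x6c,0xfffffffc(%ebp)
 * 0x804841c : mov $0xfffffffc,%eax
 * 0x8048421 : lea 0xfffffff4(%ebp),%edx
 * 0x8048424 : movb $0xa8,(%eax,%edx,1)
 * 0x8048428 : mov %ebp,%esp
 * 0x804842a : pop %ebp
 * 0x804842b : ret
 * End of assembler dump.
 */

/*
 * bufoverflow
 * ===========
 *
 * Classic unbounded strcpy into an 8-byte stack buffer. `string` is
 * attacker-controlled input by construction; any copy longer than 7 chars
 * plus NUL overruns buf. In the frame below buf is at -16(%ebp)
 * (lea 0xfffffff0(%ebp),%eax), so bytes 16..19 of the copy land on the
 * saved %ebp at 0(%ebp) and bytes 20..23 on the return address at
 * 4(%ebp). The return value n is read from 12(%ebp) only after the copy
 * (mov 0xc(%ebp),%eax).
 *
 * Returns n unchanged.
 */
int bufoverflow(char* string, int n) {
    char buf[8];              /* -16(%ebp) */
    strcpy(buf, string);      /* no bound: overflow path of the demo */
    return n;
}

/*
 * Dump of assembler code for function bufoverflow:
 * 0x8048414 : push %ebp
 * 0x8048415 : mov %esp,%ebp
 * 0x8048417 : sub $0x18,%esp
 * 0x804841a : mov 0x8(%ebp),%eax
 * 0x804841d : add $0xfffffff8,%esp
 * 0x8048420 : push %eax
 * 0x8048421 : lea 0xfffffff0(%ebp),%eax
 * 0x8048424 : push %eax
 * 0x8048425 : call 0x804833c
 * 0x804842a : mov 0xc(%ebp),%eax
 * 0x804842d : mov %ebp,%esp
 * 0x804842f : pop %ebp
 * 0x8048430 : ret
 * 0x8048431 : lea 0x0(%esi),%esi      (after ret; appears to be padding)
 * End of assembler dump.
 */

/*
 * exploit
 * =======
 *
 * Source for the instruction bytes that are assembled, dumped and
 * packed into exploit.txt below: |n| << 2.
 * Note: -n overflows (UB) for INT_MIN; the function is a vehicle for its
 * machine code, not a general-purpose helper.
 */
int exploit(int n) { return (n>=0 ? n : -n) << 2; }

/*
 * exploit.s:
 * ----------
 *     movl 8(%ebp),%eax
 *     testl %eax,%eax
 *     jge .L1
 *     negl %eax
 * .L1:
 *     sall $2,%eax
 *     .long 0x00000000
 *
 * unix> gcc -c exploit.s
 * unix> objdump -d exploit.o
 * 00000000 <.text>:
 *    0: 8b 45 08     mov 0x8(%ebp),%eax
 *    3: 85 c0        test %eax,%eax
 *    5: 7d 02        jge 0x9
 *    7: f7 d8        neg %eax
 *    9: c1 e0 02     shl $0x2,%eax
 *    c: 00 00        add %al,(%eax)
 *
 * The trailing .long 0 decodes as "add %al,(%eax)"; exploit.txt carries
 * only the 12 instruction bytes before it. NOTE(review): presumably the
 * zero bytes are dropped because a 0x00 would terminate the strcpy in
 * bufoverflow -- confirm.
 *
 * unix> cat > exploit.txt
 * 8b 45 08 85 c0 7d 02 f7 d8 c1 e0 02
 * unix> sendstring < exploit.txt > exploit.raw
 * unix> od -t x1 exploit.raw
 * 0000000 8b 45 08 85 c0 7d 02 f7 d8 c1 e0 02 0a
 *
 * NOTE(review): the final 0a is a newline; whether sendstring appends it
 * or it is the newline from the cat input cannot be told from here.
 */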