
I started reading "Hacking, The Art of Exploitation" and I am confused about some things regarding memory examination.

When I disassemble main, I get an output of all the memory addresses where the individual assembly instructions are, right? Each instruction does not necessarily increment the memory address by one, which is why I might have <main+1> and then <main+3> right after. In the following picture the first 20 instructions of the program are shown. [screenshot] How many bytes of information does each instruction contain?

Now I get confused: when using i r eip, I get the location of this register, which is 0x8048384 (so is it stored as the first instruction of main?). [screenshot] The value next to it is the value it holds; here I wonder, it stores 0x00fc45c7, but this instruction is not in the output above? I thought it should point to the memory which contains the next instruction for the program.

Now comes the biggest confusion: I can examine the memory where $eip is stored and observe multiple units at once, which can be seen here: [screenshot] However, on this screenshot, using x/2x you can see that there are two values stored in the memory, both 4 bytes in size? Then using x/12 there are suddenly 4 words at 0x8048384 and another 4 words at 0x8048394?

I just don't seem to understand how the values stored at a memory address differ based on the units I use. I also thought each memory address should contain only a byte of information?

schroeder

1 Answer

What you're seeing is the main() prologue that is setting up the stack. It's usually identifiable from the following sequence of opcodes:

    push ebp
    mov ebp, esp
    sub esp, N

There are a number of things that occur both before main is called and after it returns. Understanding function prologue and epilogue behavior as well as stack frames will be important for exploiting memory corruption later on in the book.

For your inspection of the executing address in main ($eip), the bytes are already loaded in memory; they are not changing, you are changing what you're asking gdb to display. With x/2<unit> <address> you're asking gdb to display two units starting at that address; with x/12 you're asking for the next 12 units. Typically memory writes occur on a heap-allocated memory segment or the stack ($esp), not in the executing segment. You can also view the machine code bytes of main() using disas /r and then compare to x/20xb $eip. Hopefully that makes it more clear.

wireghoul
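As an added illustration (not code from the answer or from the book), here is a small Python model of gdb's x command run over a constructed byte string: the same bytes are grouped into 1-, 2- or 4-byte units and read least-significant-byte first, which is why a word read at a `mov DWORD PTR [ebp-0x4],0x0` instruction (bytes c7 45 fc 00 00 00 00) shows up as 0x00fc45c7. The address 0x8048374 and the instruction bytes are assumptions chosen for the example, not values from the asker's screenshots.

```python
import struct

# Constructed sample (not taken from the asker's screenshots or the book): the
# opening bytes of a gcc-compiled 32-bit main(), loaded at an illustrative address.
#   55                    push   ebp
#   89 e5                 mov    ebp,esp
#   83 ec 18              sub    esp,0x18
#   c7 45 fc 00 00 00 00  mov    DWORD PTR [ebp-0x4],0x0
#   83 7d fc 09           cmp    DWORD PTR [ebp-0x4],0x9
MAIN = 0x8048374
TEXT = bytes.fromhex("55 89e5 83ec18 c745fc00000000 837dfc09")

UNIT_SIZE = {"b": 1, "h": 2, "w": 4, "g": 8}             # gdb's b/h/w/g unit letters
UNIT_FMT = {"b": "<B", "h": "<H", "w": "<I", "g": "<Q"}  # little-endian, as on x86
PER_LINE = {"b": 8, "h": 8, "w": 4, "g": 2}              # units gdb prints per line

def examine(mem, base, addr, count, unit="w"):
    """Model gdb's x/<count>x<unit> <addr>: return [(address, value), ...].
    The bytes never change; only how many are grouped into each value does, so
    the word at the bytes c7 45 fc 00 reads as 0x00fc45c7 (least significant byte first).
    """
    size = UNIT_SIZE[unit]
    rows = []
    for i in range(count):
        a = addr + i * size
        off = a - base
        if off < 0 or off + size > len(mem):
            raise ValueError(f"Cannot access memory at address {a:#x}")
        (value,) = struct.unpack_from(UNIT_FMT[unit], mem, off)
        rows.append((a, value))
    return rows

def render(rows, unit="w", symbol="main", base=MAIN):
    """Lay rows out as gdb prints them: a fixed number of units per line,
    each line labelled with its address and its offset from the symbol."""
    size, per = UNIT_SIZE[unit], PER_LINE[unit]
    lines = []
    for i in range(0, len(rows), per):
        addr = rows[i][0]
        cells = " ".join(f"{v:#0{size * 2 + 2}x}" for _, v in rows[i:i + per])
        lines.append(f"{addr:#x} <{symbol}+{addr - base}>:\t{cells}")
    return lines

if __name__ == "__main__":
    eip = MAIN + 6  # pretend we stopped on the mov instruction
    for unit, count in (("w", 2), ("h", 4), ("b", 8)):
        print(f"(gdb) x/{count}x{unit} $eip")
        print("\n".join(render(examine(TEXT, MAIN, eip, count, unit), unit)))
```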