Levels of abstraction, from most to least abstract (each data level lines up with the program level beneath it):

Data representation:    string (objects) | int x[3] (arrays) | char x (primitive types) | 0x9cd0f0ad (addresses) | 01101011 (bits)
Program representation: Java code | C++ code | C code | x86 code | IBCM hexadecimal
                        (high-level language, low-level language, assembly language, machine code)
|
|
Directives
|
|
|
Incorrect: (why?)
|
|
Memory:
|
C/C++ code:
|
Assembly code:
|
The stack grows toward lower addresses: the top of each picture is toward 0xffffffff, the bottom toward 0x00000000. "<- esp" marks the current top of stack; "↖ ebp" means ebp still points higher up, into the caller's frame.

This is just before the call opcode is invoked.

    +------------------------+
    | value of edx           |
    | copy of var z          |
    | 123                    |
    | value of eax (var x)   | <- esp
    +------------------------+

This is just after the call opcode is invoked (call pushed the return address).

    +------------------------+
    | value of edx           |
    | copy of var z          |
    | 123                    |
    | value of eax (var x)   |
    | return address         | <- esp
    +------------------------+

THEN, perform body of the function. The same frame, now from the callee's point of view:

This is just after the caller invokes the call opcode.

    +------------------------+
    | value of edx           | ↖ ebp
    | copy of var z          |
    | 123                    |
    | value of eax (var x)   |
    | return address         | <- esp
    +------------------------+

This is just after the callee invokes the push ebp opcode (ebp itself still points at the caller's frame until mov ebp, esp).

    +------------------------+
    | value of edx           | ↖ ebp
    | copy of var z          |
    | 123                    |
    | value of eax (var x)   |
    | return address         |
    | ebp backup             | <- esp
    +------------------------+

This is after the myFunc() prologue is completed (mov ebp, esp; space for locals; callee-saved registers pushed). Parameters sit above ebp, locals below it:

    +------------------------+
    | value of edx           |
    | copy of var z          | [ebp+16]
    | 123                    | [ebp+12]
    | value of eax (var x)   | [ebp+8]
    | return address         | [ebp+4]
    | ebp backup             | <- ebp
    | local variable         | [ebp-4]
    | saved value of ebx     |
    | saved value of esi     | <- esp
    +------------------------+
|
|
|
#include <stdio.h>

void security_hole() {
    char buffer[12];
    scanf ("%s", buffer); // how C handles input: %s copies until whitespace, never checks the size of buffer
}

The stack looks like this (sizes in bytes in parentheses, lowest address on the left, matching the frame layout above):

    esi (4) | edi (4) | buffer (12) | ebp (4) | ret addr (4)

Input is written into buffer starting at its lowest address and growing upward, so anything longer than 11 characters plus the terminating NUL runs off the end of buffer into the saved ebp, and four bytes later into the return address. When security_hole() returns, ret pops whatever was written there into eip.
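The following is an added example, not code from the original slides. It models the frame drawn above as a struct with the same field order and sizes, then feeds it input of increasing length through an unbounded copy (what scanf("%s") does) and through a bounded one (what fgets(buffer, sizeof buffer, stdin) does), and reports which saved values got clobbered. The sentinel values for the saved ebp and return address are made up, the trailing pad and the clamp in unbounded_read exist only so the model itself stays inside one C object, and the layout assumes the 32-bit x86 frame in the figure with no stack protector.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the security_hole() frame, lowest address first, sizes from the
   figure (4, 4, 12, 4, 4). The trailing pad is an artifact of the model: it
   lets a few overflowing bytes land inside the struct. A real frame has no
   such cushion; past the return address lie the caller's own data. */
struct frame {
    uint32_t saved_esi;
    uint32_t saved_edi;
    char     buffer[12];
    uint32_t saved_ebp;
    uint32_t ret_addr;
    char     pad[8];
};

/* Made-up sentinels standing in for the caller's ebp and the return address.
   Every byte of each is non-zero, so even a stray terminating NUL is visible. */
#define SENTINEL_EBP 0xbffff0c4u
#define SENTINEL_RET 0x080484d2u

static void init_frame(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->saved_esi = 0x11111111u;
    f->saved_edi = 0x22222222u;
    f->saved_ebp = SENTINEL_EBP;
    f->ret_addr  = SENTINEL_RET;
}

/* Bit 1: saved ebp clobbered; bit 2: return address clobbered. */
static int damage(const struct frame *f) {
    int d = 0;
    if (f->saved_ebp != SENTINEL_EBP) d |= 1;
    if (f->ret_addr  != SENTINEL_RET) d |= 2;
    return d;
}

/* What scanf("%s", buffer) does: copy up to the terminating NUL with no idea
   how large buffer is. The clamp keeps the copy inside the struct only so the
   model is well-defined C; scanf itself would keep writing. Addressing through
   a char pointer to the whole struct (not buffer[]) is what makes the in-struct
   overrun legal here. */
static void unbounded_read(struct frame *f, const char *input) {
    char  *dst  = (char *)f + offsetof(struct frame, buffer);
    size_t room = sizeof *f - offsetof(struct frame, buffer);
    size_t n    = strlen(input);
    if (n >= room) n = room - 1;
    memcpy(dst, input, n);
    dst[n] = '\0';
}

/* The fix: never write more than sizeof buffer bytes, NUL included, the way
   fgets(buffer, sizeof buffer, stdin) behaves. Returns 1 if input was cut. */
static int bounded_read(struct frame *f, const char *input) {
    size_t n = strlen(input);
    int truncated = n > sizeof f->buffer - 1;
    if (truncated) n = sizeof f->buffer - 1;
    memcpy(f->buffer, input, n);
    f->buffer[n] = '\0';
    return truncated;
}

/* Constructed input: n copies of 'A' (0x41), the classic overflow filler. */
static void fill_input(char *in, size_t cap, size_t n) {
    if (n > cap - 1) n = cap - 1;
    memset(in, 'A', n);
    in[n] = '\0';
}

static int run_unbounded(size_t n) {
    struct frame f; char in[64];
    fill_input(in, sizeof in, n);
    init_frame(&f);
    unbounded_read(&f, in);
    return damage(&f);
}

static uint32_t ret_after_unbounded(size_t n) {
    struct frame f; char in[64];
    fill_input(in, sizeof in, n);
    init_frame(&f);
    unbounded_read(&f, in);
    return f.ret_addr;
}

/* Bits 1-2 as in damage(); bit 4 set when the input was truncated. */
static int run_bounded(size_t n) {
    struct frame f; char in[64];
    fill_input(in, sizeof in, n);
    init_frame(&f);
    int truncated = bounded_read(&f, in);
    return damage(&f) | (truncated << 2);
}

int main(void) {
    size_t lens[] = {11, 12, 16, 20};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%2zu 'A's: unbounded damage=%d ret=0x%08x | bounded result=%d\n",
               lens[i], run_unbounded(lens[i]),
               (unsigned)ret_after_unbounded(lens[i]), run_bounded(lens[i]));
    return 0;
}
```

Eleven characters fit. Twelve already corrupt the saved ebp, because the terminating NUL lands on its low byte; sixteen reach the return address the same way; twenty replace it outright with 0x41414141, which is what a debugger shows as eip after the function returns. The bounded read truncates the same inputs and leaves both saved values intact.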
|