Difference between revisions of "The Stack"

From SkullSecurity
Revision as of 16:25, 13 March 2007

Assembly Language Tutorial

The stack is, at best, a difficult concept to understand. However, understanding the stack is essential to reverse engineering code.

The stack pointer register, esp, is a register that points to a location in a region of memory called "the stack". The stack is just a large section of memory where temporary data can be stored and retrieved. When a function is called, some stack space is allocated to the function, and when the function returns the stack should be in the same state it started in.

The stack always grows downwards, towards lower addresses. The esp register points to the lowest address currently in use on the stack, which is the most recently pushed value. Anything below esp is considered free memory that can be overwritten at any time.

The stack stores function parameters, local variables, and the return address of every function.

Function Parameters

When a function is called, its parameters are typically stored on the stack before making the call. Here is an example of a function call in C:

func(1, 2, 3); 

And here is the equivalent call in assembly:

push 3
push 2
push 1
call func
add esp, 0Ch

The parameters are pushed onto the stack in reverse order (last parameter first), then the function is called. The function has to know it's getting 3 parameters and in what order, which is why function parameters have to be declared in C. In the calling convention shown here (cdecl), the caller, not the callee, removes the parameters afterwards, which is why the add esp, 0Ch follows the call.

After the function returns, the stack pointer is still 12 bytes below where it started: the three pushes, of 4 bytes each, subtracted a total of 12 from esp. To restore the stack to where it used to be, 12 (0x0c) has to be added back to the stack pointer.

Here is what the initial stack looked like (with ?'s representing unknown stack values):

    esp        ?
    esp - 4    ?
    esp - 8    ?
    esp - 12   ?
    esp - 16   ?

Note that the same 5 32-bit stack values are shown in all these examples, with the stack pointer at the left moved. The stack goes much further up and down, but that isn't shown here.

Here are the three pushes:

push 3

    esp + 4    ?
    esp        3
    esp - 4    ?
    esp - 8    ?
    esp - 12   ?

push 2

    esp + 8    ?
    esp + 4    3
    esp        2
    esp - 4    ?
    esp - 8    ?

push 1

    esp + 12   ?
    esp + 8    3
    esp + 4    2
    esp        1
    esp - 4    ?

Now all three values are on the stack, and esp is pointing at the 1 (the first parameter, which was pushed last). The function is called and returns, leaving the stack the way it found it. Now the final instruction runs:

add esp, 0Ch

    esp        ?
    esp - 4    3
    esp - 8    2
    esp - 12   1
    esp - 16   ?

Note that the 3, 2, and 1 are still in memory; add esp only moves the pointer and does not erase anything. However, they are now below the stack pointer, which means they are considered free memory and will be overwritten by the next push or call.
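To make the push / call / add esp, 0Ch sequence concrete, here is a small model of the 32-bit stack written as an added example for this page; it is not code from the tutorial. A 16-cell array stands in for memory and esp is a byte offset into it, so higher index means higher address. The call is modelled as pushing a (constructed) return address and ret as popping it, which is why the callee finds its first argument at [esp+4] rather than [esp]. The function names and the 0x08048123 return address are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of the x86 stack from the text: a small array of 32-bit cells
 * stands in for memory, and esp is a byte offset into it. Higher index is a
 * higher address, so the stack grows toward index 0. Hypothetical model only. */
#define STACK_DWORDS 16
#define UNKNOWN      0xCCCCCCCCu   /* stands for the "?" cells in the tables */

struct cpu {
    uint32_t mem[STACK_DWORDS];
    uint32_t esp;                   /* byte offset, always a multiple of 4 */
};

static void cpu_init(struct cpu *c) {
    for (int i = 0; i < STACK_DWORDS; i++) c->mem[i] = UNKNOWN;
    c->esp = (STACK_DWORDS / 2) * 4; /* start mid-array: room above and below */
}

static uint32_t read32(const struct cpu *c, uint32_t addr) { return c->mem[addr / 4]; }

/* push: esp -= 4, then store the value at [esp]. */
static void push(struct cpu *c, uint32_t v) { c->esp -= 4; c->mem[c->esp / 4] = v; }

/* pop: load from [esp], then esp += 4. The cell keeps its old contents. */
static uint32_t pop(struct cpu *c) { uint32_t v = c->mem[c->esp / 4]; c->esp += 4; return v; }

/* add esp, imm: moves the pointer only; nothing in memory is touched. */
static void add_esp(struct cpu *c, uint32_t imm) { c->esp += imm; }

/* The callee's view. 'call' pushed a return address, so inside func the
 * first argument is at [esp+4], the second at [esp+8], the third at [esp+12].
 * Returns the three arguments packed as decimal digits (1,2,3 -> 123). */
static uint32_t func(const struct cpu *c) {
    uint32_t a = read32(c, c->esp + 4);
    uint32_t b = read32(c, c->esp + 8);
    uint32_t d = read32(c, c->esp + 12);
    return a * 100 + b * 10 + d;
}

/* Models: push 3 / push 2 / push 1 / call func / add esp, 0Ch.
 * Returns what func observed; on return esp is back where it started. */
static uint32_t call_func_1_2_3(struct cpu *c) {
    const uint32_t fake_return_address = 0x08048123u;  /* constructed value */
    push(c, 3);
    push(c, 2);
    push(c, 1);
    push(c, fake_return_address);        /* what 'call' does */
    uint32_t seen = func(c);
    (void)pop(c);                        /* what 'ret' does */
    add_esp(c, 0x0C);                    /* caller discards its 3 arguments */
    return seen;
}

int main(void) {
    struct cpu c;
    cpu_init(&c);
    uint32_t esp0 = c.esp;
    uint32_t seen = call_func_1_2_3(&c);
    printf("func saw its arguments as %u; esp restored: %s\n",
           seen, c.esp == esp0 ? "yes" : "no");
    /* The five-cell window from the last table in the text. */
    for (uint32_t k = 0; k <= 4; k++)
        printf("esp - %-2u : 0x%08x\n", 4 * k, read32(&c, c.esp - 4 * k));
    push(&c, 0xDEADBEEFu);   /* the next push reclaims the slot that held 3 */
    printf("after one more push, [esp] = 0x%08x\n", read32(&c, c.esp));
    return 0;
}
```

Running it prints the same window as the final table (an unknown cell at esp, then 3, 2, 1 below it), and the extra push at the end shows the "free memory" point: the cell that held 3 is silently replaced the moment something new is pushed.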

call and ret Revisited

Local Variables

Frame Pointer

Balance

Questions

Feel free to edit this section and post questions, I'll do my best to answer them. But you may need to contact me to let me know that a question exists.