Questions tagged [stack]
Part of a process memory that stores all the automatic variables and the call-stack of the functions currently called by the process.
93 questions
1
vote
1
answer
385
views
Ghidra 11.0 - What does Function > Analyze Stack option do?
Greetings ladies & gentlemen,
I am but a novice at both Ghidra and Reverse Engineering in general. Forgive me if you think this question is dumb or obvious to answer :)
While attempting to solve a ...
0
votes
2
answers
385
views
Cutter shows addresses relative to stack but not rbp. How to change it?
Look at the first image:
Here what I get is var void *buf @ stack - 0x28.
But I'm watching a tutorial there his Cutter shows like this:
var void *buf @ rbp - 0x20. How can I change cutter to appear ...
- 123
1
vote
3
answers
214
views
Why does this piece of code modify itself?
I'm reading the famous "Smash the stack and profit" paper, and to reiterate, the whole point of the idea is to put some binary code in a buffer, overflows it to rewrite the return address (...
3
votes
0
answers
90
views
Contents of EAX in IDA Free?
I am doing Level 2 of TryHackMe's REloaded reverse engineering challenges.
In the screen shot below, you can see I have found the string I want by hovering my mouse over EAX, however a good chunk is ...
- 195
4
votes
1
answer
175
views
💻 This code does not crash on ARM (qemu). Why?
I found a couple of interesting integer underflows leading to memcpy() wild copies in a TLV parser process of some random IoT firmware. It is 32-bit ARMv7.
I'm able to emulate the userspace process ...
- 61
2
votes
1
answer
90
views
why some functions push data before the prologue
i am a newbie in the world of RE ,
i start to explorer a main entry of a classic game from 90's
and i start to see something confuse me as a newbie
this main entry function start with pushing stuff to ...
- 23
2
votes
1
answer
73
views
Can ESP point to a global variable
This 3 lines of code are used by some encoders to get EIP into ECX register:
fldz
fnstenv [esp-C]
pop ecx
The 2 first instructions push some datas on stack and we get one of this into ECX on the last ...
- 787
3
votes
0
answers
172
views
How to leak buffer address on the stack?
I am new to buffer overflows and I was trying to overwrite the saved RIP to point to a buffer containing a shellcode. The buffer is located onto the stack so its address is randomized. How can I leak ...
- 51
3
votes
0
answers
55
views
Find location to override PC by stack frame with stackoverflow
I have stackoverflow in MIPS arch (without ASLR/canary)
In Ida I see that the buffer that has the overflow located in SP+200
In the beginning if function I can see the stack size because I see the ...
- 291
3
votes
1
answer
544
views
Reverse-engineering a 90s CNC machine (FORTH like) firmware
Here's an undertaking I'm currently in, and would absolutely love someone to assist more directly. I'll list the subjects that I would greatly appreciate more knowledge within. Know anything about one ...
1
vote
0
answers
2k
views
How can i get the address of a function in memory?
I am currently completing a CTF exercise where i must attempt to overwrite a function pointer on the stack through a buffer overflow here is the code:
#include <err.h>
#include <stdio.h>
#...
0
votes
0
answers
93
views
stack explanation from https://revers.engineering/applied-re-the-stack/
I've been reading [1] (By Daax Rynd) to get an understanding the stack and at around the 12th page, I'm a bit stumped by how the value 60 from sub rsp, 60 was arrived at.
[Note, all code and quotes ...
- 135
3
votes
1
answer
911
views
How to resolve illegal instruction for this ARM stack exploitation?
Summary
I am trying to write a stack overflow exploit for ARM Cortex-A72 running
Raspberry Pi OS (32-bit). Because of my choice of OS, I am restricted to
the ARMv7 (32-bit) instruction set.
I have ...
- 131
1
vote
1
answer
48
views
Why struct allocation with new operator in local function makes additional space on stack?
I decided to ask the question on this forum because I can not figure out why struct allocation makes the additional 16 bytes space on local function stack(third line at the second snippet).
Here is ...
1
vote
0
answers
353
views
Call stack in Windbg address with no modules associated
I've been working on figuring out the stack from a minidump [1]; but have put that on hold as I had other things to figure out. Coming back to this problem, I figured I'd go back and use Windbg to ...
- 135
1
vote
1
answer
548
views
Understanding buffer overflow in Arm
Let's say I have a function (vuln) that has a local buffer with size of 0x20 bytes. In the beginning of this function, there is push r4-r7,lr.
Is that correct, that the stack looks like:
Buffer: (0x20)...
- 11
2
votes
1
answer
366
views
What is the structure of the Stack in a minidump?
I'm currently using Python3.9 in Linux to obtain the necessary information from a minidump file. I used WinDBG on my windows system to check whether the information I got was right.
While [1], [2] ...
- 135
2
votes
1
answer
210
views
Radare2 does not reload payload correctly
I'm new to Radare2 so i'm trying to learn it by doing some basic buffer overflows. My problem is that, when i try to load some payloads, the stack seems to fake them in some differents ways...
For ...
- 23
0
votes
1
answer
208
views
troublesome stack frame setup
I have a function with the first few instructions defined as follows:
sub rsp, 0x80
lea rbp, [rsp + 0x20]
mov qword [rbp + 0x58], rsi
mov qword [rbp + 0x50], rbx
mov qword [rbp + 0x70], rcx
mov ...
- 111
1
vote
1
answer
345
views
does mov DWORD PTR 32[rsp], 5 means mov DWORD PTR [rsp+32], 5?
I am learning about windows x64 calling convention, where the first four arguments are passed to registers and left arguments are passed through the stack. To see it, I checked the assembly of the ...
- 45
0
votes
1
answer
121
views
Do Stack frames grow upwards?
I am currently learning RE and I came upon this piece of code which made me question whether stack frames grow upward:
0x080483f4 <main+0>: push ebp
0x080483f5 <main+1>: mov ...
- 103
1
vote
1
answer
221
views
Analyze stack with IDAPython
In Ida pseudo-code when I press at stack's variable I can see the place of this variable in stack.
char buffer[XXX]; // [sp+YYh]
How can I get that information (buffer size and place of this buffer ...
- 43
2
votes
0
answers
35
views
Creating stack variables when they are addressed by non-SP register
So, I have ARM code which uses R7 as the register to access the stack variables:
In the first basic block IDA successfully identified R7 as stack pointer and created the variables. But then, after ...
- 1,870
5
votes
1
answer
222
views
IDA stack depth differences when branching
I'm decompiling some Direct3D code that makes a lot of indirect calls to __stdcall functions.
For example:
call dword ptr [edx+0xC8h]
which is really:
pD3DDevice->SetRenderState();
IDA doesn't ...
- 53
1
vote
2
answers
456
views
What is the state of the stack in the entry function?
I have an ELF binary and in the entry function the first two instructions are:
XOR EBP, EBP
POP ESI
I'm curious what the state of the stack is at the start of the entry function in ELF and PE ...
- 13
0
votes
2
answers
932
views
ASM Debuggers that visualize the stack (beginner friendly)
(Cross-posted from Stack Overflow)
Are there any debuggers that constantly show a visual of the stack and where everything is within it? For example, taking some random image:
I use gdb for most ...
- 103
1
vote
1
answer
569
views
How to calculate value inside stack segment (SS)
I have an assembly row which the following information:
EBP = 006FFB50
SS = 002B
When I looked on this row:
mov eax,dword ptr ss:[ebp+8]
I assumed that EBP + 8 = 006FFB50 + 8 = 006FFB58.
But ...
- 583
2
votes
2
answers
416
views
ASLR in Linux Vs Windows
I am quite new in binary exploitation. I am doing a lot of beginners exercise here. I am confused about ASLR. I tried some binary exploitation thing in Linux. It was recommended that I should stop ...
- 143
3
votes
1
answer
292
views
reason of padding in exploit
I was doing vulnserver bufferflow exploit. I saw a tutorial where the he makes a payload to exploit the server.
Take a look at the exploit:
#!/usr/bin/python
import socket
target_ip = "10.0.2.4&...
- 143
4
votes
1
answer
1k
views
Ghidra Decompiler Optimized Strings
Looking at a large x86 binary, I'm seeing lots of instances where strings are assembled on the stack as quadwords like so:
If I try to set the type of puStack40 to char[38], I get the following output ...
- 406
5
votes
1
answer
345
views
Where do mouse/keyboard GUI inputs get queued or stored?
Where do mouse-clicks in a program's GUI window/menus (Windows OS) get stored in memory? Is there some sort of input/GUI "queue" similar to Windows messages queuing?
I'm wondering if it'd be possible ...
- 179
1
vote
1
answer
131
views
Why does this x64 stack have other bytes and seems to be in reverse order?
I wrote the following small C program and you can also see the stack in the screenshot. My question is twofold:
How come there are entire rows of other data between the 3 stack strings?
Why is my ...
- 1,890
0
votes
0
answers
352
views
exploiting a binary using ret2libc
I ran into this binary at a CTF :
https://github.com/auehc/AUCTF-2020/tree/master/Pwn/House%20of%20Madness
I first tried to exploit it and get a shell using ret2libc technique, however I didn't ...
- 1
0
votes
1
answer
278
views
x86 main preamble makes stack aligned on 32-bytes boundaries
For the record, I've read all stackexchange relevant answers on the topic (here and here) plus other articles to fully grasp the concepts of memory alignment and CPU natural boundaries.
But for some ...
- 151
1
vote
0
answers
79
views
How large are privileges of linux kernel module?
I know that kernel modules are practically part of the kernel since it gets loaded inside it. But I am not sure if it really gets all privileges the system has. Can it read/write code inside the ...
- 55
3
votes
1
answer
343
views
Why EIP is being overwritten before local buffer ends?
I am doing a simple buffer overflow exercise, here is the source:
//vuln.c
#include <stdio.h>
#include <string.h>
int main(int argc, char* argv[]) {
char buf[256];
strcpy(buf,argv[...
- 33
0
votes
0
answers
132
views
Bufferoverflow Stack
I want to do a buffer overflow exploit in the stack. For this i read in data via the "gets"-function.
void ExploitMe()
{
char buffer[256];
gets(buffer);
}
I compile this file with
gcc test.c -...
- 49
3
votes
1
answer
480
views
ELF x86 - Why is return address pushed twice?
I reverse an ELF x86, and I would like to understand why the return address is pushed again on the stack? It should be already present there.
main:
lea ecx, [esp+0x4 {argc}]
and esp, 0xfffffff0
...
- 193
1
vote
1
answer
451
views
Find out if address store in heap or stack
While dynamic debugging with ida and gdb-server on binary file running on linux , I saw address that store some value.
How can I know if this address allocated in stack or in heap?
- 533
1
vote
1
answer
443
views
radare2 shows main function arguments argv as pointer to char on the stack, not as pointer to pointer to char
Well, I've been digging around process command line arguments as well as environment variables a bit these last days, especially looking up the way main function arguments were pushed onto the stack.
...
- 151
2
votes
1
answer
985
views
How to examine/edit stack memory contents using radare2 in debug mode?
How can i examine/edit stack contents using radare2, just like gdb ?
Is there a way to examine memory using $rbp or $rsp register like below.
x $rbp-10 <--- something like this which can dump from ...
- 151
4
votes
1
answer
11k
views
How to print the value of register with Radare 2
I am trying to solve this ELF - Ptrace challenge. I use Radare 2. This is the commands I execute to print the assembly code.
radare2 ch3.bin
[0x080482f0]> aaa
[[anal.jmptbl] Missing cjmp bb in ...
- 231
0
votes
1
answer
109
views
What is a good resource to learn about how the call stack works while programming in C?
Sorry if this is a duplicate and please point me in the right direction if so. I have a strong foundation in C programming and I know how memory is allocated on the stack for variables/arrays/...
user4466
2
votes
1
answer
1k
views
Why stack canary can be brute-force one byte at a time?
I am reading brute-forcing stack canary. But I am confused why the server can be brute-forced one byte at a time on a crashable-server and what does mean this fork-and-accept ?
- 21
1
vote
2
answers
866
views
How to identify if buffer allocate on stack or heap?
When I looking on Ida with static analyze I see that buffer pass to function/ function fill data in buffer.
How can I know if this buffer allocate in stack/ heap?
- 533
-2
votes
1
answer
2k
views
Why dont use memcpy? [closed]
Why using memcpy can cause to stack overFlow?
memcpy get the number of bytes to copy, so what is the problem , and how memcpy_s fix it?
- 533
1
vote
1
answer
334
views
Changing local variable in caller from callee in C? [closed]
I'm implementing a function which is going to perform some time-consuming task, and I'd like to hack the benchmarking part a bit by changing the variable indicating the CPU time my function has ...
- 121
3
votes
2
answers
313
views
Remote Debugging Linux Binaries - Stack Address Changes?
Do stack addresses change every time we remotely debug a Linux binary using linux_server and IDA Pro?
I am using IDA Pro and remote debug a linux binary which is running on a Linux machine and I am ...
- 775
3
votes
2
answers
1k
views
How to execute a specific shellcode with a non executable stack without using format string? (without ASLR and stack cookie)
First off we don't have ASLR and stack cookie, and assume we can't create our own files on this system
So I'm trying to execute a shellcode in this code, this is what i have done so far:
i have ...
- 155
2
votes
1
answer
2k
views
Is the value of EBP before the main function important?
So before we come to the main function, it looks we are in a function with a name __libc_start_main
and before we come to our main function we obviously push EBP value in the stack ( the value of EBP ...
- 207