Gray Hat Hacking: The Ethical Hacker's Handbook
252
Our two arguments are a few bytes after ebp. Let's do the math and see exactly how many bytes are between the variables and then reconstruct the entire stack frame. If you're following along, step past the function prolog where the correct values are popped off the stack before trying to match up the numbers. We'll go through the assembly momentarily. For now, just press P three times to get past the prolog and then display the registers. (pr disables and enables the register display along the way.)
0:000> pr
meet!greeting+0x1:
00401021 8bec mov ebp,esp
0:000> p
meet!greeting+0x3:
00401023 81ec90010000 sub esp,0x190
0:000> pr
eax=00320e15 ebx=7ffdf000 ecx=00320e18 edx=00320e00 esi=00000000 edi=00085f38
eip=00401029 esp=0012fd3c ebp=0012fecc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000206
meet!greeting+0x9:
00401029 8b450c mov eax,[ebp+0xc] ss:0023:0012fed8=00320e18
All right, let's build up a picture of the stack, starting from the top of this stack frame (esp). At esp (0x0012fd3c for us; it might be different for you), we find the function's local variable name, which then goes on for the next 400 (0x190) bytes.
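The arithmetic the text asks for can be checked mechanically. The following Python is an added example, not code from the book: it decodes the immediate of the sub esp,0x190 instruction from the hex bytes shown in the disassembly, verifies that ebp - esp matches that frame size, and lays out the saved ebp, return address and the two arguments from the register values captured above. The argument names arg1 and arg2 are placeholders (the page does not name them); the function and variable names are the example's own.

```python
# Register values and instruction bytes copied from the WinDbg session quoted above.
ESP = 0x0012FD3C
EBP = 0x0012FECC
SUB_ESP_BYTES = "81ec90010000"   # encoding of "sub esp,0x190" shown by the debugger


def local_size_from_sub_esp(hexbytes: str) -> int:
    """Decode 'sub esp, imm32' (opcode 81 /5 with ModRM EC) and return the immediate.

    The 32-bit immediate is stored little-endian, so the bytes 90 01 00 00
    in the listing mean 0x00000190, i.e. 400 bytes of locals.
    """
    raw = bytes.fromhex(hexbytes)
    if raw[:2] != b"\x81\xec":
        raise ValueError("not a 'sub esp, imm32' encoding")
    return int.from_bytes(raw[2:6], "little")


def frame_layout(esp: int, ebp: int, local_size: int, arg_names):
    """Map the slots of a standard x86 frame (push ebp / mov ebp,esp / sub esp,N)
    to addresses, using the register values observed after the prolog.

    Layout from low to high address:
      esp .. esp+local_size-1  local variables (here: the 400-byte 'name' buffer)
      [ebp]                    saved ebp of the caller
      [ebp+4]                  return address
      [ebp+8], [ebp+0xc], ...  the caller's arguments, 4 bytes each
    """
    if ebp - esp != local_size:
        raise ValueError(f"ebp-esp = {ebp - esp:#x}, expected {local_size:#x}")
    layout = {
        "locals_start [esp]": esp,
        "locals_end": esp + local_size - 1,
        "saved_ebp [ebp]": ebp,
        "return_address [ebp+4]": ebp + 4,
    }
    for i, name in enumerate(arg_names):           # arg names are placeholders
        layout[f"{name} [ebp+{8 + 4 * i:#x}]"] = ebp + 8 + 4 * i
    return layout


def distance_from_locals(layout: dict, slot: str) -> int:
    """Bytes from the start of the local variable area to the given slot.

    This is the number the text sets out to compute: how far the start of
    'name' is from each of the other items in the frame.
    """
    return layout[slot] - layout["locals_start [esp]"]


def describe(layout: dict) -> str:
    """Render the frame low-to-high as 'address  slot' lines."""
    return "\n".join(f"{addr:#010x}  {slot}" for slot, addr in sorted(layout.items(), key=lambda kv: kv[1]))


if __name__ == "__main__":
    size = local_size_from_sub_esp(SUB_ESP_BYTES)
    frame = frame_layout(ESP, EBP, size, ["arg1", "arg2"])
    print(describe(frame))
    print(f"return address is {distance_from_locals(frame, 'return_address [ebp+4]')} bytes past esp")
```

The second argument lands at ebp+0xc = 0x0012fed8, which is exactly the address WinDbg annotated on the mov eax,[ebp+0xc] line, so the reconstructed frame agrees with what the debugger shows.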