For example, at this point we will restart the program with CTRL-F2 and
then press F9 to continue to the breakpoint. You should now see OllyDbg has halted on
the function call we are interested in (strcpy).
Now that we have a breakpoint set on the vulnerable function call (strcpy), we can
continue by stepping over the strcpy function (press F8). As the registers change, you will
see them turn red. Since we just executed the strcpy function call, you should see many
of the registers turn red. Continue stepping through the program until you reach address
0x00401057, the RETN instruction at the end of the greeting function. You will notice that the
debugger recognizes that the function is about to return and shows you useful information.
For example, since the saved eip has been overwritten with four As, the debugger
indicates that the function is about to return to 0x41414141. Also notice how the function
epilog has copied the address of esp into ebp and then popped four As into that
location (0x0012FF64 on the stack).
Gray Hat Hacking: The Ethical Hacker's Handbook
256
As expected, when you press F8 one more time, the program will fire an exception. This is
called a first chance exception, as the debugger and program are given a chance to handle
the exception before the program crashes.
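As an added illustration (this is not the book's own source), the shape of a strcpy call like the one the debugger halted on is shown beside a bounded version that refuses input the frame cannot hold; the 400-byte buffer size and the single-argument signature are assumptions.

```c
/* Added example, not code from Gray Hat Hacking. Assumes the greeting
 * function copies one argument into a fixed 400-byte stack buffer. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 400   /* assumed buffer size */

/* Unsafe form: strcpy copies until the NUL of the source, so an argument of
 * NAME_LEN or more bytes runs past name[] into the saved ebp and saved eip
 * that the epilog (mov esp,ebp / pop ebp / ret) later restores. It is shown
 * for contrast only and is never called below. */
void greeting_unsafe(const char *who) {
    char name[NAME_LEN];
    strcpy(name, who);            /* no bound check: stack overflow */
    printf("Hello %s\n", name);
}

/* Hardened form: verify the input (including its terminator) fits before
 * touching the stack buffer. Returns 0 on success, -1 when input is refused. */
int greeting_safe(const char *who) {
    char name[NAME_LEN];
    /* memchr scans at most NAME_LEN bytes, so an unterminated or oversized
     * string is detected without reading past the window we are allowed. */
    const char *nul = memchr(who, '\0', NAME_LEN);
    if (nul == NULL) {
        return -1;                /* no terminator within the buffer size */
    }
    size_t len = (size_t)(nul - who);
    memcpy(name, who, len + 1);   /* bounded copy, terminator included */
    printf("Hello %s\n", name);
    return 0;
}

/* Builds a constructed test input of n 'A' bytes, like the run of As that
 * overwrote the saved eip in the debugger, and returns greeting_safe's verdict. */
int greeting_safe_with_as(size_t n) {
    char *buf = malloc(n + 1);
    if (buf == NULL) return -1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    int rc = greeting_safe(buf);
    free(buf);
    return rc;
}

int main(void) {
    printf("short input -> %d\n", greeting_safe("world"));     /* 0  */
    printf("399 As      -> %d\n", greeting_safe_with_as(399)); /* 0  */
    printf("460 As      -> %d\n", greeting_safe_with_as(460)); /* -1 */
    return 0;
}
```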