This is particularly useful when you want to determine
exactly how much data it will take to fill a stack allocated buffer and to overwrite a
saved return address. While source code can tell you how much space a programmer
requested for a local array, IDA can show you exactly how that array gets allocated at
runtime, including any compiler-inserted padding. Following initial analysis, IDA positions
the disassembly display at the program entry point as shown in Figure 12-2. This is
a typical function disassembly in IDA. The stack frame of the function is displayed first,
then the disassembly of the function itself.
By convention, IDA names local variables var_XXX, where XXX refers to the variable's
negative offset within the stack relative to the stack frame pointer. Function parameters are
named arg_XXX, where XXX refers to the parameter's positive offset within the stack relative
to the saved function return address. Note in Figure 12-2 that some of the local variables
are assigned more traditional names. IDA has determined that these particular variables are
used as parameters to known library functions and has assigned names to them based on
names used in API (application program interface) documentation for those functions' prototypes.
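The naming convention above encodes the whole frame layout, so it can be decoded mechanically. The following Python is an added example (not IDA's own code and not from this book) that turns a constructed set of IDA-style names and sizes into an ordered frame map, reports how much space the compiler really reserved for a local array (padding included), and measures the distance between any two slots. It assumes 32-bit x86 with an ebp-based frame: saved ebp at [ebp+0], saved return address at [ebp+4], and arg_0 at [ebp+8]; the sample frame and the function `handler` it is said to come from are constructed for illustration.

```python
"""Decode IDA-style stack variable names (var_XXX / arg_XXX) into a frame layout.

Assumptions (illustration only, not IDA's own code): 32-bit x86, ebp-based
frame, XXX in hexadecimal. Offsets are relative to ebp: saved ebp at 0,
saved return address at +4, first parameter (arg_0) at +8.
"""
import re

SAVED_EBP_OFFSET = 0      # [ebp+0]
RETURN_ADDR_OFFSET = 4    # [ebp+4]
FIRST_ARG_OFFSET = 8      # [ebp+8] is arg_0

_NAME_RE = re.compile(r"^(var|arg)_([0-9A-Fa-f]+)$")


def ida_name_to_offset(name: str) -> int:
    """var_XXX -> -XXX (below ebp); arg_XXX -> 8 + XXX (above the return address)."""
    m = _NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not an IDA stack-variable name: {name!r}")
    kind, hexdigits = m.groups()
    value = int(hexdigits, 16)
    return -value if kind == "var" else FIRST_ARG_OFFSET + value


def frame_layout(variables: dict) -> list:
    """Build the frame as a list of (name, offset, size) sorted by address.

    `variables` maps IDA names to the size in bytes shown in IDA's stack frame
    view. The saved ebp and return address slots are added automatically,
    since every ebp-based frame has them.
    """
    slots = [(n, ida_name_to_offset(n), s) for n, s in variables.items()]
    slots.append(("saved_ebp", SAVED_EBP_OFFSET, 4))
    slots.append(("retaddr", RETURN_ADDR_OFFSET, 4))
    return sorted(slots, key=lambda slot: slot[1])


def allocated_size(layout: list, name: str) -> int:
    """Bytes from the start of `name` to the start of the next slot above it.

    This is the space the compiler actually reserved, including any padding
    it inserted, which may exceed the size declared in the source.
    """
    idx = next(i for i, (n, _, _) in enumerate(layout) if n == name)
    if idx + 1 >= len(layout):
        raise ValueError(f"{name} is the highest slot in the frame")
    return layout[idx + 1][1] - layout[idx][1]


def padding_bytes(layout: list, name: str, declared_size: int) -> int:
    """Compiler-inserted padding: runtime allocation minus source-declared size."""
    return allocated_size(layout, name) - declared_size


def distance(layout: list, lower: str, upper: str) -> int:
    """Byte distance from the start of slot `lower` to the start of slot `upper`."""
    offsets = {n: o for (n, o, _) in layout}
    return offsets[upper] - offsets[lower]


def render(layout: list) -> str:
    """Text view of the frame, lowest address first, in IDA's [ebp+off] style."""
    lines = []
    for name, off, size in layout:
        sign = "+" if off >= 0 else "-"
        lines.append(f"[ebp{sign}{abs(off):#x}]  {name:<10} {size} bytes")
    return "\n".join(lines)


# Constructed sample: what IDA's stack frame view might list for a function
# written in C as   int handler(char *src, int len) { char buf[100]; int count; ... }
# (names and sizes are made up for this illustration).
SAMPLE_FRAME = {
    "var_70": 100,   # buf
    "var_4": 4,      # count
    "arg_0": 4,      # src
    "arg_4": 4,      # len
}

if __name__ == "__main__":
    layout = frame_layout(SAMPLE_FRAME)
    print(render(layout))
    print("buf occupies", allocated_size(layout, "var_70"), "bytes;",
          padding_bytes(layout, "var_70", 100), "of them are compiler padding")
    print("buf start to saved return address:", distance(layout, "var_70", "retaddr"), "bytes")
```

For the constructed frame, `buf` is declared as 100 bytes in source but occupies 108 bytes at runtime (8 bytes of padding before `count` at var_4), and its start lies 116 bytes below the saved return address. That gap between declared and allocated size is exactly what the source alone cannot tell you and what the stack frame view in Figure 12-2 makes visible; when auditing a copy into such a buffer, the allocated size, not the declared one, is the figure to check against.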