How to find the address of the return address in the C / C++ stack

I read about a function that can rewrite my return address.

#include <stdio.h>
#include <string.h>

void foo(const char* input)
{
    char buf[10];

    //What? No extra arguments supplied to printf?
    //It's a cheap trick to view the stack 8-)
    //(Undefined behaviour: each %p reads the next argument slot, i.e. the stack.)
    //We'll see this trick again when we look at format strings.
    printf("My stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n"); //%p, i.e. expect pointers

    //Pass the user input straight to secure code public enemy #1.
    strcpy(buf, input); //no bounds check: input longer than 9 chars overruns buf
    printf("%s\n", buf);

    printf("Now the stack looks like:\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
}

It was suggested that it would look like this:

Address foo = 00401000

My stack looks like this:
00000000
00000000
7FFDF000
0012FF80
0040108A <- We want to rewrite the return address for foo.
00410EDE

Questions:

1. Why did the author arbitrarily choose the second-last value as the return address of foo()?

2. Are values pushed onto the stack from the bottom or the top?

3. Besides the function return address, what other values do I apparently see on the stack, i.e. why is it not filled with zeros?

Thanks.


, , EBP (0012FF80). prev-EBP .

(, , 32- Windows -FPO) 1.

, :

push ebp      ; back up the previous ebp on the stack
mov ebp, esp  ; set up the new frame pointer

,

call 0x00401000

EIP ( ), :

[ebp+0xc]  ; contains parameter 1, etc
[ebp+0x8]  ; contains parameter 0
[ebp+0x4]  ; contains return address
[ebp]      ; contains prev-EBP

, %p printf 4 , [ebp+0xc] ( %p). EBP, , (0012FF80), - .

, " ", ( "" ).

Re Q2) . , push eax, 4 esp, eax [esp], :

push eax
;  <=>
sub esp, 4
mov [esp], eax

  • , ?
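An added example, not code from the question or the answer above, that checks the layout facts the answer relies on. It assumes GCC or Clang on x86/x86-64 (the `__builtin_frame_address` / `__builtin_return_address` builtins and the function names are mine): the word just above the saved frame pointer is the return address, the stack grows toward lower addresses, and a local buffer like foo()'s buf sits below both.

```c
#include <stdint.h>

/* Added example; not from the question or the answer. Assumes GCC or Clang on
 * x86/x86-64: a function that takes its own frame address is compiled with a
 * frame pointer, so [ebp] = prev-EBP and [ebp+4] = return address
 * ([rbp] / [rbp+8] on 64-bit). */

/* 1 if the word right above the saved frame pointer is this function's own
 * return address: the "[ebp+0x4] contains return address" rule. */
__attribute__((noinline)) int return_address_above_saved_frame_ptr(void)
{
    void **frame = (void **)__builtin_frame_address(0); /* points at prev-EBP */
    void *ret = __builtin_return_address(0);            /* where 'ret' will jump */
    return frame[1] == ret;
}

__attribute__((noinline)) uintptr_t callee_frame_address(void)
{
    return (uintptr_t)__builtin_frame_address(0);
}

/* 1 if a called function's frame sits at a LOWER address than ours: every
 * push/call subtracts from ESP, so the stack grows downward in memory. */
__attribute__((noinline)) int stack_grows_down(void)
{
    uintptr_t mine = (uintptr_t)__builtin_frame_address(0);
    return callee_frame_address() < mine;
}

/* 1 if a 10-byte local like foo()'s buf lies below the return address. That is
 * why an unchecked strcpy into buf runs upward over prev-EBP and then the
 * return address; -fstack-protector puts a canary in that gap to detect it. */
__attribute__((noinline)) int buffer_below_return_address(void)
{
    volatile char buf[10];                 /* same size as foo()'s buf */
    void **frame = (void **)__builtin_frame_address(0);
    buf[0] = 'x';                          /* keep buf from being optimised away */
    return (uintptr_t)buf < (uintptr_t)&frame[1];
}
```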
