Assuming we got the following memory dump:

0x80004a3 <main+19>:    call   0x8000470 <function>
0x80004a8 <main+24>:    addl   $0xc,%esp
0x80004ab <main+27>:    movl   $0x1,0xfffffffc(%ebp)
0x80004b2 <main+34>:    movl   0xfffffffc(%ebp),%eax

So when the call of <function> is finished, i.e. the function returns,
the next Instruction is at 0x80004a8 (which the IP pointed at).

If we want to manipulate the stack (old linux x32 machine as test environment) and increase the RET Adress + 8 byte
we can jump past the command at 0x80004ab to 0x80004b2.

I know the inc for RET Adress is 8 bytes,
however i cant figure out how to calculate that up from the given memory dump.

I d be thankful for help.

Edited by katjaschmidt: n/a

7 Years
Discussion Span
Last Post by katjaschmidt

Why do you want to do this? That is, manipulate the
return address on the stack?

If you use a hardwired value like +8, you may need to
change it when you alter the assembly source.

In 32-bit assembly, CALL pushes a 32-bit return address on the
stack for a near CALL, the return address is the current value
of IP after the CALL instruction was pulled in and points to
the instruction after the CALL.

Add 10 to the return address on the stack and when the
RET is executed, IP will point to 80004b2,
do a memory dump of the stack just to be sure.
Because CALL will push the value
80004a8, and 80004a8 + A = 80004b2.
Ten is merely a static value, so you could try pointer arithmetic
with labels, using the difference.

If the offset points to a four byte instruction for instance,
adding 4 to the offset will point to the next instruction.

0x80004a3 : call 0x8000470 <function> 5 bytes
0x80004a8 : addl $0xc,%esp 3 bytes
0x80004ab : movl $0x1,0xfffffffc(%ebp) 7 bytes
0x80004b2 : movl 0xfffffffc(%ebp),%eax

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.