Assembly Language and Reverse Engineering: Experimental Report on Reverse Analysis of a Stack Overflow Vulnerability
2022-04-23 08:50:00 【Shed cold】
Experimental environment: Windows XP Professional, VC6.0, OllyDBG
- Experimental phenomena
C source code:
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#define PASSWORD "1234567"
/* Returns 0 when the password matches, nonzero otherwise.
   buffer[8] sits directly below authentication on the stack and
   strcpy() performs no bounds check: this is the vulnerable function. */
int verify_password(char *password){
int authentication;
char buffer[8];
authentication=strcmp(password,PASSWORD);
strcpy(buffer,password); /* overflows buffer when strlen(password) >= 8 */
return authentication;
}
int main(){
int valid_flag=0;
char password[1024];
while(1){
printf("please input password: ");
scanf("%s",password);
valid_flag=verify_password(password);
if(valid_flag){
printf("incorrect password!\n\n");
}
else{
printf("congratulations");
break;
}
}
system("pause");
return 0;
}
Normal behaviour: if the entered password is 1234567 (the PASSWORD set with #define), congratulations is printed; otherwise incorrect password! is printed.
Stack overflow: entering certain specific strings, such as "12345678", still prints congratulations. As shown below:
- Experimental analysis
Open the program compiled from StackOverFlow.cpp in OD (OllyDBG) and analyze the assembly:
Assembly corresponding to the main function:
Assembly corresponding to the verify_password function:
Process analysis:

Stack space is created for the main function.

Loop: eax is set to 1 and tested against itself, so the conditional jump is never taken. This corresponds to while(1): the loop condition itself never ends the loop.

Print: the string to be printed is stored at 00427064.

Input: the entered password is saved at ebp-404 (the 1024-byte password array).

Call the function: the address of the input is loaded into a register and pushed, then verify_password at 00401005 is called.

Save the main function's environment: the registers are pushed onto the stack before the call so that the main function's environment can be restored after returning.

Create the local variables (authentication at ebp-4, buffer at ebp-C).

Compare: PASSWORD is pushed first, then the entered password, and strcmp is called (arguments are pushed right to left).

The return value of strcmp is left in eax and stored at ebp-4 (authentication).

strcpy: ebp+8 (password) is pushed first, then the address of buffer (ebp-C) is loaded into edx and pushed, and the password is copied into buffer.

The function's return value (ebp-4) is loaded into eax, the saved environment is restored, and control returns to the calling function.

main stores the return value in valid_flag at the bottom of its frame and compares it with 0: if it is not equal to 0, incorrect password! is printed; if it is equal to 0, congratulations is printed.
Case analysis:
1. Input is 123456:

Because 123456 is less than 1234567, ebp-4 holds FFFFFFFF and buffer at ebp-C (ebp-12 in decimal) holds the ASCII codes of 123456 followed by the terminating 00.
FFFFFFFF compared with 0 is not equal, so incorrect password! is printed. This is normal.
2. Input is 1234567:

1234567 equals 1234567, so ebp-4 is 0 and buffer at ebp-C holds the ASCII codes of 1234567 followed by the terminating 00 (exactly 8 bytes, filling buffer).
0 compared with 0 is equal, so congratulations is printed. This is normal.
3. Input is 12345678:

12345678 is greater than 1234567, so strcmp returns 01, which is stored at ebp-4; the stack just before strcpy is shown in the figure.
After strcpy executes, the eight ASCII codes of 12345678 occupy all eight bytes of buffer at ebp-C. No space remains for the terminating 00, so it is written to the next byte, ebp-4, the low byte of authentication, which therefore becomes 0. Back in main the comparison 0 == 0 is equal and congratulations is printed: a stack overflow has occurred.
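The following is an added example, not part of the original report, that models the three cases above in portable C so the mechanism can be reproduced without VC6 and OllyDBG. It assumes the frame layout the OllyDBG dump shows (buffer[8] immediately below the 4-byte authentication slot, little-endian) and a strcmp that returns exactly -1, 0 or 1 as the report observed. The copy is done into a flat byte array rather than a real stack frame so the demonstration itself has no undefined behaviour, and a hardened form of verify_password that rejects over-long input is shown alongside it. The function names verify_password_model, verify_password_fixed and cmp_sign are this example's own.

```c
/*
 * Added model of the verify_password() frame described in the report.
 * Assumptions (from the report's OllyDBG dump, not a guarantee for other
 * compilers): buffer[8] lies directly below the 4-byte authentication
 * slot, x86 little-endian, strcmp yields exactly -1 / 0 / 1.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define PASSWORD "1234567"

/* strcmp normalised to -1/0/1, mirroring what the report saw in eax. */
int32_t cmp_sign(const char *a, const char *b)
{
    int r = strcmp(a, b);
    return (r > 0) - (r < 0);
}

/*
 * Model of the vulnerable frame: bytes [0..7] are buffer (ebp-C),
 * bytes [8..11] are authentication (ebp-4).  The copy writes strlen+1
 * bytes with no bound, exactly as strcpy does, but into a flat array
 * so the model itself stays defined.  A real frame would continue into
 * saved EBP and the return address; the model clamps there instead.
 */
int32_t verify_password_model(const char *password)
{
    unsigned char frame[8 + 4];
    int32_t authentication = cmp_sign(password, PASSWORD);
    memcpy(frame + 8, &authentication, 4);   /* authentication at ebp-4 */

    size_t n = strlen(password) + 1;          /* what strcpy would copy */
    if (n > sizeof frame) n = sizeof frame;
    memcpy(frame, password, n);               /* strcpy(buffer, password) */

    memcpy(&authentication, frame + 8, 4);    /* what main() tests */
    return authentication;
}

/* Hardened form: refuse anything that does not fit, then copy with a bound.
   Return contract is unchanged: 0 = correct, nonzero = incorrect. */
int32_t verify_password_fixed(const char *password)
{
    char buffer[8];
    size_t len = strlen(password);
    if (len >= sizeof buffer)
        return 1;                             /* too long: treat as incorrect */
    int32_t authentication = cmp_sign(password, PASSWORD);
    memcpy(buffer, password, len + 1);        /* fits, including the NUL */
    (void)buffer;                             /* kept only to mirror the original */
    return authentication;
}

int main(void)
{
    /* Constructed inputs: the report's three cases plus two extra lengths. */
    const char *inputs[] = { "123456", "1234567", "12345678", "00000000", "123456789" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-10s vulnerable=%d fixed=%d\n", inputs[i],
               (int)verify_password_model(inputs[i]),
               (int)verify_password_fixed(inputs[i]));
    return 0;
}
```

The extra inputs show why the bypass needs exactly eight characters that compare greater than PASSWORD: "00000000" compares lower, so the overwritten value is FFFFFF00 (still nonzero), and "123456789" puts the byte 0x39 into the low byte of authentication instead of 00, so neither of them is accepted.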
- Experimental conclusion
The experiment shows that the stack overflow is caused by an input that is too long: strcpy copies the terminating 00 past the end of buffer into the adjacent return-value slot (authentication at ebp-4), corrupting the value that main later tests.
Copyright notice
This article was written by [Shed cold]; when reposting, please include the original link, thank you
https://yzsam.com/2022/04/202204230827420015.html