I try to write my first CTF program which should be exploitable to Buffer-Overflow. In order to do that, I did the next simple steps:
main functionis_authorized(char of size 1) and password(array of size 128)So main look like this:
int main()
{
char is_authorized = 't';
char password[128] = { 0 };
return 0;
}
In theory, the variables should be one after another on the stack, but what really happens very strangely, is that I have more three weird bytes between this two local variables.
Here is a snapshot of the memory when I debugged this program
0x0019FE70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...........................................
0x0019FE9B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...........................................
0x0019FEC6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc ..........................................ü
0x0019FEF1 fe 19 74 14 ff 19 00 63 23 41 00 01 00 00 00 70 4b 94 00 60 4e 94 00 01 00 00 00 70 4b 94 00 60 4e 94 00 70 ff 19 00 b7 21 41 00 þ.t.ÿ..c#A.....pK”.`N”.....pK”.`N”.pÿ..·!A.
As you can see in the snapshot, there are more three bytes - fc fe 19 on the stack between the variable, hence I cant complete the buffer overflow.
What are these weird bytes? The only thought I have in mind is the protection mechanism, but I disabled this, then what else it could be?
EDIT: For what it worth, here is the disassembly:
int main()
{
004116D0 push ebp
004116D1 mov ebp,esp
004116D3 sub esp,0C4h
004116D9 push ebx
004116DA push esi
004116DB push edi
004116DC mov ecx,offset _CC196ACA_main@c (041B000h)
004116E1 call @__CheckForDebuggerJustMyCode@4 (04111FEh)
char is_authorized = 't';
004116E6 mov byte ptr [is_authorized],74h
char password[128];
return 0;
004116EA xor eax,eax
}
004116EC pop edi
004116ED pop esi
004116EE pop ebx
}
004116EF mov esp,ebp
004116F1 pop ebp
004116F2 ret
the variables should be one after another on the stack
No, there is no such rule. Compiler should do anything, as long as side effects stay. A good compiler with optimizations should remove both variables from your code.
What are these weird bytes? The only thought I have in mind is the protection mechanism, but I disabled this, then what else it could be?
Padding between variables allocated on stack. Your non-optimizing compiler allocates stack variables aligned to an address divisible by 4. Hence 3 bytes padding between the next char variable. The values of the bytes are most probably left-over garbage left on stack by program initialization routines.