Character Hex value | Character Hex value Character Hex value 'A' 0x41 'J' Ox4a 'S' 0x53 'B' 0x42 'K' 0x4b "T" 0x54 0x43 'L' Ox4c 'U' 0x55 0x44 'M' 0x4d 'V' 0x56 0x45 'N' Ox4e 'W' 0x57 0x46 '0' Ox4f 'X' 0x58 0x47 'P' 0x50 'Y' 0x59 0x48 'Q' 0x51 'Z' Ox5a 'T' 0x49 'R' 0x52 '\0' 0x00 Now consider what happens on a Linux/x86 machine when callfoo calls foo with the input string "ZYXWVUTSRQPONMLKJIHGFEDCBA". A. On the left draw the state of the stack just before the execution of the instruction at address Ox40053a; make sure to show the frames for callfoo and foo and the exact return address, in Hex at the bottom of the callfoo frame. Then, on the right, draw the state of the stack just after the instruction got executed; make sure to show where the string "ZYXWVUTSRQPONMLKJIHGFEDCBA" is placed and what part, if any, of the above return address has been overwritten. B. Immediately after the ret instruction at address 0x400543 executes, what is the value of the program counter register %rip? (That is the register that contains the address of the next instruction to be executed.) %rip = 0x_ The next problem concerns the following C code: /copy input string x to buf */ void foo (char *x) { char buf [8]; strcpy((char *) buf, x); } void callfoo() { } foo("ZYXWVUTSRQPONMLKJIHGFEDCBA"); Here is the corresponding machine code on a Linux/x86 machine: 0000000000400530 : 400530: 48 83 ec 18 sub $0x18,%rsp 400534: 48 89 fe mov %rdi, %rsi 400537: 48 89 e7 mov %rsp,%rdi 40053a: e8 di fe ff ff callq 400410 40053f: 48 83 c4 18 add $0x18,%rsp 400543: c3 retq 400544: 0000000000400544 : 48 83 ec 08 sub $0x8,%rsp 400548: bf 00 06 40 00 mov $0x400600,%edi 40054d: e8 de ff ff ff callq 400530 400552: 48 83 c4 08 add $0x8,%rsp 400556: c3 This problem tests your understanding of the program stack. Here are some notes to help you work the problem: ⚫ strcpy(char *dst, char *src) copies the string at address src (including the terminating '\0' character) to address dst. It does not check the size of the destination buffer. • You will need to know the hex values of the following characters:

Transcribed Image Text:

Character Hex value | Character Hex value Character Hex value 'A' 0x41 'J' Ox4a 'S' 0x53 'B' 0x42 'K' 0x4b "T" 0x54 0x43 'L' Ox4c 'U' 0x55 0x44 'M' 0x4d 'V' 0x56 0x45 'N' Ox4e 'W' 0x57 0x46 '0' Ox4f 'X' 0x58 0x47 'P' 0x50 'Y' 0x59 0x48 'Q' 0x51 'Z' Ox5a 'T' 0x49 'R' 0x52 '\0' 0x00 Now consider what happens on a Linux/x86 machine when callfoo calls foo with the input string "ZYXWVUTSRQPONMLKJIHGFEDCBA". A. On the left draw the state of the stack just before the execution of the instruction at address Ox40053a; make sure to show the frames for callfoo and foo and the exact return address, in Hex at the bottom of the callfoo frame. Then, on the right, draw the state of the stack just after the instruction got executed; make sure to show where the string "ZYXWVUTSRQPONMLKJIHGFEDCBA" is placed and what part, if any, of the above return address has been overwritten. B. Immediately after the ret instruction at address 0x400543 executes, what is the value of the program counter register %rip? (That is the register that contains the address of the next instruction to be executed.) %rip = 0x_

Transcribed Image Text:

The next problem concerns the following C code: /copy input string x to buf */ void foo (char *x) { char buf [8]; strcpy((char *) buf, x); } void callfoo() { } foo("ZYXWVUTSRQPONMLKJIHGFEDCBA"); Here is the corresponding machine code on a Linux/x86 machine: 0000000000400530 <foo>: 400530: 48 83 ec 18 sub $0x18,%rsp 400534: 48 89 fe mov %rdi, %rsi 400537: 48 89 e7 mov %rsp,%rdi 40053a: e8 di fe ff ff callq 400410 <strcpy@plt> 40053f: 48 83 c4 18 add $0x18,%rsp 400543: c3 retq 400544: 0000000000400544 <callfoo>: 48 83 ec 08 sub $0x8,%rsp 400548: bf 00 06 40 00 mov $0x400600,%edi 40054d: e8 de ff ff ff callq 400530 <foo> 400552: 48 83 c4 08 add $0x8,%rsp 400556: c3 This problem tests your understanding of the program stack. Here are some notes to help you work the problem: ⚫ strcpy(char *dst, char *src) copies the string at address src (including the terminating '\0' character) to address dst. It does not check the size of the destination buffer. • You will need to know the hex values of the following characters: