solution

Given this program prints the stack:

simple-stack-trace.c

——————–

#include

#include

/*

* simple stack frame trace program

*/

#define DEPTH 6

#define TRACE_DEPTH 100

int g(int d) {

int i = d ;

int * ip = &i ;

ip += d ;

for ( ; i>=0; i– ) {

printf(“%p 0x%08xn”, ip, *ip) ;

ip -= 1 ;

}

printf(“donen”) ;

return 0 ;

}

int f(int n) {

int i = n ; // force non-register parameter passing

printf(“downwards: %dn”,n) ;

if ( n ) f(n-1) ;

else g(TRACE_DEPTH) ;

printf(“upwards: %dn”,n) ;

return 0 ;

}

int main(int argc, char * argv[]) {

f(DEPTH) ;

return 0 ;

}

————–

given the output from simple-stack-trace.c

the goal is to "stack-hop". Standard calls push stack frames onto the stack as
calls are made, and pop them off as the functions return. All this information 
is on the stack, so it is possible (with a bit of ingenuity) to manipulate this
information using pointers.

--> In particular, we can arrange that we return not to the called, but to some other
--> function by replacing a return address with a starting address of that function.
examine the output of the program simple-stack-trace.c, and thereby 
understand what location you need to overwrite with the alternate address.
Here are some things to look for:
- The local variables are on the stack, and then are the number 5, 4, 3, 2, 1 and 0.
 You can look for these numbers.
- The base pointers are on the stack, and they are adresses on the stack forming a
 chain. You can look for values that are slightly larger than the address where the
 value is located, and going there, seeing if that number is also a stack address.
- The return addresses will be just above each base pointer and will be equal. Look
 for a repeated number, at a consistent number of locations above the base number.
 
How do you get your stack address? Use & on any local variable. Local variables are
automatic. That means they are on the stack. 
How do you move around the stack? With any luck stack elements are integer sized, so 
using an positive index on the pointer will point your to things higher (deeper) on 
the stack.

 Add one line to file stack-hopping.c to accomplish the trick.
- Look at sample-answer.txt for what a stack hop looks like.
- The Makefile has targets to organize your work.

———–

the file to edit:

stack-hopping.c

#include

—————————————

the output should match:

sample-answer.txt

./stack-hopping
downwards: 6
downwards: 5
downwards: 4
downwards: 3
downwards: 2
downwards: 1
downwards: 0
upwards: 0
upwards: 1
upwards: 2
stack hopped!
make: *** [stack-hop] Segmentation fault: 11

————

makefile :

__________________

P= simple-stack-trace

Q= stack-hopping

RED= 33[0;31m

GREEN= 33[0;32m

NC= 33[0m

all:

@echo “t1. ${GREEN}make stack-trace${NC}”

@echo “t2. examine the ${GREEN}run.out${NC} file”

@echo “t3. complete the ${GREEN}stack-hopping.c${NC} program”

@echo “t4. ${RED}make stack-hop${NC} to hop the stack”

make clean

stack-trace: $P

./$P > run.out

stack-hop: $Q

./$Q

$P: $P.c

cc -o $@ $<

$Q: $Q.c

cc -o $@ -fno-stack-protector $<

clean:

-rm $P $Q run.out