H3r3tic:

Here's the C code (from the Phrack 49 article)

#include"stdio.h"
void function(int a, int b, int c) {
char buffer1[8];
char buffer2[10];
int *ret;

ret = (int*)buffer1+12;
(*ret) += 8;

}

int main() {
int x;
x = 0;
function(1,2,3);

x=1;
printf("%d\n",x);
return 0;
}

Here's the dump for the main function:

Dump of assembler code for function main:
0x08048346 <main+0>: push %ebp
0x08048347 <main+1>: mov %esp,%ebp
0x08048349 <main+3>: sub $0x8,%esp
0x0804834c <main+6>: and $0xfffffff0,%esp
0x0804834f <main+9>: mov $0x0,%eax
0x08048354 <main+14>: sub %eax,%esp
0x08048356 <main+16>: movl $0x0,0xfffffffc(%ebp)
0x0804835d <main+23>: sub $0x4,%esp
0x08048360 <main+26>: push $0x3
0x08048362 <main+28>: push $0x2
0x08048364 <main+30>: push $0x1
0x08048366 <main+32>: call 0x8048328 <function>
0x0804836b <main+37>: add $0x10,%esp
0x0804836e <main+40>: movl $0x1,0xfffffffc(%ebp)
0x08048375 <main+47>: sub $0x8,%esp
0x08048378 <main+50>: pushl 0xfffffffc(%ebp)
0x0804837b <main+53>: push $0x804843c
0x08048380 <main+58>: call 0x8048268 <printf>
0x08048385 <main+63>: add $0x10,%esp
0x08048388 <main+66>: mov $0x0,%eax
0x0804838d <main+71>: leave
0x0804838e <main+72>: ret

and here's the dump for the function "function"

Dump of assembler code for function function:
0x08048328 <function+0>: push %ebp
0x08048329 <function+1>: mov %esp,%ebp
0x0804832b <function+3>: sub $0x38,%esp
0x0804832e <function+6>: lea 0xfffffff0(%ebp),%eax
0x08048331 <function+9>: add $0x30,%eax
0x08048334 <function+12>: mov %eax,0xffffffd4(%ebp)
0x08048337 <function+15>: mov 0xffffffd4(%ebp),%edx
0x0804833a <function+18>: mov 0xffffffd4(%ebp),%eax
0x0804833d <function+21>: mov (%eax),%eax
0x0804833f <function+23>: add $0x8,%eax
0x08048342 <function+26>: mov %eax,(%edx)
0x08048344 <function+28>: leave
0x08048345 <function+29>: ret
End of assembler dump.

Actually you are right, that is exactly what I am trying to do (basically trying to skip the x=1 instruction), but it doesn't seem to work. Even tried adding 8 (and 10) to words from buffer1 to buffer+80 hoping that it'd atleast garble the IP and hence do a core dump, but to no avail. (code pasted below

Meanwhile found about a bug in GCC 3.2 (h**p://gcc.gnu.org/bugzilla/show_bug.cgi?id=9624) which results in GCC allocating more buffer space than is required. Even after compensating for bigger buffer allocation the program produces nothing but "1". But even than the core dump should've happened in the scenario mentioned in the previous paragraph.

If you need any more info do let me know!

Regards,
esprain

==========================================
Now this should surely crash. shouldn't it? but it doesn't!

void function(int a, int b, int c) {
char buffer1[8];
// char buffer2[10];
int *ret;

ret = (int*)buffer1;
(*ret) += 20;
ret = (int*)buffer1+4;
(*ret) += 20;
ret = (int*)buffer1+8;
(*ret) += 20;
ret = (int*)buffer1+12;
(*ret) += 20;
ret = (int*)buffer1+16;
(*ret) += 20;
ret = (int*)buffer1+20;
(*ret) += 20;
ret = (int*)buffer1+24;
(*ret) += 20;
ret = (int*)buffer1+28;
(*ret) += 20;
ret = (int*)buffer1+32;
(*ret) += 20;
ret = (int*)buffer1+36;
(*ret) += 20;
ret = (int*)buffer1+40;
(*ret) += 20;
ret = (int*)buffer1+44;
(*ret) += 20;
ret = (int*)buffer1+48;
(*ret) += 20;
ret = (int*)buffer1+52;
(*ret) += 20;
ret = (int*)buffer1+56;
(*ret) += 20;
ret = (int*)buffer1+60;
(*ret) += 20;
ret = (int*)buffer1+64;
(*ret) += 20;
ret = (int*)buffer1+68;
(*ret) += 20;
ret = (int*)buffer1+72;
(*ret) += 20;
ret = (int*)buffer1+76;
(*ret) += 20;
ret = (int*)buffer1+80;
(*ret) += 20;

}

int main() {
int x;
x = 0;
function(1,2,3);
x=1;
printf("%d\n",x);
return 0;
}