I happened to come across an on-line exploit development class recently. It is/was a class hosted by the City College of San Francisco, but due to some logistical issues the professor is hosting it as a ‘pirate class’, available to everyone for free.


After the first couple of weeks, I’m having a blast in it. It covers some basic ASM (for 32-bit Intel processors) and basic C, and teaches the GDB 101 stuff.


I’m starting to dust off many old cobwebs from my time as a developer decades ago.


Wow, has it really been that long?


It took me longer than I wanted, but I was eventually able to remember how to read stack memory.


For example, when debugging, it’s helpful to know where the current stack frame starts and ends in memory, and the address of the next instruction to be executed (the eip register).

Above, you’ll see the output from GDB when you ask it to print the register information (‘info reg’). You’ll notice eax, ecx, edx and ebx, the general-purpose registers the program is using.

For this post, however, take a look at esp and ebp. esp is the stack pointer: it holds the address of the top of the stack (the most recently pushed word) and moves every time something is pushed or popped. ebp is the base pointer, also called the frame pointer: it is set once in the function prologue and stays fixed for the life of the call, so locals and arguments can be addressed at constant offsets from it. Because the x86 stack grows toward lower addresses, the current function’s frame is the region between the two: its locals sit from esp up to ebp, the word at [ebp] is the saved copy of the caller’s ebp, the word at [ebp+4] is the return address, and the function’s arguments follow above that.

To display the stack memory, we can tell gdb to print (arbitrarily) thirty hexadecimal 32-bit words (gdb’s ‘w’ unit, four bytes each), starting at esp, the low end of the frame:

What we see above is that the memory is printed starting from 0xffffd5f0, which is the same value $esp held when we looked at ‘info reg’. Each line is another ‘bank’ (in my head) of four words. The address printed at the left of a row is the address of that row’s first word, so the first row holds the words at 0xffffd5f0, 0xffffd5f4, 0xffffd5f8 and 0xffffd5fc.

Following along to $ebp, the word at location 0xffffd638 (0x48 bytes into the dump, so the fifth row, third column) is 0xffffd648. That is the caller’s saved ebp, which is why it is itself a stack address just above our frame; by the same convention, the word right after it, at 0xffffd63c, is the return address into the caller.
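As an added example (my own code, not from the class or from the original post), the following C program does on a live process what the gdb session above does by hand: it formats memory the way `x/Nxw` does, works out which row and column of the dump a given address lands in using the post’s own esp and ebp values, and reads its own frame base to confirm that the word at [ebp] is the caller’s saved frame pointer and the next word is the return address. It assumes GCC or clang (for `__builtin_frame_address` and `__attribute__((noinline))`); on a 64-bit host the registers are rbp/rsp and the two slots are 8 bytes each, but the layout is the same.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* gdb's `x/Nxw` prints four 4-byte words per row, each row labelled with the
 * address of its first word; dump_words mirrors that layout over any memory. */
#define WORDS_PER_ROW 4
#define WORD_SIZE     4

static void dump_words(const void *start, size_t count)
{
    const unsigned char *p = start;
    for (size_t i = 0; i < count; i++) {
        if (i % WORDS_PER_ROW == 0)
            printf("%s%p:", i ? "\n" : "", (const void *)(p + i * WORD_SIZE));
        uint32_t w;
        memcpy(&w, p + i * WORD_SIZE, sizeof w);   /* memcpy: no alignment assumptions */
        printf("\t0x%08" PRIx32, w);
    }
    putchar('\n');
}

/* Given the first address of an `x/Nxw` dump and an address of interest,
 * return the 0-based row and column where that word appears. */
struct word_pos { unsigned row, col; };

static struct word_pos locate_word(uint32_t dump_base, uint32_t addr)
{
    uint32_t offset = addr - dump_base;                 /* bytes into the dump */
    struct word_pos pos;
    pos.row = offset / (WORDS_PER_ROW * WORD_SIZE);
    pos.col = (offset % (WORDS_PER_ROW * WORD_SIZE)) / WORD_SIZE;
    return pos;
}

/* What a frame base points at: the saved caller frame pointer, then the
 * return address.  This is the [ebp] / [ebp+4] pair on 32-bit x86; on a
 * 64-bit host the same two slots are simply pointer-sized. */
struct frame_record {
    void *own_fp;       /* this function's frame pointer (ebp / rbp / x29) */
    void *saved_fp;     /* word at [fp]: the caller's frame pointer */
    void *return_addr;  /* word at [fp + sizeof(void *)]: where we return to */
};

static __attribute__((noinline)) struct frame_record inspect_frame(void)
{
    struct frame_record r;
    void **fp = __builtin_frame_address(0);   /* GCC/clang builtin; keeps a frame pointer in this function */
    r.own_fp = fp;
    r.saved_fp = fp[0];
    r.return_addr = fp[1];
    return r;
}

/* The check the gdb session does by eye: the value stored at the callee's
 * frame base must equal the caller's own frame pointer, and the callee's
 * frame must sit at a lower address, because the stack grows downward. */
static __attribute__((noinline)) int saved_fp_points_to_caller(void)
{
    void *my_fp = __builtin_frame_address(0);
    struct frame_record r = inspect_frame();
    return r.saved_fp == my_fp
        && (uintptr_t)r.own_fp < (uintptr_t)my_fp
        && r.return_addr != NULL;
}

int main(void)
{
    struct frame_record r = inspect_frame();
    printf("callee fp        = %p\n", r.own_fp);
    printf("[fp]    saved fp = %p  (main's frame base)\n", r.saved_fp);
    printf("[fp+%zu] ret addr = %p  (return address into main)\n",
           sizeof(void *), r.return_addr);
    printf("saved fp == main's fp: %s\n", saved_fp_points_to_caller() ? "yes" : "no");

    /* Eight 32-bit words from main's frame base upward, gdb style.  On a
     * 64-bit host each pointer spans two columns, low half first (little-endian). */
    dump_words(__builtin_frame_address(0), 8);

    /* Constructed from the post's numbers: the dump began at esp = 0xffffd5f0
     * and ebp = 0xffffd638, so [ebp] should be the fifth row, third column. */
    struct word_pos p = locate_word(0xffffd5f0u, 0xffffd638u);
    printf("0xffffd638 is row %u, column %u of the x/30xw dump\n", p.row + 1, p.col + 1);
    return 0;
}
```

Save it as, say, frame_walk.c, build it with `gcc -O0 -o frame_walk frame_walk.c` and run it; then run the same binary under gdb, break in main, and compare `x/8xw $rbp` (or `$ebp` on a 32-bit build) with the program’s own dump. The two agree, and the saved frame pointer you read at the frame base is exactly the higher stack address that the post finds at 0xffffd638.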