OSEC

From: Nasko Oskov (oskovuiuc.edu)
Date: Tue Apr 09 2002 - 02:28:27 CDT


    #include <stdio.h>

    void f() {
            char a[4];
            int *b;
            b = (int *)(a + 0x8);   /* guessed offset from a[] to the saved return address */
            (*b) += 0x8;            /* bump the return address by 8 bytes to skip "x = 1" */
    }

    int main(void) {
            int x;
            x = 0;
            f();
            x = 1;                  /* the store that the +0x8 is meant to jump over */
            printf("%d\n", x);
            return 0;
    }

    If you take a look at the disassembly for your main function
    and trace it in gdb, you will see why:

    0x8048400 in f ()
    (gdb)
    0x8048401 in f ()
    (gdb)
    0x804841e in main () // goes to this address in main
    (gdb) disas main
    Dump of assembler code for function main:
    0x8048404 <main>: push %ebp
    0x8048405 <main+1>: mov %esp,%ebp
    0x8048407 <main+3>: sub $0x18,%esp
    0x804840a <main+6>: movl $0x0,0xfffffffc(%ebp)
    0x8048411 <main+13>: call 0x80483e4 <f>
    0x8048416 <main+18>: movl $0x1,0xfffffffc(%ebp)

    // and as you can see there is no such address in main

    0x804841d <main+25>: add $0xfffffff8,%esp
    0x8048420 <main+28>: mov 0xfffffffc(%ebp),%eax
    0x8048423 <main+31>: push %eax
    0x8048424 <main+32>: push $0x8048490
    0x8048429 <main+37>: call 0x8048300 <printf>
    0x804842e <main+42>: add $0x10,%esp
    0x8048431 <main+45>: leave
    0x8048432 <main+46>: ret
    0x8048433 <main+47>: nop
    0x8048434 <main+48>: nop

    So in order to do what you want it to do, you have to
    make it land on 0x804841d instead. Try it out.

    -- 
    Nasko Oskov - CS Major                SIGMil CoChair
    College of Engineering UIUC           CS31337 TA              
    "You think your computer is secure? Think again!!!" 
    

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (SunOS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8spgastN/CLVMCTARAoSwAJ0UMh+tGWXpqbFGBxAbvB+Rxwi2VwCdHJai
    sBb9aknErSHzZK26abOewlk=
    =swjN
    -----END PGP SIGNATURE-----
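The reply above pins down why the posted f()/main() pair fails: "a + 0x8" is a guess at where the saved return address lives, and "+= 0x8" is a guess at how many bytes the "x = 1" store occupies, so the return lands at 0x804841e, in the middle of the "add $0xfffffff8,%esp" instruction. The following is an added example, not code from the thread, that performs the same trick deterministically. It locates the return slot by comparing stack contents against __builtin_return_address(0) instead of assuming an offset, and it redirects the return to a GCC/Clang label address (&&skipped) in the caller, which is always an instruction boundary, instead of adding a byte count. The function names (hijack_return, demo), the scan limit and the noinline attribute are this example's own choices; it assumes GCC or Clang on x86-64 Linux, and it is intentionally undefined behaviour written only to show the mechanics.

```c
/* Added example, not from the original post: a callee rewrites its own
 * saved return address so the caller's "x = 1" is skipped, but (1) the slot
 * is found by value rather than assumed to be at a + 0x8, and (2) the new
 * return target is a label address inside the caller, so we land on an
 * instruction boundary instead of guessing a byte count.
 * Assumes GCC/Clang on x86-64 (downward-growing stack, labels-as-values). */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define SCAN_LIMIT 512   /* how far above a[] to look for the return slot (assumption) */

/* Scan upward from a local array, the way the post's f() does, until the
 * pointer-sized value at that position equals our own return address.
 * On a hit, overwrite it with `target` and return the byte offset from a[];
 * on a miss, touch nothing and return -1. noinline keeps this frame (and
 * therefore the slot we are looking for) separate from the caller's. */
__attribute__((noinline)) static long hijack_return(void *target)
{
    char a[4] = {0};
    uintptr_t base = (uintptr_t)a;          /* launder so the scan is not folded away */
    void *ret = __builtin_return_address(0);

    for (long off = 0; off < SCAN_LIMIT; off++) {
        void *cand;
        memcpy(&cand, (const void *)(base + off), sizeof cand);
        if (cand == ret) {
            /* Verified slot: redirect the upcoming ret to the caller's label. */
            memcpy((void *)(base + off), &target, sizeof target);
            return off;
        }
    }
    return -1;                              /* slot not found: stack left intact */
}

/* Caller analogue of the post's main(). If the hijack works, control never
 * reaches "x = 1": the ret pops &&skipped and execution resumes there with
 * main's frame untouched, so x is still 0. */
__attribute__((noinline)) static int demo(void)
{
    volatile int x = 0;                     /* volatile: the load after the label is real */
    long off = hijack_return(&&skipped);
    if (off < 0)
        return -1;                          /* only reached if no slot was found */
    x = 1;                                  /* the store being jumped over */
skipped:
    return x;                               /* 0 when the return was redirected */
}

int main(void)
{
    int r = demo();
    printf("x after f() returned = %d (%s)\n", r,
           r == 0 ? "x = 1 was skipped" : "hijack did not happen");
    return 0;
}
```

Build with plain `gcc example.c -o example` (works at -O0 and -O2 because the slot is found by value, not by a fixed offset). Two caveats a practitioner should keep in mind: the scan reads past the end of a[], which is undefined behaviour and would be flagged by AddressSanitizer, and on a CPU and OS that enforce a hardware shadow stack (Intel CET) the mismatched return address faults instead of landing at the label.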