0xV3n0m

Announcement

Welcome To My Personal Blog

1.16 Pointers

A quick reminder of what Pointers are: it is a variable that stores an address in memory (Memory Address) Not the value itself

1.16.1 Returning values

Pointers are often used to return values from functions (remember the case of scanf() that we talked about before)

For example, when a function needs to return two values.

This is an example using Global Variables

1
#include <stdio.h> // include the standard I/O header (this line includes the necessary library for input/output functions like printf)
2

3
void f1 (int x, int y, int *sum, int *product) // function definition that takes two integers and two pointers to integers
4
{
5
    *sum = x + y; // dereference the sum pointer and assign the sum of x and y to it
6
    *product = x * y; // dereference the product pointer and assign the product of x and y to it
7
};
8

9
int sum, product; // declare global variables sum and product
10

11
void main() // main function (note: should be int main() for standard compliance)
12
{
13
    f1(123, 456, &sum, &product); // call f1 with 123, 456, and addresses of global sum and product
14
    printf("sum=%d, product=%d\\n", sum, product); // print the values of sum and product
15
};

This code comes out in this form after compilation:

1
Listing 1.103: Optimizing MSVC 2010 (/Ob0) ; this is the assembly listing label
2

3
COMM _product:DWORD ; declare common storage for _product as DWORD
4
COMM _sum:DWORD ; declare common storage for _sum as DWORD
5
$SG2803 DB 'sum=%d, product=%d', 0aH, 00H ; define the format string for printf
6

7
_x$ = 8        ; size = 4 ; parameter offset for x
8
_y$ = 12       ; size = 4 ; parameter offset for y
9
_sum$ = 16     ; size = 4 ; parameter offset for sum pointer
10
_product$ = 20 ; size = 4 ; parameter offset for product pointer
11

12
_f1 PROC ; start of f1 procedure
13
    mov ecx, DWORD PTR _y$[esp-4] ; move y value to ECX
14
    mov eax, DWORD PTR _x$[esp-4] ; move x value to EAX
15
    lea edx, DWORD PTR [eax+ecx] ; load effective address of sum (EAX + ECX) to EDX
16
    imul eax, ecx ; multiply EAX by ECX (product)
17
    mov ecx, DWORD PTR _product$[esp-4] ; move product pointer to ECX
18
    push esi ; push ESI to stack
19
    mov esi, DWORD PTR _sum$[esp] ; move sum pointer to ESI
20
    mov DWORD PTR [esi], edx ; store sum at address pointed by ESI
21
    mov DWORD PTR [ecx], eax ; store product at address pointed by ECX
22
    pop esi ; pop ESI from stack
23
    ret 0 ; return from function
24
_f1 ENDP ; end of f1 procedure
25

26
_main PROC ; start of main procedure
27
    push OFFSET _product ; push address of _product
28
    push OFFSET _sum ; push address of _sum
29
    push 456 ; 000001c8H ; push 456
30
    push 123 ; 0000007bH ; push 123
31
    call _f1 ; call f1
32
    mov eax, DWORD PTR _product ; move _product value to EAX
33
    mov ecx, DWORD PTR _sum ; move _sum value to ECX
34
    push eax ; push product
35
    push ecx ; push sum
36
    push OFFSET $SG2803 ; push format string address
37
    call DWORD PTR __imp__printf ; call printf
38
    add esp, 28 ; add 28 to ESP (stack cleanup)
39
    xor eax, eax ; set EAX to 0
40
    ret 0 ; return 0
41
_main ENDP ; end of main procedure

He saw it at that time on OllyDbg, we will do it on x32dbg as usual

First, of course, after we write the C code and compile it, we run it on x32dbg and open the Main Function and stop until the call teeest.3B36F2

Of course, at first, the addresses of the global variables are sent to the function f1() we can press Follow in dump

On an element in the stack and then we will see the place reserved in the data segment for these two variables

We will find here that these variables are zeroed because the data that is not initialized is zeroed before execution starts

We start pressing F7 and this will enter us inside f1

The Stack will be in this form

Which is this

1
x = 123 (0x7B) ; value of x
2
y = 456 (0x1C8) ; value of y
3
sum = address ; address of sum
4
product = address ; address of product

After we reach the end of f1 and then return to main again after that these values are placed in the registers

And then sent to printf() via the stack

Local variables example

Let's modify our example a bit:

Listing 1.104: Now the sum and product variables are local

1
void main() // main function
2
{
3
    int sum, product; // now these variables are local inside this function (declare local variables sum and product)
4
    f1(123, 456, &sum, &product); // call f1 with addresses of local sum and product
5
    printf("sum=%d, product=%d\\n", sum, product); // print sum and product
6
};

The f1() code will not change. Only the main() code will change:

Listing 1.105: Optimizing MSVC 2010 (/Ob0)

1
_product$ = -8 ; size = 4 ; offset for local product
2
_sum$     = -4 ; size = 4 ; offset for local sum
3
_main PROC ; start of main
4
; Line 10
5
    sub esp, 8 ; allocate 8 bytes on stack for locals
6
; Line 13
7
    lea eax, DWORD PTR _product$[esp+8] ; load address of product
8
    push eax ; push product address
9
    lea ecx, DWORD PTR _sum$[esp+12] ; load address of sum
10
    push ecx ; push sum address
11
    push 456 ; 000001c8H ; push 456
12
    push 123 ; 0000007bH ; push 123
13
    call _f1 ; call f1
14
; Line 14
15
    mov edx, DWORD PTR _product$[esp+24] ; move product value to EDX
16
    mov eax, DWORD PTR _sum$[esp+24] ; move sum value to EAX
17
    push edx ; push product
18
    push eax ; push sum
19
    push OFFSET $SG2803 ; push format string
20
    call DWORD PTR __imp__printf ; call printf
21
; Line 15
22
    xor eax, eax ; set EAX to 0
23
    add esp, 36 ; stack cleanup
24
    ret 0 ; return

We will try this on x32dbg too

Of course the C code will be like this

1
#include <stdio.h> // include stdio.h
2

3
void f1(int a, int b, int* sum, int* product) // function f1
4
{
5
    *sum = a + b; // assign sum
6
    *product = a * b; // assign product
7
}
8

9
int main() // main function
10
{
11
    int sum; // local sum
12
    int product; // local product
13

14
    f1(123, 456, &sum, &product); // call f1
15

16
    printf("sum=%d, product=%d\\n", sum, product); // print
17
    return 0; // return 0
18
}

And we start to see the Main

We will notice at first in main

1
push ebp ; push EBP
2
mov ebp, esp ; move ESP to EBP
3
sub esp, 8 ; subtract 8 from ESP (allocate for locals)

Which means that 8 bytes are reserved, sum will take 4 bytes and product will take 4 bytes

And if we come to the Stack window, we will find the real addresses of the local variables

And when we do DUMP for one of them, it will show garbage like this because f1() hasn't started yet

We start going to call teeest.6936f2, press F7 to enter F1()

And we keep pressing F8 to run it all and at the end we return to do DUMP again and we will find the DUMP in this form

1
002EF854 = 00000243  ; 579 (sum value)
2
002EF858 = 0000DB18  ; 56088 (product value)

The summary (Conclusion)

The function f1() can return pointers to any place in memory, existing anywhere.

And this is basically the use and importance of pointers.

And by the way, references in C++ work in exactly the same way.

1.16.2 Swap input values

This code will do what is required:

1
#include <memory.h> // include memory.h for strdup
2
#include <stdio.h> // include stdio.h for printf
3

4
void swap_bytes (unsigned char* first, unsigned char* second) // function to swap two bytes using pointers
5
{
6
    unsigned char tmp1; // temporary variable 1
7
    unsigned char tmp2; // temporary variable 2
8
    tmp1 = *first; // store value at first pointer in tmp1
9
    tmp2 = *second; // store value at second pointer in tmp2
10
    *first = tmp2; // assign tmp2 to location pointed by first
11
    *second = tmp1; // assign tmp1 to location pointed by second
12
};
13

14
int main() // main function
15
{
16
    // copy the string to the heap, so we can modify it
17
    char *s = strdup("string"); // duplicate string and assign pointer to s
18
    // swap the second and third characters
19
    swap_bytes(s + 1, s + 2); // call swap_bytes with pointers to second and third chars
20
    printf("%s\\n", s); // print the modified string
21
};

As we see, the bytes are loaded into the least 8 bits of the registers ECX and EBX using the MOVZX instruction

(And this means that the higher parts of these registers are zeroed), and then the bytes are written again but after they are swapped.

Listing 1.106: Optimizing GCC 5.4

1
swap_bytes: ; start of swap_bytes
2
    push ebx ; push EBX
3
    mov edx, DWORD PTR [esp+8] ; move first pointer to EDX
4
    mov eax, DWORD PTR [esp+12] ; move second pointer to EAX
5
    movzx ecx, BYTE PTR [edx] ; move byte from EDX with zero extend to ECX
6
    movzx ebx, BYTE PTR [eax] ; move byte from EAX with zero extend to EBX
7
    mov BYTE PTR [edx], bl ; move low byte of EBX to address in EDX
8
    mov BYTE PTR [eax], cl ; move low byte of ECX to address in EAX
9
    pop ebx ; pop EBX
10
    ret ; return