So I tried debugging some simple C programs today;

First one being

int main() {
    int a, b;
    return 0;
}

Which when de-compiled gave me

  push        ebp  
  mov         ebp,esp  
  sub         esp,008h 

because I need to have 8 bytes to store a and b in the current stack frame since they are local variables!

But when I try the same with strings, say

int main() {
    char greeting[12] = "Pwnit2Ownit";
    return 0;
}

Which when de-compiled gave me

  push        ebp  
  mov         ebp,esp  
  sub         esp,0DCh 

0DCh is 220, but since the string is only 12 bytes long, shouldn't the

sub esp,0DCh

be

sub esp,00ch

instead?

And can anyone share some links on how strings are stored in memory and accessed later via assembly [preferably instructions], like how the string greeting is stored in memory if its length is large, since we can't store it all in the stack itself?

Peter Cordes
Dhayalan Pro
  • @JoseManuelAbarcaRodríguez This is about C here, not sure the linked question helps... – Daniel Jour May 18 '16 at 20:07
  • The compiler is being defensive. It allocated an extra 208 bytes for your string, so that when you overrun the buffer, it won't do any real damage. I have a feeling that there's a compiler option to turn that feature off. – user3386109 May 18 '16 at 20:08
  • @JoseManuelAbarcaRodríguez C doesn't have a native String data type actually, that's more related to C++ – Dhayalan Pro May 18 '16 at 20:09
  • @user3386109 Even I was thinking that, but another thought hit me: is that really it? How do they calculate the extra space? Like for a char it allocates cc [204 bytes]. Any link to other references or questions? Thanks for the info :D – Dhayalan Pro May 18 '16 at 20:11
  • A quick search for `[c] stack guard` here on SO turned up [this](https://stackoverflow.com/questions/33708568/overflowed-buffer-data-does-not-get-stored-contiguously/33708641#33708641). – user3386109 May 18 '16 at 20:15
  • What if you don't define anything? Will this stack allocation still be there? Perhaps you are not looking at the right thing... – Eugene Sh. May 18 '16 at 20:17
  • Yes, even if we don't have `char var = 'a';` but instead just `char var;`, it's `sub esp,0cch` in both cases, with and without the declaration – Dhayalan Pro May 18 '16 at 20:20
  • @user3386109 Could you say what the option is to turn off the buffer overflow option in VS 2015? – Dhayalan Pro May 18 '16 at 20:21
  • According to a comment in that thread, it's `/GS`, but I can neither confirm nor deny that. – user3386109 May 18 '16 at 20:26
  • @user3386109 Cool man, figured it out :D Did some googling with your input, changed some settings, and now only 12 bytes are getting allocated :D – Dhayalan Pro May 18 '16 at 20:29
  • Well that's interesting... Visual Studio by default assumes that every programmer using that tool is incompetent? – Lundin May 19 '16 at 06:40
  • @lundin Haha no, buffer overflows were common back in the days when developers had no idea about security, so around 2003 they introduced this to help developers with no idea of security avoid these kinds of bugs by default :D – Dhayalan Pro May 19 '16 at 08:02

1 Answer

As @user3386109 pointed out, the issue is that, to prevent overflows, the default security check in Visual Studio is enabled, and it provides extra space in order to prevent overflows, so turning it off made the compiler allocate only 12 bytes :D

To turn this security measure (Buffer Security Check, GS) off: Project settings -> C/C++ -> Code Generation -> Security Check = disable GS

A post related to GS:

http://preshing.com/20110807/the-cost-of-buffer-security-checks-in-visual-c/

Dhayalan Pro
  • Also note that if you'd written `const char *greeting = "a string literal";`, the string literal would be stored in a read-only section of your executable, and the function would only store a pointer to it on the stack. Unless you need to modify a string, just use pointers to them, not arrays. – Peter Cordes May 19 '16 at 07:17
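
An added worked example, not from the question, the answer or MSVC itself, modelling in plain C what the /GS security cookie discussed above does. The 12-byte `greeting` buffer from the question is followed in a struct by a cookie value; a copy routine writes a caller-chosen number of bytes starting at the buffer, and a check that stands for the one /GS emits before `ret` reports whether the cookie survived. The struct layout, the constant `COOKIE_VALUE` and the function names are constructed for this illustration; a real /GS cookie is a per-process random value that the compiler places and verifies itself, not a field you declare.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a /GS-protected frame: the local buffer sits just
 * below a "security cookie" that is checked before the function returns.
 * COOKIE_VALUE is an arbitrary constant chosen for this example; MSVC uses
 * a per-process random value. */
#define COOKIE_VALUE 0xA5C3E1F7u

struct gs_frame {
    char greeting[12];   /* the buffer from the question */
    uint32_t cookie;     /* stands in for the /GS security cookie */
};

/* Write 'len' bytes of src starting at greeting, deliberately ignoring the
 * 12-byte buffer size so an oversized length spills into the cookie exactly
 * as a real overrun would. The write is clamped to the struct size so the
 * model itself never leaves the object (keeps the demo free of UB). */
static void fill_frame(struct gs_frame *f, const char *src, size_t len)
{
    f->cookie = COOKIE_VALUE;
    memset(f->greeting, 0, sizeof f->greeting);
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, src, len);
}

/* The epilogue check: 1 if the cookie is unchanged, 0 if it was clobbered. */
static int cookie_intact(const struct gs_frame *f)
{
    return f->cookie == COOKIE_VALUE;
}

/* Returns 1 when copying 'len' bytes into the frame would trip the cookie
 * check (the condition under which a /GS build aborts instead of returning),
 * 0 when the copy stayed inside the 12-byte buffer. */
int overrun_detected(const char *src, size_t len)
{
    struct gs_frame f;
    fill_frame(&f, src, len);
    return !cookie_intact(&f);
}

int main(void)
{
    /* constructed inputs: the literal from the question and a longer one */
    static const char fits[]   = "Pwnit2Ownit";          /* 11 chars + NUL = 12 */
    static const char spills[] = "Pwnit2Ownit-overrun";  /* 19 chars + NUL = 20 */

    printf("12-byte copy: overrun detected = %d\n",
           overrun_detected(fits, sizeof fits));
    printf("20-byte copy: overrun detected = %d\n",
           overrun_detected(spills, sizeof spills));
    return 0;
}
```

Copying exactly 12 bytes (the literal plus its terminating NUL) leaves the cookie untouched; 13 or more bytes overwrite at least its first byte and the check fires. This is the whole mechanism behind the larger frame: the compiler needs room for the cookie next to the array, and it is only this check, not the padding itself, that turns an overrun into a detected failure rather than a silently corrupted return address.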