I bought this book recently titled: Hacking: The Art of Exploitation (2nd Edition) and it's been bugging me so much lately. Anyway, with one of the examples, firstprog.c :

#include <stdio.h>

int main() {
    int i;
    for (i = 0; i < 10; i++) { // Loop 10 times.
        printf("Hello, world!\n"); // put the string to the output.
    }
    return 0; // Tell OS the program exited without errors.
}

It has you compile it with gcc (obviously :3 ), then use objdump (for this I just used gobjdump, couldn't find objdump for OS X) pipe the output to grep with main.: as the regex and show the first 20 lines. Then debug with gdb and break at main. Here's my main issue: all of the memory addresses are different!! For example, eip in the book is: 0x804837a. But with my computer with rip it's: 0x100000ee8 I was thinking it was just because I'm using a 64 bit OS, yet when I booted with the 32 bit version of Darwin, I got the same result. If anyone knows what this issue is, I'd greatly appreciate it. If it's something really stupid give me a break, I just turned 14 :)

Ethan Heilman
jaykru

2 Answers

4

As I'm sure you're studying reverse engineering, you should also look up what ASLR is. That is the main reason why your program's offset is different from the one in the book. It basically randomizes where your program will be located in memory so that you can't create an exploit that hardcodes the address of shellcode. This makes creating an exploit a lot harder.

MarioVilas
JosephH
  • Wow! That's pretty sweet, I never knew about that, thanks! – jaykru Nov 13 '11 at 05:12
  • gdb has an option to disable ASLR, I still wouldn't have the same addresses though, correct? – jaykru Nov 13 '11 at 05:19
  • I don't think you can disable ASLR using gdb. refer to http://stackoverflow.com/questions/6325537/disabling-aslr-in-mac-os-x-snow-leopard If ASLR is disabled, it would still be different if the version of the OS used in the book is different from yours. – JosephH Nov 13 '11 at 05:22
  • 1
    I found the option when I was trying to set the disassembly flavor to intel, "set disable-aslr on", there's actually a link to an article about it on that question: http://reverse.put.as/2011/08/11/how-gdb-disables-aslr-in-mac-os-x-lion/ – jaykru Nov 13 '11 at 05:27
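The answer and comments above explain that ASLR slides the whole program to a different base each run, which is why the runtime addresses gdb shows never match the book's 0x804837a and need not be stable even on one machine. The program below is an added example (not from the book or this thread) that makes the effect visible: it prints the runtime address of a function, the address the executable was actually loaded at, and the difference between the two. That difference is the offset objdump reports in the file, and it stays the same across runs even when ASLR moves everything else. The function name hello() and the helper names are my own; on Linux the load base comes from glibc's dl_iterate_phdr (first entry is the main program), on macOS from _dyld_get_image_header(0).

```c
#define _GNU_SOURCE          /* needed for struct dl_phdr_info on glibc */
#include <stdio.h>
#include <stdint.h>

#ifdef __APPLE__
#include <mach-o/dyld.h>     /* _dyld_get_image_header */
#else
#include <link.h>            /* dl_iterate_phdr */
#endif

/* Stand-in for the book's main(): the function whose address we examine. */
static void hello(void) { puts("Hello, world!"); }

/* Load address of the main executable for this run. With a PIE binary and
 * ASLR enabled this changes every run; for a non-PIE binary it is 0 on Linux. */
#ifdef __APPLE__
static uintptr_t exe_base(void) {
    /* Image 0 is always the main executable; its header sits at the load address. */
    return (uintptr_t)_dyld_get_image_header(0);
}
#else
static int first_phdr(struct dl_phdr_info *info, size_t size, void *data) {
    (void)size;
    *(uintptr_t *)data = info->dlpi_addr;   /* dlpi_addr is the load base */
    return 1;                               /* stop: first entry is the main program */
}
static uintptr_t exe_base(void) {
    uintptr_t base = 0;
    dl_iterate_phdr(first_phdr, &base);
    return base;
}
#endif

/* Address of hello() as gdb would show it (what "break main" / rip reports). */
static uintptr_t runtime_addr_of_hello(void) { return (uintptr_t)hello; }

/* Address relative to the load base: the offset objdump prints from the file.
 * Unlike the runtime address, this is a property of the binary, not of the run. */
static uintptr_t file_offset_of_hello(void) {
    return runtime_addr_of_hello() - exe_base();
}

/* What an exploit that hardcodes an address from a book is betting on.
 * Returns 1 only if this run happened to place hello() exactly there. */
static int hardcoded_address_matches(uintptr_t book_addr) {
    return runtime_addr_of_hello() == book_addr;
}

int main(void) {
    hello();
    printf("load base      : 0x%lx\n", (unsigned long)exe_base());
    printf("hello() runtime: 0x%lx  (changes per run with PIE + ASLR)\n",
           (unsigned long)runtime_addr_of_hello());
    printf("hello() offset : 0x%lx  (stable; compare with objdump)\n",
           (unsigned long)file_offset_of_hello());
    printf("book's 0x804837a matches this run? %s\n",
           hardcoded_address_matches(0x804837aUL) ? "yes" : "no");
    return 0;
}
```

Build it twice, once as a position-independent executable (gcc -fPIE -pie) and once without (gcc -no-pie), and run each a few times: the runtime address moves only in the PIE build, while the offset line never changes. That offset is the number to compare against objdump's listing; the book's 0x804837a is simply the fixed address of a 32-bit non-PIE Linux build, which neither a 64-bit macOS binary nor an ASLR-slid one will reproduce.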
3

The addresses you get will almost always be different from the addresses they show in the book. Heck, the addresses will likely change between different runs on your same system.

Michael Price