08 - The Stack

  • Published 23 Dec 2024

Comments • 39

  • @rbt-0007 1 year ago +6

    Wow. I am at a loss for words. This is hands down the BEST video on assembly I have seen. THANK YOU!

    • @jstrosch 1 year ago +1

      Wow, thanks! I appreciate the feedback.

  • @ZettaiKatsu2013 6 months ago +1

    Thanks for the lesson. Whenever you need to overwrite a register but you also need this erased value, just write it on the stack. We push EIP because we need to go to the actual body of the Foo function before doing the add. At 13:00 "return addy" means the "old value" of EIP

  • @Timo-Epis 3 months ago +2

    "if this is to confusion..." Your tutorial was excellent!!!

    • @jstrosch 3 months ago +1

      Thank you! 🙏

  • @OlivierDubois 10 months ago +1

    Nice and clear introduction! Just one thing starting around 6:55, you mentioned [ebp+4] as a way to reference a variable on the stack, and then drew it below ebp. But as the stack grows downward, I would assume [esp+4] to be in the stack. I believe [ebp+4] would be in the red zone (above the current stack frame).

    • @jstrosch 10 months ago +1

      Hi! It's quite possible that I misspoke in the moment - you are correct, local variables are going to typically be at a negative offset from EBP while arguments will be at a positive offset! Thanks for catching that.

  • @mejer_9668 1 year ago +5

    Great video and sooo helpful for my upcoming exam in malware analysis. Thx for taking your time to make this video. Saved me a headache

    • @jstrosch 1 year ago +1

      Glad it helped!

  • @Nex-ky9uy 8 months ago +1

    Thank you for the amazing tutorial. Sorry if this is a stupid question but I would like to know how these registers would work in a real life program if we would want to disassemble and crack it.

    • @jstrosch 8 months ago +1

      The registers and memory would be used by the CPU during execution - so disassembling gives us the instructions that will be executed. Memory will change, which often leads us to debug a program while reversing. It's a bit of a long answer, I'd suggest trying this playlist out to help get a more practical viewpoint: th-cam.com/play/PLHJns8WZXCdu6kPwPpBhA0mfdB4ZuWy6M.html.

    • @Nex-ky9uy 8 months ago +1

      @jstrosch thank you a lot for the answer and the link ❤️

  • @4007_AayushThapa 7 months ago

    I understand almost everything but I am still unable to know how the old value of SBP will be restored to its previous value before the function call ( Is it like the SBP contains its own stack data structure so that every time a function is called the old value of the SBP will be pushed onto the SBP stack data structure). And also, the return address will be the part of the calling function stack frame or called function stack frame and the pushed old SBP value as well?

  • @SuperMatchaLatte 2 years ago +2

    Thank you for a great video!
    Would you mind explaining how the stack would look when multiple parameters are passed when a procedure/function is called?

    • @jstrosch 1 year ago +1

      It will depend on the architecture (32 or 64 bit) and the calling convention. This video should help explain the primary conventions used in 32-bit programs: Understanding Calling Conventions - Ghidra Reversing Tutorials th-cam.com/video/FPIr4fGI8lw/w-d-xo.html. I use Ghidra, but the analysis of the code would be the same as if you were looking at it in IDA Pro. If someone is using assembly, they can essentially craft their own calling convention - in which case they could use any combination of registers/stack. If the stack is being used for multiple parameters/arguments, then you'll see additional PUSHes (or possibly MOVs into stack space) before the function call. Inside the function, it is common to use EBP to set up a stack frame, or base reference, to reference arguments and locals. Inside the function then you'll see relative positive offsets from EBP, such as EBP+8. The stack grows from higher to lower addresses, so inside a function positive offsets are needed to reference "lower" regions of the stack and thus the arguments. The stack will remain 4 byte aligned, even with values less than 4 bytes - so all of the offsets will be in multiples of 4 - i.e. +8, +Ch, +10h, etc. Let me know if this helps!

  • @s8x. 7 months ago

    for the epilogue, shouldn't the stack pointer mov to the base pointer instead? so it would be mov esp, ebp

    • @jstrosch 3 months ago

      Yes, that is typically the command used to move ESP back to the base, then POP and RET. Did I say that wrong in the video? Thanks for catching if so!

  • @ДимитърЦонев-г9у 5 months ago

    If at the end we increment ESP and it goes over the stored eax in the stack, what happens to eax as eax is no longer in the frame between the base of the stack and the top of the stack? Aren't we losing this data this way?

    • @jstrosch 3 months ago

      I don't recall exactly what I covered in the video - data left on the stack after a function unwinds/returns is lost, in a way. For example, if stack space is used to store data (i.e. as locals) during function execution, then when a function reaches the epilogue to begin to return, that data simply stays on the stack. It is no longer referenced and will be overwritten at some point by another function during its stack usage. Depending on the sensitivity of the data, it may be worthwhile to zero out the local variables before moving on. If the data is needed, it needs to be stored or returned for the rest of the program to use. Does this help answer your question?
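The 32-bit frame discussed in the replies above (arguments at positive EBP offsets such as [ebp+8] and [ebp+0Ch], the `mov esp, ebp` / `pop ebp` / `ret` epilogue, and a local left below ESP after the return), as an added example that is not from the video or from any of the commenters: a small C model of an x86 stack, so the offsets and the stale-data point can be checked by running it. The stack base address (0x1000) and the return address pushed by CALL (0x401005) are assumed values; the code simulates the pushes and pops in an array rather than executing real x86 instructions, so it builds and runs on any platform.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a 32-bit x86 stack: byte addresses grow downward from
 * STACK_TOP (assumed value 0x1000), one uint8_t per byte of memory. */
#define STACK_BYTES 256u
#define STACK_TOP   0x1000u
#define STACK_BASE  (STACK_TOP - STACK_BYTES)

typedef struct {
    uint8_t  mem[STACK_BYTES];
    uint32_t esp, ebp, eip;
} cpu_t;

/* Layout observed from inside foo, plus what is left over after RET. */
typedef struct {
    uint32_t saved_ebp, ret_addr, arg_a, arg_b; /* [ebp], [ebp+4], [ebp+8], [ebp+0Ch] */
    uint32_t local_addr, sum;                   /* address of [ebp-4] and the value stored there */
    uint32_t stale_after_ret;                   /* what [ebp-4] still holds after the epilogue */
    uint32_t esp_after, eip_after;
} frame_t;

static uint32_t rd32(const cpu_t *c, uint32_t addr) {
    uint32_t v;
    assert(addr >= STACK_BASE && addr + 4 <= STACK_TOP);
    memcpy(&v, &c->mem[addr - STACK_BASE], 4);
    return v;
}
static void wr32(cpu_t *c, uint32_t addr, uint32_t v) {
    assert(addr >= STACK_BASE && addr + 4 <= STACK_TOP);
    memcpy(&c->mem[addr - STACK_BASE], &v, 4);
}
/* PUSH decrements ESP then stores; POP loads then increments. */
static void push(cpu_t *c, uint32_t v) { c->esp -= 4; wr32(c, c->esp, v); }
static uint32_t pop(cpu_t *c) { uint32_t v = rd32(c, c->esp); c->esp += 4; return v; }

/* Callee: foo(a, b) adds its two arguments into one local. scrub_local
 * models zeroing that local before the epilogue, as suggested for sensitive data. */
static void foo(cpu_t *c, frame_t *f, int scrub_local) {
    push(c, c->ebp);            /* prologue: push ebp             */
    c->ebp = c->esp;            /*           mov  ebp, esp        */
    c->esp -= 4;                /*           sub  esp, 4 (1 local) */

    f->saved_ebp  = rd32(c, c->ebp);        /* [ebp]     caller's EBP   */
    f->ret_addr   = rd32(c, c->ebp + 4);    /* [ebp+4]   pushed by CALL */
    f->arg_a      = rd32(c, c->ebp + 8);    /* [ebp+8]   first argument */
    f->arg_b      = rd32(c, c->ebp + 0xC);  /* [ebp+0Ch] second argument */
    f->local_addr = c->ebp - 4;             /* [ebp-4]   the local      */

    f->sum = f->arg_a + f->arg_b;           /* body: add, store in the local */
    wr32(c, f->local_addr, f->sum);
    if (scrub_local) wr32(c, f->local_addr, 0);

    c->esp = c->ebp;            /* epilogue: mov esp, ebp */
    c->ebp = pop(c);            /*           pop ebp      */
    c->eip = pop(c);            /*           ret          */
}

/* Caller (cdecl): push arguments right-to-left, CALL, then add esp, 8. */
static frame_t run_demo(uint32_t a, uint32_t b, int scrub_local) {
    cpu_t c; frame_t f;
    memset(&c, 0, sizeof c); memset(&f, 0, sizeof f);
    c.esp = c.ebp = STACK_TOP;

    push(&c, b);
    push(&c, a);
    push(&c, 0x401005u);        /* CALL foo: assumed address of the next instruction */
    foo(&c, &f, scrub_local);
    c.esp += 8;                 /* add esp, 8: discard the two arguments */

    /* The local now sits below ESP: no frame owns it, but it is still in memory. */
    f.stale_after_ret = rd32(&c, f.local_addr);
    f.esp_after = c.esp; f.eip_after = c.eip;
    return f;
}

int main(void) {
    frame_t f = run_demo(3, 4, 0);
    printf("[ebp+8]=%u [ebp+0Ch]=%u sum=%u ret=%#x saved_ebp=%#x\n",
           f.arg_a, f.arg_b, f.sum, f.ret_addr, f.saved_ebp);
    printf("after ret: esp=%#x eip=%#x, stale local at %#x = %u\n",
           f.esp_after, f.eip_after, f.local_addr, f.stale_after_ret);
    printf("with scrub: stale local = %u\n", run_demo(3, 4, 1).stale_after_ret);
    return 0;
}
```

Build with `cc -std=c99 stack_model.c && ./a.out`. The first run shows the 7 still sitting at [ebp-4] after ESP has moved back above it; the second shows that zeroing the local before the epilogue is what removes it, since the epilogue itself only moves ESP.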

  • @HASANAROUR-p9u 1 year ago +1

    Thank you very much

    • @jstrosch 1 year ago

      You are welcome

  • @chrishob7318 1 year ago +1

    best explanation yet

    • @jstrosch 1 year ago

      Glad you think so!

  • @s8x. 7 months ago +1

    finally a good explanation. thank you

    • @jstrosch 6 months ago

      Thank you :)

  • @Neptune0x 3 months ago +1

    really good video thanks🎉

    • @jstrosch 3 months ago

      Thanks - really glad to hear these "old" videos are still getting some use!

  • @Dragos-b6z 1 month ago +1

    i cant believe i finally understood stack

    • @jstrosch 1 month ago

      Hey - that's great to hear!

  • @rexseppe7084 2 years ago

    Thank you!

    • @jstrosch 2 years ago

      You're welcome!

  • @ralnou 1 year ago

    Thanks very much!

    • @jstrosch 1 year ago

      You're welcome!

  • @lokivaleti 1 year ago +1

    nice explanation

    • @jstrosch 1 year ago

      Thanks and welcome 🙏

  • @babaibrahimapam9765 1 year ago

    thanks a lot

    • @jstrosch 1 year ago

      You are most welcome

  • @sika22220 2 years ago +1

    Thanks Sir it was really helpful

    • @jstrosch 2 years ago

      Glad to hear that