Question
See StackExplore.cpp code below. You will need to disable any stack checking as noted at the top of the file.
Here's what you need to do:
1) Compile the code as x86 (you can try x64)
2) Create "hacked.txt" file with input that will be used to cause the Bar function to run.
3) Experiment with changing the inputs, see how long the string needs to be to cause the app to have an access violation.
4) Once you know how long the string needs to be, and what characters cause the code flow to change, create input that results in the Bar function running (note - this will happen when you return from main)
If you understand how to use a debugger and see the memory, spend some time looking at the stack between buf and fileBuf - what are these values, what do they do? Step through this in assembly, and watch the stack as it runs through the Foo function.
Also, note that you will have to adjust the hacked.txt file for each run, because the addresses of the functions will change. How much do you have to change for this to work?
Deliverables:
Describe your process for creating your hacked.txt file, and show a screen shot of the code executing and running the Bar function.
StackExplore.cpp code
#if defined _WIN32
// Disable warnings because strncpy can be unsafe
#define _CRT_SECURE_NO_WARNINGS 1
#endif
// If compiling on Windows, you will need to change this setting:
// Disable Security Check (/GS-)
// You may also need to disable Control Flow Guard, if that setting is available
// gcc and clang will have similar settings, to know which these are, please RTFM
#include <stdio.h>
#include <string.h>
#include <conio.h>   // _getch (Windows only)

void Foo(const char* sz)
{
    char buf[20];
    printf("Address of buf= %p ", &buf);
    // Deliberately unsafe for this exercise: the count is the length of the
    // source string, not sizeof(buf), so it never limits the copy.
    strncpy(buf, sz, strlen(sz));
    printf("Buf= %s", buf);
}

void Bar(const char* sz)
{
    printf(" !!!We've been hacked!!!, sz=%s ", sz);
}

int main(int argc, char* argv[])
{
    printf("Address of main= %p ", main);
    printf("Address of Bar= %p ", Bar);
    printf("Address of Foo= %p ", Foo);
    printf("Hit enter when the hacked.txt file is ready ");
    _getch();
    FILE* pf = fopen("hacked.txt", "r");
    if (pf == nullptr)
    {
        printf("Couldn't open file ");
        return -1;
    }
    char fileBuf[128];
    size_t cch = fread(fileBuf, sizeof(char), sizeof(fileBuf), pf);
    // Terminate string
    if (cch >= sizeof(fileBuf) - 1)
        cch = sizeof(fileBuf) - 1;
    fileBuf[cch] = '\0';
    Foo(fileBuf);
    fclose(pf);
    return 0;
}
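Added example, not part of the original assignment or StackExplore.cpp: why the strncpy call in Foo gives no protection, shown beside a copy bounded by the destination size. The names overflow_bytes, copy_bounded and FooSafe are hypothetical, and the input strings are constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 20  /* same size as buf in Foo */

/* Bytes that strncpy(buf, sz, strlen(sz)) writes past the end of buf.
   The count comes from the source, so it never limits the copy. */
size_t overflow_bytes(const char *sz)
{
    size_t n = strlen(sz);
    return n > BUF_SIZE ? n - BUF_SIZE : 0;
}

/* Hardened copy: bounded by the destination, always NUL-terminated.
   Returns 0 if the input fit, 1 if it was truncated, -1 on bad arguments. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = strlen(src);
    int truncated = n >= dst_size;
    if (truncated)
        n = dst_size - 1;          /* leave room for the terminator */
    memcpy(dst, src, n);
    dst[n] = '\0';                 /* Foo's strncpy call never writes this */
    return truncated;
}

/* Hypothetical replacement for Foo using the bounded copy. */
int FooSafe(const char *sz)
{
    char buf[BUF_SIZE];
    int rc = copy_bounded(buf, sizeof(buf), sz);
    if (rc < 0) return rc;
    printf("Buf= %s%s\n", buf, rc ? " (truncated)" : "");
    return rc;
}

int main(void)
{
    /* Constructed input: 40 bytes, twice the size of buf. */
    const char *long_in = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("Foo would overflow by %zu bytes\n", overflow_bytes(long_in));
    FooSafe("hello");
    FooSafe(long_in);
    return 0;
}
```

Because the count passed to strncpy equals strlen(sz), the terminating NUL is never copied either, so Foo's printf("%s") reads past the copied bytes even for short inputs.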