The document introduces exploitation and provides an overview of key concepts for understanding exploitation, including CPU registers, stack memory, and function flow. Specifically, it discusses (1) what exploitation is and its goals of getting actions to perform, (2) important study points like CPU registers and understanding the stack, and (3) how the stack stores information for functions and passes arguments between them.

1. Introduction to Exploitation
th!nkh@ck-hackartist

2. Outline
• What is exploitation
• Study Points
• CPU Registers & Instructions
• Flow of Function
• Managing Memory

3. What is exploitation?
• The kind of exploitation is various
For software, hardware, system and etc.
• What is the goal of the exploitation?
The exploitation is getting actions you want it to do.
• What is needed?
Skill of computer languages
Knowledge of Operating System
Understanding architecture.

4. Study Points
• We will focus on :
CPU registers,
Understanding stack of computer,
A glance about assembly and C
• Why we study those
Most of exploitations come from memory corruption.

5. CPU Registers & Instructions
• Cores of CPU
CPU consists of registers, instructions.
• What does the different architecture of CPU means?
It means that they have the different instructions each others.
• Are you hard to get assembly?
Do not afraid to face it. Because assembly was made for us
with human friendly representation of opcodes.
• Special instructions
EBP, ESP, EIP

6. CPU Registers & Instructions
• 16 bits data registers can be accessed to high and low
half bits by AL&AH, BL&BH and etc.
16 Bits 32 Bits 64 Bits Description
AX EAX RAX Accumulator
BX EBX RBX Base Index
CX ECX RCX Counter
DX EDX RDX Data
BP EBP RBP Base Pointer
SP ESP RSP Stack Pointer
IP EIP RIP Instruction Pointer
SI ESI RSI Source Index Pointer
DI EDI RDI Destination Index Pointer

7. Composition of a Function
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}
Name
Parameters
Body
Return type

8. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}

9. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}

10. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}

11. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}

12. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}

13. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}
func1(argv[1]);

14. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}
func1(argv[1]);

15. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}
func1(argv[1]);

16. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}
func1(argv[1]);

17. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}
func1(argv[1]);

18. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}
func1(argv[1]);

19. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}
func1(argv[1]);
func2(buffer);

20. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}
func1(argv[1]);
func2(buffer);

21. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}
func1(argv[1]);
func2(buffer);

22. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}
func1(argv[1]);
func2(buffer);

23. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}
func1(argv[1]);
func2(buffer);

24. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}
func1(argv[1]);
func2(buffer);

25. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}
func1(argv[1]);

26. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}
func1(argv[1]);

27. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}
func1(argv[1]);

28. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}
func1(argv[1]);

29. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}

30. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}

31. Variation of Stack memory
void func2(char *x) {
printf(“You entered: %sn", x);
}
void func1(char *str) {
char buffer[16];
strcpy(buffer, str);
func2(buffer);
}
int main(int argc, char *argv[]) {
if (argc > 1)
func1(argv[1]);
else printf(“No arguments!n");
}

32. What is Stack?
• Stack is one of data structure.
LIFO - Last In First Out
• Imagine reading book and stacking
them. After reading them, we simply
take over the top of books. In the
circumstances, it is difficult to get a
book in middle of the tower.

33. Managing Memory
• One of role of Operating System is managing memory. In order
to manage memory, the memory is segmented into several
parts. The way memory is segmented is depends on OS.
However, main memory is existed and important in all OS.
• Main memory is represented to “logical” structure and consists
of several stack frames.
• Stack frame is a significantly important part. The stack frame is
represented by two pointers:
Base pointer(EBP or RBP) indicates start of current stack frame.
Stack pointer(ESP or RSP) indicates end of current stack frame.

34. Back to Previous Position
Empty memory
Top of memory
Start of memory
Newer stack frame
EBP
ESP

35. Back to Previous Position
Empty memory
Top of memory
Start of memory
Newer stack frame
EBPESP

36. Back to Previous Position
Empty memory
Top of memory
Start of memory
Newer stack frame
EBP
ESP

37. Back to Previous Position
Empty memory
Top of memory
Start of memory
Newer stack frame
EBP
ESP

38. Back to Previous Position
Empty memory
Top of memory
Start of memory
Newer stack frame
EBP
ESP

39. Back to Previous Position
Empty memory
Top of memory
Start of memory
Newer stack frame
EBPESP

40. Back to Previous Position
Empty memory
Top of memory
Start of memory
Newer stack frame
EBP ESP

41. Back to Previous Position
Empty memory
Top of memory
Start of memory
Newer stack frame
EBP ESP?

42. Back to Previous Position
Empty memory
Saved EBP
Top of memory
Start of memory
Newer stack frame
EBP
ESP

43. Back to Previous Position
Empty memory
Saved EBP
Top of memory
Start of memory
Newer stack frame
EBPESP

44. Back to Previous Position
Empty memory
Saved EBP
Top of memory
Start of memory
Newer stack frame
EBP
ESP

45. Back to Previous Position
Empty memory
Saved EBP
Top of memory
Start of memory
Newer stack frame
EBP
ESP

46. Back to Previous Position
Empty memory
Saved EBP
Top of memory
Start of memory
Newer stack frame
EBP
ESP

47. Back to Previous Position
Empty memory
Saved EBP
Top of memory
Start of memory
Newer stack frame
EBP
ESP

48. Back to Previous Position
Empty memory
Saved EBP
Top of memory
Start of memory
Newer stack frame
EBP
ESP

49. x86 calling conventions
• There are three types for calling function.
stdcall : The default call type of WinAPI32. A callee is
responsible for cleaning stack frame for arguments.
cdecl : The default call type of C. A caller is
responsible for cleaning stack frame.
• There are many call types.

50. Difference between them
push <arg2>
push <arg1>
call <callee>
push ebp
mov ebp esp
push <local variables>
pop ebp
ret <args size>
push <arg2>
push <arg1>
call <callee>
push ebp
mov ebp esp
push <local variables>
pop ebp
ret 0
add esp <args size>
Caller
Callee
Caller
cdecl stdcall

51. Thank you for listening.