I am reading Smashing The Stack For Fun And Profit.
When the author uses x86 assembly codes to illustrate the execve() behavior, he says:
0x80002bc <__execve>: pushl %ebp
0x80002bd <__execve+1>: movl %esp,%ebp
0x80002bf <__execve+3>: pushl %ebx
The procedure prelude.
0x80002c0 <__execve+4>: movl $0xb,%eax
Copy 0xb (11 decimal) onto the stack. This is the index into the
syscall table. 11 is execve.
0x80002c5 <__execve+9>: movl 0x8(%ebp),%ebx
Copy the address of "/bin/sh" into EBX.
0x80002c8 <__execve+12>: movl 0xc(%ebp),%ecx
Copy the address of name[] into ECX.
0x80002cb <__execve+15>: movl 0x10(%ebp),%edx
Copy the address of the null pointer into %edx.
0x80002ce <__execve+18>: int $0x80
Change into kernel mode.
------------------------------------------------------------------------------
So as we can see there is not much to the execve() system call. All we need
to do is:
a) Have the null terminated string "/bin/sh" somewhere in memory.
b) Have the address of the string "/bin/sh" somewhere in memory
followed by a null long word.
c) Copy 0xb into the EAX register.
d) Copy the address of the address of the string "/bin/sh" into the
EBX register.
e) Copy the address of the string "/bin/sh" into the ECX register.
f) Copy the address of the null long word into the EDX register.
g) Execute the int $0x80 instruction.
He says, copy the address of the address of the string into EBX register and copy the address of the string into ECX register.
However, the assembly codes movl 0x8(%ebp),%ebx and movl 0xc(%ebp),%ecx suggest that the address of the string is copied to EBX and the address of the address is copied to ECX. This seems to be the opposite of the authors' summary.
Is there anything I understand wrongly?
The author is saying that the execve() system needs the address of the string address. This is because the execve() system uses the string address address to find the program's argument table.
The program argument table is a list of strings that are passed to the program when it starts. The execve() system uses the string address address to find the program's argument table.
So the author is correct in saying that you need to copy the address from the string address to the ECX record.
However, your explanation is also correct. What you're seeing is that memory addresses are copied, not the data itself that those addresses point to.
The execve() system needs the string address to load the executable program. The execve() system also needs the address of the argument table to pass arguments to the program.
So the author is correct that you need to copy the string address to the EBX record.
In short, both explanations are correct. The author's explanation is more accurate, but can be a little confusing. Your explanation is simpler, but may not be as accurate.
Here's a simpler explanation:
The execve() system needs the string address to load the executable program. The execve() system also needs the address of the argument table to pass arguments to the program. Therefore, you need to copy the string address to the EBX register and the argument table address to the ECX register.
I hope this helps!