/*
 * smash.c
 *
 * Mike Smith
 *
 * h4cked by Jason Gao '10
 * re-h4cked by David J. Malan '99
 *
 * This program is a verbose version of our unsafe eco.c.
 *
 * It is a deliberately vulnerable teaching example, not code to reuse:
 * echo_arg() copies a command-line argument into a 4-byte stack buffer
 * with an unbounded strcpy(), and the diagnostic printf() calls use
 * "%08x" conversions with no matching arguments so that they dump
 * whatever is on the stack.  Both are undefined behavior by design.
 *
 * If you run the program with the following perl-formatted input, it
 * will return to the function gotcha instead of main.
 *
 * "1234" . "\xb8\xf5\xff\xbf" . "\x94\x87\x04\x08";
 *
 * The payload is three 4-byte pieces, matching the stack layout printed
 * by echo_arg: "1234" fills buf, the next four bytes land on the saved
 * EBP, and the last four (little-endian 0x08048794) overwrite the return
 * address with the address of gotcha.  Those two addresses come from one
 * particular 32-bit build; on any other build they must be re-derived
 * from the "Start address of gotcha" line the program prints.
 * NOTE(review): on a toolchain with a stack protector, ASLR, or 64-bit
 * pointers the demo as written will presumably not work unchanged —
 * confirm the build flags before running it.
 */

/* The three header names were lost in extraction; the calls below need
 * <stdio.h> (printf), <stdlib.h> (exit) and <string.h> (strcpy). */
#include
#include
#include

/* Size of the overflowable buffer in echo_arg.  Intentionally tiny so a
 * short argument already overruns it. */
#define MAX_BUF_SIZE 4

/*
 * Target of the hijacked return.  Nothing in this file calls gotcha;
 * the only way to reach it is by overwriting the return address that
 * echo_arg will pop.  It exits instead of returning because the same
 * overflow has also clobbered the saved base pointer, so there is no
 * sane caller frame left to return into.
 */
void gotcha()
{
    printf("\nGotcha!\n");
    exit(1); /* required because we destroy the caller's base pointer */
}

/*
 * Echo one argument through a 4-byte stack buffer, dumping the stack
 * before and after the copy.
 *
 * s: NUL-terminated string from argv.  Any s with strlen(s) >= MAX_BUF_SIZE
 *    overflows buf (strcpy also copies the terminating NUL), smashing
 *    whatever the compiler placed above it: the saved EBP and the return
 *    address, per the layout labels printed below.  This is the bug the
 *    program exists to demonstrate; do not "fix" it with a bounded copy
 *    without also changing the exercise.
 */
void echo_arg(const char s[])
{
    char buf[MAX_BUF_SIZE];

    /* Another cheap and dirty trick: This printf call says that there
     * are parameters on the stack, but there aren't. What happens is
     * we interpret the other locations on the stack as the parameters
     * to printf. The result is that we get to see what is on the
     * stack of the caller of printf.
     *
     * Format/argument mismatch is undefined behavior; -Wformat will
     * warn about it.  The labels assume a 32-bit x86 frame where
     * arguments are pushed on the stack — on an ABI that passes
     * arguments in registers the slots printed here are something else
     * entirely.  The number of "garbage" slots below buf is whatever the
     * compiler happened to allocate for this build.
     */
    printf("\nContents of echo_arg's stack BEFORE strcpy:\n"
           "0x%08x -- garbage\n"
           "0x%08x -- garbage\n"
           "0x%08x -- garbage\n"
           "0x%08x -- garbage\n"
           "0x%08x -- initial contents of buf\n"
           "0x%08x -- contents of EBP in main\n"
           "0x%08x -- return address for call to echo_arg\n"
           "0x%08x -- address of string passed to echo_arg\n");

    /* The unbounded copy: no length check against MAX_BUF_SIZE. */
    strcpy(buf, s);

    /* Same stack dump again so the effect of the overflow is visible
     * slot by slot (same format/argument mismatch as above). */
    printf("\nContents of echo_arg's stack AFTER strcpy:\n"
           "0x%08x -- garbage\n"
           "0x%08x -- garbage\n"
           "0x%08x -- garbage\n"
           "0x%08x -- garbage\n"
           "0x%08x -- final contents of buf\n"
           "0x%08x -- contents of EBP in main\n"
           "0x%08x -- return address for call to echo_arg\n"
           "0x%08x -- address of string passed to echo_arg\n\n");

    /* If s overflowed buf, the NUL terminator lies beyond buf's bounds and
     * this read runs past the end of the array. */
    printf("%s ", buf);
}

/*
 * Print the addresses of main and gotcha (so the attacker can build the
 * payload), then echo every argument through the vulnerable echo_arg.
 *
 * Returns 0 — but only if no argument hijacked echo_arg's return; a
 * successful smash ends the process in gotcha via exit(1).
 */
int main(int argc, char * argv[])
{
    int i;

    /* Casting a function pointer to unsigned int only round-trips where
     * pointers are 32 bits, consistent with the 0x%08x format and the
     * EBP-based layout comments above; on a 64-bit target it truncates. */
    printf("Start address of main is 0x%08x\n", (unsigned int)main);
    printf("Start address of gotcha is 0x%08x\n", (unsigned int)gotcha);

    /* argv[0] is skipped; each remaining argument is a potential payload. */
    for (i = 1; i < argc; i++) {
        echo_arg(argv[i]);
    }

    printf("\n");
    return 0;
}