Insert this registry key into your system registry to add a “Open at Command Prompt…” menu item to the Windows Explorer context menu. When right-clicking on a folder, this new menu option will appear allowing you to open a command prompt already set to the selected folder.
cmdprompt.reg (right-click the link and select “Save Link As…”)]]>
The better option is to add facebook.com as an exception. This will limit third-party cookies to just Facebook. Open the “Options” dialog and select the “Privacy” tab then click “Exceptions”.
On the Exceptions dialog, enter “facebook.com” into the text box and click “Allow”.
Once this is done it should get rid of that annoying looping pop-up window.]]>
I ran into an issue the other day where I needed to disable form submission when the enter key was pressed. To fix this you need to add a hander for onKeyPress for the <body>. This will disable any effect by the Enter key for the entire page.
onKeyPress for the <body>. This will disable any effect by the Enter key for the entire page.
<script language="JavaScript">
function disableEnterKey(e)
{
var key;
if(window.event)
key = window.event.keyCode;
else
key = e.which;
return (key != 13);
}
</script>
<body onKeyPress="return disableEnterKey(event)">
If you want to disable form submission for a particular input field, add the onKeyPress handler of the input field:
<input type="text" name="foo" onKeyPress="return disableEnterKey(event)" >
]]>
This script will take as input a directory containing other files and folders and create a CD image that can be burned to CD using any CD writing software. This script requires the Cygwin environment with mkisofs installed. To install, copy mkiso.bat to the <cygwin>/bin directory. Edit the mkiso.reg file to point to the location of mkiso.bat. By default, this is “c:cygwinbinmkiso.bat”. Double click on mkiso.reg to enter the key into the registry. This will add a “Make CD Image…” menu item to the Windows Explorer context menu. When right-clicking on a folder, this new menu option will appear. To create a CD image, create an empty folder. This will be the root folder of the CD. Place whatever files and directory structure is to be on the CD into this folder. When finished, right click on the folder and select “Make CD Image…” Mkisofs.exe from the Cygwin installation will be launched in a command window displaying the progress of the image creation. When done, there will be a CD image with the same name as the target folder in the folder’s parent directory. The mkiso.bat file can be run by itself at a command window by entering: mkiso . Note that this script does not check that the size of the directory contents will actually fit onto a CD. mkiso.reg (right-click the link and select “Save Link As…”) mkiso.bat (right-click the link and select “Save Link As…”)]]>
I was installing MySQL on a Ubuntu VM to do some testing. Being lazy, I was following the directions posted on the How-To Geek blog which was a breeze. Until I actually tried to create my database.
$ mysqladmin create <databasename> error: 'Access denied for user 'root'@'localhost' (using password: NO)'
Oops…
$ sudo !! sudo mysqladmin create <databasename> [sudo] password for testuser: error: 'Access denied for user 'root'@'localhost' (using password: NO)'
Hmmm… oh yeah, password…
$ sudo mysqladmin -u root -p create <databasename> Enter password: error: 'Access denied for user 'root'@'localhost' (using password: YES)'
Ummm…. ok…. So after messing around for a while and Googling a lot, it seems the setup script that is run by Aptitude to create the installation doesn’t actually set the root password correctly. I found I had to do the following:
$ sudo stop mysqld
mysql stop/waiting
$ sudo mysqld_safe --skip-grant-tables &
110613 17:36:18 mysqld_safe Logging to syslog.
110613 17:36:19 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
$ mysql
Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 2
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.
mysql> update mysql.user set password=PASSWORD('password') where user='root';
Query OK, 1 row affected (0.01 sec)
Rows matched: 3 Changed: 1 Warnings: 0
mysql> flush privileges;
Query OK, 0 rows affected (0.01 sec)
mysql> exit
Bye
$ sudo mysqladmin -u root -p shutdown
Enter password:
110613 21:21:49 mysqld_safe mysqld from pid file /var/lib/mysql/Test-ubuntu.pid ended
[1]+ Done sudo mysqld_safe --skip-grant-tables
$ sudo start mysql
mysql start/running, process 22598
$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 34
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.
mysql> exit
Bye
$ mysqladmin -u root -p create test
Enter password:
$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 36
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| test |
+--------------------+
3 rows in set (0.00 sec)
mysql>
Woo Hoo! Working now! What a PITA!]]>
I’ve heard the following expression numerous times in various contexts: “Opinions are like assholes, everyone’s got one!”. Sure, we get the point. It does not however make one’s opinion less valid or make any facts on which they are based less true. One could possibly have a misunderstanding of fact and arrive at an invalid conclusion. However, the opinion formed at the time is likely valid based on the current understanding of the facts.
My opinion expressed in this article is based on my understanding of facts, my views on current laws, how they are interpreted (to the best of my understanding) and how I feel they should be interpreted. In no way do I claim to be a lawyer and I certainly don’t offer legal advice. I just hope to offer a somewhat educated point of view that may be helpful in bringing understanding of culture and copyright into the digital age.
I’m open to constructive criticism and alternate points of view which may indeed change my opinion. I’ve been reading through Lawrence Lessig’s Free Culture again. Published in 2004, its arguments are still as relevant today if not more so. Every time I read articles on copyright my own thoughts and opinions get stirring through my head sometimes so much that I have trouble paying attention to what I’m reading. I thought maybe it was time I started to vent a little about the subject.
So, what is culture? What defines culture? Lessig’s Free Culture doesn’t seem to explicitly define what culture is but tries to create a distinction between “commercial” and “non-commercial” culture. Both of which are to be “consumed” in some manner. In my opinion however, “consumables” don’t define culture but rather culture defines what is “consumable”.
This isn’t to say consumables don’t have an influence on cultural evolution but cultural evolution is advanced by the current interests and interactions of the people in a society. I grew up in the ’80s. At least those were my teen years when culture first mattered. I was a “headbanger” defined by the length of my hair, my dress, the music I consumed, mostly influenced by my peers who they (and myself) were influenced by the music we consumed.
The music didn’t define the culture but it certainly had an influence. We would model our own style after our favorite musicians, we listened to the music our friends liked (and parents hated). But that didn’t define culture. We also smoked if our friends smoked, worked on muscle cars, had teenage keggers in the woods, snuck into drive-ins (yes, there were drive-ins), did stupid stunts to try to pick up girls. These were the things that defined our culture. Consumable media, while it had an influence, played only a very small part.
Lessig describes the non-commercial culture as “When old men sat around parks or on street corners telling stories that kids and others consumed”. I really think it is important to note that culture is not “the stories that were consumed” or the “consumption” of stories but rather the socialization of the people involved in a common activity and sharing it with each other.
The story or content is not what defines the culture but merely has the potential to influence. Culture is created all the same if the people are in the park playing baseball or watching/performing magic tricks. I’m not trying to say Lessig is wrong about anything. Like I have the qualifications to even approach being able to do something like that! Lessig is pointing out the precipice on which we are standing where big media is trying hard to control how content is consumed, to control how content is assimilated into culture (while maximizing profits), and the potential impact such control will have on future creativity. I’m just trying to make clear the difference between culture and the consumable content which influences it.
Content I think of as the substance of culture. It is the creative expression that is shared with others. In fact content could not exist without the sharing of culture. I say this from experience where as an aspiring musician I’ve tried to create my own music. I quickly learned I have no artistic talent in my body so my content never left the privacy of my own bedroom. Content is created by the artist first and foremost out of a passion for the art.
Content is influenced by the culture in which the artist exists. It is combined with the artist’s own personality and creativity. It is then consumed as an influence to the next steps in the cultural evolution.
I’m not saying artists need not be compensated for their creativity. Indeed, they could not survive easily without some compensation. Musicians still to this day make a living performing, artists make a living selling in galleries, authors make a living publishing. All are assimilated into culture. Culture is an audience to the musician, it is the patrons to the museum, it is the ambiance brought into a room through a painting, it is the imagination sparked by the words of an author.
Content begets content. While there most certainly are new original works you would be hard pressed to find any that were not influenced in some way by past works. Content evolves (or rather in the past evolved) along side culture. However, with current laws and how they are being changed and influenced by big media, content will never again evolve in the ways of the past.
I think my favorite example of content and cultural evolution is the story of Santa Claus. Santa’s roots can be traced back to Dutch and Scandinavian folklore combined with similar tales from other cultures. I’m not planning to do a full write-up on Santa’s origins however, Wikipedia gives a great background history.
The point I want to make with this is that this content evolved with culture and culture evolved along side this content. Many artists influenced by stories of Santa, or Saint Nickolas, or Father Christmas, or Sinterklaas built on those stories, producing paintings and poems, music and stories which in turn influenced the further evolution of Santa. Current copyright laws (and the perpetual extension of those laws) prevent Mickey Mouse from evolving into anything other than a squeaky mouse.
Big media companies, encourage us at a very young age to take their content, build on it and act out new and exciting stories based on their characters? I was 6 years old when I saw Star Wars for the first time in the theater. I had action figures and ships and play sets from the movie, saw the advertisements on TV that showed other kids, just like me, playing with the Star Wars merchandise making up new stories.
What I didn’t realize then, is that no matter how good or original the story was, or how imaginative it may have been, I could not legally write it down, film it and otherwise publish it for others to share. To be fair, I’m certain that it was never the intent of the media producers to have children all over the world become competitive content producers using their own characters and back story against them.
However, it does demonstrate how content and creativity evolve from existing content. It shows how you do not have to have completely original work to be creative. It shows an understanding, if somewhat subconscious of the original content producers, that creativity and imagination can be built upon past work.
The content creators encourage children to build on their content. I presume they are OK with this because the “right” to imagine is sold to the children through the purchase of the action figures and play sets.
But how far are the children allowed to go with this right to creativity? My brother and I could play with our action figures and make up our stories. I could invite my friends over to play with my action figures. (Should they have purchased their own action figures? Was this illegal?) My parents could watch us play with our action figures.
However, was this performance of our made up story permitted? Were we allowed to perform for an audience? What if we invited our neighbors over and put on a sort of “puppet show” with our action figures. Were we still allowed to perform our story that was based on Star Wars? What if our performance was filmed and posted to YouTube? (I know, YouTube didn’t exist in 1979. But that’s the point of this article.) Where is the line drawn?1
As kids we were never informed that there was potentially even such a line. We were happy making up stories and big media was happy collecting our money. I know these questions really sound absurd, however, now that the Internet is a way of life and content is available like never before, it is so easy to mix and remix content and have it seen by so many people. Why haven’t these seemingly absurd questions ever been asked before? Why are we encouraged to mix and remix content as children only to be told it is dirty and evil now?
1 (Update 2020-09-05) In the nine years since I first wrote this article, YouTube is filled with kid videos playing with action figures, playing in costume, etc… For the most part these seem to be left alone by content creators. (As they should be.) However, none of these activities have been legally challenged and definitively considered covered under Fair Use. For instance, kids playing will likely not worry the Big Media company. However, as production quality increases (think fan films) the content starts to become a concern for the copyright holder.
I was in need of a small, light weight configuration utility for some projects I’ve been working on. Most of the utilities I found were really overkill for what I needed. I created MiniCFG as a quick and dirty solution that seems to work well.
MiniCFG is a small set of functions written in C for parsing configuration files. Configuration data is stored as name/value pairs in a config file, one per line. There are no real restrictions on the format for names or values except that the cannot contain hash ‘#’ characters which are used to indicate comments.
Example
# this is an example configuration file # name/value pairs are delimited by a '=' character name = value # the '=' character can exist within a value line = y = mx + b # names can contain spaces foo bar = what's in a name # comments begin with a hash '#' character another name = another value # comments can follow a value # name/value pairs can override previous definitions name = yet another value # comments and settings may be preceeded by white space something = else # a hash cannot be contained within a name, value or quoted strings quote = "this is not # what you'd expect" # a name without a value is legal and will return null with equal sign = without
There are three functions used to access the configuration data:
struct config* open_config(char* filename);
This opens and parses the configuration file.
int close_config(struct config* cfg);
This function closes the configuration data and cleans up any used resources.
char* load_setting(struct config* cfg, char* name);
This function retrieves the value for a given name or key. If the name does not exist, NULL is returned. MiniCFG is free under the MIT license and can be downloaded here.]]>
A question was asked on stackoverflow.com about how to dynamically instantiate classes given a vector of strings of the class names to instantiate. Take for example:
class Base {};
class Child1 : public Base {};
class Child2 : public Base {};
class Child3 : public Child2 {};
int main (int argc, char* argv [])
{
std::vector<std::string> names = get_names(argv);
Base* p;
for (std::vector<std::string>::iterator i = names.begin(); i != names.end(); i++) {
if (*i == "Child1")
p = new Child1;
if (*i == "Child2")
p =new Child2;
if (*i == "Child3")
p = new Child3;
// do something with p
}
}
So, this works. Except each time you add another class, you have to remember to update this code and rebuild the entire application. The factory design pattern, or factory method pattern (or dynamic constructor) is a mechanism for creating objects without knowing exactly what object needs to be created or how to actually create the object. A class factory provides an interface in which subclasses can implement the necessary functionality to create specific objects. A class factory is an object for creating other objects. As classes are added to the application they resister their creation routines with the class factory which then can instantiate them upon request. A class factory could simplify the above example to something like this:
class Base {};
class Child1 : public Base {};
class Child2 : public Base {};
class Child3 : public Child2 {};
int main (int argc, char* argv [])
{
std::vector<std::string> names = get_names(argv);
Base* p;
for (std::vector<std::string>::iterator i = names.begin(); i != names.end(); i++) {
p = factory.create (*i);
// do something with p
}
}
For now, this glosses over the registration details which we’ll discuss shortly. Let’s start with some classes:
class Base
{
public:
virtual void foo() = 0;
};
class Child1 : public Base
{
public:
virtual void foo();
};
class Child2 : public Base
{
public:
virtual void foo();
};
class Child3 : public Child2
{
public:
virtual void foo();
};
void Child1::foo()
{
std::cout << "Child1\n";
}
void Child2::foo()
{
std::cout << "Child2\n";
}
void Child3::foo()
{
std::cout << "Child3\n";
}
Next, we need some classes to instantiate our classes derived from Base.
class Creator
{
public:
virtual Base* create() = 0;
};
Every time a new class is defined it must also be accompanied by its own specialized Creator derived class that is responsible for instantiating instances of the new class.
class Child1Creator : public Creator
{
public:
virtual Base* create() { return new Child1; }
};
class Child2Creator : public Creator
{
public:
virtual Base* create() { return new Child2; }
};
class Child3Creator : public Creator
{
public:
virtual Base* create() { return new Child3; }
};
Well, how does this help us? Well, it doesn’t really. It creates a butt load more work. However, given that these creator classes differ only in type, this is screaming loudly for templates.
template <class T>
class CreatorImpl : public Creator
{
public:
virtual Base* create() { return new T; }
};
With this template, the developer only needs to instantiate an instance of this class with each new Base derived class. So, these creators are like little machines that stamp out new objects. Now we need a class factory to store our machines.
class Factory
{
public:
Base* create(const std::string& classname);
void registerit(const std::string& classname, Creator* creator);
private:
std::map<std::string, Creator*> table;
};
The class factory registers the creators in a lookup table. The creators must be registered with the class factory before the factory can create instances of a class. The registerit() method maps an instance of a creator to a C++ class name:
void Factory::registerit(const std::string& classname, Creator* creator)
{
table[classname] = creator;
}
The create() method looks up a specific creator based on the given classname to construct the required object. If there is no creator for the class then NULL is returned.
Base* Factory::create(const std::string& classname)
{
std::map<std::string, Creator*>::iterator i;
i = table.find(classname);
if (i != table.end())
return i->second->create();
else
return (Base*)NULL;
}
So now we can simplify our main() example:
int main(int argc, char* argv[])
{
Factory factory;
CreatorImpl<Child1> creator1;
CreatorImpl<Child2> creator2;
CreatorImpl<Child3> creator3;
factory.registerit("Child1", &creator1);
factory.registerit("Child2", &creator2);
factory.registerit("Child3", &creator3);
std::vector<std::string> names = get_names(argv);
Base* p;
for (std::vector<std::string>::iterator i = names.begin(); i != names.end(); i++) {
p = factory.create(*i);
if (p != NULL)
p->foo();
else
std::cout << "Class not found!\n";
}
return 0;
}
Well, the developer still needs to instantiate and register another creator and rebuild the application every time a new class is added. Now we’ll try to get the creators to register themselves with the class factory so the developer does not need to worry about it. We’ll modify the creator’s constructor to do this. The class factory however now has to be global so it can be seen from within the creator’s constructor. Here is the updated code:
class Creator
{
public:
Creator(const std::string& classname);
virtual Base* create() = 0;
};
Factory factory; // factory is global, not in main()
// have the creator's constructor do the registration
Creator::Creator(const std::string& classname)
{
factory.registerit(classname, this);
}
template <class T>
class CreatorImpl : public Creator
{
public:
CreatorImpl(const std::string& classname) : Creator(classname) {}
virtual Base* create() { return new T; }
};
Now the main application can be modified like this:
extern Factory factory;
int main(int argc, char* argv[])
{
// automatically registers with the factory.
CreatorImpl<Child1> creator1("Child1");
CreatorImpl<Child2> creator2("Child2");
CreatorImpl<Child3> creator3("Child3");
std::vector<std::string> names = get_names(argv);
Base* p;
for (std::vector<std::string>::iterator i = names.begin(); i != names.end(); i++) {
p = factory.create(*i);
if (p != NULL)
p->foo();
else
std::cout << "Class not found!\n";
}
return 0;
}
So, the developer still needs to instantiate a creator for every new class. How could we remove the burden of the developer to remember to update main() every time a new class is added? The only real way to do this is to have code executed before entry into main() which can only happen with the initialization of global data. From this point on we are starting to wander into non-standard territory. We are going to count on the fact that an object’s constructor is guaranteed to be called at some point before the object is first accessed. This can be before main() but does not necessarily have to be. We want to give each new class its own creator instantiation without needing to update main(). We can either create a global creator object in the class’s implementation file, or give the class a private static creator member. For this implementation we are going to use the private static member. This presents us with another problem however. There is no way to specify the order in which objects in global scope are created. Bad things will happen if the creator tries to register with the class factory before the class factory has been constructed. To solve this problem, we need to modify the factory class:
class Factory
{
public:
static Base* create(const std::string& classname);
static void register(const std::string& classname, Creator* creator);
private:
static std::map<std::string, Creator*>& get_table();
};
Base* Factory::create(const std::string& classname)
{
std::map<std::string, Creator*>::iterator i;
i = get_table().find(classname);
if (i != get_table().end())
return i->second->create();
else
return (Base*)NULL;
}
void Factory::register(const std::string& classname, Creator* creator)
{
get_table()[classname] = creator;
}
std::map<std::string, Creator*>& Factory::get_table()
{
static std::map<std::string, Creator*> table;
return table;
}
We’ve moved the table member and wrapped it as a static local variable in a member function called get_table(). The register() method will accesses the lookup table through this static function. This guarantees the lookup table will be created before it is accessed. Also, by making all the member functions static, we don’t have to create a global instance of the class factory. We can instead call the factory methods directly. Now we need to update the creator class to reflect these changes:
Creator::Creator(const std::string& classname)
{
Factory::registerit(classname, this);
}
To remove the creator instantiation out of main() we update our class definitions:
class Child1 : public Base
{
private:
static const CreatorImpl<Child1> creator;
public:
virtual void foo();
};
class Child2 : public Base
{
private:
static const CreatorImpl<Child2> creator;
public:
virtual void foo();
};
class Child3 : public Child2
{
private:
static const CreatorImpl<Child3> creator;
public:
virtual void foo();
};
const CreatorImpl<Child1> Child1::creator("Child1");
void Child1::foo()
{
std::cout << "Child1\n";
}
const CreatorImpl<Child2> Child2::creator("Child2");
void Child2::foo()
{
std::cout << "Child2\n";
}
const CreatorImpl<Child3> Child3::creator("Child3");
void Child3::foo()
{
std::cout << "Child3\n";
}
Which really simplifies main():
int main(int argc, char* argv[])
{
std::vector<std::string> names = get_names(argv);
Base* p;
for (std::vector<std::string>::iterator i = names.begin(); i != names.end(); i++) {
p = Factory::create(*i);
if (p != NULL)
p->foo();
else
std::cout << "Class not found!\n";
}
return 0;
}
This is where we hit non-standard territory. If you were to compile and link this as a stand alone application or statically linked library, it probably will not work. This is because the compiler will see that none of the static creators we give each class are directly accessed anywhere in the application. Basically, we define them and count on their constructors to do work for us but never need to explicitly call any methods on them afterwards. The compiler will recognize this and will optimize them away along with the registration code in the constructor calls. There is nothing in the C++ standard that can force constructor generation even if the construction has necessary side effects. There had been some discussions about adding a force keyword but I don’t know if it actually made it into the C++0x standard. Currently the only way to force the constructor to be generated and called is by accessing the object. Since that is abstracted away from the compiler in our factory table, they are all optimized away. The non-standard solution to this is to put the factory and Base derived classes into a dynamically linked library. The idea is that because the compiler does not know what objects from the library will be accessed by an application at run time, it has to generate all the constructors for the global data. When the library is loaded into the process address space, all the creator constructors are executed registering their respective classes. I’ve tested this on Windows and Linux platforms and it works as described. Given that it is non-standard, it is not guaranteed to work everywhere. Finally, we get to abuse the C preprocessor and create some macros for setting up this framework. Setting up the creators manually is monotonous and error prone. The macros allow the developer to define and implement the framework in a way that will cause any errors to be caught at compile time while allowing the framework to be set up with a single line of code. For class definition files we define a REGISTER() macro which will add the private static member:
#define REGISTER(classname) \ private: \ static const CreatorImpl<classname> creator;
We would use the macro like this:
// Child1.h
class Child1 : public Base
{
REGISTER(Child1);
public:
virtual void foo();
};
Which would produce code like this:
// Child1.h
class Child1 : public Base
{
private:
static const CreatorImpl<Child1> creator;
public:
virtual void foo();
};
It is recommended that this macro be placed as the first thing in the class definition. It does not really matter where in the class definition it is placed but it must be understood that C++ lines following the macro will be private. So for instance, if the macro is placed following a bunch of public methods, methods directly following will all of the sudden become private even though you did not specify the private access modifier. If the macro is placed as the very first line in the class definition, because C++ class members are private by default, the macro will not change the expected semantics. For class implementation files we define a REGISTERIMPL() macro which will instantiate the creator:
#define REGISTERIMPL(classname) \ const CreatorImpl<classname> classname::creator(#classname);
We would use the macro like this:
// Child1.cpp
REGISTERIMPL(Child1);
void Child1::foo()
{
std::cout << "Child1\n";
}
The preprocessor substitutes the code for the constructor call, replacing classname with the supplied C++ class name. The “#” symbol tells the preprocessor to substitute the value of classname as a string constant instead of expanding it as code. This would produce code that looks like this:
// Child1.cpp
const CreatorImpl<Child1> Child1::creator("Child1");
void Child1::foo()
{
std::cout << "Child1\n";
}
I implemented this in a utility library that I use in various projects. I’m always looking for ways to improve this. If you see any bugs, typos or have any suggestions, feel free to email me or leave a comment below.
After receiving requests for a working example, I finally threw one together. It can be downloaded here: factorydemo.zip This demo is built using MinGW. To build, type make from the MinGW shell. This will build main.exe and factory.dll. If you do not have MinGW and just want to try it, there are precomiled binaries in the zip archive. An example run of the demo looks like this:
$ main Child1 Child1 $ main Child2 Child2 $ main Child3 Child3 $ main Child4 Class not found!
I also updated the code listings above. It seems some special characters like < and > and others were stripped at some point making the code actually incorrect. They all should be fixed now. If I missed any let me know.]]>
A question was asked on stackoverflow.com about using a buffer overflow to clobber the stack and alter the behavior of a program. It’s been a while since I’ve done anything like this so I thought I might give it a shot. This code is based on code snippets shown in the stackoverflow thread. This is very architecture and compiler dependent. If you are following along you may have to adjust accordingly.
#include <stdio.h>
void foo()
{
int* p;
p = (int*)&p;
p[offset] = new return address;
return;
}
int main(int argc, char* argv[])
{
int x = 0;
foo();
x++;
printf("%dn", x);
return 0;
}
The idea behind this code is to clobber the stack in function foo() so when foo() returns, the x++ is skipped and 0 is printed. We have two things we need to do to make this happen. First, when a function is called, the address of the instruction immediately following the function is pushed on the stack. This is the address control jumps to when the function is finished executing and returns to the caller. It is this address on the stack that we need to change. Second, we need to know where to return to. To find this value, we need to look at the object code that is created by the compiler. If you are trying this at home, your compiler and produced assembly may be different as the produced output can be very version specific. For this example I’m using Cygwin with gcc version 3.4.4. The following is the disassembly of the object code for the main() function:
// _main // 401071: 55 push %ebp // 401072: 89 e5 mov %esp,%ebp // 401074: 83 ec 18 sub $0x18,%esp // ... skip unimportant stuff ... // 40109b: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%ebp) // 4010a2: e8 a9 ff ff ff call 401050 <_foo> // 4010a7: 8d 45 fc lea -0x4(%ebp),%eax // 4010aa: ff 00 incl (%eax) // 4010ac: 8b 45 fc mov -0x4(%ebp),%eax // 4010af: 89 44 24 04 mov %eax,0x4(%esp) // 4010b3: c7 04 24 00 20 40 00 movl $0x402000,(%esp) // 4010ba: e8 a9 00 00 00 call 401168 <_printf> // 4010bf: b8 00 00 00 00 mov $0x0,%eax // 4010c4: c9 leave // 4010c5: c3 ret
This disassembly is produced using the objdump command objdump -d test.exe. Breaking this down we see: Standard preamble stuff. Don’t worry about this. (yet)
// 401071: 55 push %ebp // 401072: 89 e5 mov %esp,%ebp
Allocate space on the stack for our local variables (including x). This also allocates a temporary variable to store the address of our format string constant which we will come back to.
// 401074: 83 ec 18 sub $0x18,%esp
Set x to 0.
// 40109b: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%ebp)
Call foo().
// 4010a2: e8 a9 ff ff ff call 401050 <_foo>
When this instruction is executed, the address of the next instruction is pushed onto the stack. In this case it is the address of the lea instruction 4010a7. The next block of instructions increment x. This is the block we want to skip.
// 4010a7: 8d 45 fc lea -0x4(%ebp),%eax // 4010aa: ff 00 incl (%eax)
These two instructions take up a total of 5 bytes. 3 for the lea instructions and 2 for the incl instruction. Once we find the return address on the stack, we need to increment it by 5. Our updated foo() looks like this:
void foo()
{
int* p;
p = (int*)&p;
p[offset] += 5;
return;
}
Note, we don’t want to skip these two instructions. They are responsible for putting a copy of x into a parameter already allocated on the stack to be passed to printf().
// 4010ac: 8b 45 fc mov -0x4(%ebp),%eax // 4010af: 89 44 24 04 mov %eax,0x4(%esp)
This instruction copies the address of our format string into the last reserved variable on the stack which is the first parameter to be passed to printf().
// 4010b3: c7 04 24 00 20 40 00 movl $0x402000,(%esp)
Finally, we call printf(), set our return value and exit the application.
// 4010ba: e8 a9 00 00 00 call 401168 <_printf> // 4010bf: b8 00 00 00 00 mov $0x0,%eax // 4010c4: c9 leave // 4010c5: c3 ret
The last thing we need to find is where the return address is stored on the stack. Let’s look at the disassembly of foo().
// 401050: 55 push %ebp // 401051: 89 e5 mov %esp,%ebp // 401053: 83 ec 04 sub $0x4,%esp // 401056: 8d 45 fc lea -0x4(%ebp),%eax // 401059: 89 45 fc mov %eax,-0x4(%ebp) // 40105c: 8b 55 fc mov -0x4(%ebp),%edx // 40105f: 83 c2 08 add $0x8,%edx // 401062: 8b 45 fc mov -0x4(%ebp),%eax // 401065: 83 c0 08 add $0x8,%eax // 401068: 8b 00 mov (%eax),%eax // 40106a: 83 c0 05 add $0x5,%eax // 40106d: 89 02 mov %eax,(%edx) // 40106f: c9 leave // 401070: c3 ret
The first two instructions are the preamble which we’ve seen before with main().
// 401050: 55 push %ebp // 401051: 89 e5 mov %esp,%ebp
This pushes the previous base pointer onto the stack and makes the current stack pointer the current base pointer. We know when this function was called, the return address was pushed. It is now “under” the base pointer we just pushed. Next, storage for our local variable p is allocated on the stack.
// 401053: 83 ec 04 sub $0x4,%esp
Our stack should now look something like this:
// ret addr // old ebp // esp --> p
Next we store the address of p into p so that p is pointing to itself.
// 401056: 8d 45 fc lea -0x4(%ebp),%eax // 401059: 89 45 fc mov %eax,-0x4(%ebp)
Now, with p pointing to itself, let’s have another look at the stack and see how we should offset p to get to the return address. Our stack should now look something like this:
// ret addr <-- p + 8 // old ebp <-- p + 4 // esp --> p <-- p
Note that I am using a 32-bit system so addresses and registers are stored as 4 byte values. Whatever address p is pointing to, we have to add 8 to that address. In foo() I declared p as an int * so we can treat p as an array of integers and access index 2 to clobber the return address:
void foo()
{
int* p;
p = (int*)&p;
p[2] += 5;
return;
}
Running this code produces the following output:
$ ./test.exe
]]>