views:

161

answers:

2

I'm working on a practice problem set for C programming, and I've encountered this question. I'm not entirely sure what the question is asking for... given that xDEADBEEF is the halt instruction, but where do we inject deadbeef? Why is the FP relevant in this question? Thank you!

You’ve been assigned as the lead computer engineer on an interplanetary space mission to Jupiter. After several months in space, the ship’s main computer, a HAL9000, begins to malfunction and starts killing off the crew members. You’re the last crew member left alive and you need to trick the HAL 9000 computer into executing a HALT instruction. The good news is that you know that the machine code for a halt instruction is (in hexadecimal) xDEADBEEF (in decimal, this is -559,038,737). The bad news is that the only program that the HAL 9000 operating system is willing to actually run is chess. Fortunately, we have a detailed printout of the source code for the chess program (an excerpt of all the important parts is given below). Note that the getValues function reads a set of non-zero integers and places each number in sequence in the array x. The original author of the program obviously expected us to just provide two positive numbers, however there’s nothing in the program that would stop us from inputting three or more numbers. We also know that the stack will use memory locations between 8000 and 8999, and that the initial frame pointer value will be 8996.

#include <stdio.h>

/* readFromKeyboard() is not shown in the problem's excerpt; this stub is an
   assumption added so the excerpt compiles: it reads one integer from stdin
   and returns 0 at end of input (the loop's stop value). */
int readFromKeyboard(void) {
  int v;
  if (scanf("%d", &v) != 1) return 0;
  return v;
}

void getValues(void) {
  int x[2]; // array to hold input values
  int k = 0;
  int n;
  n = readFromKeyboard(); // whatever you type on the keyboard is assigned to n
  while (n != 0) {
    x[k] = n; // each number is placed in sequence in x; there is no bounds check on k
    k = k + 1;
    n = readFromKeyboard(); // whatever you type on the keyboard is assigned to n
  }
  /* the rest of this function is not relevant */
}

int main(void) {
  int x;
  getValues();
  /* the rest of main is not relevant */
  return 0;
}

What sequence of numbers should you type on the keyboard to force the computer to execute a halt instruction?

SAMPLE Solution

One of the first three numbers should be -559038737. The fourth number must be the address of where 0xdeadbeef was placed into memory. Typical values for the 4th number are 8992 (0xdeadbeef is the second number) or 8991 (0xdeadbeef is the first number).
A: 

Hint: Read about buffer overflow exploits.

aib
+2  A: 

What you want to do is overflow the input such that the program will return into a set of instructions you have overwritten at the return address.

The problem lies here:

  int x[2]; // array to hold input values

By passing more than 3 values in, you can overwrite memory that you shouldn't. Explaining the sample example:

  1. First input -559,038,737 puts xDEADBEEF in memory
  2. Second input -559,038,737, why not.
  3. Third number -559,038,737 can't hurt
  4. Fourth number 8992 is the address we want the function to return into.

When the function call returns, it will return to the address you overwrote the return address on the stack with (8992).

Here are some handy resources, and an excerpt:

The actual buffer-overflow hack works like this:

  1. Find code with overflow potential.

  2. Put the code to be executed in the buffer, i.e., on the stack.

  3. Point the return address to the same code you have just put on the stack.

Also a good book on the topic is "Hacking: The Art of Exploitation" if you like messing around with stacks and calling procedures.

In your case, it seems they are looking for you to encode your instructions in integers passed to the input.

An article on buffer overflowing

Aiden Bell
I love you Aiden!
@metashockwave, just make sure you check my facts! It is 5:44 in the morning in the UK and I haven't slept ;)
Aiden Bell
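The answer above pins the problem on `int x[2]` having no bounds check, so extra inputs spill past the array into the saved frame pointer and return address. As an added example (not part of the original question or answers), here is a bounds-checked rewrite of getValues; it takes its numbers from a constructed array standing in for readFromKeyboard(), and the function name, the array stand-in and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_VALUES 2   /* the size of x[] in the original getValues */

/* Bounds-checked stand-in for getValues(): copies non-zero integers from `in`
   (a constructed input array that replaces readFromKeyboard()) into x[],
   stopping at the first 0 or at the end of `in`.
   Returns the number of values stored, or -1 if the input carries more
   values than x[] can hold, i.e. exactly the case that in the original
   would have written over the saved FP and the return address. */
int getValuesSafe(const int *in, size_t in_len, int x[MAX_VALUES]) {
  int k = 0;
  for (size_t i = 0; i < in_len && in[i] != 0; i++) {
    if (k >= MAX_VALUES) {
      return -1;   /* refuse instead of writing past x[MAX_VALUES - 1] */
    }
    x[k] = in[i];
    k = k + 1;
  }
  return k;
}

int main(void) {
  int x[MAX_VALUES] = {0, 0};
  /* constructed: the sequence from the sample solution (three copies of
     0xDEADBEEF as a decimal, then the address 8992, then the 0 terminator) */
  const int overflow_attempt[] = {-559038737, -559038737, -559038737, 8992, 0};
  /* constructed: the two positive numbers the original author expected */
  const int expected_use[] = {5, 7, 0};

  printf("overflow attempt -> %d\n",
         getValuesSafe(overflow_attempt, 5, x));   /* prints -1 */
  printf("expected use     -> %d\n",
         getValuesSafe(expected_use, 3, x));       /* prints 2 */
  return 0;
}
```

With the check in place the third value is rejected before it reaches k == 2, so nothing beyond x[1] is ever written and the fourth value (8992) never lands on the return-address slot.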