Compile ex2.c using:

    gcc -g -Wall -m32 -fno-stack-protector ex2.c

This produces a.out (the -m32 and -fno-stack-protector flags are what make the frame layout below come out as described). Run the program and verify that the value of x is updated as expected.

At the unix prompt, type:

    gdb a.out

Type:

    (gdb) disas main

Look at the address of the instruction following the call to function(). This is the instruction that is supposed to be executed after return from function(), and so the corresponding address is what is going to be stored in the frame for function(). (The instruction corresponds to the assignment "x=1".) Look at the address of the subsequent instruction. We are going to want to increment the stored instruction pointer so that it points to this instruction instead. So the difference between the address of the assignment instruction and the subsequent instruction (which should be 7) is what we will use as the increment for (*ret).

Next type:

    (gdb) break function
    (gdb) run
    (gdb) print &buffer1

This runs the program until function() is called, and then prints the value of &buffer1, i.e., the address of buffer1 in memory. Type:

    (gdb) info frame

This gives information about the current frame. Things to note:

- the eip is equal to the next instruction to be executed (as can be verified by typing "disas function" -- note that the first 3 instructions you will see just set up the frame, and the 4th instruction is the first that actually corresponds to the function itself)
- the saved eip will have the value of the next instruction to be executed when control returns to main (as can be verified by typing "disas main")
- we are interested in the location of the saved eip (i.e., "eip at xxxxxxxxx"). This is giving us the location in memory where the previous instruction pointer is being stored.

Computing the difference between the memory locations of the saved eip and buffer1 (it should be 13) tells us the relative spacing of these two variables. We will use this value to increment buffer1. Quit out of gdb.
Change the following lines of ex2.c:

    ret = buffer1 + 13;
    (*ret) += 7;

Now compile the program again. When you run it, you will see that the value of x is NOT updated -- we have caused the assignment instruction to be skipped! ex3.c gives a completely analogous example where we decrement the instruction pointer so as to execute a particular instruction twice.
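The two numbers the exercise has you read off by hand (the 7-byte increment from "disas main" and the 13-byte distance from buffer1 to the saved eip from "info frame" and "print &buffer1") can be computed mechanically from the gdb output. The script below is an added example, not part of the original exercise or of ex2.c/ex3.c: it parses constructed samples of the three gdb outputs (the addresses and offsets in them are invented to match the numbers quoted above, not taken from a real build), checks that the saved eip really is the instruction after the call, and derives the two lines you are asked to change. The `steps` parameter generalises the same calculation to the negative delta used by ex3.c to run an earlier instruction again.

```python
import re

# Constructed sample of "disas main", modelled on gdb's output format for a
# 32-bit build of ex2.c.  Addresses/offsets are invented for illustration.
DISAS_MAIN = """\
Dump of assembler code for function main:
   0x0804841d <+0>:\tpush   %ebp
   0x0804841e <+1>:\tmov    %esp,%ebp
   0x08048420 <+3>:\tsub    $0x10,%esp
   0x08048423 <+6>:\tmovl   $0x0,-0x4(%ebp)
   0x0804842a <+13>:\tpush   $0x3
   0x0804842c <+15>:\tpush   $0x2
   0x0804842e <+17>:\tpush   $0x1
   0x08048430 <+19>:\tcall   0x80483f4 <function>
   0x08048435 <+24>:\tmovl   $0x1,-0x4(%ebp)
   0x0804843c <+31>:\tpushl  -0x4(%ebp)
   0x0804843f <+34>:\tpush   $0x8048500
   0x08048444 <+39>:\tcall   0x80482f0 <printf@plt>
   0x08048449 <+44>:\tleave
   0x0804844a <+45>:\tret
End of assembler dump.
"""

# Constructed sample of "info frame" while stopped at the breakpoint in function().
INFO_FRAME = """\
Stack level 0, frame at 0xbffff6a0:
 eip = 0x80483fa in function (ex2.c:7); saved eip = 0x8048435
 called by frame at 0xbffff6c0
 source language c.
 Arglist at 0xbffff698, args: a=1, b=2, c=3
 Locals at 0xbffff698, Previous frame's sp is 0xbffff6a0
 Saved registers:
  ebp at 0xbffff698, eip at 0xbffff69c
"""

# Constructed sample of "print &buffer1".
PRINT_BUFFER1 = "$1 = (char (*)[5]) 0xbffff68f"

# One gdb disassembly line: optional "=>" marker, address, <+offset>, instruction.
INSN_RE = re.compile(r"^\s*(?:=>)?\s*0x([0-9a-fA-F]+)\s+<\+\d+>:\s*(.*)$")


def parse_disas(text):
    """Return [(address, instruction text)] for every instruction line in a gdb dump."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if m:
            insns.append((int(m.group(1), 16), m.group(2).strip()))
    return insns


def return_delta(disas_text, callee="function", steps=1):
    """Find the call to `callee` and return (return_address, delta).

    return_address is the instruction right after the call, i.e. the value
    saved in the callee's frame.  delta is the change needed so that the
    saved value points `steps` instructions away: steps=1 skips the
    instruction after the call (ex2.c's "x=1"); a negative value jumps back
    so an earlier instruction runs again (the idea behind ex3.c).
    """
    insns = parse_disas(disas_text)
    for i, (_, text) in enumerate(insns):
        if text.startswith("call") and "<%s>" % callee in text:
            ret_index = i + 1
            target_index = ret_index + steps
            if not 0 <= target_index < len(insns):
                raise ValueError("target instruction is outside the dump")
            ret_addr = insns[ret_index][0]
            return ret_addr, insns[target_index][0] - ret_addr
    raise ValueError("no call to %s in the disassembly" % callee)


def saved_eip(info_frame_text):
    """Return (value of the saved eip, stack address where it is stored)."""
    value = re.search(r"saved eip = 0x([0-9a-fA-F]+)", info_frame_text)
    where = re.search(r"\beip at 0x([0-9a-fA-F]+)", info_frame_text)
    if not (value and where):
        raise ValueError("could not find the saved eip in 'info frame' output")
    return int(value.group(1), 16), int(where.group(1), 16)


def buffer_address(print_text):
    """Parse the address from gdb's 'print &buffer1' output."""
    m = re.search(r"0x([0-9a-fA-F]+)\s*$", print_text)
    if not m:
        raise ValueError("no address in print output")
    return int(m.group(1), 16)


def frame_offsets(disas_text, info_frame_text, print_text, callee="function"):
    """Compute the two numbers the exercise asks for and cross-check them."""
    ret_addr, delta = return_delta(disas_text, callee)
    eip_value, eip_slot = saved_eip(info_frame_text)
    if eip_value != ret_addr:
        raise ValueError("saved eip does not match the instruction after the call")
    return {
        "buffer_to_saved_eip": eip_slot - buffer_address(print_text),  # 13 in the sample
        "return_delta": delta,                                          # 7 in the sample
    }


def patched_lines(offsets):
    """Render the two ex2.c lines the exercise tells you to change."""
    return ("ret = buffer1 + %d;" % offsets["buffer_to_saved_eip"],
            "(*ret) += %d;" % offsets["return_delta"])


if __name__ == "__main__":
    offs = frame_offsets(DISAS_MAIN, INFO_FRAME, PRINT_BUFFER1)
    print(offs)
    print("\n".join(patched_lines(offs)))
```

The cross-check in frame_offsets is the useful part when you do this on your own build: if the saved eip reported by "info frame" is not the address of the instruction after the call, you have broken on the wrong function or are looking at the wrong frame, and the 13 and 7 you read off will be meaningless. Both numbers depend on the compiler, its version and the flags used, so expect different values from a different toolchain.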