这里的代码只是把 function 自己的返回地址改掉，让 main 跳过对 x 的赋值；如果想进一步修改，可以把你想跳转到的函数地址直接写入这个堆栈单元（而不是在原返回地址上加偏移）。注意：代码中的偏移量 28（buffer 到返回地址的距离）和 7（`x=1;` 这条指令的长度）完全依赖于下面记录的编译器版本、目标平台和编译选项（无优化、无栈保护）；换一个编译器、开 -O2 或 -fstack-protector，或者在 x86-64 上，这两个数都会变。
//下面是版本信息。
//C:/>gcc -v
//Reading specs from /usr/lib/gcc/i686-pc-cygwin/3.4.4/specs
//Configured with: /gcc/gcc-3.4.4/gcc-3.4.4-1/configure --verbose --prefix=/usr --exec-prefix=/usr --sysconfdir=/etc --libdir=/usr/lib --libex
//ecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --enable-languages=c,ada,c++,d,f77,java,objc --enable-nls --without-include
//d-gettext --enable-version-specific-runtime-libs --without-x --enable-libgcj --disable-java-awt --with-system-zlib --enable-interpreter --di
//sable-libgcj-debug --enable-threads=posix --enable-java-gc=boehm --disable-win32-registry --enable-sjlj-exceptions --enable-hash-synchroniza
//tion --enable-libstdcxx-debug : (reconfigured)
//Thread model: posix
//gcc version 3.4.4 (cygming special) (gdc 0.12, using dmd 0.125)
//
//C:/>gdb -v
//GNU gdb 6.3.50_2004-12-28-cvs (cygwin-special)
//Copyright 2004 Free Software Foundation, Inc.
//GDB is free software, covered by the GNU General Public License, and you are
//welcome to change it and/or distribute copies of it under certain conditions.
//Type "show copying" to see the conditions.
//There is absolutely no warranty for GDB. Type "show warranty" for details.
//This GDB was configured as "i686-pc-cygwin".
//
//C:/>uname
//CYGWIN_NT-5.1
//
//C:/>uname -a
//CYGWIN_NT-5.1 徐盎 1.5.18(0.132/4/2) 2005-07-02 20:30 i686 unknown unknown Cygwin
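/*
 * Deliberate stack-smashing demonstration (after Aleph One's "Smashing the
 * Stack for Fun and Profit"): overwrite this function's own saved return
 * address so that, when it returns, main resumes *after* the `x = 1;`
 * statement that follows the call.
 *
 * Everything here is undefined behaviour by design (out-of-bounds write
 * through a char array, int access via a char-derived pointer) and is tied
 * to the exact toolchain recorded in the header comment: gcc 3.4.4,
 * i686-pc-cygwin, no optimisation, no stack protector.
 *
 *   RET_SLOT_OFFSET  bytes from buffer[0] to the saved return address (EIP)
 *                    in this frame layout.  Any other compiler, flags (-O2,
 *                    -fstack-protector), or ABI (x86-64) changes it; recover
 *                    it by comparing the two addresses the program prints,
 *                    or from a debugger.
 *   SKIP_BYTES       amount added to the return address to step over `x = 1;`
 *                    in main — presumably the encoded length of that store
 *                    as emitted by this compiler; confirm with objdump.
 *
 * To redirect into an arbitrary function instead, store that function's
 * address into the slot rather than adding to it.
 */
void function(void)
{
    char buffer[5];
    /* Layout-specific constants; see the comment above. */
    enum { RET_SLOT_OFFSET = 28, SKIP_BYTES = 7 };

    /* Print buffer's address so the reader can compare it with &x in main. */
    printf("%p\n", (void *)buffer);

    /* Out-of-bounds pointer aimed at the saved return address: UB on purpose. */
    int *ret = (int *)(buffer + RET_SLOT_OFFSET);

    /* Advance the return address past `x = 1;` in main. */
    *ret += SKIP_BYTES;
}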
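/*
 * Driver for the demo.  Sets x to 0, calls function() — which patches its own
 * saved return address — and then *would* set x to 1; on the recorded
 * toolchain the patched return lands after that statement, so the final
 * printf is expected to show 0.  Build with -O0: with optimisation the
 * compiler may fold `x = 1` into the printf and there is nothing to skip.
 *
 * Also prints &x so the reader can work out the frame distance that
 * RET_SLOT_OFFSET in function() encodes.
 *
 * Declared as `int main(void)` per the C standard; the original
 * `void main()` is non-conforming.
 */
int main(void)
{
    int x = 0;

    function();
    x = 1;   /* skipped when the return-address patch in function() works */

    printf("%p\n", (void *)&x);
    printf("%d\n", x);
    return 0;
}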