How do I calculate the address of the stored EIP

Question

As the title says, I am trying to obtain the address of the stored EIP in the frame. For this simple program:

func1(int a, int b)
{
        int x = 1;
}

int main(void)
{
        func1(1,2);
}

My gdb disassembly is:

(gdb) disassemble main
Dump of assembler code for function main:
0x08048430 <main+0>:    push   %ebp
0x08048431 <main+1>:    mov    %esp,%ebp
0x08048433 <main+3>:    sub    $0x8,%esp
0x08048436 <main+6>:    add    $0xfffffff8,%esp
0x08048439 <main+9>:    push   $0x2
0x0804843b <main+11>:   push   $0x1
0x0804843d <main+13>:   call   0x8048410 <func1>
0x08048442 <main+18>:   add    $0x10,%esp
0x08048445 <main+21>:   mov    %ebp,%esp
0x08048447 <main+23>:   pop    %ebp
0x08048448 <main+24>:   ret
End of assembler dump.

Stack frame printed from GDB:

(gdb) info frame
Stack level 0, frame at 0xffbfdda0:
 eip = 0x8048416 in func1 (t.c:3); saved eip 0x8048442
 called by frame at 0xffbfddc0
 source language c.
 Arglist at 0xffbfdd98, args: a=1, b=2
 Locals at 0xffbfdd98, Previous frame's sp is 0xffbfdda0
 Saved registers:
  ebp at 0xffbfdd98, eip at 0xffbfdd9c

info frame doesn't provide the address of the saved eip, it just shows the value of the save eip.

I setup a break point on func1, then printed the frame information. The saved EIP has a value of 0x8048442, which corresponds to in the disassembly. I am confused, how do I calculate the address of where EIP(0x8048442) is located?

i have examined the address 0x8048412(0x8048416 - 4), but it doesn't contain the saved EIP address.

Answer 1

You need to examine the area before the arg list. It tells you that: eip at 0xffbfdd9c.

This address is 4 bytes before the arg list - 0xffbfdd98. Remember that the list grows down so "4 bytes before x" means "x+4".

The saved eip 0x8048442 info is about where does the EIP points to, which is in the text section, not in the stack.