Comments:
<0> I have a char array containing machine language in C. Is there an easy way to jump into it ?
<1> http://www.acm.uiuc.edu/sigmil/talks/shellcode/shellcode.html
<1> you just don't google enough
<0> Thanks.
<0> I tried, but I couldn't think of any good terms.
<2> Noobish question: What sort of stuff do you need to know for OS development?
<2> Feel free to laugh now
<3> Dacicus, http://www.osdever.net/tutorials/brunmar/tutorial_01.php?the_id=8
<2> Thanks.
<2> No.
<2> oops
<2> wrong channel
<0> Does Linux have some writable/executable memory separation ?
<4> hi! i don't quite understand the test instruction
<4> what is a logical compare?
<4> like test %dl,%dl always evaluates to false and i don't know why
<2> Do you have the Intel docs?
<2> or whatever processor you're programming for?
<4> i386
<4> right after the test is a jne
<4> and it always jumps, rather than ignoring it
<2> hm, well the Intel docs say
<4> it's a simple AND
<2> Computes the bit-wise logical AND of first operand (source 1 operand) and the second operand
<2> (source 2 operand) and sets the SF, ZF, and PF status flags according to the result. The result is
<2> then discarded.
<4> i read that
<4> so how come PF is never set?
<4> i mean: i compare exact the same values
<4> s/exact/exactly/
<5> hi man hkj
<5> morning
<6> hey b0red
<6> resolved the problem :)
<5> i kinda did too i think
<5> tell me how
<6> the bytecode executed are that present in argv[1] and not in buffer of vuln.c
<5> buffer is placed in argv[1] ?
<5> yeah
<5> i reached this solution too
<5> hmm
<6> good
<5> but there is something weird
<5> buffer[0] = 0xffffff90 and &buffer[0] = 0xbfbfe770
<5> argv[0] = 0x90909090 and &argv[0] = 0xbfbfe7b0
<5> buffer[499] = 0xffffffbf and &buffer[499] = 0xbfbfe963
<5> &buffer[499] > &argv[0]
<5> where it should be the opposite..
<6> wait wait... i go on linux and send my code
<5> ok
<7> b0red, i send you a tar file
<5> hkjf, i'm behind a firewall.... can u send it to my mail?
<5> or upload it somewhere
<7> sure
<7> sent
<5> brb
<7> b0red, i've posted it here also http://rafb.net/paste/results/FpBBDM12.html
<7> -.-
<8> hkjf, i < strlen(shellcode), this seems weird: shellcode[] isn't a c-string (i.e. null-terminated).
<8> (?)
<8> (line 47 in the pastebin)
<7> line 49 does the terminating
<8> I mean: strlen(shellcode) scans the shellcode[] array for a 0x00 byte in order to know the length of the string. But shell code isn't a string.
<8> strlen() is used on strings, ascii strings.
<7> shellcode[] points to a constant that is terminated, i suppose
<7> it should include the '\0' byte
<8> oh
<8> sorry, indeed these are strings.
<7> mElo97, try strlen of #define str "something" for example
<8> I've never seen several lines of strings to initialize an array. Anyway is that okay? since then some null-bytes are inserted in your "shellcode"?
<7> line 18-22?
<8> yes
<7> there aren't null bytes, compiler should put null at the end of constant
<8> anything inside double-quotes is implicitly added a null-byte.
<8> anyway i'm gonna verify this assertion... :)
<7> mElo97, correct me if i'm wrong
<8> you're right, a null-byte is appended at the end of the shellcode array, and since it doesn't contain a null-byte inside, strlen(shellcode) works fine.
<8> sorry for the loss of time :) my fault
<7> np ;)
<9> ebx is a register that needs to be restored after using it
<9> but to use it do I need to push (and pop) it ?
<0> If that's the method you want to use to preserve it.
<0> If you have another method, you can use that.
<9> what ?
<9> "<0> If that's the method you want to use to preserve it." <=== ???
<0> You need to preserve ebx.
<0> You mentioned one method of preserving it.
<9> ah ok