Question

I need to enter bytes into a python script. I need to do an offset of 10 bytes from the register %ebx in assembly:

89 43 0a
mov %eax,0xa(%ebx)

I should mention that when I run this script, I dump these bytes (and others) into a file. The contents of the file then become shellcode that I am using to inject onto a stack. The problem with this is that when the C function strcpy sees the 0x0a, it stops copying it, thinking that it is a null terminator.

I understand why this is happening, but how do I get my shellcode to be interpreted as an offset of 10 bytes without using 0x0a (the null terminator value)? If I changed the value 0a to 08 for example, this works as I want (if the offset were only 8 bytes, of course).

The python script looks like this:

print "\x89\x43\x0a"

Solution

It's trivial to do it, just split it up into two parts neither of which is 0 or 10 :)

Such as:

add $5, %ebx
mov %eax, 5(%ebx)
sub $5, %ebx # optional: restore ebx
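To make the byte-level effect of the answer concrete, here is an added example (not code from the question or the answer) that hand-encodes the three instructions with the x86 ModRM rules and checks the result for the 0x00 and 0x0a values the asker's copy routine stops at. Register numbers and opcode forms follow the Intel manual; the helper names are my own.

```python
# Added example: encode "mov %eax, disp(%ebx)" and "add/sub $imm, %ebx" by hand
# and show which byte the direct encoding trips on versus the split form.

EAX = 0b000  # register numbers used in the ModRM reg / r/m fields
EBX = 0b011


def modrm(mod: int, reg: int, rm: int) -> int:
    """Pack a ModRM byte: 2-bit mod, 3-bit reg (or opcode extension), 3-bit r/m."""
    return (mod << 6) | (reg << 3) | rm


def mov_eax_to_disp8_ebx(disp: int) -> bytes:
    """mov %eax, disp(%ebx): opcode 89 /r, mod=01 means an 8-bit displacement."""
    assert -128 <= disp <= 127, "disp8 only"
    return bytes([0x89, modrm(0b01, EAX, EBX), disp & 0xFF])


def add_imm8_ebx(imm: int) -> bytes:
    """add $imm, %ebx: opcode 83 /0 ib, mod=11 addresses the register itself."""
    return bytes([0x83, modrm(0b11, 0, EBX), imm & 0xFF])


def sub_imm8_ebx(imm: int) -> bytes:
    """sub $imm, %ebx: opcode 83 /5 ib."""
    return bytes([0x83, modrm(0b11, 5, EBX), imm & 0xFF])


def bad_bytes(code: bytes, avoid=(0x00, 0x0A)) -> list:
    """Offsets in code holding a byte that strcpy-style copying would stop at."""
    return [i for i, b in enumerate(code) if b in avoid]


def split_store(total: int, part: int) -> bytes:
    """The answer's rewrite: move %ebx by `part`, store at the remainder, move back."""
    return (add_imm8_ebx(part)
            + mov_eax_to_disp8_ebx(total - part)
            + sub_imm8_ebx(part))


DIRECT = mov_eax_to_disp8_ebx(10)  # the asker's 89 43 0a
SPLIT = split_store(10, 5)         # the answer's add / mov / sub sequence

if __name__ == "__main__":
    print("direct:", DIRECT.hex(" "), "bad byte at", bad_bytes(DIRECT))
    print("split: ", SPLIT.hex(" "), "bad byte at", bad_bytes(SPLIT))
```

The split form is three bytes per instruction, so it costs six extra bytes of code but leaves the stored value and the final %ebx unchanged.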
Licensed under: CC-BY-SA with attribution