Question

I have the following piece of assembly for x86_64 shellcode:

call writer

writestring db "ABCD",0x0d0a

writer:
pop rsi

When this is compiled, objdump -d shows (snipped some for brevity):

  4000a4:   e8 06 00 00 00          callq  4000af <writer>

00000000004000a9 <writestr>:
  4000a9:   42                      rex.X
  4000aa:   42                      rex.X
  4000ab:   42                      rex.X
  4000ac:   42 0a 0d 5e 48 31 d2    rex.X

00000000004000af <writer>:
  4000af:   5e                      pop    %rsi

I would like to remove the three nulls from the back of callq. call near, call far etc. aren't doing it. Can anyone provide a suggestion?

Sorry, I wasn't really clear. I'm using call so that it saves the address of the writestr that I can pop into rsi immediately after. I can't access rip (or can I?) to figure out the offsets by hand.


Solution

You should be able to eliminate the null bytes by using a JMP (or similar) instruction instead. For instance, something like:

jmp $+8  

writestring db "BBBB",0x0d, 0x0a

writer:
pop rsi

This produces the following machine code using nasm -f elf64:

0000000000000000 <writestring-0x2>:
   0:   eb 06                   jmp    8 <writer>

0000000000000002 <writestring>:
   2:   42                      rex.X
   3:   42                      rex.X
   4:   42                      rex.X
   5:   42                      rex.X
   6:   0d                      .byte 0xd
   7:   0a                      .byte 0xa

0000000000000008 <writer>:
   8:   5e                      pop    %rsi

You probably noticed that I didn't set up anything for a RET instruction. But if you need such an instruction, you can easily do the procedure prologue yourself.
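To make the encoding difference concrete, here is an added example (my own, not part of the answer above) that builds the same fragment both ways in C: the branch opcode, then the constructed "BBBB" + CR LF string, then the one-byte `pop rsi`, and counts the zero bytes in each result. The function names, the `k_string` constant and the 16-byte buffer are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* CALL rel32: 0xE8 + little-endian 32-bit displacement. A displacement of 6
 * leaves the three high bytes zero, which is what the objdump above shows. */
size_t encode_call_rel32(int32_t disp, uint8_t *out) {
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)((uint32_t)disp >> (8 * i));
    return 5;
}
/* JMP rel8: 0xEB + one signed byte. Returns 0 if disp is outside -128..127. */
size_t encode_jmp_rel8(int32_t disp, uint8_t *out) {
    if (disp < -128 || disp > 127) return 0;
    out[0] = 0xEB;
    out[1] = (uint8_t)(int8_t)disp;
    return 2;
}
/* Constructed data mirroring the listings: "BBBB" + CR LF, then the one-byte
 * `pop rsi` (0x5E) that sits at the label the branch targets. */
static const uint8_t k_string[] = { 'B', 'B', 'B', 'B', 0x0D, 0x0A };
static const uint8_t k_pop_rsi = 0x5E;
/* Assemble the fragment with either branch form. The displacement is the
 * distance from the end of the branch to `writer`, i.e. the string length. */
size_t build_fragment(int use_jmp, uint8_t *out, size_t cap) {
    uint8_t br[5];
    int32_t disp = (int32_t)sizeof k_string;
    size_t blen = use_jmp ? encode_jmp_rel8(disp, br) : encode_call_rel32(disp, br);
    if (blen == 0 || blen + sizeof k_string + 1 > cap) return 0;
    memcpy(out, br, blen);
    memcpy(out + blen, k_string, sizeof k_string);
    out[blen + sizeof k_string] = k_pop_rsi;
    return blen + sizeof k_string + 1;
}
/* Count zero bytes: a NUL in a payload carried as a C string truncates it. */
size_t count_nulls(const uint8_t *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (buf[i] == 0);
    return n;
}
int main(void) {
    uint8_t buf[16];
    for (int jmp = 0; jmp <= 1; jmp++) {
        size_t len = build_fragment(jmp, buf, sizeof buf);
        for (size_t i = 0; i < len; i++) printf("%02x ", buf[i]);
        printf(" nulls=%zu\n", count_nulls(buf, len));
    }
    return 0;
}
```

The first line of output reproduces the `e8 06 00 00 00` form with three zero bytes; the second reproduces `eb 06` with none, because the rel8 form only ever emits the one displacement byte.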

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow