From: Franklin DeMatto (franklin.listsqDefense.com)
Date: Tue Sep 04 2001 - 19:47:34 CDT


    I am working on an x86/win32 shellcode, using Intel mnemonics and NASM, and
    have some basic questions:

    1) If I want to do a far call, I normally call a pointer to the func.
            example:
            call FUNC
            FUNC: dd 0x74348712

    However, I think it can be done directly using a far call to an immediate
    offset, something like 9a ?? ?? 12 87 34 74
    I think the ?? ?? has to do with something called AR byte.

    But I can't find, or figure out, exactly how to do this. NASM keeps on
    telling me something like "far calls aren't relocatable" and refuses to
    assemble it. Is there a way to get NASM to do it anyway? If not, I can
    enter the opcodes by hand - what should they be?

    2) If I have a string, and I need to append a null afterwards, what is the
    best way?
    e.g.:
            ebx is 0
            ebp points to beginning of string
            string is 26h bytes long
            I would normally do:
                    mov [ebp+27h], ebx
            this yields opcode:
                    89 9D 27 00 00 00, which is obviously not good
            I could do:
                    add ebp, 0xffffffd8
                    mov [ebp], ebx
                    sub ebp, 0xffffffd8
            but this is kind of long
    is there a shorter way to do it, especially since I only need to move one
    byte? ( I don't even need to move it, just make a 0,
    so I could use not or xor or something...)

    3) many times, I need to add or subtract by less than 0x7f. I would
    normally just use add/sub byte xx, but this won't carry, right?
    in other words, if eax == 0xffffff01, and I try sub byte 3, I'll get
    eax==0xfffffffe, which is not what I want
    so I am forced to use sub/add dword, which is much longer.
    likewise, sometimes I want to mov location, byte. But since location is
    specified by dword, I need to do mov location, dword,
    even if I only need a byte.
    my question is: is there a shorter way to do all this, or am I forced to
    use dwords, even though I'm only using bytes?

    also, since I push parameters to the win32 calls, I normally sub from esp so
    as to not overwrite the code itself. However, if I understood correctly,
    the excellent lsd-pl paper said that this is not necessary. Is that
    correct? How is this? Any elaboration would be appreciated.

    Thanks,
    Franklin

    Franklin DeMatto
    Senior Security Analyst, qDefense Penetration Testing
    http://qDefense.com
    qDefense: Making Security Accessible
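The three encoding questions above (the byte layout of a far call, a null-free one-byte store through ebp, and what the 8-bit immediate forms of add/sub actually compute) can be answered by writing the bytes out and checking them. The following C program is an added example by the editor, not code from the original post or from qDefense: it emits the relevant encodings as NASM would, flags any 0x00 byte, and simulates the CPU's sign-extension of an imm8 operand. The far-call offset 0x74348712 is taken from the post; the code-segment selector 0x1B and the 0x26-byte string are assumed sample values, and `has_null`, `encode_*` and `exec_sub_eax_imm8` are names chosen here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Little-endian store so the output does not depend on the host's byte order. */
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;        p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* 1 if the encoded instruction contains a 0x00 byte (fatal for str*-copied shellcode). */
int has_null(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0) return 1;
    return 0;
}

/* CALL ptr16:32, opcode 9A. In 32-bit code the immediate is 6 bytes:
 * the 4-byte offset comes FIRST, the 2-byte segment selector LAST. */
size_t encode_call_far(uint8_t *out, uint16_t selector, uint32_t offset) {
    out[0] = 0x9A;
    put32(out + 1, offset);
    out[5] = (uint8_t)selector;
    out[6] = (uint8_t)(selector >> 8);
    return 7;
}

/* ADD/SUB EAX, imm. For -128..127 the shortest form is 83 /0 ib (ADD) or
 * 83 /5 ib (SUB): the CPU sign-extends the 8-bit immediate to 32 bits and then
 * performs a full 32-bit add/sub, so the carry/borrow runs through the whole
 * register. Larger constants need the 5-byte EAX forms 05 id / 2D id. */
size_t encode_alu_eax(uint8_t *out, int is_sub, int32_t imm) {
    if (imm >= -128 && imm <= 127) {
        out[0] = 0x83;
        out[1] = is_sub ? 0xE8 : 0xC0;   /* ModRM: mod=11, reg=/5 or /0, rm=EAX */
        out[2] = (uint8_t)(int8_t)imm;
        return 3;
    }
    out[0] = is_sub ? 0x2D : 0x05;
    put32(out + 1, (uint32_t)imm);
    return 5;
}

/* What the 83 /5 ib form computes: sign-extend imm8, then 32-bit subtract. */
uint32_t exec_sub_eax_imm8(uint32_t eax, uint8_t imm8) {
    return eax - (uint32_t)(int32_t)(int8_t)imm8;
}

/* MOV byte [EBP+disp8], BL: opcode 88 /r with ModRM mod=01, reg=BL(3), rm=EBP(5)
 * = 0x5D. Three bytes, no nulls for disp8 in 1..0x7F, and it stores one byte:
 * with BL == 0 this writes the terminator of a string of disp8 bytes at EBP. */
size_t encode_mov_ebp_disp8_bl(uint8_t *out, int8_t disp8) {
    out[0] = 0x88;
    out[1] = 0x5D;
    out[2] = (uint8_t)disp8;
    return 3;
}

static void dump(const char *name, const uint8_t *b, size_t n) {
    printf("%-28s", name);
    for (size_t i = 0; i < n; i++) printf(" %02X", b[i]);
    printf("%s\n", has_null(b, n) ? "   <-- contains NUL" : "");
}

int main(void) {
    uint8_t b[8];
    size_t n;

    n = encode_call_far(b, 0x1B, 0x74348712);   /* 0x1B: assumed user-mode CS */
    dump("call far 0x1B:0x74348712", b, n);

    n = encode_alu_eax(b, 1, 3);
    dump("sub eax, 3 (imm8 form)", b, n);
    printf("0xFFFFFF01 - 3 via imm8 form = 0x%08X\n", exec_sub_eax_imm8(0xFFFFFF01, 3));

    n = encode_alu_eax(b, 1, 0x200);
    dump("sub eax, 0x200 (imm32 form)", b, n);

    n = encode_mov_ebp_disp8_bl(b, 0x26);       /* terminator for a 0x26-byte string */
    dump("mov byte [ebp+0x26], bl", b, n);
    return 0;
}
```

Two caveats the dump makes visible: the far-call form is 7 bytes and carries the selector's high byte, so any selector below 0x100 puts a NUL in the shellcode, which is one reason shellcode normally loads an absolute address into a register and uses a 2-byte `call reg` instead; and the 5-byte imm32 forms acquire NULs as soon as the constant has a zero byte, whereas the 3-byte 83 /x ib forms stay null-free for any non-zero constant in -128..127 and still give the correct 32-bit result.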