Open martinclauss opened 4 years ago
Thanks for the bug report! Can you show the specific instructions that are assembled differently, in order to assist us? Also, what specific arm sub-architecture would you specify?
Hello!
Sorry for the delay!
It seems that the THUMB mode bytes are different:
That's what I want:
```
00000000 <_start>:
   0: e28f1001  add r1, pc, #1
   4: e12fff11  bx r1

00000008 <THUMB>:
   8: a002      add r0, pc, #8   ; (adr r0, 14 <TELNET>)
   a: 4049      eors r1, r1
   c: 4052      eors r2, r2
   e: 7442      strb r2, [r0, #17]
  10: 270b      movs r7, #11
  12: df01      svc 1

00000014 <TELNET>:
  14: 7273752f  .word 0x7273752f
  18: 6e69622f  .word 0x6e69622f
  1c: 6c65742f  .word 0x6c65742f
  20: 6474656e  .word 0x6474656e
  24: 5a        .byte 0x5a
  25: 00        .byte 0x00
  26: 46c0      nop              ; (mov r8, r8)
```
and that's what I get (with `.arch armv7-a` set):
```
00000000 <__start>:
   0: e28f1001  add r1, pc, #1
   4: e12fff11  bx r1

00000008 <THUMB>:
   8: a004      add r0, pc, #16  ; (adr r0, 1c <TELNET>)
   a: ea81 0101 eor.w r1, r1, r1
   e: ea82 0202 eor.w r2, r2, r2
  12: 7442      strb r2, [r0, #17]
  14: f04f 070b mov.w r7, #11
  18: df01      svc 1
  1a: bf00      nop

0000001c <TELNET>:
  1c: 7273752f  .word 0x7273752f
  20: 6e69622f  .word 0x6e69622f
  24: 6c65742f  .word 0x6c65742f
  28: 6474656e  .word 0x6474656e
  2c: 5a        .byte 0x5a
  2d: 00        .byte 0x00
  2e: bf00      nop
```
Interestingly, the "default" (i.e. not using a `.arch` directive) results in the bytes I want. The question is whether this would be a good default for most of the pwnlib users...?

Maybe it would be a good idea to add the sub-architecture as a configurable field to the `context`? The default could be empty, and if someone wants something more specific they can set it explicitly.
What do you think?
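To check a listing like the two above for exactly the differences this thread is about, here is an added example (not pwntools code and not from the thread's author) that parses objdump output, flags the 32-bit Thumb-2 encodings (the `.w` forms, recognisable from the top five bits of the first halfword) and reports which encodings contain a 0x00 byte. The sample listings are the `<THUMB>` sections copied from the comment above; the regex assumes objdump's usual `offset: hex-columns text` layout.

```python
import re

# Constructed sample input: the <THUMB> section of each objdump listing quoted above.
WITH_ARCH = """\
   8: a004      add r0, pc, #16
   a: ea81 0101 eor.w r1, r1, r1
   e: ea82 0202 eor.w r2, r2, r2
  12: 7442      strb r2, [r0, #17]
  14: f04f 070b mov.w r7, #11
  18: df01      svc 1
  1a: bf00      nop
"""
WITHOUT_ARCH = """\
   8: a002      add r0, pc, #8
   a: 4049      eors r1, r1
   c: 4052      eors r2, r2
   e: 7442      strb r2, [r0, #17]
  10: 270b      movs r7, #11
  12: df01      svc 1
"""

# offset, one or more objdump hex columns (8, 4 or 2 digits each), then the disassembly text
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+((?:(?:[0-9a-f]{8}|[0-9a-f]{4}|[0-9a-f]{2})\s+)+)(\S.*)$")

def is_thumb2(first_halfword):
    # A 32-bit Thumb-2 encoding is signalled by bits [15:11] of the first halfword being 0b11101, 0b11110 or 0b11111.
    return (first_halfword >> 11) in (0b11101, 0b11110, 0b11111)

def parse_listing(listing):
    """One dict per line: offset, mnemonic, encoded size, Thumb-2 flag and whether the encoding holds a 0x00 byte."""
    rows = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        offset, columns, text = m.groups()
        groups = columns.split()
        raw = b"".join(bytes.fromhex(g) for g in groups)  # hex columns as printed; byte order is irrelevant here
        mnemonic = text.split()[0]
        # Thumb lines print 4-digit halfwords; ARM lines print one 8-digit word; data lines start with '.'
        thumb2 = len(groups[0]) == 4 and not mnemonic.startswith(".") and is_thumb2(int(groups[0], 16))
        rows.append({"offset": int(offset, 16), "mnemonic": mnemonic, "size": len(raw),
                     "thumb2": thumb2, "has_null": b"\x00" in raw})
    return rows

def summarize(listing):
    rows = parse_listing(listing)
    return {"bytes": sum(r["size"] for r in rows),
            "thumb2_at": [r["offset"] for r in rows if r["thumb2"]],
            "nulls_at": [r["offset"] for r in rows if r["has_null"]]}
```

Run on the two samples it shows the `.arch armv7-a` version carrying three 32-bit encodings (at 0xa, 0xe and 0x14) plus a `bf00` padding `nop` that introduces a 0x00 byte, while the default version is all 16-bit and null-free in its code section.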
This report looks valid. I don't know why the long `eor.w` / `mov.w` instructions are introduced by the assembler; if it is the same, I think that the shorter `eors` / `movs` should be used. This is mostly a question for arm binutils maintainers, but choosing a sub-arch is an open issue here.
Hello!

I have the following shellcode:

In pwntools I assemble it with:

previously setting:

`asm.py` now generates the following file under `/tmp`:

In https://github.com/Gallopsled/pwntools/blob/dev/pwnlib/asm.py#L303 the construction of the assembly snippet is done. The line `.arch armv7-a` also will be added:

When I now `hexdump()` the compiled shellcode or display it with `xxd` it will look like this:

The actual machine code starts at `0110 8fe2 ...`

This shellcode will not work when thrown against a Raspberry Pi (for example). What's interesting... if I remove the line `.arch armv7-a` it will compile to a slightly different machine code:

This machine code is now working correctly against my target (and it's also NULL-byte free).

Long story short, is it absolutely necessary to keep the `.arch armv7-a` line? Or could this be made optional?

Thanks a lot for `pwntools`, it's an awesome tool! :)