Closed rbran closed 4 months ago
Are you interested in some nasty byte-codes, like this?
; nasm -g -f win32 strange_offset.s && x86_64-w64-mingw32-cc -g -no-pie -m32 -o strange_offset.exe strange_offset.obj ; nasm -g -f elf strange_offset.s && gcc -g -no-pie -m32 -o strange_offset strange_offset.o section .text global main extern printf extern exit main: mov EAX, 0x02eb11b0 cmp EAX, 0x02eb11b0 fake_jmp dw 0xfa74 push EAX push reveal_key call printf finish: ; exit the program push 0 call exit section .data reveal_key db 'The key is "%x"', 0
This will print
The key is "2eb1111"
👉 👈 could you build this for me and provide the pdb/map file? i dont have the mingw build system setup on my system. Would be very grateful :)
I assume this is overlapping instructions?
👉 👈 could you build this for me and provide the pdb/map file? i dont have the mingw build system setup on my system. Would be very grateful :)
I tried with "x86_64-w64-mingw32", but I could not link it to libc correctly, I don't have real windows development environment ready. Sorry
I assume this is overlapping instructions?
Yes, this is a variation of the polyglot technique. I know 3 variations of this:
This example
Executing the same Address in different cpu modes, eg: Thumb/ARM, 32/64bits, BE/LE.
Eg: manipulating how the IT
instruction in ARM Thumb2 mode modify subsequent instructions, so it's possible to jump inside the block skipping the IT
instruction and avoid the conditional being added to the instructions.
👉 👈 could you build this for me and provide the pdb/map file? i dont have the mingw build system setup on my system. Would be very grateful :)
I got some time to solve my problem with mingw, here the code and compilation:
.section .data
reveal_key:
.asciz "The key is \"%x\"\n"
.section .text
.globl entry
.extern printf
.extern exit
entry:
mov $0x02eb11b0, %EAX
cmp $0x02eb11b0, %EAX
fake_jmp: .short 0xfa74
push $0
mov %RAX, %RDX
mov $reveal_key, %ECX
call printf
mov $0, %ECX
call exit
Compiled with x86_64-w64-mingw32-gcc -no-pie -o strange_offset.exe strange_offset.s -nostdlib -lmsvcrt -Wl,--image-base -Wl,0x10000000 -Wl,--entry=entry -g
Here a "oneliner" to create this binary file:
echo "H4sICDas32UAA3N0cmFuZ2Vfb2Zmc2V0LmV4ZQDtWV9sFEUY/3a3xdLCcUVSSIhhqVQboscB/YeGpEAbISm0aY+EmpBh727ubrndvcvutrQ+EY0mJj4QE1+NJvhmIjE+gC8YnsUHX0xMjD4ZEn3wyQdMrPNv/84WEIQauC+5nZnf/Ga+75v5dmZu9vSbV0ADgC7yW1sDuA5cJuH+cpn8cnu+zsFXm2/vva7M3N5bapie3nZbddew9YrhOC1fL2PdXXJ009GnZhd0u1XFha1be/eJPuamAarv9cLY5z9j2AXQJtgf8BL0qerLoJLCJkHMi1/8qXK7qXQzMpFr3JnpD4D6pQDoEGsVZcJyIgtQ5H6tK2RgtjzA2EjNSL+77lFf8PGKT9ILgUHUna4kRyfVharhGyC80gVvU5JHTPymYHLiZQoUBa8ng+diq1URPk0KXq/EO35ghOdpVzAneFsyeAePsPwwCGcoL5fBO3yQ5XfQR1vw8hm8kVEIVDJnKG97Bm90nOUH6eOK4O3I4I1NsPwAfXwieAMyD54RuX6t/zf1KH34dy/Cyfdv3SBRlb/zAqm6Qevv9JHHlUjWhnp1CoSpkKC/dLkj/28pNbDexKs6WbcHh1YGe+/foiNPkwwXo7xf5PtUlpwT+IXig+GfaXjFJBvatq62azp+jYFF/rO95YrrF6qW9ej2d+QRJc+38e3rzHtHnm55BUCcnMXhMM9PYUMbZVBHnqjQ/2HdoLDJVxgSD4B+4Idj5fKGGNeRxy5KP+R39ivbt2m53bmh3PPdG21QR56ozAB9/3tgP0kVRfkrt5UmdCVQGLCHLQqqskfdprLY4AGyWQ3WCa1PWbx04Oji4iKpV5SN8aIjDyue7xpOHaNWreZhv+DBAd9uwxtnzurHFvRDhcNHNtrAjjxWYdMtBUFHnhUp1EwLA783/XsNoK7UjCaWeSWR0v8KGlAOumi36XURXfL5BTQSHFrSlGGQLqaJNEX6HOPskOqprIq0h3HozW/yIjy4KwehXVOGmFUJjrgnD21W+jN1vSvSXsYZyOR8JNJuxgku05NyVaSbGWdQqg9sLgY2Q/wmn49qoewlXj2CsFv8feOW8C9ERifTyMhwGhk7FyFC+8RDaW9L2k9K2ouS9gsRImKsAOvHWMMxbApFXtT8xpLT5B8lkl5MBl5knDYkv7I43MJDEPTM4lDL4sijGh954ddr9/DrP7Z5ZCK0uWc9zujc/TnjfsjpkzjY8d3gHVQgiPYv6CPPSxz5TnAi5CfgX2p4q+DmbyLRz++ilRYiPTF/ObJT/BWl3xE48qKStmdcHFIjzqzCLYyQBmulx5C3Ff4eR8jHkvZrEnJLQr6XkF+U9Phoatqe3Wq61asJBKGqZSG+jkatjgpOhMyr6fExJF2XSBKsABx5R01b+ClJ/ATnphrFIUe+VaPo5ciPkhe/SsifEtKjpfvZqaX92i8MifmuRSsAR05q0ddqjpxPcBDCThUFe1HAaWrxyKSyyrTnY/18GFsCOHJV471GnC8lzk3Jix8k5I5AuHZ+Mx7tBZxzV+O5qNVAV7qfAkGCtZcjr3dBak7PxzZLFewuur7g8lIdGeyQ5wVF06m1wqpy2cXLQckyHRzkydEwDrMyoWLDQk28+u/6CjvINojWIITmz54pnTo9jeYWps9OzaL56ZnZE2jm1EKJzCl5P8jqRZiG67MimirNzoe1DWxUiZby2Ah98s8MqIpryKBU3/JiLU/ZRh0fNzxM8gRqe+xDuGCIF7HSICZWfOyanm+SOtrOM9+iB2XKqzRRpWXbpp9R4WIPu8uY1djGxZaLvKWyt+r52EbL2PXMlsMdoCauWHGXGGJmIDyuESIbdbx2/QGbPjOVMI2MTztuMu+4Lalqh6ps0yGmt7yEzSYdOlQmY8d7xxWfVhmWWXdssnnw8T1WCnu595RmThgJKXogEBMedHQiPttsHIIabnhFKsdcSzZOzDkZHwLR7TzlhWmTsaCvazCLqaGgXkYqEsGYHPV4PHDb/FjDKDZQEKnhDDC1fMjjmq2WUcUuqllG3ZMcIo3DycuOO14nd0sdFvv2g0RW4Apfcv8BYcoD5U0kAAA=" | base64 -d | gzip -d -c > strange_offset.exe
Thank you! just pushed it. FYI we dont include overlapping instructions in our well behaved function descriptions. I.E we wont rewrite this function if we detect overlapping, but this is a good test for us to have anyways! Ill add it to our internal unit tests :)
Are you interested in some nasty byte-codes, like this?
This will print
The key is "2eb1111"