00000029 6F outsd
0000002A 2C20 sub al,0x20
0000002C 776F ja 0x9d
0000002E 726C jc 0x9c
00000030 64210A and [fs:edx],ecx
00000033 0D db 0x0D
reader@hacking:~/booksrc $
These remaining null bytes can be eliminated with an understanding of
register widths and addressing. Notice that the first jmp instruction is actually
jmp short . This means execution can only jump a maximum of approximately
128 bytes in either direction. The normal jmp instruction, as well as the call
instruction (which has no short version), allows for much longer jumps. The
difference between assembled machine code for the two jump varieties is
shown below:
EB 1E jmp short 0x20
versus
E9 1E 00 00 00 jmp 0x23
The EAX, EBX, ECX, EDX, ESI, EDI, EBP, and ESP registers are 32 bits
in width. The E stands for extended, because these were originally 16-bit
registers called AX, BX, CX, DX, SI, DI, BP, and SP. These original 16-bit versions
of the registers can still be used for accessing the first 16 bits of each
corresponding 32-bit register. Furthermore, the individual bytes of the AX, BX, CX,
and DX registers can be accessed as 8-bit registers called AL, AH, BL, BH, CL,
CH, DL, and DH, where L stands for low byte and H for high byte. Naturally,
assembly instructions using the smaller registers only need to specify operands
up to the register's bit width. The three variations of a mov instruction are
shown below.
Machine code      Assembly
B8 04 00 00 00    mov eax,0x4
66 B8 04 00       mov ax,0x4
B0 04             mov al,0x4
Using the AL, BL, CL, or DL register will put the correct least significant
byte into the corresponding extended register without creating any null bytes
in the machine code. However, the top three bytes of the register could still
contain anything. This is especially true for shellcode, since it will be taking
over another process. If we want the 32-bit register values to be correct, we
need to zero out the entire register before the mov instructions—but this, again,
must be done without using null bytes. Here are some more simple assembly
instructions for your arsenal. These first two are small instructions that
increment and decrement their operand by one.
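The following Python model is an added example, not code from the book or from its booksrc tree. It encodes the mov and jmp forms listed above straight from the x86 opcode tables, reports where null bytes land, and models what each mov width leaves behind in a register that already holds leftover data (the 0xDEADBEEF value is a constructed placeholder).

```python
import struct

# Register numbers from the x86 opcode tables (r32/r16 share one order, r8 has its own).
R32 = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esp": 4, "ebp": 5, "esi": 6, "edi": 7}
R16 = {"ax": 0, "cx": 1, "dx": 2, "bx": 3, "sp": 4, "bp": 5, "si": 6, "di": 7}
R8 = {"al": 0, "cl": 1, "dl": 2, "bl": 3, "ah": 4, "ch": 5, "dh": 6, "bh": 7}

def encode_mov_imm(reg, imm):
    """Machine code for 'mov reg, imm' at the register's own operand width."""
    if reg in R32:                       # B8+rd imm32
        return bytes([0xB8 + R32[reg]]) + struct.pack("<I", imm)
    if reg in R16:                       # 66 (operand-size prefix) B8+rw imm16
        return bytes([0x66, 0xB8 + R16[reg]]) + struct.pack("<H", imm)
    if reg in R8:                        # B0+rb imm8
        return bytes([0xB0 + R8[reg], imm & 0xFF])
    raise ValueError(reg)

def encode_jmp(at, target, force_near=False):
    """jmp located at 'at' to 'target': EB rel8 when it fits, otherwise E9 rel32."""
    disp = target - (at + 2)             # rel8 counts from the end of the 2-byte instruction
    if not force_near and -128 <= disp <= 127:
        return bytes([0xEB]) + struct.pack("<b", disp)
    disp = target - (at + 5)             # rel32 counts from the end of the 5-byte instruction
    return bytes([0xE9]) + struct.pack("<i", disp)

def find_nulls(code):
    """Offsets of 0x00 bytes; any hit truncates shellcode copied by a string function."""
    return [i for i, b in enumerate(code) if b == 0]

def apply_mov(eax, reg, imm):
    """Model mov into EAX/AX/AL when EAX already holds 'eax' (leftover data)."""
    if reg == "eax":
        return imm & 0xFFFFFFFF
    if reg == "ax":
        return (eax & 0xFFFF0000) | (imm & 0xFFFF)
    if reg == "al":
        return (eax & 0xFFFFFF00) | (imm & 0xFF)
    raise ValueError(reg)

if __name__ == "__main__":
    for reg in ("eax", "ax", "al"):
        code = encode_mov_imm(reg, 4)
        print(f"mov {reg},0x4 -> {code.hex(' ')}  nulls at {find_nulls(code)}  "
              f"EAX after (was 0xDEADBEEF): {apply_mov(0xDEADBEEF, reg, 4):#010x}")
    print("jmp short:", encode_jmp(0, 0x20).hex(" "),
          " jmp near:", encode_jmp(0, 0x23, True).hex(" "))
```

Running it shows the same bytes as the tables above: only the 8-bit mov and the short jmp are free of nulls, and only the 32-bit mov clears the upper bytes of EAX.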