comprises 80 percent of the code. Subtracting any value from itself also produces 0 and doesn't require any static data. This can be done with a single two-byte instruction:

29 C0    sub eax,eax

Using the sub instruction will work fine when zeroing registers at the beginning of shellcode. This instruction will modify processor flags, which are used for branching, however. For that reason, there is a preferred two-byte instruction that is used to zero registers in most shellcode. The xor instruction performs an exclusive or operation on the bits in a register. Since 1 xored with 1 results in a 0, and 0 xored with 0 results in a 0, any value xored with itself will result in 0. This is the same result as with any value subtracted from itself, but the xor instruction doesn't modify processor flags, so it's considered to be a cleaner method.
31 C0    xor eax,eax
You can safely use the sub instruction to zero registers (if done at the beginning of the shellcode), but the xor instruction is most commonly used in shellcode in the wild. This next revision of the shellcode makes use of the smaller registers and the xor instruction to avoid null bytes. The inc and dec instructions have also been used when possible to make for even smaller shellcode.
helloworld3.s

BITS 32             ; Tell nasm this is 32-bit code.

    jmp short one   ; Jump down to a call at the end.

two:
    ; ssize_t write(int fd, const void *buf, size_t count);
    pop ecx         ; Pop the return address (string ptr) into ecx.
    xor eax, eax    ; Zero out full 32 bits of eax register.
    mov al, 4       ; Write syscall #4 to the low byte of eax.
    xor ebx, ebx    ; Zero out ebx.
    inc ebx         ; Increment ebx to 1, STDOUT file descriptor.
    xor edx, edx    ; Zero out edx.
    mov dl, 15      ; Length of the string (13 chars + newline + carriage return).
    int 0x80        ; Do syscall: write(1, string, 15)

    ; void _exit(int status);
    mov al, 1       ; Exit syscall #1, the top 3 bytes are still zeroed.
    dec ebx         ; Decrement ebx back down to 0 for status = 0.
    int 0x80        ; Do syscall: exit(0)

one:
    call two        ; Call back upwards to avoid null bytes
    db "Hello, world!", 0x0a, 0x0d   ; with newline and carriage return bytes.
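The listing above makes two claims that are easy to check mechanically: zeroing a register with xor (or sub) avoids the 0x00 bytes that a mov with a 32-bit immediate carries, and calling backwards keeps the call's displacement free of null bytes. The following C program is an added example written for this page; it is not code from the book. Every machine-code byte in it was hand-assembled by the editor from the instructions shown on the page (an assumption you can confirm by assembling helloworld3.s with nasm -f bin and comparing the hex dump). It counts null bytes in each encoding, reports how far a C string routine such as strcpy() would copy before stopping at the first 0x00, and encodes a forward and a backward call rel32 to show why the jmp/call/pop layout points the call upwards.

```c
/*
 * Added example (editor's code, not from the book). It makes the page's two
 * null-byte arguments measurable: (1) which register-zeroing encodings
 * contain 0x00 bytes that a C string routine such as strcpy() would stop at,
 * and (2) why the jmp/call/pop layout in helloworld3.s calls backwards.
 * All machine-code bytes are hand-assembled by the editor from the
 * instructions on the page (assumption: they match `nasm -f bin` output).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Three ways to zero EAX; only the first carries null bytes. */
static const unsigned char MOV_EAX_0[]   = { 0xB8, 0x00, 0x00, 0x00, 0x00 }; /* mov eax, 0   */
static const unsigned char SUB_EAX_EAX[] = { 0x29, 0xC0 };                   /* sub eax, eax */
static const unsigned char XOR_EAX_EAX[] = { 0x31, 0xC0 };                   /* xor eax, eax */

/* helloworld3.s, hand-assembled (assumption, see header comment). */
static const unsigned char HELLOWORLD3[] = {
    0xEB, 0x13,                   /* jmp short one   (rel8 = +19)        */
    0x59,                         /* two: pop ecx                        */
    0x31, 0xC0,                   /* xor eax, eax                        */
    0xB0, 0x04,                   /* mov al, 4                           */
    0x31, 0xDB,                   /* xor ebx, ebx                        */
    0x43,                         /* inc ebx                             */
    0x31, 0xD2,                   /* xor edx, edx                        */
    0xB2, 0x0F,                   /* mov dl, 15                          */
    0xCD, 0x80,                   /* int 0x80                            */
    0xB0, 0x01,                   /* mov al, 1                           */
    0x4B,                         /* dec ebx                             */
    0xCD, 0x80,                   /* int 0x80                            */
    0xE8, 0xE8, 0xFF, 0xFF, 0xFF, /* one: call two   (rel32 = -24)       */
    'H', 'e', 'l', 'l', 'o', ',', ' ', 'w', 'o', 'r', 'l', 'd', '!',
    0x0A, 0x0D                    /* newline and carriage return         */
};

/* Number of 0x00 bytes in an encoded instruction sequence. */
size_t count_null_bytes(const unsigned char *code, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0x00)
            n++;
    return n;
}

/* Bytes a string routine such as strcpy() would copy before stopping at
 * the first 0x00; equals len when the sequence is null-free. */
size_t bytes_before_first_null(const unsigned char *code, size_t len)
{
    const unsigned char *p = memchr(code, 0x00, len);
    return p ? (size_t)(p - code) : len;
}

/* Encode `call rel32` (E8 + little-endian signed displacement) into out[5]
 * and return how many of its bytes are 0x00. A short forward call has a
 * small positive displacement whose upper bytes are zero; a backward call
 * of similar distance is negative and fills those bytes with 0xFF. */
size_t call_rel32_null_bytes(int32_t rel, unsigned char out[5])
{
    uint32_t u = (uint32_t)rel;
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (unsigned char)((u >> (8 * i)) & 0xFF);
    return count_null_bytes(out, 5);
}

/* Total size of the hand-assembled payload. */
size_t helloworld3_size(void) { return sizeof HELLOWORLD3; }

static void report(const char *name, const unsigned char *code, size_t len)
{
    printf("%-12s %2zu bytes, %zu null, strcpy would copy %zu\n", name, len,
           count_null_bytes(code, len), bytes_before_first_null(code, len));
}

int main(void)
{
    unsigned char call[5];

    report("mov eax,0", MOV_EAX_0, sizeof MOV_EAX_0);
    report("sub eax,eax", SUB_EAX_EAX, sizeof SUB_EAX_EAX);
    report("xor eax,eax", XOR_EAX_EAX, sizeof XOR_EAX_EAX);
    report("helloworld3", HELLOWORLD3, sizeof HELLOWORLD3);

    printf("call forward  +19: %zu null bytes\n", call_rel32_null_bytes(19, call));
    printf("call backward -24: %zu null bytes\n", call_rel32_null_bytes(-24, call));
    return 0;
}
```

The mov eax,0 encoding is five bytes, four of them 0x00, so a string copy would stop after the first byte; both two-byte zeroing forms are null-free, as is the whole 41-byte payload. The forward call carries three null bytes in its displacement while the backward call of similar distance carries none, which is the reason the listing jumps to the end and calls back up to the code.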