flat assembler
Message board for the users of flat assembler.

Index > Linux > Thanks to all

Goto page 1, 2, 3  Next
Author
Thread Post new topic Reply to topic
ProMiNick



Joined: 24 Mar 2012
Posts: 691
Location: Russian Federation, Sochi
ProMiNick 20 Jun 2022, 22:02
Thanks to all linux root of forum, atleast I found way how to make a working GUI ELF/ELF64 executable file from any OS environment with just only fasm without stage of creating *.o and without using of outer linker for it from target environment.
Tests for ideal skeletal of Linux GUI are still in progress (I tests only 2 models: with interpreter and linking symbols with/without GOT).Variants w/o interpreter but with imports - not found proper donor for investigation.
Thanks to Ferino (one of thour examples was appreciable prey for reversing & modificating) - so I understand what exactly linker does (what is needed from it & what is unneeded).
I will share results when they become final convinient instrument.
Maybe community shoul wait for 3 IDE for linux: fasmxw,fasmxwrm,freshxw...

_________________
I don`t like to refer by "you" to one person.
My soul requires acronim "thou" instead.
Post 20 Jun 2022, 22:02
View user's profile Send private message Send e-mail Reply with quote
ProMiNick



Joined: 24 Mar 2012
Posts: 691
Location: Russian Federation, Sochi
ProMiNick 21 Jun 2022, 18:44
Code:
format ELF64 executable at $400000

SYMBOL_TABLE_ENTRY64.size = $18
RELOC_TABLE_ENTRY64.size = $18
StrTabEntry equ -STRING_TABLE+
R_X86_64_JUMP_SLOT = 7
rva equ

DT_NULL         = 0
DT_NEEDED       = 1
DT_HASH         = 4
DT_STRTAB       = 5
DT_SYMTAB       = 6
DT_RELA         = 7
DT_RELASZ       = 8
DT_RELENT       = 9
DT_STRSZ        = 10
DT_SYMENT       = 11

xdisp.default_screen    = $E0
xdisp.screens           = $E8
scr.white_pixel         = $58
scr.black_pixel         = $60
scr.root                = $10
gcval.foreground        = $10
gcval.background        = $18
xae.type                = 0
xee.count               = $38
xkpe.keycode            = $54
bitmap_x                = 64
bitmap_y                = 54
win_width       =       150
win_height      =       100

GCBackground = 8
GCForeground = 4
KeyPressMask = 1
ExposureMask = $8000
Expose = 12
KeyPress = 2
XK_Escape = $FF1B
STDOUT                  =       1
sys_write               = 1
sys_exit                = $3C

segment interpreter readable
        db '/lib64/ld-linux-x86-64.so.2',0

segment dynamic readable
DYNAMIC_TABLE:
        dq DT_NEEDED,StrTabEntry(str@libX11.so.6)
        dq DT_NEEDED,StrTabEntry(str@libc.so.6)
        dq DT_HASH,rva HASH_TABLE
        dq DT_STRTAB,rva STRING_TABLE
        dq DT_SYMTAB,rva SYMBOL_TABLE
        dq DT_RELA,rva RELOC_TABLE
        dq DT_RELASZ,relasz
        dq DT_RELENT,RELOC_TABLE_ENTRY64.size
        dq DT_STRSZ,strsz
        dq DT_SYMENT,SYMBOL_TABLE_ENTRY64.size
        dq DT_NULL,0

align $20
HASH_TABLE:
        .n_bucket       dd 17
        .n_chain        dd 25
        .bucket         dd  2, 17, 18, 21,  6,  0,  0,  1
                        dd 14, 16, 23, 13,  0, 19, 22, 24
                        dd  0
        .chain          dd  0,  0,  0,  0,  0,  0,  5,  0
                        dd  4,  0,  0,  0,  8,  9,  7, 12
                        dd 11,  0,  0,  3, 10,  0, 15, 20
                        dd  0
SYMBOL_TABLE:
        dd 0,0,0,0,0,0
        dd StrTabEntry(str@LibcStartMain),$20,0,0,0,0
        dd StrTabEntry(str@XCopyPlane),$12,0,0,$175,0
        dd StrTabEntry(str@XSync),$12,0,0,$11B,0
        dd StrTabEntry(str@XMapWindow),$12,0,0,$B9,0
        dd StrTabEntry(str@_DYNAMIC),$11 + $FFF1 shl 16,rva DYNAMIC_TABLE,0,0,0
        dd StrTabEntry(str@XCloseDisplay),$12,0,0,$D7,0
        dd StrTabEntry(str@getenv),$12,0,0,$DD,0
        dd StrTabEntry(str@XCreateSimpleWindow),$12,0,0,$158,0
        dd StrTabEntry(str@XFreeGC),$12,0,0,$F9,0
        dd StrTabEntry(str@XReadBitmapFile),$12,0,0,$A3,0
        dd StrTabEntry(str@_init),$20,0,0,0,0
        dd StrTabEntry(str@XKeycodeToKeysym),$12,0,0,$254,0
        dd StrTabEntry(str@__bss_start),$20,0,0,0,0
        dd StrTabEntry(str@_fini),$20,0,0,0,0
        dd StrTabEntry(str@XFlush),$12,0,0,$53,0
        dd StrTabEntry(str@XNextEvent),$12,0,0,$AB,0
        dd StrTabEntry(str@_edata),$20,0,0,0,0
        dd StrTabEntry(str@_GLOBAL_OFFSET_TABLE_),$20,0,0,0,0
        dd StrTabEntry(str@_end),$20,0,0,0,0
        dd StrTabEntry(str@XSelectInput),$12,0,0,$FB,0
        dd StrTabEntry(str@_Jv_RegisterClasses),$20,0,0,0,0
        dd StrTabEntry(str@XCreateGC),$12,0,0,$267,0
        dd StrTabEntry(str@XOpenDisplay),$12,0,0,$1062,0
        dd StrTabEntry(str@__gmon_start__),$20,0,0,0,0

STRING_TABLE:                   db 0
str@libX11.so.6                 db 'libX11.so.6',0
str@XCopyPlane                  db 'XCopyPlane',0
str@XSync                       db 'XSync',0
str@XMapWindow                  db 'XMapWindow',0
str@_DYNAMIC                    db '_DYNAMIC',0
str@XCloseDisplay               db 'XCloseDisplay',0
str@XCreateSimpleWindow         db 'XCreateSimpleWindow',0
str@XFreeGC                     db 'XFreeGC',0
str@XReadBitmapFile             db 'XReadBitmapFile',0
str@_init                       db '_init',0
str@XKeycodeToKeysym            db 'XKeycodeToKeysym',0
str@_fini                       db '_fini',0
str@XFlush                      db 'XFlush',0
str@XNextEvent                  db 'XNextEvent',0
str@_GLOBAL_OFFSET_TABLE_       db '_GLOBAL_OFFSET_TABLE_',0
str@XSelectInput                db 'XSelectInput',0
str@_Jv_RegisterClasses         db '_Jv_RegisterClasses',0
str@XCreateGC                   db 'XCreateGC',0
str@XOpenDisplay                db 'XOpenDisplay',0
str@__gmon_start__              db '__gmon_start__',0
str@libc.so.6                   db 'libc.so.6',0
str@getenv                      db 'getenv',0
str@LibcStartMain               db '__libc_start_main',0
str@_edata                      db '_edata',0
str@__bss_start                 db '__bss_start',0
str@_end                        db '_end',0
strsz = $-STRING_TABLE

align $8

RELOC_TABLE:
        dq XCopyPlane,          R_X86_64_JUMP_SLOT+ 2 shl 32, 0
        dq XSync,               R_X86_64_JUMP_SLOT+ 3 shl 32, 0
        dq XMapWindow,          R_X86_64_JUMP_SLOT+ 4 shl 32, 0
        dq XCloseDisplay,       R_X86_64_JUMP_SLOT+ 6 shl 32, 0
        dq getenv,              R_X86_64_JUMP_SLOT+ 7 shl 32, 0
        dq XCreateSimpleWindow, R_X86_64_JUMP_SLOT+ 8 shl 32, 0
        dq XFreeGC,             R_X86_64_JUMP_SLOT+ 9 shl 32, 0
        dq XReadBitmapFile,     R_X86_64_JUMP_SLOT+ 10 shl 32, 0
        dq XKeycodeToKeysym,    R_X86_64_JUMP_SLOT+ 12 shl 32, 0
        dq XNextEvent,          R_X86_64_JUMP_SLOT+ 16 shl 32, 0
        dq XSelectInput,        R_X86_64_JUMP_SLOT+ 20 shl 32, 0
        dq XCreateGC,           R_X86_64_JUMP_SLOT+ 22 shl 32, 0
        dq XOpenDisplay,        R_X86_64_JUMP_SLOT+ 23 shl 32, 0
        relasz = $-RELOC_TABLE

segment readable writeable executable

entry $
        lea     rdi,[display_name]
        call    [getenv]
        lea     r11,[msg00]
        or      rax,rax
        jz      error_exit

        lea     rdi,[rax]
        call    [XOpenDisplay]
        lea     r11,[msg01]
        or      rax,rax
        jz      error_exit
        mov     qword [disp],rax
        mov     edx,dword [rax + xdisp.default_screen]  ; XDisplay.default_screen
        mov     rsi,qword [rax + xdisp.screens]
        lea     rdi,[rsi + rdx*8]
        mov     qword [screen],rsi
        mov     rcx,qword [rdi + scr.white_pixel]
        mov     rdx,qword [rdi + scr.black_pixel]
        mov     qword [rsp+8*2],rcx
        mov     qword [rsp+8*1],rdx
        mov     qword [rsp+8*0],4
        mov     r9d,win_height
        mov     r8d,win_width
        xor     ecx,ecx
        xor     edx,edx
        mov     rsi,qword [rdi + scr.root]
        mov     qword [root],rsi
        mov     rdi,qword [disp]
        call    [XCreateSimpleWindow]
        mov     qword [win],rax 

        mov     rsi,qword [win]
        mov     rdi,qword [disp]
        call    [XMapWindow]
        xor     esi,esi
        mov     rdi,qword [disp]
        call    [XSync]
        mov     rsi,qword [screen]
        lea     rcx,[values]
        mov     r9,qword [rsi + scr.black_pixel]
        mov     r8,qword [rsi + scr.white_pixel]
        mov     qword [rcx + gcval.foreground],r9
        mov     qword [rcx + gcval.background],r8
        mov     edx,GCBackground or GCForeground        ; valuemask
        mov     rsi,qword [win]
        mov     rdi,qword [disp]
        call    [XCreateGC]
        mov     qword [our_gc],rax
        xor     esi,esi
        mov     rdi,qword [disp]
        call    [XSync]
        lea     rcx,[bitmap_y_hot]
        lea     rdx,[bitmap_x_hot]
        mov     qword [rsp+8*1],rcx
        mov     qword [rsp+8*0],rdx
        lea     r9,[bitmap]
        lea     r8,[bitmap_height]
        lea     rcx,[bitmap_width]
        lea     rdx,[bitmap_FileName]
        mov     rsi,qword [root]
        mov     rdi,qword [disp]
        call    [XReadBitmapFile]
        lea     r11,[msg02]
        or      rax,rax
        jnz     error_exit

        call    CopyPlane_proc

        mov     edx,KeyPressMask or ExposureMask
        mov     rsi,qword [win]
        mov     rdi,qword [disp]
        call    [XSelectInput]

event_loop:
        lea     rsi,[event]
        mov     rdi,qword [disp]
        call    [XNextEvent]
        lea     rax,[event]
        mov     ecx,dword [rax + xae.type]
        cmp     ecx,Expose
        jz      ExposeEvent_proc
        cmp     ecx,KeyPress
        jz      KeyPress_proc
        jmp     event_loop

ExposeEvent_proc:
        cmp     dword [rax + xee.count],0
        jnz     event_loop

        call    CopyPlane_proc
        jmp     event_loop

KeyPress_proc:
        xor     edx,edx
        mov     esi,dword [rax + xkpe.keycode]
        mov     rdi,qword [disp]
        call    [XKeycodeToKeysym]

        cmp     eax,XK_Escape
        jnz     event_loop

        mov     rsi,qword [our_gc]
        mov     rdi,qword [disp]
        call    [XFreeGC]

        mov     rdi,qword [disp]
        call    [XCloseDisplay]

exit0:  xor     edi,edi
exit:   mov     eax,sys_exit
        syscall

error_exit:
        lea     rax,[r11]
        call    wzts_std

        mov     edi,1
        jmp     exit

align 8
CopyPlane_proc:
        sub     rsp,8*6
        mov     qword [rsp+8*4],1
        mov     qword [rsp+8*3],(win_height - bitmap_y) / 2
        mov     qword [rsp+8*2],(win_width - bitmap_x) / 2
        mov     rcx,qword [bitmap_height]
        mov     rdx,qword [bitmap_width]
        mov     qword [rsp+8*1],rcx
        mov     qword [rsp+8*0],rdx
        xor     r9,r9
        xor     r8,r8
        mov     rcx,qword [our_gc]
        mov     rdx,qword [win]
        mov     rsi,qword [bitmap]
        mov     rdi,qword [disp]
        call    [XCopyPlane]
        add     rsp,8*6
        ret

wzts_std:
        stc                     ; assume we fail
        pushf
        push    rax
        push    rcx
        push    rdx
        push    rsi
        push    rdi
        lea     rdi,[rax]       ; get string address
        lea     rsi,[rax]
        or      ecx,-1          ; ecx=-1
        xor     eax,eax
        lea     edx,[ecx-1]     ; edx=-2
        cld
        repnz scasb
        sub     edx,ecx         ; string size
        jz      wzts_std_done
        mov     edi,STDOUT
        mov     eax,sys_write
        syscall
wzts_std_done:
        or      rax,rax         ; check if rax<0 (error)
        setns   al              ; make AL=1 if syscall success, else AL=0
        xor     byte [rsp+8*5],al
        pop     rdi
        pop     rsi
        pop     rdx
        pop     rcx
        pop     rax
        popf

        ret

segment readable writeable
display_name    db      'DISPLAY',0
msg00           db      "There isn't 'DISPLAY' variable in environment!",0Ah,0
msg01           db      "Can't connect to X Server!",0Ah,0
msg02           db      "Something went wrong, check the bitmap file!",0Ah,0
bitmap_FileName db      'escherknot.xbm',0
align 8
disp            dq ?
screen          dq ?
root            dq ?
win             dq ?
our_gc          dq ?,?
bitmap          dq ?
bitmap_width    dq ?
bitmap_height   dq ?
bitmap_x_hot    dd ?,?
bitmap_y_hot    dd ?,?
                dq ?
event           rb $C0 ; [EDIT]corrected - was 28
values          rq 16  ; [EDIT]corrected - was 17
virtual
..extern: ; autocreate hidden segment
        XCopyPlane              dq ?
        XSync                   dq ?
        XMapWindow              dq ?
        XCloseDisplay           dq ?
        getenv                  dq ?
        XCreateSimpleWindow     dq ?
        XFreeGC                 dq ?
        XReadBitmapFile         dq ?
        XKeycodeToKeysym        dq ?
        XNextEvent              dq ?
        XSelectInput            dq ?
        XCreateGC               dq ?
        XOpenDisplay            dq ?
        ; we not needed the rest
        ; but it present in that hidden segment
        ; in order they present in symbol table
        ;__libc_start_main       dq ?
        ;_init                   dq ?
        ;__bss_start             dq ?
        ;_fini                   dq ?
        ;_edata                  dq ?
        ;_GLOBAL_OFFSET_TABLE_   dq ?
        ;_end                    dq ?
        ;_Jv_RegisterClasses     dq ?
        ;__gmon_start__          dq ?
end virtual    


requires in the same folder file escherknot.xbm from Ferino`s "_LinuxAMD64Example\x_windows\05_bitmap"

What we could see from this?
Exports in ELF are in virtual segment just after the last segment memory end
From another example I know how calculated hashes & HASH_TABLE.chain & HASH_TABLE.bucket, but choice of HASH_TABLE.n_bucket value is still mystery

to be continued...


Description: how it looks like in linux
Filesize: 5.84 KB
Viewed: 2171 Time(s)

how it look.jpg


Description: escherknot.xbm from Ferino`s "_LinuxAMD64Example\x_windows\05_bitmap"
Download
Filename: escherknot.zip
Filesize: 810 Bytes
Downloaded: 69 Time(s)


_________________
I don`t like to refer by "you" to one person.
My soul requires acronim "thou" instead.


Last edited by ProMiNick on 23 Jun 2022, 14:35; edited 2 times in total
Post 21 Jun 2022, 18:44
View user's profile Send private message Send e-mail Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 18948
Location: In your JS exploiting you and your system
revolution 21 Jun 2022, 18:52
You don't need a hash table. You can include the strings and the loader will search by text match instead.

It is "slower" without a hash table. That may or may not make a difference that is noticeable. If you have many thousand of imports then perhaps there is a perceivable difference?
Post 21 Jun 2022, 18:52
View user's profile Send private message Visit poster's website Reply with quote
ProMiNick



Joined: 24 Mar 2012
Posts: 691
Location: Russian Federation, Sochi
ProMiNick 21 Jun 2022, 19:29
Code:
format ELF64 executable at $400000

SYMBOL_TABLE_ENTRY64.size = $18
RELOC_TABLE_ENTRY64.size = $18
StrTabEntry equ -STRING_TABLE+
R_X86_64_JUMP_SLOT = 7


DT_NULL         = 0
DT_NEEDED       = 1
DT_HASH         = 4
DT_STRTAB       = 5
DT_SYMTAB       = 6
DT_RELA         = 7
DT_RELASZ       = 8
DT_RELENT       = 9
DT_STRSZ        = 10
DT_SYMENT       = 11

xdisp.default_screen    = $E0
xdisp.screens           = $E8
scr.white_pixel         = $58
scr.black_pixel         = $60
scr.root                = $10
gcval.foreground        = $10
gcval.background        = $18
xae.type                = 0
xee.count               = $38
xkpe.keycode            = $54
bitmap_x                = 64
bitmap_y                = 54
win_width       =       150
win_height      =       100

GCBackground = 8
GCForeground = 4
KeyPressMask = 1
ExposureMask = $8000
Expose = 12
KeyPress = 2
XK_Escape = $FF1B
STDOUT                  =       1
sys_write               = 1
sys_exit                = $3C

segment interpreter readable
        db '/lib64/ld-linux-x86-64.so.2',0

segment dynamic readable
DYNAMIC_TABLE:
        dq DT_NEEDED,StrTabEntry(str@libX11.so.6)
        dq DT_NEEDED,StrTabEntry(str@libc.so.6)
        dq DT_STRTAB, STRING_TABLE
        dq DT_SYMTAB, SYMBOL_TABLE
        dq DT_RELA, RELOC_TABLE
        dq DT_RELASZ,relasz
        dq DT_RELENT,RELOC_TABLE_ENTRY64.size
        dq DT_STRSZ,strsz
        dq DT_SYMENT,SYMBOL_TABLE_ENTRY64.size
        dq DT_NULL,0

align $20
SYMBOL_TABLE:
        dd 0,0,0,0,0,0
        dd StrTabEntry(str@XCopyPlane),$12,0,0,$175,0
        dd StrTabEntry(str@XSync),$12,0,0,$11B,0
        dd StrTabEntry(str@XMapWindow),$12,0,0,$B9,0
        dd StrTabEntry(str@XCloseDisplay),$12,0,0,$D7,0
        dd StrTabEntry(str@getenv),$12,0,0,$DD,0
        dd StrTabEntry(str@XCreateSimpleWindow),$12,0,0,$158,0
        dd StrTabEntry(str@XFreeGC),$12,0,0,$F9,0
        dd StrTabEntry(str@XReadBitmapFile),$12,0,0,$A3,0
        dd StrTabEntry(str@XKeycodeToKeysym),$12,0,0,$254,0
        dd StrTabEntry(str@XFlush),$12,0,0,$53,0
        dd StrTabEntry(str@XNextEvent),$12,0,0,$AB,0
        dd StrTabEntry(str@XSelectInput),$12,0,0,$FB,0
        dd StrTabEntry(str@XCreateGC),$12,0,0,$267,0
        dd StrTabEntry(str@XOpenDisplay),$12,0,0,$1062,0

STRING_TABLE:                   db 0
str@libX11.so.6                 db 'libX11.so.6',0
str@XCopyPlane                  db 'XCopyPlane',0
str@XSync                       db 'XSync',0
str@XMapWindow                  db 'XMapWindow',0
str@XCloseDisplay               db 'XCloseDisplay',0
str@XCreateSimpleWindow         db 'XCreateSimpleWindow',0
str@XFreeGC                     db 'XFreeGC',0
str@XReadBitmapFile             db 'XReadBitmapFile',0
str@XKeycodeToKeysym            db 'XKeycodeToKeysym',0
str@XFlush                      db 'XFlush',0
str@XNextEvent                  db 'XNextEvent',0
str@XSelectInput                db 'XSelectInput',0
str@XCreateGC                   db 'XCreateGC',0
str@XOpenDisplay                db 'XOpenDisplay',0
str@libc.so.6                   db 'libc.so.6',0
str@getenv                      db 'getenv',0
strsz = $-STRING_TABLE

align $8

RELOC_TABLE:
        dq XCopyPlane,          R_X86_64_JUMP_SLOT+ 1 shl 32, 0
        dq XSync,               R_X86_64_JUMP_SLOT+ 2 shl 32, 0
        dq XMapWindow,          R_X86_64_JUMP_SLOT+ 3 shl 32, 0
        dq XCloseDisplay,       R_X86_64_JUMP_SLOT+ 4 shl 32, 0
        dq getenv,              R_X86_64_JUMP_SLOT+ 5 shl 32, 0
        dq XCreateSimpleWindow, R_X86_64_JUMP_SLOT+ 6 shl 32, 0
        dq XFreeGC,             R_X86_64_JUMP_SLOT+ 7 shl 32, 0
        dq XReadBitmapFile,     R_X86_64_JUMP_SLOT+ 8 shl 32, 0
        dq XKeycodeToKeysym,    R_X86_64_JUMP_SLOT+ 9 shl 32, 0
        dq XFlush,              R_X86_64_JUMP_SLOT+ 10 shl 32, 0
        dq XNextEvent,          R_X86_64_JUMP_SLOT+ 11 shl 32, 0
        dq XSelectInput,        R_X86_64_JUMP_SLOT+ 12 shl 32, 0
        dq XCreateGC,           R_X86_64_JUMP_SLOT+ 13 shl 32, 0
        dq XOpenDisplay,        R_X86_64_JUMP_SLOT+ 14 shl 32, 0
        relasz = $-RELOC_TABLE

segment readable writeable executable

entry $
        lea     rdi,[display_name]
        call    [getenv]
        lea     r11,[msg00]
        or      rax,rax
        jz      error_exit

        lea     rdi,[rax]
        call    [XOpenDisplay]
        lea     r11,[msg01]
        or      rax,rax
        jz      error_exit
        mov     qword [disp],rax
        mov     edx,dword [rax + xdisp.default_screen]  ; XDisplay.default_screen
        mov     rsi,qword [rax + xdisp.screens]
        lea     rdi,[rsi + rdx*8]
        mov     qword [screen],rsi
        mov     rcx,qword [rdi + scr.white_pixel]
        mov     rdx,qword [rdi + scr.black_pixel]
        mov     qword [rsp+8*2],rcx
        mov     qword [rsp+8*1],rdx
        mov     qword [rsp+8*0],4
        mov     r9d,win_height
        mov     r8d,win_width
        xor     ecx,ecx
        xor     edx,edx
        mov     rsi,qword [rdi + scr.root]
        mov     qword [root],rsi
        mov     rdi,qword [disp]
        call    [XCreateSimpleWindow]
        mov     qword [win],rax 

        mov     rsi,qword [win]
        mov     rdi,qword [disp]
        call    [XMapWindow]
        xor     esi,esi
        mov     rdi,qword [disp]
        call    [XSync]
        mov     rsi,qword [screen]
        lea     rcx,[values]
        mov     r9,qword [rsi + scr.black_pixel]
        mov     r8,qword [rsi + scr.white_pixel]
        mov     qword [rcx + gcval.foreground],r9
        mov     qword [rcx + gcval.background],r8
        mov     edx,GCBackground or GCForeground        ; valuemask
        mov     rsi,qword [win]
        mov     rdi,qword [disp]
        call    [XCreateGC]
        mov     qword [our_gc],rax
        xor     esi,esi
        mov     rdi,qword [disp]
        call    [XSync]
        lea     rcx,[bitmap_y_hot]
        lea     rdx,[bitmap_x_hot]
        mov     qword [rsp+8*1],rcx
        mov     qword [rsp+8*0],rdx
        lea     r9,[bitmap]
        lea     r8,[bitmap_height]
        lea     rcx,[bitmap_width]
        lea     rdx,[bitmap_FileName]
        mov     rsi,qword [root]
        mov     rdi,qword [disp]
        call    [XReadBitmapFile]
        lea     r11,[msg02]
        or      rax,rax
        jnz     error_exit

        call    CopyPlane_proc

        mov     edx,KeyPressMask or ExposureMask
        mov     rsi,qword [win]
        mov     rdi,qword [disp]
        call    [XSelectInput]

event_loop:
        lea     rsi,[event]
        mov     rdi,qword [disp]
        call    [XNextEvent]
        lea     rax,[event]
        mov     ecx,dword [rax + xae.type]
        cmp     ecx,Expose
        jz      ExposeEvent_proc
        cmp     ecx,KeyPress
        jz      KeyPress_proc
        jmp     event_loop

ExposeEvent_proc:
        cmp     dword [rax + xee.count],0
        jnz     event_loop

        call    CopyPlane_proc
        jmp     event_loop

KeyPress_proc:
        xor     edx,edx
        mov     esi,dword [rax + xkpe.keycode]
        mov     rdi,qword [disp]
        call    [XKeycodeToKeysym]

        cmp     eax,XK_Escape
        jnz     event_loop

        mov     rsi,qword [our_gc]
        mov     rdi,qword [disp]
        call    [XFreeGC]

        mov     rdi,qword [disp]
        call    [XCloseDisplay]

exit0:  xor     edi,edi
exit:   mov     eax,sys_exit
        syscall

error_exit:
        lea     rax,[r11]
        call    wzts_std

        mov     edi,1
        jmp     exit

align 8
CopyPlane_proc:
        sub     rsp,8*6
        mov     qword [rsp+8*4],1
        mov     qword [rsp+8*3],(win_height - bitmap_y) / 2
        mov     qword [rsp+8*2],(win_width - bitmap_x) / 2
        mov     rcx,qword [bitmap_height]
        mov     rdx,qword [bitmap_width]
        mov     qword [rsp+8*1],rcx
        mov     qword [rsp+8*0],rdx
        xor     r9,r9
        xor     r8,r8
        mov     rcx,qword [our_gc]
        mov     rdx,qword [win]
        mov     rsi,qword [bitmap]
        mov     rdi,qword [disp]
        call    [XCopyPlane]
        add     rsp,8*6
        ret

wzts_std:
        stc                     ; assume we fail
        pushf
        push    rax
        push    rcx
        push    rdx
        push    rsi
        push    rdi
        lea     rdi,[rax]       ; get string address
        lea     rsi,[rax]
        or      ecx,-1          ; ecx=-1
        xor     eax,eax
        lea     edx,[ecx-1]     ; edx=-2
        cld
        repnz scasb
        sub     edx,ecx         ; string size
        jz      wzts_std_done
        mov     edi,STDOUT
        mov     eax,sys_write
        syscall
wzts_std_done:
        or      rax,rax         ; check if rax<0 (error)
        setns   al              ; make AL=1 if syscall success, else AL=0
        xor     byte [rsp+8*5],al
        pop     rdi
        pop     rsi
        pop     rdx
        pop     rcx
        pop     rax
        popf

        ret

segment readable writeable
display_name    db      'DISPLAY',0
msg00           db      "There isn't 'DISPLAY' variable in environment!",0Ah,0
msg01           db      "Can't connect to X Server!",0Ah,0
msg02           db      "Something went wrong, check the bitmap file!",0Ah,0
bitmap_FileName db      'escherknot.xbm',0
align 8
disp            dq ?
screen          dq ?
root            dq ?
win             dq ?
our_gc          dq ?,?
bitmap          dq ?
bitmap_width    dq ?
bitmap_height   dq ?
bitmap_x_hot    dd ?,?
bitmap_y_hot    dd ?,?
                dq ?
event           rb $C0
values          rq $16
virtual
..extern: ; autocreate hidden segment
        XCopyPlane              dq ?
        XSync                   dq ?
        XMapWindow              dq ?
        XCloseDisplay           dq ?
        getenv                  dq ?
        XCreateSimpleWindow     dq ?
        XFreeGC                 dq ?
        XReadBitmapFile         dq ?
        XKeycodeToKeysym        dq ?
        XFlush                  dq ?
        XNextEvent              dq ?
        XSelectInput            dq ?
        XCreateGC               dq ?
        XOpenDisplay            dq ?
end virtual    


well ELF GUI executable skeletal is done. (someone(or I) could make minimal GUI ELF executable).
As I understand getenv can be realized directly in assembly (I dislike presence of libc in imports, C is for C, not for assembly).
And, revolution, linuxers dislike interpreter or not? should interpreter be replaced by segment where will be realized loading & linking of imported libraries?


Last edited by ProMiNick on 23 Jun 2022, 14:35; edited 3 times in total
Post 21 Jun 2022, 19:29
View user's profile Send private message Send e-mail Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 18948
Location: In your JS exploiting you and your system
revolution 21 Jun 2022, 19:40
The interpreter is very useful IMO. Otherwise if you don't ask for the interpreter then you have to do all the linking manually in your code. It would be awful. But you could do it.

Also, if you don't include libc then that is fine. All you need to do is write the syscalls instead. And perhaps your own version of printf and whatnot. That is also doable. And much less awful than doing import linking manually.

For getenv specifically, the environment is delivered to the app from the loader on the stack immediately above the arguments. So that is very easy to get in assembly.
Post 21 Jun 2022, 19:40
View user's profile Send private message Visit poster's website Reply with quote
ProMiNick



Joined: 24 Mar 2012
Posts: 691
Location: Russian Federation, Sochi
ProMiNick 21 Jun 2022, 21:50
pretendent to be minimal linux64 GUI executable file - 972 bytes
Code:
format ELF64 executable at $400000

SYMBOL_TABLE_ENTRY64.size = $18
RELOC_TABLE_ENTRY64.size = $18
StrTabEntry equ -STRING_TABLE+
R_X86_64_JUMP_SLOT = 7


DT_NULL         = 0
DT_NEEDED       = 1
DT_HASH         = 4
DT_STRTAB       = 5
DT_SYMTAB       = 6
DT_RELA         = 7
DT_RELASZ       = 8
DT_RELENT       = 9
DT_STRSZ        = 10
DT_SYMENT       = 11

xdisp.default_screen    = $E0
xdisp.screens           = $E8
scr.white_pixel         = $58
scr.black_pixel         = $60
scr.root                = $10
win_width       =       150
win_height      =       100

sys_exit                = $3C

segment interpreter readable
        db '/lib64/ld-linux-x86-64.so.2',0

segment dynamic readable
DYNAMIC_TABLE:
        dq DT_NEEDED,StrTabEntry(str@libX11.so.6)
        dq DT_STRTAB,STRING_TABLE
        dq DT_SYMTAB,SYMBOL_TABLE
        dq DT_RELA,RELOC_TABLE
        dq DT_RELASZ,relasz
        dq DT_RELENT,RELOC_TABLE_ENTRY64.size
        dq DT_STRSZ,strsz
        dq DT_SYMENT,SYMBOL_TABLE_ENTRY64.size
        dq DT_NULL,0

SYMBOL_TABLE:
        dd 0,0,0,0,0,0
        dd StrTabEntry(str@XMapRaised),$12,0,0,$B9,0
        dd StrTabEntry(str@XCreateSimpleWindow),$12,0,0,$158,0
        dd StrTabEntry(str@XNextEvent),$12,0,0,$AB,0
        dd StrTabEntry(str@XSelectInput),$12,0,0,$FB,0
        dd StrTabEntry(str@XOpenDisplay),$12,0,0,$1062,0

STRING_TABLE:                   db 0
str@libX11.so.6                 db 'libX11.so.6',0
str@XMapRaised                  db 'XMapRaised',0
str@XCreateSimpleWindow         db 'XCreateSimpleWindow',0
str@XNextEvent                  db 'XNextEvent',0
str@XSelectInput                db 'XSelectInput',0
str@XOpenDisplay                db 'XOpenDisplay',0
strsz = $-STRING_TABLE

align $8

RELOC_TABLE:
        dq XMapRaised,          R_X86_64_JUMP_SLOT+ 1 shl 32, 0
        dq XCreateSimpleWindow, R_X86_64_JUMP_SLOT+ 2 shl 32, 0
        dq XNextEvent,          R_X86_64_JUMP_SLOT+ 3 shl 32, 0
        dq XSelectInput,        R_X86_64_JUMP_SLOT+ 4 shl 32, 0
        dq XOpenDisplay,        R_X86_64_JUMP_SLOT+ 5 shl 32, 0
        relasz = $-RELOC_TABLE

segment readable writeable executable

entry $
        xor     edi,edi
        call    [XOpenDisplay]
        or      rax,rax
        jz      error_exit
        mov     qword [disp],rax
        xchg    rdi,rax
        mov     eax,dword [rdi + xdisp.default_screen]  ; XDisplay.default_screen
        shl     eax,3
        add     rax,qword [rdi + xdisp.screens]
        push    qword [rax + scr.white_pixel]
        push    qword [rax + scr.black_pixel]
        push    4
        mov     r9d,win_height
        mov     r8d,win_width
        xor     ecx,ecx
        xor     edx,edx
        mov     rsi,qword [rax + scr.root]
        call    [XCreateSimpleWindow]
        or      rax,rax
        jz      error_exit
        mov     qword [win],rax

        xor     edx,edx
        xchg    rsi,rax
        mov     rdi,qword [disp]
        call    [XSelectInput]

        mov     rsi,qword [win]
        mov     rdi,qword [disp]
        call    [XMapRaised]
        or      rax,rax
        jz      error_exit

event_loop:
        lea     rsi,[event]
        mov     rdi,qword [disp]
        call    [XNextEvent]
        jmp     event_loop

error_exit:

        mov     edi,1
        mov     eax,sys_exit
        syscall

segment readable writeable
disp            dq ?
win             dq ?

event           rb $C0
align 8
virtual
        XMapRaised              dq ?
        XCreateSimpleWindow     dq ?
        XNextEvent              dq ?
        XSelectInput            dq ?
        XOpenDisplay            dq ?
end virtual    


Last edited by ProMiNick on 22 Jun 2022, 09:49; edited 2 times in total
Post 21 Jun 2022, 21:50
View user's profile Send private message Send e-mail Reply with quote
FlierMate1



Joined: 31 May 2022
Posts: 118
FlierMate1 22 Jun 2022, 08:02
Hi, great discovery!

I purposely install Debian 11 on VirtualBox to see how it works (because it shows nothing in WSL). I paste your code as gui.asm, compile as gui, and extract escherknot.xbm and place the two files in the same folder.
The following screenshots are the result. Although I get an empty window, it is still exciting to see your fruitful discovery. Have I done anything wrong to the files?
EDIT: Looks like the last modified source won't show bitmap.


Description: Empty window, but nice try
Filesize: 9.53 KB
Viewed: 2124 Time(s)

gui.png


Description: Error messages
Filesize: 95.63 KB
Viewed: 2124 Time(s)

cmdgui.png


Post 22 Jun 2022, 08:02
View user's profile Send private message Reply with quote
FlierMate1



Joined: 31 May 2022
Posts: 118
FlierMate1 23 Jun 2022, 08:59
Next, display "Hello, world" in the window. Laughing

To draw 8-bit characters in a given drawable, use XDrawString.
Code:
XDrawString(Display *display, Drawable d, GC gc, int x, int y, char *string, int length);    

https://www.x.org/releases/X11R7.7/doc/libX11/libX11/libX11.html#XDrawString
(Xlib - C Language X Interface)

The only issue is guesswork, what is that hex value in Symbol table:
Code:
SYMBOL_TABLE:
        dd 0,0,0,0,0,0
        dd StrTabEntry(str@XMapRaised),$12,0,0,$B9,0
        dd StrTabEntry(str@XCreateSimpleWindow),$12,0,0,$158,0
        dd StrTabEntry(str@XNextEvent),$12,0,0,$AB,0
        dd StrTabEntry(str@XSelectInput),$12,0,0,$FB,0
        dd StrTabEntry(str@XOpenDisplay),$12,0,0,$1062,0    


E.g. 0xB9, 0x158, 0xAB, 0xFB, 0x1062. Finding out for str@XDrawString
Post 23 Jun 2022, 08:59
View user's profile Send private message Reply with quote
ProMiNick



Joined: 24 Mar 2012
Posts: 691
Location: Russian Federation, Sochi
ProMiNick 23 Jun 2022, 10:01
Mysteric hex value is size of symbol. for R_X86_64_JUMP_SLOT size of symbol is no matter.
Code:
dd StrTabEntry(str@XDrawString),$12,0,0,0,0    
that should work (we could determine app as gentleman if it define this values but they are useless, linker make app to be gentleman)
It can be seen that XMapWindow in example at start of topic replaced with XMapRaised in example of minimal GUI that have different size than $B9 - and all OK.
Post 23 Jun 2022, 10:01
View user's profile Send private message Send e-mail Reply with quote
FlierMate1



Joined: 31 May 2022
Posts: 118
FlierMate1 23 Jun 2022, 13:23
Thanks, it works, but I am having last issue with Bad Font in XCreateGC.

Do you think the below is correct?

Code:
;typedef struct {
;4     int function;                 /* logical operation */
;8     unsigned long plane_mask;     /* plane mask */
;8     unsigned long foreground;     /* foreground pixel */
;8     unsigned long background;     /* background pixel */
;4     int line_width;               /* line width (in pixels) */
;4     int line_style;               /* LineSolid, LineOnOffDash, LineDoubleDash */
;4     int cap_style;                /* CapNotLast, CapButt, CapRound, CapProjecting */
;4     int join_style;               /* JoinMiter, JoinRound, JoinBevel */
;4     int fill_style;               /* FillSolid, FillTiled, FillStippled FillOpaqueStippled*/
;4     int fill_rule;                /* EvenOddRule, WindingRule */
;4     int arc_mode;                 /* ArcChord, ArcPieSlice */
;8     Pixmap tile;                  /* tile pixmap for tiling operations */
;8     Pixmap stipple;               /* stipple 1 plane pixmap for stippling */
;4     int ts_x_origin;              /* offset for tile or stipple operations */
;4     int ts_y_origin
;8     Font font;                    /* default text font for text operations */
;4     int subwindow_mode;           /* ClipByChildren, IncludeInferiors */
;1     Bool graphics_exposures;      /* boolean, should exposures be generated */
;4     int clip_x_origin;            /* origin for clipping */
;4     int clip_y_origin;
;8     Pixmap clip_mask;             /* bitmap clipping; other calls for rects */
;4     int dash_offset;              /* patterned/dashed line information */
;1     char dashes;
;} XGCValues;       
    


The size of XGCValues is defined as??
Code:
segment readable writeable

values          rb 114    ;rq 17  
    

(but I changed it to "rb 114" after calculating it)

Also, I don't know how the original author calculated this:
Code:
gcval.foreground        = 4+8   ;$10
gcval.background        = 4+8+8 ;$18
gcval.font              = 10*8  
    


The $10 and $18 are original values. I think it is the offset to XGCValues, isn't it?

Almost reach the "Hello World" simple window. Mad
Post 23 Jun 2022, 13:23
View user's profile Send private message Reply with quote
ProMiNick



Joined: 24 Mar 2012
Posts: 691
Location: Russian Federation, Sochi
ProMiNick 23 Jun 2022, 13:42
Where I get?
from here fasm_amd64_linux64_p000.tar.gz from Topic "Linux 64 FASM coding"
[EDIT]stupid content of post removed.
XGCValues size approved by test.
Code:
00000000 XGCValues       struc ; (sizeof=0x80, align=0x8, copyof_4)
00000000 function        dd ?
00000004                 db ? ; undefined
00000005                 db ? ; undefined
00000006                 db ? ; undefined
00000007                 db ? ; undefined
00000008 plane_mask      dq ?
00000010 foreground      dq ?
00000018 background      dq ?
00000020 line_width      dd ?
00000024 line_style      dd ?
00000028 cap_style       dd ?
0000002C join_style      dd ?
00000030 fill_style      dd ?
00000034 fill_rule       dd ?
00000038 arc_mode        dd ?
0000003C                 db ? ; undefined
0000003D                 db ? ; undefined
0000003E                 db ? ; undefined
0000003F                 db ? ; undefined
00000040 tile            dq ?
00000048 stipple         dq ?
00000050 ts_x_origin     dd ?
00000054 ts_y_origin     dd ?
00000058 font            dq ?
00000060 subwindow_mode  dd ?
00000064 graphics_exposures dd ?
00000068 clip_x_origin   dd ?
0000006C clip_y_origin   dd ?
00000070 clip_mask       dq ?
00000078 dash_offset     dd ?
0000007C dashes          db ?
0000007D                 db ? ; undefined
0000007E                 db ? ; undefined
0000007F                 db ? ; undefined
00000080 XGCValues       ends    


Last edited by ProMiNick on 23 Jun 2022, 14:32; edited 1 time in total
Post 23 Jun 2022, 13:42
View user's profile Send private message Send e-mail Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 18948
Location: In your JS exploiting you and your system
revolution 23 Jun 2022, 14:19
By default C will align the structure members. So those undefined db's are the alignment.
Code:
;typedef struct {
;4     int function;                 /* logical operation */
;4    alignment for the next member because it is a qword
;8     unsigned long plane_mask;     /* plane mask */
...    
Post 23 Jun 2022, 14:19
View user's profile Send private message Visit poster's website Reply with quote
FlierMate1



Joined: 31 May 2022
Posts: 118
FlierMate1 23 Jun 2022, 14:41
Thanks to the alignment, @ProMiNick and @revolution. Now my Font offset in XGCValues is finally error-free.

I have done the code, no error, (font_id is correct, XCreateGC does not complain anything), but it is still an empty window.

I paste it here so that someone can help to rectify the bug, faster to achieve result.

Thanks!

Code:
format ELF64 executable at $400000

SYMBOL_TABLE_ENTRY64.size = $18
RELOC_TABLE_ENTRY64.size = $18
StrTabEntry equ -STRING_TABLE+
R_X86_64_JUMP_SLOT = 7


DT_NULL         = 0
DT_NEEDED       = 1
DT_HASH         = 4
DT_STRTAB       = 5
DT_SYMTAB       = 6
DT_RELA         = 7
DT_RELASZ       = 8
DT_RELENT       = 9
DT_STRSZ        = 10
DT_SYMENT       = 11

xdisp.default_screen    = $E0
xdisp.screens           = $E8
scr.white_pixel         = $58
scr.black_pixel         = $60
scr.root                = $10
win_width       =       200
win_height      =       150
gcval.foreground        = 8+8   ;$10
gcval.background        = 8+8+8 ;$18
gcval.font              = 11*8

sys_exit                = $3C

GCBackground = 8
GCForeground = 4
GCFont       = 16384
msg.x        = 40
msg.y        = 40

segment interpreter readable
        db '/lib64/ld-linux-x86-64.so.2',0

segment dynamic readable
DYNAMIC_TABLE:
        dq DT_NEEDED,StrTabEntry(str@libX11.so.6)
        dq DT_STRTAB,STRING_TABLE
        dq DT_SYMTAB,SYMBOL_TABLE
        dq DT_RELA,RELOC_TABLE
        dq DT_RELASZ,relasz
        dq DT_RELENT,RELOC_TABLE_ENTRY64.size
        dq DT_STRSZ,strsz
        dq DT_SYMENT,SYMBOL_TABLE_ENTRY64.size
        dq DT_NULL,0

SYMBOL_TABLE:
        dd 0,0,0,0,0,0
        dd StrTabEntry(str@XMapRaised),$12,0,0,0,0
        dd StrTabEntry(str@XCreateSimpleWindow),$12,0,0,0,0
        dd StrTabEntry(str@XNextEvent),$12,0,0,0,0
        dd StrTabEntry(str@XSelectInput),$12,0,0,0,0
        dd StrTabEntry(str@XOpenDisplay),$12,0,0,0,0
        dd StrTabEntry(str@XCreateGC),$12,0,0,0,0
        dd StrTabEntry(str@XDrawString),$12,0,0,0,0
        dd StrTabEntry(str@XSync),$12,0,0,0,0
        dd StrTabEntry(str@XLoadFont),$12,0,0,0,0
        dd StrTabEntry(str@XBlackPixel),$12,0,0,0,0
        dd StrTabEntry(str@XWhitePixel),$12,0,0,0,0 

STRING_TABLE:                   db 0
str@libX11.so.6                 db 'libX11.so.6',0
str@XMapRaised                  db 'XMapRaised',0
str@XCreateSimpleWindow         db 'XCreateSimpleWindow',0
str@XNextEvent                  db 'XNextEvent',0
str@XSelectInput                db 'XSelectInput',0
str@XOpenDisplay                db 'XOpenDisplay',0
str@XCreateGC                   db 'XCreateGC',0
str@XDrawString                 db 'XDrawString',0
str@XSync                       db 'XSync',0
str@XLoadFont                   db 'XLoadFont',0
str@XBlackPixel                 db 'XBlackPixel',0
str@XWhitePixel                 db 'XWhitePixel',0
strsz = $-STRING_TABLE

align $8

RELOC_TABLE:
        dq XMapRaised,          R_X86_64_JUMP_SLOT+ 1 shl 32, 0
        dq XCreateSimpleWindow, R_X86_64_JUMP_SLOT+ 2 shl 32, 0
        dq XNextEvent,          R_X86_64_JUMP_SLOT+ 3 shl 32, 0
        dq XSelectInput,        R_X86_64_JUMP_SLOT+ 4 shl 32, 0
        dq XOpenDisplay,        R_X86_64_JUMP_SLOT+ 5 shl 32, 0
        dq XCreateGC,           R_X86_64_JUMP_SLOT+ 6 shl 32, 0
        dq XDrawString,         R_X86_64_JUMP_SLOT+ 7 shl 32, 0
        dq XSync,               R_X86_64_JUMP_SLOT+ 8 shl 32, 0
        dq XLoadFont,           R_X86_64_JUMP_SLOT+ 9 shl 32, 0
        dq XBlackPixel,         R_X86_64_JUMP_SLOT+ 10 shl 32, 0
        dq XWhitePixel,         R_X86_64_JUMP_SLOT+ 11 shl 32, 0
        relasz = $-RELOC_TABLE

segment readable writeable executable

entry $
        xor     edi,edi
        call    [XOpenDisplay]
        or      rax,rax
        jz      error_exit
        mov     qword [disp],rax
        mov     rsi,qword [rax + xdisp.screens]
        mov     qword [screen],rsi
        xchg    rdi,rax
        mov     eax,dword [rdi + xdisp.default_screen]  ; XDisplay.default_screen
        shl     eax,3
        add     rax,qword [rdi + xdisp.screens]
        push    qword [rax + scr.white_pixel]
        push    qword [rax + scr.black_pixel]
        push    4
        mov     r9d,win_height
        mov     r8d,win_width
        xor     ecx,ecx
        xor     edx,edx
        mov     rsi,qword [rax + scr.root]
        call    [XCreateSimpleWindow]
        or      rax,rax
        jz      error_exit
        mov     qword [win],rax

        xor     edx,edx
        xchg    rsi,rax
        mov     rdi,qword [disp]
        call    [XSelectInput]

        mov     rsi,qword [win]
        mov     rdi,qword [disp]
        call    [XMapRaised]
        or      rax,rax
        jz      error_exit    
        
        ;Font XLoadFont(Display *display, char *name);
        lea     rsi, [font_name]
        mov     rdi, qword [disp]
        call    [XLoadFont] 
        mov     qword [font_id], rax
        or      rax,rax
        jz      error_exit
      
        mov     rsi,qword [screen]
        lea     rcx, [values]
        mov     r8, qword [font_id]
        mov     r9, qword [rsi + scr.black_pixel]
        ;mov     r10,qword [rsi + scr.white_pixel]
        mov     qword [rcx+gcval.font], r8         ; font_id
        mov     qword [rcx+gcval.foreground], r9  
        ;mov    qword [rcx+gcval.background], r10       
        mov     rdx,GCFont or GCForeground         ; valuemask
        mov     rsi,qword [win]                    ;drawable
        mov     rdi,qword [disp]
        call    [XCreateGC]        
        mov     qword [our_gc],rax 
        or      rax,rax
        jz      error_exit
       
        ;XDrawString(Display *display, Drawable d, GC gc, int x, int y, char *string, int length);

        mov     qword [rsp+8*0], len
        lea     r9, [msg]
        mov     r8, msg.y        
        mov     rcx, msg.x
        mov     rdx, qword [our_gc]
        mov     rsi,qword [win]  ;drawable
        mov     rdi,qword [disp]
        call    [XDrawString] 
        cmp     rax, 7          ;BadFont
        jz      error_exit   
        cmp     rax, 9          ;BadDrawable
        jz      error_exit   
        cmp     rax, 13         ;BadGC
        jz      error_exit                

event_loop:
        lea     rsi,[event]
        mov     rdi,qword [disp]
        call    [XNextEvent]
        jmp     event_loop

;        mov     rsi,qword [our_gc]
;        mov     rdi,qword [disp]
;        call    [XFreeGC]

;        mov     rdi,qword [disp]
;        call    [XCloseDisplay]

error_exit:
        mov     edi,1
        mov     eax,sys_exit
        syscall

segment readable writeable
disp            dq ?
win             dq ?
our_gc          dq ?,?
screen          dq ?
values          rb 128   ;rq 17
msg             db "Hello World!",0
len             = $ - msg
font_name       db "fixed",0    ;"*helvetica-bold-r-normal--18*",0
font_id         dq ?

event           rb $C0
align 8
virtual
        XMapRaised              dq ?
        XCreateSimpleWindow     dq ?
        XNextEvent              dq ?
        XSelectInput            dq ?
        XOpenDisplay            dq ?
        XCreateGC               dq ?
        XDrawString             dq ?
        XSync                   dq ?
        XLoadFont               dq ?
        XBlackPixel             dq ?
        XWhitePixel             dq ?
end virtual    


;typedef struct {
;4     int function;                 /* logical operation */
;4
;8     unsigned long plane_mask;     /* plane mask */
;8     unsigned long foreground;     /* foreground pixel */
;8     unsigned long background;     /* background pixel */
;4     int line_width;               /* line width (in pixels) */
;4     int line_style;               /* LineSolid, LineOnOffDash, LineDoubleDash */
;4     int cap_style;                /* CapNotLast, CapButt, CapRound, CapProjecting */
;4     int join_style;               /* JoinMiter, JoinRound, JoinBevel */
;4     int fill_style;               /* FillSolid, FillTiled, FillStippled FillOpaqueStippled*/
;4     int fill_rule;                /* EvenOddRule, WindingRule */
;4     int arc_mode;                 /* ArcChord, ArcPieSlice */
;4
;8     Pixmap tile;                  /* tile pixmap for tiling operations */
;8     Pixmap stipple;               /* stipple 1 plane pixmap for stippling */
;4     int ts_x_origin;              /* offset for tile or stipple operations */
;4     int ts_y_origin
;8     Font font;                    /* default text font for text operations */
;4     int subwindow_mode;           /* ClipByChildren, IncludeInferiors */
;1     Bool graphics_exposures;      /* boolean, should exposures be generated */
;4     int clip_x_origin;            /* origin for clipping */
;4     int clip_y_origin;
;8     Pixmap clip_mask;             /* bitmap clipping; other calls for rects */
;4     int dash_offset;              /* patterned/dashed line information */
;1     char dashes;
;} XGCValues;
    
Post 23 Jun 2022, 14:41
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 18948
Location: In your JS exploiting you and your system
revolution 23 Jun 2022, 14:49
You need alignment after graphics_exposures for the next dword.
Code:
;1     Bool graphics_exposures;      /* boolean, should exposures be generated */
;3 align
;4     int clip_x_origin;            /* origin for clipping */
...    
Post 23 Jun 2022, 14:49
View user's profile Send private message Visit poster's website Reply with quote
FlierMate1



Joined: 31 May 2022
Posts: 118
FlierMate1 23 Jun 2022, 14:55
revolution wrote:
You need alignment after graphics_exposures for the next dword.
Code:
;1     Bool graphics_exposures;      /* boolean, should exposures be generated */
;3 align
;4     int clip_x_origin;            /* origin for clipping */
...    


Yes, you're right. But it doesn't affect the code, because I reference "font" before "graphics_exposures":
Code:
...
;4     int ts_x_origin;              /* offset for tile or stipple operations */
;4     int ts_y_origin
;8     Font font;                    /* default text font for text operations */
...
    


And somemore, "values" is already defined as 128:
Code:
values          rb 128   ;rq 17
    


...and...
Code:
        lea     rcx, [values]
    


However, I am not very sure how to assign the 7th parameter:
Code:
        mov     qword [rsp+8*0], len
        lea     r9, [msg]
    


Is the above correct? (for "len")
Post 23 Jun 2022, 14:55
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 18948
Location: In your JS exploiting you and your system
revolution 23 Jun 2022, 14:57
You are only initialising two members of the entire structure. Are you sure leaving all the other members at zero is expected to work?
Post 23 Jun 2022, 14:57
View user's profile Send private message Visit poster's website Reply with quote
FlierMate1



Joined: 31 May 2022
Posts: 118
FlierMate1 23 Jun 2022, 15:01
revolution wrote:
You are only initialising two members of the entire structure. Are you sure leaving all the other members at zero is expected to work?


From the C example code online, I think it is correct.

Because I did this:
Code:
        mov     qword [rcx+gcval.font], r8         ; font_id
        mov     qword [rcx+gcval.foreground], r9  
        ;mov    qword [rcx+gcval.background], r10       
        mov     rdx,GCFont or GCForeground         ; valuemask
    


From: https://www.x.org/releases/X11R7.7/doc/libX11/libX11/libX11.html#Manipulating_Graphics_ContextState
Quote:
To set an attribute of a GC, set the appropriate member of the XGCValues structure and OR in the corresponding value bitmask in your subsequent calls to XCreateGC.
Post 23 Jun 2022, 15:01
View user's profile Send private message Reply with quote
FlierMate1



Joined: 31 May 2022
Posts: 118
FlierMate1 23 Jun 2022, 15:49
Or the following, simpler, also just an empty window:

Code:
        ;Font XLoadFont(Display *display, char *name);
        lea     rsi, [font_name]
        mov     rdi, qword [disp]
        call    [XLoadFont] 
        mov     qword [font_id], rax
        or      rax,rax
        jz      error_exit
        
        ;GC XDefaultGC(Display *display, int screen_number);
        xor     rsi, rsi
        mov     rdi, qword [disp]
        call    [XDefaultGC]
        mov     qword [our_gc], rax        
        
        ;XSetFont(Display *display, GC gc, Font font);
        mov     rdx, qword [font_id]
        mov     rsi, qword [our_gc]
        mov     rdi, qword [disp]
        call    [XSetFont]           
    


(The code above is placed before XDrawString)
Post 23 Jun 2022, 15:49
View user's profile Send private message Reply with quote
FlierMate1



Joined: 31 May 2022
Posts: 118
FlierMate1 23 Jun 2022, 17:08
ProMiNick wrote:
pretendent to be minimal linux64 GUI executable file - 972 bytes


You win, mine is 1023 bytes, but code is shorter, I think.

Code:
format ELF64 executable 3

SYMBOL_TABLE_ENTRY64.size = $18
RELOC_TABLE_ENTRY64.size = $18
StrTabEntry equ -STRING_TABLE+
R_X86_64_JUMP_SLOT = 7

DT_NULL         = 0
DT_NEEDED       = 1
DT_HASH         = 4
DT_STRTAB       = 5
DT_SYMTAB       = 6
DT_RELA         = 7
DT_RELASZ       = 8
DT_RELENT       = 9
DT_STRSZ        = 10
DT_SYMENT       = 11

win_width       = 256
win_height      = 256

segment interpreter readable
        db '/lib64/ld-linux-x86-64.so.2',0

segment dynamic readable
DYNAMIC_TABLE:
        dq DT_NEEDED,StrTabEntry(str@libX11.so.6)
        dq DT_STRTAB,STRING_TABLE
        dq DT_SYMTAB,SYMBOL_TABLE
        dq DT_RELA,RELOC_TABLE
        dq DT_RELASZ,relasz
        dq DT_RELENT,RELOC_TABLE_ENTRY64.size
        dq DT_STRSZ,strsz
        dq DT_SYMENT,SYMBOL_TABLE_ENTRY64.size
        dq DT_NULL,0

SYMBOL_TABLE:
        dd 0,0,0,0,0,0
        dd StrTabEntry(str@XMapRaised),$12,0,0,0,0
        dd StrTabEntry(str@XCreateSimpleWindow),$12,0,0,0,0
        dd StrTabEntry(str@XNextEvent),$12,0,0,0,0
        dd StrTabEntry(str@XSelectInput),$12,0,0,0,0
        dd StrTabEntry(str@XOpenDisplay),$12,0,0,0,0
        dd StrTabEntry(str@XDefaultRootWindow),$12,0,0,0,0

STRING_TABLE:                   db 0
str@libX11.so.6                 db 'libX11.so.6',0
str@XMapRaised                  db 'XMapRaised',0
str@XCreateSimpleWindow         db 'XCreateSimpleWindow',0
str@XNextEvent                  db 'XNextEvent',0
str@XSelectInput                db 'XSelectInput',0
str@XOpenDisplay                db 'XOpenDisplay',0
str@XDefaultRootWindow          db 'XDefaultRootWindow',0
strsz = $-STRING_TABLE

align $8

RELOC_TABLE:
        dq XMapRaised,          R_X86_64_JUMP_SLOT+ 1 shl 32, 0
        dq XCreateSimpleWindow, R_X86_64_JUMP_SLOT+ 2 shl 32, 0
        dq XNextEvent,          R_X86_64_JUMP_SLOT+ 3 shl 32, 0
        dq XSelectInput,        R_X86_64_JUMP_SLOT+ 4 shl 32, 0
        dq XOpenDisplay,        R_X86_64_JUMP_SLOT+ 5 shl 32, 0
        dq XDefaultRootWindow,  R_X86_64_JUMP_SLOT+ 6 shl 32, 0
        relasz = $-RELOC_TABLE

segment readable writeable executable

entry $
        ;Display *XOpenDisplay(char *display_name);
        xor     edi,edi
        call    [XOpenDisplay]
        mov     qword [disp],rax
        
        ;Window XDefaultRootWindow(Display *display);
        mov     rdi, qword [disp]
        call    [XDefaultRootWindow]
        mov     qword [root], rax
        
        ;Window XCreateSimpleWindow(Display *display, Window parent, intx, y, unsignedintwidth, height, unsignedint border_width, unsignedlong border, unsignedlong background);
        
        push    0xFFFFFF
        push    0
        push    0
        mov     r9d, win_height
        mov     r8d, win_width
        xor     ecx, ecx
        xor     edx, edx
        mov     rsi, qword [root]
        mov     rdi, qword [disp]
        call    [XCreateSimpleWindow]
        mov     qword [win],rax
        
        ;XMapRaised(Display *display, Window w);
        mov     rsi,qword [win]
        mov     rdi,qword [disp]
        call    [XMapRaised]
        
        ;XSelectInput(Display *display, Window w, long event_mask);
        xor     edx,edx
        mov     rsi, qword [win]
        mov     rdi,qword [disp]
        call    [XSelectInput] 
        
event_loop:
        ;XNextEvent(Display *display, XEvent *event_return);
        lea     rsi,[event]
        mov     rdi,qword [disp]
        call    [XNextEvent]        
        jmp     event_loop

segment readable writeable
disp            dq ?
root            dq ?
win             dq ?
;gc             dq ?
event           rb 32

align 8
virtual
        XMapRaised              dq ?
        XCreateSimpleWindow     dq ?
        XNextEvent              dq ?
        XSelectInput            dq ?
        XOpenDisplay            dq ?
        XDefaultRootWindow      dq ?
end virtual    

    
Post 23 Jun 2022, 17:08
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 18948
Location: In your JS exploiting you and your system
revolution 23 Jun 2022, 20:03
FlierMate1 wrote:
However, I am not very sure how to assign the 7th parameter:
Code:
        mov     qword [rsp+8*0], len
        lea     r9, [msg]
    


Is the above correct? (for "len")
It will work. When you have all-integer parameters then the seventh and higher are placed on the stack in reverse order.

But it would be more normal to use push len (and later pop rcx, or add rsp, 8) to avoid overwriting a return address. For your case in the entry routine you overwrite the argc value, but since you don't use it then it doesn't matter.
Post 23 Jun 2022, 20:03
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2, 3  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.