flat assembler
Message board for the users of flat assembler.
![]() |
Author |
|
moveax41h 27 Jul 2018, 00:37
This page discusses a specific software exploit. 99% of the page is not relevant, so I'll include the relevant part:
Quote:
Trying to understand this conceptually, I wrote a fasm program: Code: format ELF64 executable entry main segment readable executable include 'io.inc' include 'unistd64.inc' main: mov eax, 0xFFFFFFFF add rax, 1 mov rax, 0xFFFFFFFF add eax, 1 xor eax, eax sub ax, 1 mov eax, 0xFFFFFFFF add ax, 1 call done This program doesn't do anything really but it was intended for me to run it through gdb to view the register states. If I add 1 to ax when eax when eax is full with 0xFFFFFFFF, it just wraps back to 0 again on the low word and remains 0xFFFF on the high word of eax. Similarly, if I load 0x00000000 into eax and then I sub ax, 1, it sets ax to 0xFFFF but again, I don't see how updating specifically the LO WORD of a DWORD could cause an abnormally large number that would not be caused by doing the same operation on the full DWORD. Can someone with a bit more experience explain shed some light? Thank you. _________________ -moveax41h |
|||
![]() |
|
moveax41h 27 Jul 2018, 18:50
Ok so basically writing only the lower two bytes causes an improper carry into the 0x10000s place because the rewriting of the lower two bytes causes a carry which ends up there?
|
|||
![]() |
|
Furs 27 Jul 2018, 19:11
moveax41h wrote: Ok so basically writing only the lower two bytes causes an improper carry into the 0x10000s place because the rewriting of the lower two bytes causes a carry which ends up there? 1) you have a number larger than 65536, e.g. 0x10001 2) since it doesn't fit in 16-bits, you saturate it to 65535 (0xFFFF) which is the max 3) but you only write back the lower 16-bits, which are now 0xFFFF. Recall that the number was 0x10001. If you replace the lower 16-bits, you end up with 0x1FFFF, which is obviously larger than 0x10001. You could say it's the absence of a borrow from the upper 16 bits. ![]() |
|||
![]() |
|
moveax41h 27 Jul 2018, 19:16
Aha, thanks Furs... That was a tricky one to understand but that makes a lot of sense. So it's more a problem of not clearing the bits above bit 16 than it is the contents of the low word.
|
|||
![]() |
|
< Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.