shellcode - What Does Assembly Instruction Shift Do? -


i came across pretty interesting article demonstrated how remove nullbyte characters shellcode. among techniques used, assembly instructions shl , shr seemed occupy rather important role in code.

i realize assembly instructions mov $0x3b, %rax , mov $59, %rax each generate machine code instructions 48 c7 c0 3b 00 00 00. cope this, author instead uses mov $0x1111113b, %rax fill register system call number, generates instead machine code 48 c7 c0 3b 11 11 11, removes nullbytes.

unfortunately, code still doesn't execute because syscall treats 3b 11 11 11 illegal instruction, or causes code seg fault. author did shift %rax , forth 56 bytes commands 

shl $0x38, %rax  shr $0x38, %rax

after shift, code executes perfectly. want know how shift instructions fixes 48 c7 c0 3b 11 11 11 issue, , somehow makes %rax proper , syscall'able. know shl/shr shifts bits left , right, meaning shifting left moves bits higher bits, , shifting right makes them lower again, because binary read right left. how @ change code , make executable? doesn't shifting , forth change nothing, putting shifted bits in beginning?

my theory shifting bits away leaves behind zeros. still don't see how shifting %rax forward , fixes solution, because wouldn't bring 11 11 11 section anyway?

anyways, thought interesting had never seen shift operands before today. in advance.

shifting lossy operation - if bits shifted outside of register, disappear. (sometimes 1 of them stored in carry flag, that's not important here.) see http://en.wikibooks.org/wiki/x86_assembly/shift_and_rotate#logical_shift_instructions .

the shift left (shl) operation this:

0x000000001111113b << 0x38 = 0x3b00000000000000

the 0x111111 part have occupied bit 64, 65, 66 etc., %rax 64-bit register, bits vanish. then, logical shift right (shr) operation this:

0x3b00000000000000 >> 0x38 = 0x000000000000003b

giving number want. , that's there it.


-

Popular posts from this blog

c# - ODP.NET Oracle.ManagedDataAccess causes ORA-12537 network session end of file -

overview i want replace oracle.dataaccess orcale. managed dataaccess, opening connection latter throws ora-12537 network session end of file exception. exception message / stack trace {oracleinternal.network.networkexception (0x000030f9): ora-12537 : netzwerksession: dateiende @ oracleinternal.network.readerstream.read(orabuf ob) @ oracleinternal.ttc.orabufreader.getdatafromnetwork() @ oracleinternal.ttc.orabufreader.read(boolean bignoredata) @ oracleinternal.ttc.marshallingengine.unmarshalub1(boolean bignoredata) @ oracleinternal.ttc.ttcprotocolnegotiation.readresponse()} i trying connect oracle 11g database , not have client installed on local machine. working test application (unmanaged) using oracle.dataaccess works fine . using system; using oracle.dataaccess.client; namespace app.odp.unmanaged { internal class program { private static void main(string[] args) { //dummy connection string
Read more

matlab - Compression and Decompression of ECG Signal using HUFFMAN ALGORITHM -

i want compress , decompress ecg signal stored text message text file , find out file size, cr,prd ratio,and qs. here code compression , decompression of ecg signal using huffman algorithm. i'm trying find out file size, compression ratio,prd ratio,qs. but error i'm getting the ecg file in text format. %clearing variables , screen enter code here clear all; close all; clc; [file1]=uigetfile('*.txt'); %fprintf('enter ecg file name :%s',file1); p=file1; t=sprintf('%s',p); b1=dlmread([file1]); len=length(b1); lead=input('enter lead number :'); %lead=str2double(lead); col2=b1(1:end,lead); e=fix(sqrt(len)); m=1; i=1:e j=1:e g2(i,j)=fix(col2(m)*1000); %amplifying 1000 m=m+1; end end g3=g2; i=1:e j=1:e
Read more

utf 8 - split utf-8 string into bytes in python -

i trying split utf-8 string bytes in python 3. problem is, when use bytearray, byte, encode etc functions array size of element 14 bytes, not 1 byte expected. need split text file sequence of bytes , send them byte after byte using sockets. tried this: infile = open (file, "r") str = infile.read() byte_str = bytes(str, 'utf-8') print("size of byte_str",sys.getsizeof(byte_str[0])) print gives me 14, need 1... suggestion? quoting official documentation : sys.getsizeof(object[, default]) return size of object in bytes. object can type of object. built-in objects return correct results, not have hold true third-party extensions implementation specific. only memory consumption directly attributed object accounted for, not memory consumption of objects refers to. if given, default returned if object not provide means retrieve size. otherwise typeerror raised. getsizeof() calls object’s __sizeof__ method , adds
Read more