
Questions tagged [assembly]

Assembly language is a low-level programming language whose instructions map almost 1-to-1 to a computer's machine code.

1 vote
0 answers
37 views

How can I jump to an address after executing a donut shellcode?

I'm looking to execute a shellcode by packaging it inside an executable. I generate an executable (it opens the calculator) and output a shellcode from the executable with donut:
    donut.exe -i opencalc.exe ...
asked by mashal lah
0 votes
0 answers
99 views

How do I prevent the random alignment of the instructions during debugging using gdb? I even tried turning off optimization with -O0 in gcc

I have started with the book 'Hacking: The art of exploitation!'. I know some of you might suggest that it's pretty old... But I think great buildings withstand due to their strong foundational base. ...
asked by Aniket D.
0 votes
1 answer
117 views

What is stack segment manipulation?

I was trying to research anti-debugging techniques here, but I failed to make sense of what stack segment manipulation is. Does anyone have a good explanation of what it means, or nice resources ...
asked by winterr_dog
1 vote
2 answers
619 views

Linux x86_64 Assembly works standalone, but segfaults when run as shellcode in C

I wrote a NASM program that uses the execve system call to run wget inside a newly spawned shell and execute the retrieved page:
    [bits 64]
    global _start
    section .text
    _start:
        xor rcx, rcx
        ...
asked by Vilius Povilaika
0 votes
1 answer
445 views

ROP - ret VS ret 0

I'm doing a binary challenge from pwnable.kr and I'm examining some ROP gadgets. Until now I've always used gadgets ending with ret or syscall/int 0x80, but now ROPgadget gave me a gadget ending with ...
asked by Marco Balo
4 votes
1 answer
701 views

Why does my RIP value change after overwriting via an overflow?

I've been working on a buffer overflow on a 64 bit Linux machine for the past few days. The code I'm attacking takes in a file. This original homework ran on a 32-bit system, so a lot is different. I ...
asked by sneakyfishies
17 votes
2 answers
3k views

How are code-branch side channel attacks mitigated on Java?

When you are working with secret keys, if your code branches unequally it could reveal bits of the secret keys via side channels. So for some algorithms it should branch uniformly independently of the ...
asked by Guerlando OCs
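The leak the question describes, shown as an added example in C rather than Java (this is not code from the question). `leaky_compare` is the early-exit loop a naive equality check compiles to: the number of iterations, reported through `steps`, depends on how many leading bytes of the guess are correct, which is exactly what a timing side channel measures. `ct_compare` visits every byte and collapses the result with arithmetic, and `ct_select` replaces a secret-dependent `cond ? a : b` with a mask. The inputs are constructed for the demo.

```c
// Added example: early-exit comparison (leaky) versus constant-time comparison.
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed inputs: a 4-byte "secret" and three guesses that match fully,
 * fail on the first byte, and fail only on the last byte. */
const uint8_t demo_secret[4]      = { 0x01, 0x02, 0x03, 0x04 };
const uint8_t demo_guess_equal[4] = { 0x01, 0x02, 0x03, 0x04 };
const uint8_t demo_guess_first[4] = { 0x09, 0x02, 0x03, 0x04 };
const uint8_t demo_guess_last[4]  = { 0x01, 0x02, 0x03, 0x09 };

/* Early-exit comparison (what a naive memcmp-style loop does).  The number of
 * iterations, reported through *steps, depends on how many leading bytes the
 * attacker got right: that is the side channel. */
int leaky_compare(const uint8_t *secret, const uint8_t *guess, size_t n, size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        if (secret[i] != guess[i]) {
            *steps = i + 1;
            return 0;
        }
    }
    *steps = n;
    return 1;
}

/* Constant-time comparison: every byte is visited, the accumulator is
 * collapsed to 0/1 with arithmetic, and no branch depends on the data. */
int ct_compare(const uint8_t *secret, const uint8_t *guess, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (uint8_t)(secret[i] ^ guess[i]);
    /* (acc | -acc) has bit 7 set iff acc != 0; shift it down to get 0 or 1 */
    uint8_t nonzero = (uint8_t)((acc | (uint8_t)(0u - acc)) >> 7);
    return 1 - nonzero;
}

/* Branch-free select: returns a if cond == 1, b if cond == 0.  Used to
 * replace `cond ? a : b` when cond is derived from secret data. */
uint32_t ct_select(uint32_t cond, uint32_t a, uint32_t b)
{
    uint32_t mask = 0u - cond;           /* 0xFFFFFFFF when cond == 1, 0 when 0 */
    return (a & mask) | (b & ~mask);
}

int main(void)
{
    size_t steps;
    leaky_compare(demo_secret, demo_guess_first, 4, &steps);
    printf("leaky: mismatch at byte 0 took %zu step(s)\n", steps);
    leaky_compare(demo_secret, demo_guess_last, 4, &steps);
    printf("leaky: mismatch at byte 3 took %zu step(s)\n", steps);
    printf("ct_compare(equal)=%d ct_compare(last)=%d\n",
           ct_compare(demo_secret, demo_guess_equal, 4),
           ct_compare(demo_secret, demo_guess_last, 4));
    return 0;
}
```

The source-level pattern is necessary but not sufficient: an optimizing compiler, and a JIT in the Java case, is free to turn the mask arithmetic back into a branch, which is why production C code adds barriers (`volatile` accesses or inline asm) and why on the JVM the usual advice is to lean on the library's own constant-time primitive, `MessageDigest.isEqual`, rather than hand-rolled loops.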
0 votes
1 answer
2k views

How to use pwntools to generate a relative jump?

I want to use pwntools to generate a relative jump 0x20 bytes forward. It isn't described in the documentation how to do that. What's the command for doing a JMP SHORT 0x20 in pwntools?
asked by user3207874
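Whatever front end produces the bytes, the encoding pwntools has to emit is fixed by the instruction set, and it is easy to get the displacement off by the instruction's own length. Added example, not from the question: an encoder for x86 relative jumps. Both the short form (`EB rel8`) and the near form (`E9 rel32`) measure the displacement from the end of the jump instruction, so "jump 0x20 bytes forward from the jmp" (`jmp short $+0x20` in NASM terms) is `EB 1E`, not `EB 20`. The encoder goes beyond the single case in the question by picking the short or near form automatically and refusing targets outside rel32 range; all addresses are constructed for the demo.

```c
// Added example: encode/decode x86 relative jumps (EB rel8 / E9 rel32).
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Encode `jmp dst` for an instruction that will sit at address `src`.
 * Picks EB rel8 when the displacement fits in a signed byte, else E9 rel32.
 * Returns the encoded length (2 or 5) or 0 if dst is out of rel32 range
 * (on x86-64 such a target needs an indirect jump through a register). */
size_t encode_jmp_rel(uint64_t src, uint64_t dst, uint8_t out[5])
{
    /* rel8 is measured from the end of the 2-byte instruction */
    int64_t disp8 = (int64_t)(dst - (src + 2));
    if (disp8 >= -128 && disp8 <= 127) {
        out[0] = 0xEB;
        out[1] = (uint8_t)disp8;
        return 2;
    }
    /* rel32 is measured from the end of the 5-byte instruction */
    int64_t disp32 = (int64_t)(dst - (src + 5));
    if (disp32 >= INT32_MIN && disp32 <= INT32_MAX) {
        out[0] = 0xE9;
        for (int i = 0; i < 4; i++)
            out[1 + i] = (uint8_t)((uint32_t)disp32 >> (8 * i));  /* little-endian imm32 */
        return 5;
    }
    return 0;
}

/* Decode the target of an EB/E9 jump located at `src`; 0 if not a jmp rel. */
uint64_t decode_jmp_target(uint64_t src, const uint8_t *ins)
{
    if (ins[0] == 0xEB)
        return src + 2 + (int64_t)(int8_t)ins[1];
    if (ins[0] == 0xE9) {
        uint32_t raw = 0;
        for (int i = 0; i < 4; i++)
            raw |= (uint32_t)ins[1 + i] << (8 * i);
        return src + 5 + (int64_t)(int32_t)raw;
    }
    return 0;
}

int main(void)
{
    uint8_t buf[5];
    /* "jmp short $+0x20": target is 0x20 bytes past the start of the jmp */
    size_t n = encode_jmp_rel(0x1000, 0x1020, buf);
    printf("len=%zu bytes:", n);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", buf[i]);
    printf("\n");
    return 0;
}
```

The same off-by-length rule applies to `call rel32` and every `jcc`, which is why a hand-patched jump that "lands two bytes early" is usually a displacement computed from the start of the instruction instead of its end.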
0 votes
1 answer
865 views

Some introductory reverse engineering help on finding a string

I understand the crackme I am researching is from 2007; however, this was the point in my life when I initially became interested in reverse engineering and I wish to complete it for nostalgia's sake. ...
asked by questioner
0 votes
1 answer
2k views

Instead of JMP ESP can we use its opcodes?

In a buffer overflow exploit, when we use a JMP ESP instruction to jump to the ESP, instead of using the address of the JMP ESP, can't we use its opcodes? I generated the opcodes of the JMP ESP ...
asked by Kavishka Gihan
0 votes
2 answers
473 views

Shellcode not executing despite EIP being overwritten properly

Here is my exploit:
    junk = b'A' * 1032
    eip = b"\xf5\x93\x4a\x00"  # some address where 'jmp esp' lives
    shellcode = b""
    shellcode += b"\x33\xc0"  # xor eax, ...
asked by Toma
1 vote
0 answers
1k views

msfvenom: how to output assembly of windows payload for inline assembly in C?

My goal is to obfuscate the assembly code of metasploit windows payloads (adding junk code to the payload itself), then add the obfuscated shellcode to inline assembly in C. The issue is there is no ...
asked by pokkery98
1 vote
2 answers
604 views

How do attackers determine ROP gadgets remotely?

Since gadgets change per system and architecture (do they?), how would an attacker be able to determine the offsets of various Return Oriented Programming gadgets? Would an attacker first need to ...
asked by asd40732
1 vote
1 answer
1k views

Understanding ret2libc return address location

I recently was studying x86 buffer overflows + ret2libc attacks from https://www.ret2rop.com/2018/08/return-to-libc.html and I noticed the order is as follows: bytes to fill buffer + address of system ...
asked by asd_665
0 votes
1 answer
3k views

What is the source of bad characters in buffer overflows?

I'm new to exploit development and while watching a tutorial I came across the topic of "Bad character identification". I'm referring to the process of sending all possible characters to the ...
asked by Anton.P
