Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
Opcodes?
Posted by: DomD
Date: August 07, 2008 12:48PM

Hi! First post :)

Just wondering if people could suggest any methods of finding "JMP %ebx" opcodes and the like on OS X (or *nix; might work on Mac I suppose...)

Before making the switch to OS X (a while ago) I'd just use metasploit's opcode database to find them in shared modules; now I'm struggling a little!

I'm learning to exploit a simple gets() program in C and I can control the eip, with ebx and ebp pointing into my buffer; I just can't figure out how to get a JMP ebx or CALL, etc. address.

Any pointers will be appreciated!

Re: Opcodes?
Posted by: rsnake
Date: September 02, 2008 06:21PM

Hey, DomD - this isn't really the right forum for questions like this. I don't think many webappsec guys live in IDA Pro and the like. Just a different discipline. You're probably better off asking one of the Metasploit guys, like HD Moore in particular.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Opcodes?
Posted by: hdm
Date: September 02, 2008 10:02PM

Right now, we [metasploit] don't have a msf*scan tool for mach-o binaries. It's been on the TODO list for a while, but we haven't made much progress on it. In the meantime, you can try some of the gdb macros that allow memory searches, and search the raw opcodes (jmp/call/push ebx;ret) in memory.

Re: Opcodes?
Posted by: kuza55
Date: September 03, 2008 08:36AM

Actually, I had to do this for a wargame recently (and memgrep wasn't doing quite what I wanted) and found/modified the following gdb script to search memory regions for a given 2-byte short:

# Usage: search <start addr> <end addr> <2-byte pattern, host byte order>
# Walks [start, end) one byte at a time and prints every address where the
# short stored there equals the pattern.
define search
  set $start = (char *) $arg0
  set $end = (char *) $arg1
  set $pattern = (short) $arg2
  set $p = $start
  while $p < $end
    if (*(short *) $p) == $pattern
      printf "pattern 0x%hx found at 0x%x\n", $pattern, $p
    end
    set $p++
  end
end

It's very, very, very slow though, so expect searching through the mapped process space to take a few minutes at least. Anyway, remember that since gdb is casting to short ints you need to know what endianness your processor is, so on a little-endian box searching some memory region for a jmp (%esp) is:
(gdb) search 0x40113598 0x4013ab34 0xe4ff

P.S. Does anyone know how you (properly) can find out what memory regions are mapped in an executable in gdb? I've just been running "info files", which seems to be giving me what I want (and gave me the right memory ranges to search, etc.) but I'm not sure if that's giving me everything... yes, I fail at gdb

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]



Edited 1 time(s). Last edit at 09/03/2008 08:40AM by kuza55.

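To illustrate the endianness point kuza55 makes above (why the script is handed 0xe4ff to find the bytes FF E4 on a little-endian box), here is an added C example that is not from the thread: a byte-wise search that sidesteps byte order alongside a short-compare that mirrors what the gdb script does. The function names and the sample buffer are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Endianness-independent search: record each offset where byte b0 is directly
   followed by byte b1; returns how many offsets were stored in out. */
size_t find_byte_pair(const uint8_t *buf, size_t len, uint8_t b0, uint8_t b1, size_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max; i++)
        if (buf[i] == b0 && buf[i + 1] == b1)
            out[n++] = i;
    return n;
}

/* Mirrors the gdb script: reinterpret each position as a short in host byte
   order and compare it with the value passed in (memcpy avoids unaligned loads). */
size_t find_short(const uint8_t *buf, size_t len, uint16_t pattern, size_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max; i++) {
        uint16_t v;
        memcpy(&v, buf + i, sizeof v);
        if (v == pattern)
            out[n++] = i;
    }
    return n;
}

/* Host-order short for the byte sequence b0 b1: 0xe4ff for FF E4 on a
   little-endian host, 0xffe4 on a big-endian one. */
uint16_t host_short_for_bytes(uint8_t b0, uint8_t b1)
{
    uint8_t raw[2] = { b0, b1 };
    uint16_t v;
    memcpy(&v, raw, sizeof v);
    return v;
}

/* Constructed sample (not from a real binary): FF E4 at offsets 2 and 8,
   the reversed pair E4 FF at offset 5. */
const uint8_t sample[] = { 0x90, 0x90, 0xff, 0xe4, 0x00, 0xe4, 0xff, 0x90, 0xff, 0xe4 };
const size_t sample_len = sizeof sample;
```

Passing 0xffe4 "as written" to the short-compare on a little-endian host matches the reversed pair at offset 5 instead of the two real FF E4 pairs, which is exactly the trap the byte-wise version avoids.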
Re: Opcodes?
Posted by: rvdh
Date: January 21, 2009 08:33AM

Quote

RSnake said: I don't think many webappsec guys live in IDA Pro and the like. Just a different discipline.

Why not? I know a couple, including myself. But you're right that it ain't the proper forum to get a quick reply on his question ;-)

Re: Opcodes?
Posted by: rvdh
Date: January 21, 2009 08:35AM

Quote

Kuza55 said: P.S. Does anyone know how you (properly) can find out what memory regions are mapped in an executable in gdb? I've just been running "info files", which seems to be giving me what I want (and gave me the right memory ranges to search, etc.) but I'm not sure if that's giving me everything... yes, I fail at gdb

Try AutoDebug to find out which hooks/APIs are called; it's way quicker to find out.

EDIT: simple video tutorial to trace Notepad using AutoDebug: http://www.autodebug.com/notepad.php


Edited 1 time(s). Last edit at 01/21/2009 08:38AM by rvdh.
