Reputation: 11
shellcode in x86_64 avoiding null byte in large constants like an absolute address?
I'm new to learning x86_64 assembly, trying to move something in address 0x400da6 to register eax, I use
mov 0x400da6, %eax
but that will causing a 00 at the end of the binary, how to avoid this?
0: 8b 3c 25 a6 0d 40 00 mov 0x400da6,%eax
Upvotes: 1
Views: 537
Answers (1)
Reputation: 364287
You're going to need a tmp register (for example EAX which you're about to overwrite anyway) to construct the address in a way that avoids any 00 bytes, then mov (%rax), %eax. There's no encoding for a load that uses a 24-bit absolute address.
For example:
mov $0x400da6 + 0x1111111, %eax
mov -0x1111111(%rax), %eax
The resulting machine code is:
note non-zero high byte
vv
0: b8 b7 1e 51 01 mov eax,0x1511eb7
5: 8b 80 ef ee ee fe mov eax,DWORD PTR [rax-0x1111111]
You can use any constant you want, as long as it fits in a 32-bit sign-extended disp32 so you can use it as part of the addressing mode. If you want other operations like XOR, you'll need to XOR separately from the load; x86 addressing modes can only add 2's complement sign-extended 8 or 32-bit values.
Upvotes: 1
Related Questions
- How to use a syscall in a shellcode without use `syscall` or `sysenter` for Linux x86-64, avoiding 0x0F bytes?
- NULL-free shellcode
- Removing null bytes for shellcode results in missing char and continuous loop
- Compact shellcode to print a 0-terminated string pointed-to by a register, given puts or printf at known absolute addresses?
- How can I reprogram my shellcode snippet to avoid null bytes?
- Address in shellcode changing during execution
- How to get the instruction pointer in x86_64 without 0x00 or 0xFF bytes?
- Manual Null-Termination on Unix using Intel x86 Assembly (address vs value in memory operands)?
- Null bytes in shellcode?
- More Null Free Shellcode