Author | Message | Time |
---|---|---|
CrAzY | [code]I need this to fit into 16 bytes. ]code] 0: ff 35 d0 8c 04 08 pushl 0x8048cd0 6: c7 05 c0 a1 04 08 57 movl $0x1a24a357,0x804a1c0 d: a3 24 1a 10: c3 ret [/code] Might need more help too. Tim | November 15, 2009, 10:25 PM |
BreW | Is that the exact assignment, to fit the equivalent of that code into one byte less? I don't see smaller code happening. | November 16, 2009, 1:46 AM |
CrAzY | Its suppose to be a buffer overflow. There are 12 available bytes in the buffer, then 4 more that can be used overwriting %ebp, and then the next 4 are used for the return address of the beginning of the buffer to run the exploit code. Basically its suppose to just set a global variable at memory address "0x804a1c0" with my cookie which is $0x1a24a357. That cookie is static but it is also stored at "0x804a1b0" if there is any other way you could see that being used. the assignment explicitly states that the code for this should be exactly 16 bytes. Edit: If there is any way I could speak more directly to you it would be much appreciated. The assignment is due in 2 hours and there are only 4 parts to it and I'm currently finished with 2, and close to the other 2. Thanks either way though. | November 16, 2009, 2:00 AM |
CrAzY | Update, I solved that one. 1 more to do. "Your exploit code should set your cookie as the return value, restore any corrupted state, push the correct return location on the stack, and execute a ret instruction to really return to test." Here's my guess? [code] 0: 68 b0 b5 ff bf push $0xbfffb5b0 #ebp of previous stack 5: b8 57 a3 24 1a mov $0x1a24a357,%eax #move cookie to return a: c9 leave #i got away with not having this in my last problem. Do I need it? b: c3 ret #hopefully return to the actual caller function :) [/code] Any help would be nice =) | November 16, 2009, 3:02 AM |
Myndfyr | How did you solve the first problem? | November 16, 2009, 7:45 AM |
CrAzY | [quote author=MyndFyre link=topic=18113.msg183700#msg183700 date=1258357552] How did you solve the first problem? [/quote] Instead of "pushl 0x8048cd0," I did "pushl $0x8048cd0." The result was 1 byte shorter.. And it made the code work how it was suppose to rather than pushing the value stored in that memory address. | November 17, 2009, 12:42 AM |