The shadow space must be provided directly previous to the call. Imagine the shadow space as a relic from the old stdcall/cdecl convention: For WriteFile you needed five pushes. The shadow space stands for the last four pushes (the first four arguments). Now you need four registers, the shadow space (just the space, contents don’t … Read more
If the divisor is a signed 64-bit value, you don’t need to do anything with it. Likewise, if the dividend is a signed 128-bit value, you don’t need to do anything with it, just load the top 64 bits of it into rdx and the low 64 bits into rax. Now, if any of the … Read more
One solution that I most commonly use is to actually use the GNU linker (ld) to build the IDT and GDT for me. This answer isn’t a primer on writing GNU linker scripts, but it does make use of the BYTE, SHORT, and LONG linker script directives to build the IDT, the GDT, the IDT … Read more
From man 2 write, you can see the signature of write is, ssize_t write(int fd, const void *buf, size_t count); It takes a pointer (const void *buf) to a buffer in memory. You can’t pass it a char by value, so you have to store it to memory and pass a pointer. (Don’t print one … Read more
$$ is the address of the beginning of the current section. It is a relocatable value (not “scalar” – a word you will find in an error message, but not in the Manual). It is an offset, so doesn’t care what’s in a segment register. Documentation: https://www.nasm.us/doc/nasmdoc3.html#section-3.5 example use case for a boot sector: https://www.nasm.us/doc/nasmdo13.html#section-13.1.3 … Read more
The 64-bit OS X ABI complies at large to the System V ABI – AMD64 Architecture Processor Supplement. Its code model is very similar to the Small position independent code model (PIC) with the differences explained here. In that code model all local and small data is accessed directly using RIP-relative addressing. As noted in … Read more
fflush() flushes buffered output in line or full-buffered stdio streams: extern fflush … xor edi, edi ; RDI = 0 call fflush ; fflush(NULL) flushes all streams … Alternatively, mov rdi, [stdout] / call fflush also works to flush only that stream. (Use default rel for efficient RIP-relative addressing, and you’ll need extern stdout as … Read more
What is so special about lea that mov can’t do? mov reg,imm loads an immediate constant into its destination operand. Immediate constant is encoded directly in the opcode, e.g. mov eax,someVar would be encoded as B8 EF CD AB 00 if address of someVar is 0x00ABCDEF. I.e. to encode such an instruction with imm being … Read more
In NASM syntax, that instruction should be MOV EBX, MY_TABLE. What MOV EBX, [MY_TABLE] would do is load the first 4 bytes located at MY_TABLE into EBX. Another alternative would be to use LEA, as in LEA EBX, [MY_TABLE]. In this case the tutorial is right. MY_TABLE is defined as an array of words. A … Read more
When you inject this shellcode, you don’t know what is at message: mov ecx, message in the injected process, it can be anything but it will not be “Hello world!\r\n” since it is in the data section while you are dumping only the text section. You can see that your shellcode doesn’t have “Hello world!\r\n”: … Read more