How to Remove NULL (00) from Machine Code?_问答_开发者

How to Remove NULL (00) from Machine Code?

开发者 https://www.devze.com 2023-01-29 19:15 出处：网络

I need to know how i remove the null (00) from machine code. i wrote the code in Assembly Language. It running Successfully. I need the output without NULL

.data
  Bash:
      .asciz "/bin/hostname"
  Null1:
      .int 0
  AddrToBash:
      .int 0
  NULL2:
      .int 0

  .text
      .globl _start

_start:
       #execute routine

       xor  %eax,%eax
       movl $Bash, AddrToBash
       movl $11,%eax
       movl $Bash,%ebx
       movl $AddrToBash,%ecx
       movl $NULL2,%edx
       int  $0x80

       #exit routine


     Exit:
       movl $10,%ebx
       movl $1,%eax
       int $0x80

The following Output is

4000b0: 31 c0                   xor    %eax,%eax
  4000b2:   c7 04 25 f2 00 60 00    movl   $0x6000e0,0x6000f2
  4000b9:   e0 00 60 00 
 开发者_StackOverflow社区 4000bd:   b8 0b 00 00 00          mov    $0xb,%eax
  4000c2:   bb e0 00 60 00          mov    $0x6000e0,%ebx
  4000c7:   b9 f2 00 60 00          mov    $0x6000f2,%ecx
  4000cc:   ba f6 00 60 00          mov    $0x6000f6,%edx
  4000d1:   cd 80                   int    $0x80

00000000004000d3 <Exit>:
  4000d3:   bb 0a 00 00 00          mov    $0xa,%ebx
  4000d8:   b8 01 00 00 00          mov    $0x1,%eax
  4000dd:   cd 80                   int    $0x80

how to remove 00, I did the changed like eax to al, bx to bl blahahahahahaha...... but not work can someone modify it.......

You have to take a lot of things into consideration if you want to avoid NULL bytes in shellcode. However, most of the time it involves replacing instructions with equivalent ones.

For example,

mov $0, %eax

produces b8 00 00 00 00 which contains NULL bytes. Replacing it with

xor %eax, %eax

is semantically equivalent but produces 31 c0 instead.

For a good introduction on writing shellcode, read Smashing The Stack For Fun And Profit. The book Hacking: The Art of Exploitation contains a section (0x523) about avoiding NULL bytes in shellcode.

So, you want to use opcodes that does not contain byte 0. This could be useful only to create buffer overflows with strings (example: strcpy()).

Either you learn assembly wery well, so that you would know the binary encoding of most common instructions by heart, thus being able to avoid 0. Or by using existing tools for that: something that encodes the original code to a representation without 0 bytes (example: BCD, base64, or even ASCII string like 010010010), and prepends to it a special decriptor that does not contain zeros.