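#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>

/*
 * Load-time binary patcher, meant to be injected (e.g. via LD_PRELOAD) into one
 * specific non-PIE target. At constructor time it:
 *   1. locates the "IWANTSPACE" scratch buffer and the "HUEBR\n" string in the
 *      target's data segment,
 *   2. locates the `mov edi, imm32` (opcode 0xBF) in the first page of .text
 *      whose immediate is the address of that "HUEBR\n" string,
 *   3. writes "php\n" into the scratch buffer and re-points the instruction's
 *      immediate at it, so the patched call prints "php" instead.
 *
 * The absolute addresses below assume the classic non-PIE layout (0x400000 /
 * 0x601000 on x86_64, 0x8048000 / 0x804A020 on i386). Loaded into a PIE or a
 * differently linked binary the probes touch unmapped memory and the process
 * faults before the signature check can fail cleanly — there is no safe way
 * to probe those addresses without parsing /proc/self/maps, which is out of
 * scope here.
 *
 * An earlier variant (kept in this file as commented-out code, now removed)
 * additionally rewrote the trailing `mov eax, 0` of main() into a jump back
 * to the body of main(); that patch is not applied by this version.
 */

#if defined(__x86_64__) || defined(__x86_64)
#define PROGRAM_START_OFFSET 0x400440 /* start of the scanned .text window */
#define DATA_START_OFFSET    0x601000 /* start of the writable data segment */
#else
#define PROGRAM_START_OFFSET 0x8048000
#define DATA_START_OFFSET    0x804A020
#endif

/* Number of bytes scanned from each start offset (one conventional page). */
#define SCAN_WINDOW 4096

/*
 * Make the region starting at the `len`-aligned boundary at or below `addr`
 * readable, writable and executable. Kept for source compatibility; note that
 * it only page-aligns correctly when `len` equals the page size, and that a
 * signature found past the first page boundary of the scanned window would
 * fall outside the region it unprotects. The constructor below therefore uses
 * protect_range() on the actual patch address instead.
 */
#define UNPROTECT(addr, len) \
    (mprotect((void *)((uintptr_t)(addr) - ((uintptr_t)(addr) % (uintptr_t)(len))), \
              (len), PROT_READ | PROT_WRITE | PROT_EXEC))

/*
 * Scan [start, end) for the `len`-byte sequence `array`, advancing `align`
 * bytes per step.
 *
 * Returns the address of the first match plus `offset`, or NULL if there is
 * none. Also returns NULL for a non-positive `align` (which would otherwise
 * never terminate), a negative `len`, or a NULL argument. A candidate is only
 * compared when all `len` bytes lie inside [start, end), so the comparison
 * never reads past `end`.
 */
void *find_sig(const void *array, int len, void *start, void *end, int offset, int align)
{
    if (array == NULL || start == NULL || end == NULL || len < 0 || align <= 0) {
        return NULL;
    }

    const unsigned char *cursor = start;
    const unsigned char *limit = end;
    size_t needle = (size_t)len;

    /* `limit - cursor >= needle` keeps memcmp inside the window. */
    for (; cursor < limit && (size_t)(limit - cursor) >= needle; cursor += align) {
        if (memcmp(cursor, array, needle) == 0) {
            return (unsigned char *)cursor + offset;
        }
    }
    return NULL;
}

/* Data-segment signatures searched for in the target. */
char I_WANT_SPACE_SIGNATURE[] = "IWANTSPACE";
char HUEBR_SIGNATURE[] = "HUEBR\n";

/* `mov edi, imm32` = 0xBF followed by a little-endian 32-bit immediate.
 * Bytes 1..4 are filled with the address of "HUEBR\n" before the .text scan. */
char printfHUEoffset[] = { 0xBF, 0x00, 0x00, 0x00, 0x00 };

/*
 * Apply `prot` to every page overlapping [addr, addr + len).
 * Returns 0 on success, -1 with errno set by mprotect() on failure.
 */
static int protect_range(const void *addr, size_t len, int prot)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) {
        page = SCAN_WINDOW; /* fall back to the conventional 4 KiB page */
    }
    uintptr_t mask = (uintptr_t)page - 1;
    uintptr_t begin = (uintptr_t)addr & ~mask;
    uintptr_t finish = ((uintptr_t)addr + len + mask) & ~mask;
    return mprotect((void *)begin, (size_t)(finish - begin), prot);
}

/*
 * Runs before main() of the host process. Finds the scratch buffer, the
 * target string and the instruction that references it, then applies the
 * patch. Prints a diagnostic and exit(1)s on any failure so a mis-targeted
 * injection is loud rather than silently writing into code.
 */
void __attribute__((constructor)) initialize(void)
{
    unsigned char *data_lo = (unsigned char *)DATA_START_OFFSET;
    unsigned char *data_hi = data_lo + SCAN_WINDOW;
    unsigned char *text_lo = (unsigned char *)PROGRAM_START_OFFSET;
    unsigned char *text_hi = text_lo + SCAN_WINDOW;

    /* Scratch buffer ("IWANTSPACE", 11 bytes incl. NUL) that will hold "php\n". */
    char *x = find_sig(I_WANT_SPACE_SIGNATURE, (int)(sizeof I_WANT_SPACE_SIGNATURE - 1),
                       data_lo, data_hi, 0, 1);
    /* The "HUEBR\n" string the target currently references. */
    char *huebr = find_sig(HUEBR_SIGNATURE, (int)(sizeof HUEBR_SIGNATURE - 1),
                           data_lo, data_hi, 0, 1);
    if (x == NULL || huebr == NULL) {
        printf("OH FUCK IT! %p %p\n", x, huebr);
        exit(1);
    }

    /* `mov edi, imm32` carries a zero-extended 32-bit address: both the old
     * operand we search for and the new one we write must fit in 32 bits.
     * Going through uintptr_t avoids the pointer-to-int truncation of the
     * original `(int)` casts. */
    uintptr_t huebr_addr = (uintptr_t)huebr;
    uintptr_t x_addr = (uintptr_t)x;
    if (huebr_addr > UINT32_MAX || x_addr > UINT32_MAX) {
        printf("data address does not fit a 32-bit immediate: %p %p\n", x, huebr);
        exit(1);
    }

    uint32_t old_imm = (uint32_t)huebr_addr;
    for (int i = 0; i < 4; i++) {
        printfHUEoffset[1 + i] = (char)((old_imm >> (8 * i)) & 0xFF);
    }

    /* The instruction to patch: opcode 0xBF followed by huebr's address. */
    unsigned char *z = find_sig(printfHUEoffset, (int)sizeof printfHUEoffset,
                                text_lo, text_hi, 0, 1);
    if (z == NULL) {
        printf("no mov edi, imm32 referencing %p in the scanned .text window\n", huebr);
        exit(1);
    }

    /* Redirect the target's string: the scratch buffer becomes "php\n".
     * 5 bytes (4 chars + NUL) fit inside the 11-byte signature region. */
    memcpy(x, "php\n", 5);

    /* Unprotect exactly the page(s) holding the 5-byte instruction (the
     * window may cross a page boundary), patch the immediate in bytes 1..4,
     * then drop write permission again so .text does not stay RWX. */
    if (protect_range(z, sizeof printfHUEoffset, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        perror("mprotect");
        exit(1);
    }
    uint32_t new_imm = (uint32_t)x_addr;
    for (int i = 0; i < 4; i++) {
        z[1 + i] = (unsigned char)((new_imm >> (8 * i)) & 0xFF);
    }
    if (protect_range(z, sizeof printfHUEoffset, PROT_READ | PROT_EXEC) != 0) {
        /* The patch is already applied; the only consequence is a lingering RWX page. */
        perror("mprotect (restore)");
    }
}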