Lucas Teske revised this gist 10 years ago. Go to revision
1 file changed, 11 insertions
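--- a/test_autolookup.c
+++ b/test_autolookup.c
@@ -0,0 +1,11 @@
+int y = 100;
+
+char teste[] = "HUEBR\n";
+
+char I_WANT_SPACE[100] = "IWANTSPACE"; // Because I WANT SPACE
+
+int main() {
+printf("Y: %d\n", y);
+printf(teste);
+printf(teste);
+}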
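Review bot: `printf(teste)` on lines 9 and 10 passes a writable data buffer as the format string, so any `%` that ends up in `teste` is interpreted as a conversion with no matching argument; the conventional form is `printf("%s", teste);` or `fputs(teste, stdout);`. If the bare-pointer call is what the LD_PRELOAD demo relies on, a one-line comment stating that (`// deliberately non-literal format: the preload patches this pointer`) would stop the next reader from "fixing" it. `printf` is also used without `#include <stdio.h>`, so it is implicitly declared here; add the include at the top of the file. `test.c` in the last revision has the same two `printf(teste)` calls.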
Lucas Teske revised this gist 10 years ago. Go to revision
1 file changed, 64 insertions
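--- a/test2_autolookup.c
+++ b/test2_autolookup.c
@@ -0,0 +1,64 @@
+#include <stdio.h>
+#include <sys/mman.h>
+
+#define UNPROTECT(addr,len) (mprotect((void*)(addr-(addr%len)),len,PROT_READ|PROT_WRITE|PROT_EXEC))
+
+#ifdef __x86_64
+#define PROGRAM_START_OFFSET 0x400440
+#define DATA_START_OFFSET 0x601000
+#else
+#define PROGRAM_START_OFFSET 0x8048000
+#define DATA_START_OFFSET 0x804A020
+#endif
+
+void * find_sig(unsigned char * array, int len, void * start, void * end, int offset, int align) {
+void * pos;
+for (pos = start; pos < end; pos += align) {
+if (memcmp(pos, array, len) == 0)
+return pos + offset;
+}
+return NULL;
+}
+
+char I_WANT_SPACE_SIGNATURE[] = "IWANTSPACE";
+char HUEBR_SIGNATURE[] = "HUEBR\n";
+char printfHUEoffset[] = { 0xBF, 0x00, 0x00, 0x00, 0x00 };
+
+void __attribute__((constructor)) initialize(void) {
+//char *x = 0x6010A8; // Address in empty space of I_WANT_SPACE
+char *x = find_sig(I_WANT_SPACE_SIGNATURE, 10, (void *)DATA_START_OFFSET, (void *)(DATA_START_OFFSET+4096), 0, 1);
+char *huebr = find_sig(HUEBR_SIGNATURE, 6, (void *)DATA_START_OFFSET, (void *)(DATA_START_OFFSET+4096), 0, 1);
+
+if (x == NULL || huebr == NULL) {
+printf("OH FUCK IT! %p %p\n", x, huebr);
+exit(1);
+}
+
+
+printfHUEoffset[1] = (((int)huebr) >> 0) & 0xFF;
+printfHUEoffset[2] = (((int)huebr) >> 8) & 0xFF;
+printfHUEoffset[3] = (((int)huebr) >> 16) & 0xFF;
+printfHUEoffset[4] = (((int)huebr) >> 24) & 0xFF;
+
+int *z = find_sig(printfHUEoffset, 5, (void *)PROGRAM_START_OFFSET, (void *)(PROGRAM_START_OFFSET+4096),0,1);
+
+x[0] = 'p';
+x[1] = 'h';
+x[2] = 'p';
+x[3] = '\n';
+x[4] = 0x00;
+
+UNPROTECT(PROGRAM_START_OFFSET,4096); // 0x400530 is the address of the main() space
+int *t = (((int)z)+1); // mov edi, offset teste ; "HUEBR\n" - Adress to offset teste
+*t = x;
+/*
+x = 0x40056F; // mov eax, 0 - Before last line
+x[0] = 0x48;
+x[1] = 0xc7;
+x[2] = 0xc0;
+t = x + 3;
+*t = 0x40053A; // Address of start of the main() function excluding the stack pushes.
+x[7] = 0xff;
+x[8] = 0xe0;
+*/
+}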
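Review bot: `find_sig` (lines 14–21) calls `memcmp(pos, array, len)` for every `pos` below `end`, so the last `len - 1` positions compare bytes beyond the `[start, end)` window the caller asked for; bound the loop on the whole signature instead, `for (pos = start; (char *)pos + len <= (char *)end; pos += align) {`. The third result, `z` on line 43, is dereferenced through `t` on lines 52–53 without the NULL check the first two results get on line 32, so a missed signature turns into a store through `(int *)1`; extend the check to `if (x == NULL || huebr == NULL || z == NULL) {` once `z` is computed. The `UNPROTECT(...)` result on line 51 is discarded, and when `mprotect` fails the write on line 53 faults, so guard it with `if (UNPROTECT(PROGRAM_START_OFFSET,4096) != 0) { perror("mprotect"); exit(1); }` — `test2.c` in the last revision discards the same call. `memcmp` and `exit` are used without `<string.h>` and `<stdlib.h>`, which leaves both implicitly declared.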
Lucas Teske revised this gist 10 years ago. Go to revision
1 file changed, 3 insertions, 1 deletion
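--- a/README.md
+++ b/README.md
@@ -1,3 +1,5 @@
+```bash
 gcc test.c -o test
 gcc -shared -fPIC test2.c -o test2.so
-LD_PRELOAD="./test2.so" ./test
+LD_PRELOAD="./test2.so" ./test
+```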
Lucas Teske revised this gist 10 years ago. Go to revision
3 files changed, 44 insertions
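--- a/README.md
+++ b/README.md
@@ -0,0 +1,3 @@
+gcc test.c -o test
+gcc -shared -fPIC test2.c -o test2.so
+LD_PRELOAD="./test2.so" ./test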
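--- a/test.c
+++ b/test.c
@@ -0,0 +1,15 @@
+#include <stdio.h>
+#include <sys/mman.h>
+#define UNPROTECT(addr,len) (mprotect((void*)(addr-(addr%len)),len,PROT_READ|PROT_WRITE|PROT_EXEC))
+
+int y = 100;
+
+char teste[] = "HUEBR\n";
+
+char I_WANT_SPACE[100]; // Because I WANT SPACE
+
+int main() {
+printf("Y: %d\n", y);
+printf(teste);
+printf(teste);
+}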
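--- a/test2.c
+++ b/test2.c
@@ -0,0 +1,26 @@
+#include <stdio.h>
+#include <sys/mman.h>
+
+#define UNPROTECT(addr,len) (mprotect((void*)(addr-(addr%len)),len,PROT_READ|PROT_WRITE|PROT_EXEC))
+
+void __attribute__((constructor)) initialize(void) {
+char *x = 0x6010A8; // Address in empty space of I_WANT_SPACE
+x[0] = 'p';
+x[1] = 'h';
+x[2] = 'p';
+x[3] = '\n';
+x[4] = 0x00;
+
+UNPROTECT(0x400530,4096); // 0x400530 is the address of the main() space
+int *t = 0x400552; // mov edi, offset teste ; "HUEBR\n" - Adress to offset teste
+*t = x;
+
+x = 0x40056F; // mov eax, 0 - Before last line
+x[0] = 0x48;
+x[1] = 0xc7;
+x[2] = 0xc0;
+t = x + 3;
+*t = 0x40053A; // Address of start of the main() function excluding the stack pushes.
+x[7] = 0xff;
+x[8] = 0xe0;
+}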
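Review bot: `char *x = 0x6010A8;` (line 7), `int *t = 0x400552;` (line 15) and `*t = x;` (line 16) assign integers to pointers and a pointer to an `int` with no cast; each is a constraint violation that compilers accept only with a diagnostic, and on a 64-bit build the last one silently drops the upper half of the pointer. Spelling the conversions out makes the intended 32-bit store visible to the reader: `char *x = (char *)0x6010A8;`, `int *t = (int *)0x400552;`, `*t = (int)(uintptr_t)x;` (with `<stdint.h>` included). The same applies to the reassignment `x = 0x40056F;` on line 18.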