Valhalla Legends Archive
Messages - CrAzY

#1
General Programming / Re: [IA32 ASM] Buffer Overflow
November 16, 2009, 06:42 PM
Quote from: MyndFyre on November 16, 2009, 01:45 AM
How did you solve the first problem?

Instead of "pushl  0x8048cd0," I did "pushl  $0x8048cd0."

The result was 1 byte shorter.  And it made the code work how it was supposed to rather than pushing the value stored in that memory address.
#2
General Programming / Re: [IA32 ASM] Buffer Overflow
November 15, 2009, 09:02 PM
Update, I solved that one.  1 more to do.

"Your exploit code should set your cookie as the return value, restore any corrupted state, push the correct return location on the stack, and execute a ret instruction to really return to test."

Here's my guess?

   0:   68 b0 b5 ff bf          push   $0xbfffb5b0  #ebp of previous stack
   5:   b8 57 a3 24 1a          mov    $0x1a24a357,%eax #move cookie to return
   a:   c9                      leave #i got away with not having this in my last problem.  Do I need it?
   b:   c3                      ret #hopefully return to the actual caller function :)


Any help would be nice =)
#3
General Programming / Re: [IA32 ASM] Buffer Overflow
November 15, 2009, 08:00 PM
It's supposed to be a buffer overflow.  There are 12 available bytes in the buffer, then 4 more that can be used overwriting %ebp, and then the next 4 are used for the return address of the beginning of the buffer to run the exploit code.

Basically it's supposed to just set a global variable at memory address "0x804a1c0" with my cookie which is $0x1a24a357.  That cookie is static but it is also stored at "0x804a1b0" if there is any other way you could see that being used.

The assignment explicitly states that the code for this should be exactly 16 bytes.

Edit:  If there is any way I could speak more directly to you it would be much appreciated.  The assignment is due in 2 hours and there are only 4 parts to it and I'm currently finished with 2, and close to the other 2.  Thanks either way though.
#4
General Programming / [IA32 ASM] Buffer Overflow
November 15, 2009, 04:25 PM
I need this to fit into 16 bytes.

   0:   ff 35 d0 8c 04 08       pushl  0x8048cd0
   6:   c7 05 c0 a1 04 08 57    movl   $0x1a24a357,0x804a1c0
   d:   a3 24 1a
  10:   c3                      ret


Might need more help too.

Tim
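
The frame layout described in these posts (a 12-byte buffer, then the saved %ebp, then the return address), as an added example that is not part of the original thread or the lab: the unbounded copy that makes the layout reachable next to a bounded copy that refuses input it cannot hold. `byte_lands_in`, `bounded_copy` and the slot names are hypothetical names chosen here; the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 12   /* the 12-byte buffer described in the post */

/* Frame slots in the layout the post describes (32-bit x86, %ebp-based frame):
 *   buf[0..11] | saved %ebp (4 bytes) | return address (4 bytes) | caller's frame
 * Hypothetical names; the lab's own symbols are not shown on the page. */
enum slot { SLOT_BUFFER = 0, SLOT_SAVED_EBP = 1, SLOT_RETURN_ADDR = 2, SLOT_CALLER_FRAME = 3 };

/* Which slot does the n-th byte (zero-based) written starting at buf[0] land in? */
enum slot byte_lands_in(size_t n)
{
    if (n < BUF_LEN)      return SLOT_BUFFER;
    if (n < BUF_LEN + 4)  return SLOT_SAVED_EBP;
    if (n < BUF_LEN + 8)  return SLOT_RETURN_ADDR;
    return SLOT_CALLER_FRAME;
}

/* How many bytes a string of input_len characters writes outside the buffer
 * (0 if it fits; the terminating NUL is counted because strcpy copies it too). */
size_t overflow_bytes(size_t input_len)
{
    size_t written = input_len + 1;
    return written > BUF_LEN ? written - BUF_LEN : 0;
}

/* Vulnerable pattern: the input length, not the buffer size, decides where the copy stops. */
void unsafe_copy(char buf[BUF_LEN], const char *src)
{
    strcpy(buf, src);    /* with strlen(src) >= 12 this reaches saved %ebp, then the return address */
}

/* Hardened form: refuse anything that would not fit; buf is always NUL-terminated on return. */
int bounded_copy(char buf[BUF_LEN], const char *src)
{
    size_t n = strlen(src);
    if (n >= BUF_LEN) {       /* n characters plus the NUL would exceed the buffer */
        buf[0] = '\0';
        return -1;
    }
    memcpy(buf, src, n + 1);
    return 0;
}

/* Self-check helper: 1 if bounded_copy accepted src and stored it intact */
int bounded_copy_accepts(const char *src)
{
    char buf[BUF_LEN];
    return bounded_copy(buf, src) == 0 && strcmp(buf, src) == 0;
}

int main(void)
{
    /* Constructed sample inputs: 11 characters fit, 20 would reach past the return address */
    printf("11 chars accepted: %d\n", bounded_copy_accepts("ABCDEFGHIJK"));
    printf("20 chars accepted: %d\n", bounded_copy_accepts("AAAAAAAAAAAAAAAAAAAA"));
    printf("byte 16 lands in slot %d (2 = return address)\n", (int)byte_lands_in(16));
    return 0;
}
```

The point of the bounded version is that the check happens before any byte is written, so the saved %ebp and return address slots are never reachable from input. Building with gcc's `-fstack-protector` adds a canary between the buffer and the saved %ebp as a second line of defence, but it detects the overwrite after the fact rather than preventing it.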
#5
Haha, yeah I'm really telling the truth.  Dreams come true in Burke, VA tho =).  I actually live in Fairfax, VA now but it's adjacent to Burke.

If you talk to him again tell him to give me the answers ;).

lol,  Tim
#6
Quote from: brew on October 13, 2009, 12:26 PM
Are you the_wiz_kid_89 on Freenode?

No.

A lot of the questions I had my professor went over in class yesterday.  There are still some things she needs to cover, but I should know more answers after class today.  (Yes, I know it's weird to have 2 lectures 2 days in a row; weird week because of Columbus Day.)

If I have more time today I'll give you some feedback on how the lab is going.

I'd love some references to anything useful that has helped people in the past.  You can never know too much =)

Tim
#7
Thanks a ton to both of you.  Brew, you clarified a lot of things for me and things started making a little more sense.  I'm 2/3 done now.  There are some smaller issues that I could use some answers to:

0x08048cf2 <phase_5+45>: add    0x80497c0(,%eax,4),%ecx

(gdb) print (char*) 0x80497c0
$197 = 0x80497c0 "\002"



Is this 4x$eax+"\002"?  If so, how does that affect the "string" "\002"?

0x08048ce1 <phase_5+28>: mov    $0x0,%edx
0x08048ce6 <phase_5+33>: mov    $0x0,%ecx
0x08048ceb <phase_5+38>: movsbl (%edx,%ebx,1),%eax
0x08048cef <phase_5+42>: and    $0xf,%eax
0x08048cf2 <phase_5+45>: add    0x80497c0(,%eax,4),%ecx
0x08048cf9 <phase_5+52>: add    $0x1,%edx
0x08048cfc <phase_5+55>: cmp    $0x6,%edx
0x08048cff <phase_5+58>: jne    0x8048ceb <phase_5+38>


Stepping into this, %eax = 0x06 I think.  Can someone explain the algorithm taking place a little better?  I read that "movsbl" drags the sign bit over.  Can someone show a small example exactly how that will look in this code?

Please don't give me the solutions to any thing either.  I actually do enjoy learning.

Thanks =)

Tim



#8
Yessirr.

I guess this isn't an uncommon lab for people who are CS majors.  It's the "bomb lab".

You enter the wrong things and it says "boom - blah. blah blah..."

I got past the first part.  I'm stuck on the 2nd now.

Tim
#9
For a lab assignment, I've basically been given a compiled C program on an x86 linux machine.  The goal of the assignment is to figure out the 6 strings I have to enter in order to get through the program.

I've already spent over 20 hours reading my text book / internet sources and still have yet to get the first answer.

Basically I have been using gdb and stepping through each line of assembly monitoring each register and searching for the answers.

There are really a bunch of questions I could use help with, and it would be easiest if someone could really help familiarize me a little more with why certain instructions are the way they are.  AIM would be the best way of contact for this; my screen name is ooi tim ioo.

If no one has time for that, here are some questions I would like answered please:

What is the purpose of "test %eax, %eax"?  I know it's a bitwise AND and I'm assuming no matter what it is, the ZF is set.  I read something like it is used to see if the SF changes or something?

When I do "info registers" in gdb, it will echo the register name, a hexadecimal value, and an integer value.  Are the hex and int values just the address the register points to?  If so, is "print /x $reg" returning the value the address points to or the address itself?

I'm aware that %ebp and %esp are the base stack pointer and the stack pointer.  Is the following statement correct?  0x4(%ebp) = return address;  0x8(%ebp) = first parameter;  0xC(%ebp) = 2nd parameter; and so on?

Where there is a call such as "push %ebi", why does %esp move a WORD in the negative direction?  What is the purpose of pushing registers on the stack when you can use them regardless?

Is "ret" always %eax?

Is there any real difference between each register (without including %esp and %ebp)?

I'm sure I have more questions but that is all I can think of off the top of my head.

Any help would be much appreciated.

Thanks,

Tim
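
The three instructions these two posts ask about (`movsbl`, `test`, and the `phase_5` loop of post #7), as an added example written for this page, not code from the lab or the thread. It models what each instruction does in C and writes the loop out with the registers named as in the gdb listing. The 16-entry table is constructed here: only its first byte is visible in the post (gdb printed "\002", so entry 0 is 2); the other 15 values are made up.

```c
#include <stdint.h>
#include <stdio.h>

/* movsbl: load one byte and sign-extend it to 32 bits (movzbl would zero-extend instead) */
int32_t movsbl(uint8_t byte)
{
    return (int32_t)(int8_t)byte;
}

/* What `test a,b` leaves in the flags: it computes a & b, discards the result,
 * sets ZF if the result is zero and SF to the result's bit 31 (CF and OF are cleared).
 * `test %eax,%eax` is the same thing with both operands equal, so ZF says whether %eax
 * was zero and SF whether it was negative; the je/jne/js that follows reads those bits. */
typedef struct { int zf; int sf; } flags_t;

flags_t test_flags(uint32_t a, uint32_t b)
{
    uint32_t r = a & b;
    flags_t f;
    f.zf = (r == 0);
    f.sf = (r >> 31) & 1;
    return f;
}

/* The phase_5 loop from post #7, written out in C. %ebx holds the string pointer,
 * %edx is the byte index, %ecx accumulates, and the table at 0x80497c0 is an array of
 * 32-bit ints (the scaled index ",%eax,4" is what shows it has 4-byte entries). */
int32_t phase5_loop(const char *s, const int32_t table[16])
{
    int32_t ecx = 0;                               /* mov $0x0,%ecx */
    for (int32_t edx = 0; edx != 6; edx++) {       /* add $0x1,%edx ; cmp $0x6,%edx ; jne */
        int32_t eax = movsbl((uint8_t)s[edx]);     /* movsbl (%edx,%ebx,1),%eax */
        eax &= 0xf;                                /* and $0xf,%eax : keep the low nibble only */
        ecx += table[eax];                         /* add 0x80497c0(,%eax,4),%ecx */
    }
    return ecx;
}

/* Constructed table for the demo (entry 0 = 2 matches the "\002" gdb showed; the rest is made up). */
const int32_t DEMO_TABLE[16] = { 2, 10, 6, 1, 12, 16, 9, 3, 4, 7, 14, 5, 11, 8, 15, 13 };

int main(void)
{
    printf("movsbl(0xff) = %d, movsbl(0x7f) = %d\n", movsbl(0xff), movsbl(0x7f));
    flags_t f = test_flags(0, 0);
    printf("test 0,0 -> ZF=%d SF=%d\n", f.zf, f.sf);
    printf("phase5_loop(\"012345\") = %d\n", phase5_loop("012345", DEMO_TABLE));
    return 0;
}
```

Two things the C version makes visible. First, because `and $0xf` follows the load, the sign extension never changes which table entry is picked: a byte of 0x80 becomes -128 in %eax, and -128 & 0xf is 0, the same as for 0x00. Second, the loop reads exactly six bytes and never checks for a terminator, so the string's length is checked somewhere else in the phase. On the frame-layout question in post #9: in 32-bit code that starts with `push %ebp; mov %esp,%ebp`, 0(%ebp) holds the saved %ebp, 4(%ebp) the return address and 8(%ebp) the first argument, which is why each `push` moves %esp down by 4.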



#10
General Programming / Re: [C]Bitwise Help?
September 23, 2009, 03:15 AM
I solved int sm2tc(int x); without any help.

Here it is:

int sm2tc(int x) {
   int y = x & (0x80<<24);   /* isolate the sign bit (0x80<<24 == 0x80000000) */
   int z = y>>31;            /* arithmetic shift: all ones if negative, else 0 */
   int a = (x^z);            /* negative: flip every bit; non-negative: unchanged */
   int b = (a|y)+!!y;        /* put the sign bit back and add 1, giving ~|x| + 1 */
   return b;
}


As far as the LessThanOrEqual function goes, I already thought of what you suggested, Kane.  Unfortunately the test cases cause overflows.

So unfortunately I will have to take another approach towards it.  Think XOR might do the trick?  http://graphics.stanford.edu/~seander/bithacks.html#IntegerMinOrMax

CrAzY
#11
General Programming / [C]Bitwise Help?
September 22, 2009, 05:46 PM
I'm pretty stuck on some hw I was assigned.  We are limited to what operations we are allowed to use in order to evaluate given functions.

Here's what we are allowed/not allowed to do:


CODING RULES:

  Replace the "return" statement in each function with one
  or more lines of C code that implements the function. Your code
  must conform to the following style:

  int Funct(arg1, arg2, ...) {
      /* brief description of how your implementation works */
      int var1 = Expr1;
      ...
      int varM = ExprM;

      varJ = ExprJ;
      ...
      varN = ExprN;
      return ExprR;
  }

  Each "Expr" is an expression using ONLY the following:
  1. Integer constants 0 through 255 (0xFF), inclusive. You are
      not allowed to use big constants such as 0xffffffff.
  2. Function arguments and local variables (no global variables).
  3. Unary integer operations ! ~
  4. Binary integer operations & ^ | + << >>
   
  Some of the problems restrict the set of allowed operators even further.
  Each "Expr" may consist of multiple operators. You are not restricted to
  one operator per line.

  You are expressly forbidden to:
  1. Use any control constructs such as if, do, while, for, switch, etc.
  2. Define or use any macros.
  3. Define any additional functions in this file.
  4. Call any functions.
  5. Use any other operations, such as &&, ||, -, or ?:
  6. Use any form of casting.

  You may assume that your machine:
  1. Uses 2s complement, 32-bit representations of integers.
  2. Performs right shifts arithmetically.
  3. Has unpredictable behavior when shifting an integer by more
     than the word size.


I have solved most problems, but there are a few for which I just cannot figure out an algorithm that meets the restrictions.

Here are the ones I have left:

/*
* isLessOrEqual - if x <= y  then return 1, else return 0
*   Example: isLessOrEqual(4,5) = 1.
*   Legal ops: ! ~ & ^ | + << >>
*   Max ops: 24
*   Rating: 3
*/
int isLessOrEqual(int x, int y) {
return ;
}

/*
* sm2tc - Convert from sign-magnitude to two's complement
*   where the MSB is the sign bit
*   Example: sm2tc(0x80000005) = -5.
*   Legal ops: ! ~ & ^ | + << >>
*   Max ops: 15
*   Rating: 4
*/
int sm2tc(int x) {
  return ;
}


Any help or suggestions would be appreciated.

Thanks,

CrAzY
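
An isLessOrEqual that stays within the coding rules quoted above and avoids the overflow mentioned in the later post (#10), as an added example written for this page; it is not the poster's solution or the course's reference. The idea is the one the rules hint at: when x and y have different signs the answer is just the sign of x, and when they share a sign the subtraction cannot overflow, so the two cases are selected with masks instead of control flow. `check_isLessOrEqual` and its list of edge values are constructed for self-checking and use the forbidden `<=` only in the reference.

```c
#include <limits.h>
#include <stdio.h>

/* isLessOrEqual under the lab's rules: no -, no comparisons, no control flow,
 * constants no larger than 0xFF, 2's complement with arithmetic right shifts.
 *   different signs -> x <= y exactly when x is the negative one;
 *   same sign       -> x + ~y (= x - y - 1) cannot overflow and is negative exactly when x <= y.
 * The operands of that sum are masked to 0 when the signs differ, so it never overflows. */
int isLessOrEqual(int x, int y) {
    int same_mask = ~((x ^ y) >> 31);        /* all ones when the signs are equal, 0 otherwise */
    int xm = x & same_mask;                  /* x, or 0 when the signs differ */
    int ym = y & same_mask;                  /* y, or 0 when the signs differ */
    int le_same = ((xm + ~ym) >> 31) & 1;    /* same sign: 1 iff x <= y; differing signs: 1 (discarded) */
    int x_neg = (x >> 31) & 1;               /* 1 iff x is negative */
    return (same_mask & le_same) | (~same_mask & x_neg);   /* 15 operators, under the max of 24 */
}

/* Reference using the forbidden operator, for checking only (not part of the solution). */
int isLessOrEqual_ref(int x, int y) {
    return x <= y;
}

/* Compare the solution with the reference on every pair of these edge values
 * (constructed list). Returns the number of mismatches; 0 means all pairs agreed. */
int check_isLessOrEqual(void) {
    const int vals[] = { INT_MIN, INT_MIN + 1, -5, -1, 0, 1, 4, 5, INT_MAX - 1, INT_MAX };
    const int n = (int)(sizeof vals / sizeof vals[0]);
    int mismatches = 0;
    for (int i = 0; i < n; i++)
        for (int j = 0; j < n; j++)
            if (isLessOrEqual(vals[i], vals[j]) != isLessOrEqual_ref(vals[i], vals[j]))
                mismatches++;
    return mismatches;
}

int main(void) {
    printf("isLessOrEqual(4,5) = %d\n", isLessOrEqual(4, 5));
    printf("isLessOrEqual(INT_MIN, INT_MAX) = %d\n", isLessOrEqual(INT_MIN, INT_MAX));
    printf("mismatches against reference: %d\n", check_isLessOrEqual());
    return 0;
}
```

The pair that breaks the naive `y - x` version is INT_MAX and INT_MIN: the difference does not fit in 32 bits and its sign comes out wrong. Here those two land in the "different signs" branch and are never subtracted, and in the "same sign" branch the sum `xm + ~ym` is always within range, so there is no signed overflow anywhere in the function.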

#12
C/C++ Programming / [C]Concat "Strings"?
May 01, 2009, 03:01 PM
Hi all,

http://nopaste.gamedev.pl/?id=3727

Specifically looking at:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* `input` is declared elsewhere in the linked paste; its element type is assumed here */
extern int input[];

char *show_pizza(int pizza)
{
   char *output = (char*)malloc(100*sizeof(char));
   output[0] = '\0';   /* strcat needs a terminated string to append to */
   int i;
   for(i=0; i<8; i++)
   {
      if((input[pizza]>>i)&1)   /* one topping per set bit */
      {
         //printf("%s", *strcat("hi", "pepperoni "));
         if(i==0)
            strcat(output, "pepperoni ");
         else if(i==1)
            strcat(output, "cheese ");
         else if(i==2)
            strcat(output, "mushrooms ");
         else if(i==3)
            strcat(output, "onions ");
         else if(i==4)
            strcat(output, "green peppers ");
         else if(i==5)
            strcat(output, "olives ");
         else if(i==6)
            strcat(output, "ham ");
         else if(i==7)
            strcat(output, "sausage ");
      }
   }

   if(output[0]=='\0')
      strcat(output, "no toppings");
   printf("%s", output);
   return output;
}


The strings don't concat correctly.  I either get a weird output or nothing at all.

Any suggestions?

Thanks,

Tim
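
The same routine with a bounded append instead of bare strcat, as an added example that is not the poster's code or the paste linked above. It keeps the 100-byte allocation and the bit-per-topping loop, takes the mask directly instead of indexing a global `input` array, and refuses any append that would not fit. `append_bounded`, `show_pizza_bits`, `pizza_matches`, `bound_is_enforced` and the sample masks are names and values constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One topping per bit of the mask, in the same order as the post's if/else chain. */
static const char *TOPPINGS[8] = {
    "pepperoni", "cheese", "mushrooms", "onions",
    "green peppers", "olives", "ham", "sausage"
};

#define OUTPUT_CAP 100   /* same 100 bytes as the post's malloc */

/* strcat with a capacity check: appends piece to dst only if it fits (including the NUL).
 * Returns 0 on success, -1 if it would not fit; dst is never written past cap. */
int append_bounded(char *dst, size_t cap, const char *piece)
{
    size_t used = strlen(dst);
    size_t need = strlen(piece);
    if (used + need + 1 > cap)
        return -1;
    memcpy(dst + used, piece, need + 1);
    return 0;
}

/* Describe the toppings bitmask; the caller frees the result. NULL if malloc failed. */
char *show_pizza_bits(unsigned char bits)
{
    char *output = malloc(OUTPUT_CAP);
    if (output == NULL)
        return NULL;
    output[0] = '\0';                         /* strcat-style appends need a terminated start */
    for (int i = 0; i < 8; i++) {
        if ((bits >> i) & 1) {
            append_bounded(output, OUTPUT_CAP, TOPPINGS[i]);
            append_bounded(output, OUTPUT_CAP, " ");
        }
    }
    if (output[0] == '\0')
        append_bounded(output, OUTPUT_CAP, "no toppings");
    return output;
}

/* Self-check helper: 1 if show_pizza_bits(bits) equals expected. Frees the string. */
int pizza_matches(unsigned char bits, const char *expected)
{
    char *s = show_pizza_bits(bits);
    if (s == NULL)
        return 0;
    int ok = strcmp(s, expected) == 0;
    free(s);
    return ok;
}

/* Shows the bound being enforced: in an 8-byte destination, "pepperoni" (9 chars + NUL)
 * is refused and the destination is left untouched. Returns 1 when both hold. */
int bound_is_enforced(void)
{
    char small[8] = "ham ";
    int rc = append_bounded(small, sizeof small, "pepperoni");
    return rc == -1 && strcmp(small, "ham ") == 0;
}

int main(void)
{
    char *s = show_pizza_bits(0x05);            /* constructed mask: bits 0 and 2 set */
    printf("%s\n", s ? s : "(alloc failed)");
    free(s);
    return 0;
}
```

With all eight bits set the longest description is 67 bytes, so the 100-byte buffer is enough; the bound matters once the topping list or the buffer size changes. One thing to know about the original's `printf("%s", output)`: it has no trailing newline, so on a line-buffered terminal the text stays in the stdio buffer until something flushes it, which can look like "nothing at all" if the program ends abnormally.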
#13
I have no idea how to use CVS :(.  Maybe I should learn.
#14
URL for source?  I'll make an attempt to bring it back to life  8)
#15
Hey all,

I'm looking for a solid working java source code for a bot.

I want to program some bots that will use AI and chat with people =).

I'm preferably looking for one that works with SC too :P.

If any one has C sources I'll take that too :).

Thanks,

Tim