
I need to know how I remove the null (00) from machine code. I wrote the code in assembly language. It runs successfully. I need the output without NULL.

    .data
    Bash:
        .asciz "/bin/hostname"      # path passed to execve
    Null1:
        .int 0
    AddrToBash:
        .int 0                      # argv[0], filled in at run time
    NULL2:
        .int 0                      # argv[1] = NULL; also reused as envp

    .text
        .globl _start

    _start:
        # execute routine: execve(Bash, {Bash, NULL}, {NULL})
        # int $0x80 with eax = syscall number, ebx/ecx/edx = arguments

        xor  %eax,%eax
        movl $Bash, AddrToBash      # argv[0] = &Bash (absolute address)
        movl $11,%eax               # syscall number
        movl $Bash,%ebx             # filename
        movl $AddrToBash,%ecx       # argv
        movl $NULL2,%edx            # envp
        int  $0x80

        # exit routine: exit(10), reached only if execve fails

    Exit:
        movl $10,%ebx               # exit status
        movl $1,%eax                # syscall number
        int  $0x80

The output is the following:

  4000b0:   31 c0                   xor    %eax,%eax
  4000b2:   c7 04 25 f2 00 60 00    movl   $0x6000e0,0x6000f2
  4000b9:   e0 00 60 00 
  4000bd:   b8 0b 00 00 00          mov    $0xb,%eax
  4000c2:   bb e0 00 60 00          mov    $0x6000e0,%ebx
  4000c7:   b9 f2 00 60 00          mov    $0x6000f2,%ecx
  4000cc:   ba f6 00 60 00          mov    $0x6000f6,%edx
  4000d1:   cd 80                   int    $0x80

00000000004000d3 <Exit>:
  4000d3:   bb 0a 00 00 00          mov    $0xa,%ebx
  4000d8:   b8 01 00 00 00          mov    $0x1,%eax
  4000dd:   cd 80                   int    $0x80

How do I remove the 00s? I tried changes like eax to al, bx to bl, and so on, but it does not work. Can someone modify it?

Ethan Heilman
Neefra
  • Please fix the markdown of your posting. – Marcus Borkenhagen Dec 08 '10 at 20:16
  • I will never understand why people find it so difficult to click the magic "format code" button. Or even why people don't *look at the preview* and realize that half their code **is not even being shown because of bad formatting**. If you can't be bothered to look at your **own** question, why do you expect anyone else to read it? – jalf Dec 08 '10 at 20:18
  • And what do you mean "without null"? Which null do you want to remove, and *why*? – jalf Dec 08 '10 at 20:20
  • Just a wild guess: do you want to avoid opcodes that contain byte 0? Like for a string overflow exploit? – ruslik Dec 08 '10 at 20:21
  • If you remove all the nulls, your code will do something completely different. – Anon. Dec 08 '10 at 20:26
  • @Anon: technically it's possible, but it requires lots of knowledge and patience. For example, if you manage to write a base64 decoder with this property, you can attach any code to it. – ruslik Dec 08 '10 at 20:30
  • Basically I want to print the host name on FreeBSD doing a buffer overflow. So I need to know how I write the assembly code in FreeBSD to avoid 00s. – Neefra Dec 10 '10 at 18:06
  • You should say "avoid", not "removing". Seems you're trying to build shellcode ;) – Yuda Prawira May 06 '11 at 21:18

2 Answers

6

You have to take a lot of things into consideration if you want to avoid NULL bytes in shellcode. However, most of the time it involves replacing instructions with equivalent ones.

For example,

mov $0, %eax

produces b8 00 00 00 00 which contains NULL bytes. Replacing it with

xor %eax, %eax

is semantically equivalent but produces 31 c0 instead.

For a good introduction on writing shellcode, read Smashing The Stack For Fun And Profit. The book Hacking: The Art of Exploitation contains a section (0x523) about avoiding NULL bytes in shellcode.

mtvec
0

So, you want to use opcodes that do not contain byte 0. This could be useful only to create buffer overflows with strings (example: strcpy()).

Either you learn assembly very well, so that you would know the binary encoding of most common instructions by heart, thus being able to avoid 0; or you use existing tools for that: something that encodes the original code to a representation without 0 bytes (example: BCD, base64, or even an ASCII string like 010010010), and prepends to it a special decryptor that does not contain zeros.

ruslik
  • Thanks for the reply. I need to print the hostname using the execv system call in assembly language. The operating system is FreeBSD. After compiling and running the code I will get the produced opcodes, but the opcodes must not contain a 00 pair, and I don't know how to do that. – Neefra Dec 10 '10 at 18:08
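As an added example (not ruslik's code), here is the "encode, then prepend a decoder" approach from the answer above, using a single-byte XOR instead of base64: a decoder stub that I hand-assembled for 32-bit x86 (assumption) and that locates its own payload with the usual jmp/call/pop trick, a key chooser that guarantees no 0x00 in the encoded bytes, and a verifier that emulates the decoding loop in C so the result can be checked without executing anything. The sample payload is constructed from the exit routine in the question's listing, which assembles with six NUL bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical i386 decoder stub, hand-assembled (assumption); the two
 * placeholder bytes LEN and KEY are patched in by encode_payload():
 *
 *   00: eb 0d           jmp  short 0f       ; reach the call below
 *   02: 5e              pop  %esi           ; esi = &encoded[0]
 *   03: 31 c9           xor  %ecx,%ecx
 *   05: b1 LEN          mov  $LEN,%cl       ; payload length, 1..255
 *   07: 80 36 KEY       xorb $KEY,(%esi)
 *   0a: 46              inc  %esi
 *   0b: e2 fa           loop 07
 *   0d: eb 05           jmp  short 14       ; run the decoded payload
 *   0f: e8 ee ff ff ff  call 02             ; pushes address 14
 *   14: encoded payload follows
 */
#define STUB_LEN 20
#define LEN_OFF 6
#define KEY_OFF 9
static const unsigned char stub[STUB_LEN] = {
    0xeb, 0x0d, 0x5e, 0x31, 0xc9, 0xb1, 0x00 /* LEN */, 0x80, 0x36, 0x00 /* KEY */,
    0x46, 0xe2, 0xfa, 0xeb, 0x05, 0xe8, 0xee, 0xff, 0xff, 0xff,
};

/* Constructed sample payload: the exit(10) routine from the question's
 * listing, which contains six NUL bytes as assembled. */
static const unsigned char sample_payload[] = {
    0xbb, 0x0a, 0x00, 0x00, 0x00,   /* mov $0xa,%ebx */
    0xb8, 0x01, 0x00, 0x00, 0x00,   /* mov $0x1,%eax */
    0xcd, 0x80,                     /* int $0x80     */
};

int contains_nul(const unsigned char *buf, size_t len)
{
    return memchr(buf, 0x00, len) != NULL;
}

/* A single-byte XOR key works iff key != 0 and no payload byte equals the
 * key (that byte would encode to 0x00). Returns 0 when no such key exists. */
unsigned char pick_xor_key(const unsigned char *payload, size_t len)
{
    for (unsigned key = 1; key < 256; key++)
        if (memchr(payload, (int)key, len) == NULL)
            return (unsigned char)key;
    return 0;
}

/* Emit stub + XOR-encoded payload into out; returns the total length or 0
 * if the length is unsupported, the buffer is too small, or no key works. */
size_t encode_payload(const unsigned char *payload, size_t len,
                      unsigned char *out, size_t cap)
{
    if (len == 0 || len > 255 || cap < STUB_LEN + len)
        return 0;
    unsigned char key = pick_xor_key(payload, len);
    if (key == 0)
        return 0;
    memcpy(out, stub, STUB_LEN);
    out[LEN_OFF] = (unsigned char)len;
    out[KEY_OFF] = key;
    for (size_t i = 0; i < len; i++)
        out[STUB_LEN + i] = payload[i] ^ key;
    return STUB_LEN + len;
}

/* Apply the same transformation the stub's loop performs at run time. */
int decode_in_place(unsigned char *blob, size_t total)
{
    if (total < STUB_LEN + 1)
        return 0;
    size_t n = blob[LEN_OFF];
    if (total != STUB_LEN + n)
        return 0;
    for (size_t i = 0; i < n; i++)
        blob[STUB_LEN + i] ^= blob[KEY_OFF];
    return 1;
}

/* Encode, confirm the blob is NUL-free, decode, compare. Returns the blob
 * length on success, 0 on any failure. */
size_t verify_roundtrip(const unsigned char *payload, size_t len)
{
    unsigned char blob[STUB_LEN + 255];
    size_t total = encode_payload(payload, len, blob, sizeof blob);
    if (total == 0 || contains_nul(blob, total) || !decode_in_place(blob, total))
        return 0;
    return memcmp(blob + STUB_LEN, payload, len) == 0 ? total : 0;
}

int main(void)
{
    unsigned char blob[STUB_LEN + 255];
    size_t total = encode_payload(sample_payload, sizeof sample_payload,
                                  blob, sizeof blob);
    if (total == 0) {
        puts("no single-byte key works for this payload");
        return 1;
    }
    printf("key 0x%02x, %zu bytes, NUL-free: %s\n", blob[KEY_OFF], total,
           contains_nul(blob, total) ? "no" : "yes");
    for (size_t i = 0; i < total; i++)
        printf("%02x%c", blob[i], (i + 1) % 16 ? ' ' : '\n');
    putchar('\n');
    return 0;
}
```

Two caveats a practitioner should keep in mind. The stub overwrites its own bytes, so the memory holding the shellcode must be both writable and executable, which is the classic strcpy()-onto-the-stack situation the answer names and not something a W^X or NX-enabled target allows. A payload that uses every nonzero byte value defeats any single-byte key (pick_xor_key() returns 0 and encode_payload() refuses), so such a payload needs a multi-byte key or a different encoding such as the base64 the answer mentions; and because the stub relies on `loop`, a zero-length payload is rejected too.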