如何转换组件与外部函数壳code在OSX英特尔64 [英] how can convert assembly with extern function to shellcode in osx 64 intel

问题描述

我想这个汇编程序壳code转换。

I want to convert this assembly program to shellcode.

这只是程序创建了一个文件，我的目的是我应该如何转换组装壳我在使用它EXTERN命令时，code

This program just creates a file , my purpose is how I should convert assembly to shellcode when I using extern command in it

我ASSMBLY code是：

My assmbly code is :

extern _fopen,_fclose

global main
section .text

main:

    xor r10,r10  

    push r10   
    mov r13, 0x6277
    push r13
    mov     rsi,rsp

    push r10   
    mov r13, 0x726964656b616d
    push r13
    mov     rdi,rsp

    call    _fopen
        mov     r14, rax


    mov     rdi, r14
    call    _fclose

    mov     rax, 0x2000001 ; exit
    mov     rdi, 0
    syscall

我用这个命令来编译：

I used this command to compile it :

nasm -f macho64 test2.asm
ld -o test -e main test2.o -lSystem 

和我用objdum -d测试，以创建shell code

and I used objdum -d test to create shellcode

...........$ objdump -d test

test:     file format mach-o-x86-64


Disassembly of section .text:

0000000000001f93 <main>:
    1f93:   4d 31 d2                xor    %r10,%r10
    1f96:   41 52                   push   %r10
    1f98:   41 bd 77 62 00 00       mov    $0x6277,%r13d
    1f9e:   41 55                   push   %r13
    1fa0:   48 89 e6                mov    %rsp,%rsi
    1fa3:   41 52                   push   %r10
    1fa5:   49 bd 6d 61 6b 65 64    movabs $0x726964656b616d,%r13
    1fac:   69 72 00 
    1faf:   41 55                   push   %r13
    1fb1:   48 89 e7                mov    %rsp,%rdi
    1fb4:   e8 1d 00 00 00          callq  1fd6 <_fopen$stub>
    1fb9:   49 89 c6                mov    %rax,%r14
    1fbc:   4c 89 f7                mov    %r14,%rdi
    1fbf:   e8 0c 00 00 00          callq  1fd0 <_fclose$stub>
    1fc4:   b8 01 00 00 02          mov    $0x2000001,%eax
    1fc9:   bf 00 00 00 00          mov    $0x0,%edi
    1fce:   0f 05                   syscall 

Disassembly of section __TEXT.__stubs:

0000000000001fd0 <_fclose$stub>:
    1fd0:   ff 25 3a 00 00 00       jmpq   *0x3a(%rip)        # 2010 <_fclose$stub>

0000000000001fd6 <_fopen$stub>:
    1fd6:   ff 25 3c 00 00 00       jmpq   *0x3c(%rip)        # 2018 <_fopen$stub>

Disassembly of section __TEXT.__stub_helper:

0000000000001fdc <__TEXT.__stub_helper>:
    1fdc:   68 00 00 00 00          pushq  $0x0
    1fe1:   e9 0a 00 00 00          jmpq   1ff0 <_fopen$stub+0x1a>
    1fe6:   68 0e 00 00 00          pushq  $0xe
    1feb:   e9 00 00 00 00          jmpq   1ff0 <_fopen$stub+0x1a>
    1ff0:   4c 8d 1d 11 00 00 00    lea    0x11(%rip),%r11        # 2008 <>
    1ff7:   41 53                   push   %r11
    1ff9:   ff 25 01 00 00 00       jmpq   *0x1(%rip)        # 2000 <>
    1fff:   90                      nop

在正常情况下，我用运code主要部分，并conveted它外壳code和使用该code来运行它。

In normal condition i used opcode in "main" section and conveted it to shellcode and used this code to run it

#include <sys/mman.h>
#include <inttypes.h>
#include <unistd.h> 

char code[] = "\x4d\x31\xd2\x41\x52\x41...For Example ...";

int main()
{     
    int (*ret)() = (int (*)())code;
    void *page = (void *)((uintptr_t)code & ~(getpagesize() - 1));   
    mprotect(page, sizeof code, PROT_EXEC);
    ret();
    return 0;
}

但在这种情况下，忽略了最低的工作，我知道我应该使用的其他部分运codeS提到的主要部分的下方，但我不知道安排调用它们。

but in this case it dosen't work and I know I should used other sections opcodes mentioned below the main section , but I don't know the arrange of calling them.

请指引我。

推荐答案

您ASSMBLY code是写在64模式下，你确定了架'main'程序也编译到x64？

your assmbly code is written in x64 mode,are you sure that the loader-'main' program is also compile to x64?

这篇关于如何转换组件与外部函数壳code在OSX英特尔64的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！