extern int get_proc();
/*
 * Test driver for get_proc(): look up the GOT slot that this very executable
 * uses for syscall() and call through it.  0x08048000 is the fixed load
 * address of a non-PIE i386 ELF executable, so get_proc() walks the image
 * that is already mapped in this process.
 */
int main(int argc, char **argv)
{
    unsigned int *slot;
    int (*sys)();

    slot = (unsigned int *)get_proc(0x08048000, "syscall");
    if (slot != 0) {
        /* The slot holds whatever the dynamic linker left there for
         * syscall(); calling it forwards the arguments on the stack. */
        sys = (int (*)())*slot;
        sys(4, 1, "HI!\n", 4);          /* i386 __NR_write: write(1, "HI!\n", 4) */
        sys(1, 0);                      /* i386 __NR_exit:  exit(0) */
    }
    /* Not reached when the lookup succeeds (exit above).  Presumably kept so
     * that the linker emits a PLT/GOT entry for syscall() at all — confirm. */
    syscall(1, 2);
}
BITS 32                                 ; NASM, Intel syntax, 32-bit i386 code
CPU 386
global get_proc
; Elf32_Ehdr field offsets.  The trailing number on each line is the field
; size in bytes (e_ident is 16 bytes, the e_*size/num fields are 16-bit).
e_ident equ 0 ; 16
e_type equ 16 ; 2
e_machine equ 18 ; 2
e_version equ 20 ; 2
e_entry equ 24 ; 4
e_phoff equ 28 ; 4
e_shoff equ 32 ; 4
e_flags equ 36 ; 4
e_ehsize equ 40 ; 2
e_phentsize equ 42 ; 2
e_phnum equ 44 ; 2
e_shentsize equ 46 ; 2
e_shnum equ 48 ; 2
e_shstrndx equ 50 ; 2
; Elf32_Shdr field offsets; all fields are 4 bytes, sizeof(Elf32_Shdr) = 40
; (get_proc below steps section headers with a hard-coded 40).
sh_name equ 0 ; 4
sh_type equ 4 ; 4
sh_flags equ 8 ; 4
sh_addr equ 12 ; 4
sh_offset equ 16 ; 4
sh_size equ 20 ; 4
sh_link equ 24 ; 4
sh_info equ 28 ; 4
sh_addralign equ 32 ; 4
sh_entsize equ 36 ; 4
%define SHT_DYNSYM 11                   ; sh_type of the dynamic symbol table (.dynsym)
; get_proc(elf_file,function_name)
;-----------------------------------------------------------------------
; unsigned get_proc(const void *ehdr, const char *name)
; Syntax: NASM 32-bit; cdecl (caller removes the two arguments).
; In:    [esp+4] = ehdr, address of an ELF32 image (its ELF header)
;        [esp+8] = name, NUL-terminated symbol name to look up
; Out:   eax = r_offset of the .rel.plt entry whose symbol index matches
;        `name` in .dynsym, i.e. the address of that symbol's GOT slot as
;        recorded in the file.  The value is returned unchanged — the
;        load base is NOT added.  0 if there is no SHT_DYNSYM section,
;        no symbol with that name, no ".rel.plt" section, or no relocation
;        for the symbol.
; Clobb: flags only; every other register is restored by pusha/popa.
; Assumes: section headers are present and e_shnum > 0 (the `loop .L0`
;        below would run 2^32 times with ecx = 0), sizeof(Elf32_Shdr) = 40,
;        sizeof(Elf32_Sym) = 16, sizeof(Elf32_Rel) = 8.
; Register roles after the prologue:
;        esi = ehdr, ebp = shdr (section header table), edi = current shdr,
;        edx = current string table, ecx/ebx = symbol cursor / table start,
;        later ecx = symbol index, esi/ebx = relocation cursor / table start.
;-----------------------------------------------------------------------
get_proc: pusha                         ; saves 8 regs (32 bytes): args are now at esp+36 / esp+40
mov esi, [esp + 36]                     ; esi = ehdr
mov ebp, [esi + e_shoff]
add ebp, esi                            ; ebp = shdr = (char*)ehdr + e_shoff
.get_sym_number:
; Pass 1: locate the SHT_DYNSYM section header.
movzx ecx, word [esi + e_shnum]         ; ecx = number of section headers (loop counter)
mov edi, ebp                            ; edi = &shdr[0]
.L0: cmp dword [edi + sh_type], SHT_DYNSYM
je .do_dyn_symtab
add edi, 40                             ; sizeof(Elf32_Shdr)
loop .L0
jmp .failed                             ; no .dynsym
.do_dyn_symtab:
; string = (char*)ehdr + shdr[shdr[i].sh_link].sh_offset;   (.dynsym's string table)
mov eax, [edi + sh_link]
lea eax, [eax + eax*4]                  ; eax = sh_link * 5 ...
mov edx, [ebp + eax * 8 + sh_offset]    ; ... scaled by 8 = sh_link * 40 = shdr[sh_link]
add edx, esi                            ; edx = symbol string table
; symp = (Elf32_Sym *)((char*)ehdr + shdr[i].sh_offset);
mov ecx, [edi + sh_offset]
add ecx,esi                             ; ecx = symp, cursor over .dynsym
; symt = symp;
mov ebx, ecx                            ; ebx = symt, table start (needed for size check and index)
; Pass 2: linear scan of .dynsym for an entry whose name equals `name`.
.nexts: mov eax, [esp + 40]             ; eax = name
push eax                                ; strcmp argument 2
movzx eax, word [ecx + 0] ; eax = symp->st_name (only the low 16 bits are read;
                          ; st_name is a 32-bit Elf32_Word, so string-table
                          ; offsets >= 0x10000 would be truncated here)
add eax, edx                            ; eax = string + st_name
push eax                                ; strcmp argument 1
call strcmp                             ; local strcmp below: retn 8 pops both args, keeps ecx/edx
or eax, eax
jz .founds
add ecx, 16 ; sizeof(Elf32_Sym)
mov eax, ecx
sub eax, ebx                            ; eax = bytes consumed = symp - symt
cmp eax, [edi + sh_size]                ; keep going while inside the section
jb .nexts
jmp .failed                             ; symbol not found
.founds:sub ecx, ebx
shr ecx, 4 ; sym = symp - symt          ; ecx = symbol index = byte distance / sizeof(Elf32_Sym)
; string = (char*)ehdr + shdr[ehdr->e_shstrndx].sh_offset;   (.shstrtab, section names)
movzx eax, word [esi + e_shstrndx]
lea eax, [eax + eax * 4]
mov edx, [ebp + eax * 8 + sh_offset]    ; e_shstrndx * 40 again
add edx, esi                            ; edx = section-name string table
; find .rel.plt section
; Pass 3: compare the first 8 bytes of every section name with ".rel.plt".
; The terminating NUL is not checked, so a name merely starting with
; ".rel.plt" would also match.
movzx ebx, word [esi + e_shnum]         ; ebx = sections left to examine
mov edi, ebp                            ; edi = &shdr[0]
.L1: mov eax, [edi + sh_name]
add eax, edx                            ; eax = this section's name
cmp dword [eax + 0], '.rel'
jne .nextr
cmp dword [eax + 4], '.plt'
je .do_rel
.nextr: add edi, 40                     ; next Elf32_Shdr
dec ebx
jnz .L1
jmp .failed                             ; no .rel.plt
.do_rel:; relt = (Elf32_Rel*)((char*)ehdr + shdr[i].sh_offset);
mov ebx, [edi + sh_offset]
add ebx, esi                            ; ebx = relt, relocation table start
; relp = relt
mov esi, ebx                            ; esi = relp; ehdr is not needed any more (popa restores esi)
; Pass 4: find the Elf32_Rel whose ELF32_R_SYM(r_info) equals the index in ecx.
.do_rel_l:
mov eax, [esi + 4]                      ; eax = relp->r_info
shr eax, 8                              ; ELF32_R_SYM(r_info) = r_info >> 8
; ELF32_R_SYM(relp->r_info) == sym
cmp eax, ecx
je .found
add esi, 8                              ; sizeof(Elf32_Rel)
mov eax, esi
sub eax, ebx                            ; eax = relp - relt
cmp eax, [edi + sh_size]
jb .do_rel_l
                                        ; fall through: relocation table exhausted
.failed:xor eax,eax                     ; return 0
jmp .done
.found: mov eax, [esi] ; relp->r_offset
.done: mov [esp + 28], eax              ; esp+28 is the eax slot pushed by pusha; popa returns it
popa
ret
;-----------------------------------------------------------------------
; int strcmp(const char *a, const char *b)   -- callee pops 8 bytes (retn 8)
; In:    [esp+4] = a, [esp+8] = b, both NUL-terminated
; Out:   eax = 0 if the strings are equal, otherwise the 32-bit difference
;        (unsigned char)*a - (unsigned char)*b at the first mismatch.
; Clobb: eax, flags.  ecx and edx are saved and restored.
;-----------------------------------------------------------------------
strcmp: push ecx
push edx
mov ecx, [esp + 12]                     ; ecx = a  (two pushes + return address = 12)
mov edx, [esp + 16]                     ; edx = b
.next: movzx eax, byte [ecx]            ; eax = *a, zero-extended
cmp al, [edx]
jne .differ
inc ecx
inc edx
test al, al                             ; both strings ended together -> equal
jne .next
jmp .leave                              ; eax is already 0 here
.differ: movzx ecx, byte [edx]          ; ecx is scratch now; the pop below restores it
sub eax, ecx                            ; eax = *a - *b
.leave: pop edx
pop ecx
retn 8
Жаль только, что подходящий набор функций (opendir,readdir,closedir,read,write,lseek,close,malloc,free; про mmap, уж и не говорю) встречается довольно редко, хотя опять-таки, подобрать можно... Ж;-)
не забыть:
; Fault-recovery wrapper (i386 Linux, int 0x80 ABI): install a SIGSEGV
; handler so that a fault inside the elided "..." region resumes at
; `restore`, which unwinds the pusha frame and returns to the caller.
protected:
pusha                                   ; saved state that `restore` pops after a fault
; Build a 16-byte legacy sigaction struct on the stack (lowest address first
; in memory: sa_handler, sa_mask, sa_flags, sa_restorer).
push srest                              ; sa_restorer
push 0x4000000                          ; sa_flags = SA_RESTORER (0x04000000)
push 0                                  ; sa_mask  = 0
push hsegv                              ; sa_handler
mov eax, 67 ; sigaction                 ; i386 __NR_sigaction
mov ebx, 11                             ; signum = SIGSEGV
mov ecx, esp                            ; act = the struct just pushed
mov edx, 0                              ; oldact = NULL
int 0x80
add esp, 16                             ; discard the sigaction struct
...
restore:
popa
ret
; SIGSEGV handler.  At entry the kernel frame is: [esp] = return address
; (srest), [esp+4] = signum, [esp+8] = struct sigcontext; 0x40 is the
; offset of sigcontext.eip in that layout, so sigreturn resumes at `restore`.
hsegv: mov dword [esp + 0x40], restore
ret                                     ; returns into srest
db 0
align 8
; sa_restorer: drop signum so esp points at the sigcontext, then sigreturn.
srest: pop eax
mov eax, 119 ; sigreturn                ; i386 __NR_sigreturn
int 0x80