Skip to content

Instantly share code, notes, and snippets.

@blue-devil

blue-devil/_jump2itself.md

Last active February 14, 2024 18:49
Show Gist options
  • Save blue-devil/9a34653d759a6dfa11acd0f88246e77b to your computer and use it in GitHub Desktop.
Save blue-devil/9a34653d759a6dfa11acd0f88246e77b to your computer and use it in GitHub Desktop.
Download ZIP
Unconditional Branch/Jump to Itself
Raw
_jump2itself.md

Unconditional Branch/Jump to Itself

In reverse engineering we often need an executable binary to mapped in memory, stopped at a certain address. One approach is to modify the executable binary temporarily to jump at its own address. I have written a very small c code and compile it with optimization level 2.

#include <stdio.h>

int main(void)
{
    while(1);

    return 0;
}

NOTE If we use for(;;) instead of while(1), we would get the same result.

In x86 (both in 64-bit and 32 bit), you can use these two bytes : 0xEB 0xFE. While writing in assembly we can use jmp $ for the very same purpose.

In AARCH64 we can use 0x14000000. In aarch64 assembly it is equivalent to b .. b instruction means unconditional branch

In ARM we can use 0xeafffffe.

Below you can find PoC code and objdump output for x86_64, x86_32, AARCH64 and ARM

x86

Compile with gcc -Wall -O2 loop.c -o loop

$ objdump -d -M intel loop-x86_64

<snipped for brevity>

0000000000001020 <main>:
    1020:       eb fe                   jmp    1020 <main>
    1022:       66 2e 0f 1f 84 00 00    cs nop WORD PTR [rax+rax*1+0x0]
    1029:       00 00 00
    102c:       0f 1f 40 00             nop    DWORD PTR [rax+0x0]

<snipped for brevity>

For 32-bit executable compile with gcc -m32 -Wall -O2 loop.c -o loop-x86_32

$ objdump -d -M intel loop-x86_32

<snipped for brevity>

Disassembly of section .text:

00001050 <main>:
    1050:       eb fe                   jmp    1050 <main>

<snipped for brevity>

Instead of GCC we can use ML64 on x64 Windows systems. Then we can use dumpbin to inspect disassembly code:

dumpbin /disasm Jump2Itself2.exe
Microsoft (R) COFF/PE Dumper Version 14.36.32532.0
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file Jump2Itself2.exe

File Type: EXECUTABLE IMAGE

  0000000140001000: EB FE              jmp         0000000140001000
  0000000140001002: C3                 ret

  Summary

        1000 .rdata
        1000 .text

AARCH64

On my x86_64 ArchLinux platform I have compiled with : aarch64-linux-gnu-gcc -Wall -O2 loop.c -o loop-aarch64

$ aarch64-linux-gnu-objdump -d loop-aarch64

<snipped for brevity>

Disassembly of section .text:

0000000000000600 <main>:
 600:   14000000        b       600 <main>

<snipped for brevity>

ARM

On my x86_64 ArchLinux platform I have compiled with : arm-linux-gnueabihf-gcc -Wall -O2 loop.c -o loop-arm

$ arm-linux-gnueabihf-objdump -d loop-arm

<snipped for brevity>

Disassembly of section .text:

000003d0 <main>:
 3d0:   eafffffe        b       3d0 <main>

<snipped for brevity>
Raw
branch2itself_aarch64.s
/* _______________________________________________________________________
| ______ __ ,.' __.'.__ . ______ ___ |
| | | | /b` '-. .-' d\| ; | | |
| | __ | | .5h /.'.\ =5| _ \ | | |
| |. 1 \| | (0=h ' ' =C) 1\ \ .--:. | |
| | 1_/| | ?3==, .==7| | \ \ |__| | |
| |. | .-- -.-----{=`==oo____oo==`=}| | |.----.-- -.--:. | |
| |. __ | | V | ^__|'"o58888888888,; |. | || ^_| V | |. | |
| |: 1 \|_|____|_____| `?88P^\,?88^\P |. | / |____|\___|__|: |___ |
| |: 1_/ / C8?\__d88\_/' |: 1/ / . |: 1 | |
| |::.. . / `8o8888/\88P |::.. . / |::.. . | |
| `-------' '7oo88oo8P `------' `-------' |
| Cooo##~\/\/\/~====> github.com/blue-devil |
| / Freedom, doesn't come from \ gitlab.com/bluedevil |
| \ second-hand thoughts / www.sctzine.com |
|_______________________________________________________________________|
| @author : Blue DeviL <bluedevil.SCT@gmail.com> |
| @tester : ErrorInside <errorinside@sctzine.com> |
| @IDE : ViM <Vi iMproved> |
| @template : Blue DeviL |
| @date : 07/06/2023 |
| @license : AGPLv3 |
|_______________________________________________________________________|
| |
| Linux AARCH64 Assembly Work With GNU Assembler |
| AARCH64 Code Writes To STDOUT and Branches to Itself |
\_______________________________________________________________________/
*/
.arch armv8-a
.section .data
mystr:
.string "[!] Unconditional branch to itself AARCH64\n"
len = . - mystr // dynamically calc string size
.section .text
.global _start
_start:
/* syscall write(unsigned int fd, const char *buf, size_t count) */
mov x0, #1 // fd = STDOUT
ldr x1, =mystr // buf = mystr
mov x2, #len // count = len
mov x8, #64 // write = 64
svc #1 // sistem çağrısı yap
b . // unconditional branch to itself
/* syscall exit(int error_code) */
mov x0, #0 // exit status = 0
mov x8, #93 // exit = 93
svc #1 // sistem çağrısı yap
Raw
branch2itself_arm32.s
/* _______________________________________________________________________
| ______ __ ,.' __.'.__ . ______ ___ |
| | | | /b` '-. .-' d\| ; | | |
| | __ | | .5h /.'.\ =5| _ \ | | |
| |. 1 \| | (0=h ' ' =C) 1\ \ .--:. | |
| | 1_/| | ?3==, .==7| | \ \ |__| | |
| |. | .-- -.-----{=`==oo____oo==`=}| | |.----.-- -.--:. | |
| |. __ | | V | ^__|'"o58888888888,; |. | || ^_| V | |. | |
| |: 1 \|_|____|_____| `?88P^\,?88^\P |. | / |____|\___|__|: |___ |
| |: 1_/ / C8?\__d88\_/' |: 1/ / . |: 1 | |
| |::.. . / `8o8888/\88P |::.. . / |::.. . | |
| `-------' '7oo88oo8P `------' `-------' |
| Cooo##~\/\/\/~====> github.com/blue-devil |
| / Freedom, doesn't come from \ gitlab.com/bluedevil |
| \ second-hand thoughts / www.sctzine.com |
|_______________________________________________________________________|
| @author : Blue DeviL <bluedevil.SCT@gmail.com> |
| @tester : ErrorInside <errorinside@sctzine.com> |
| @IDE : ViM <Vi iMproved> |
| @template : Blue DeviL |
| @date : 07/06/2023 |
| @license : AGPLv3 |
|_______________________________________________________________________|
| |
| Linux ARM32 Assembly Work With GNU Assembler |
| ARM32 Code Writes To STDOUT and Branches to Itself |
\_______________________________________________________________________/
*/
.section .data
mystr:
.asciz "[!] Unconditional branch to itself ARM32\n"
len = . - mystr
.section .text
.global _start
_start:
// syscall write(unsigned int fd, const char *buf, size_t count)
mov r0, #1 // fd = STDOUT
ldr r1, =mystr // buf = mystr
mov r2, #len // count = len
mov r7, #4 // write = 4
svc #0 /* syscall'u çağır */
b . // unconditional branch to itself
/* syscall exit(int status) */
mov r0, #0 // exit status = 0
mov r7, #1 // exit = 1
svc #0 // syscall'u çağır
Raw
jump2itself_x64.asm
; _______________________________________________________________________
; | ______ __ ,.' __.'.__ . ______ ___ |
; | | | | /b` '-. .-' d\| ; | | |
; | | __ | | .5h /.'.\ =5| _ \ | | |
; | |. 1 \| | (0=h ' ' =C) 1\ \ .--:. | |
; | | 1_/| | ?3==, .==7| | \ \ |__| | |
; | |. | .-- -.-----{=`==oo____oo==`=}| | |.----.-- -.--:. | |
; | |. __ | | V | ^__|'"o58888888888,; |. | || ^_| V | |. | |
; | |: 1 \|_|____|_____| `?88P^\,?88^\P |. | / |____|\___|__|: |___ |
; | |: 1_/ / C8?\__d88\_/' |: 1/ / . |: 1 | |
; | |::.. . / `8o8888/\88P |::.. . / |::.. . | |
; | `-------' '7oo88oo8P `------' `-------' |
; | Cooo##~\/\/\/~====> github.com/blue-devil |
; | gitlab.com/bluedevil |
; | Freedom doesn't come from second-hand thoughts. www.sctzine.com |
; |_______________________________________________________________________|
; | @author : Blue DeviL <bluedevil@sctzine.com> |
; | @tester : ErrorInside <errorinside@sctzine.com> |
; | @IDE : RadASM v2.2.2.4 |
; | @template : Blue DeviL |
; | @date : 08/06/2023 |
; | @license : AGPLv3 |
; |_______________________________________________________________________|
; | |
; | MASM64 Programming Console Code Sniplet |
; | Branch to Itself |
; \_______________________________________________________________________/
OPTION DOTNAME ; required for macro files
option casemap:none ; case sensitive
.code
mainCRTStartup proc
jmp $
ret
mainCRTStartup endp
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment