Keith Makan k3170makan

## 1_heap.c
#include <string.h>
#include <stdio.h>
#include <stdlib.h>

char * make_string(size_t length){
	char *arr = (char *)malloc(length);
	asm("int $3");
	return arr;
}
void free_string(char *arr){

## never_call.c
#include <stdio.h>
void never_call(void){
	printf("[*] success!! call to function never_call!!!\n\n");
}
void foo(void){
	printf("[*] call to function foo\n");
	return;
}
int main(int argc, char **argv){
	printf("[*] call to main function\n");

## init_fini.c
#include <stdio.h>
void never_call(void){
	printf("[*] success!! call to function never_call!!!\n\n");
}
void __attribute__ ((destructor)) foo_destructor(void){
	printf("[*] hay! you called by destructor!! \n");
	return;
}
void __attribute__ ((constructor)) foo_constructor(void){
	printf("[*] hay! you called by constructor!! \n");

## start.S
   You should have received a copy of the GNU Lesser General Public
   License along with the GNU C Library; if not, see
   <http://www.gnu.org/licenses/>.  */

/* This is the canonical entry point, usually the first thing in the text
   segment.  The SVR4/i386 ABI (pages 3-31, 3-32) says that when the entry
   point runs, most registers' values are unspecified, except for:
   %rdx		Contains a function pointer to be registered with `atexit'.
		This is how the dynamic linker arranges to have DT_FINI
		functions called for shared libraries that have been loaded

## dl-init.c
void
_dl_init (struct link_map *main_map, int argc, char **argv, char **env)
{
  ElfW(Dyn) *preinit_array = main_map->l_info[DT_PREINIT_ARRAY];
  ElfW(Dyn) *preinit_array_size = main_map->l_info[DT_PREINIT_ARRAYSZ];
  unsigned int i;
//... snip ....

      addrs = (ElfW(Addr) *) (preinit_array->d_un.d_ptr + main_map->l_addr);
      for (cnt = 0; cnt < i; ++cnt)

## dl_fini.c

          void
_dl_fini (void)
{
  /* Lots of fun ahead.  We have to call the destructors for all still
     loaded objects, in all namespaces.  The problem is that the ELF
     specification now demands that dependencies between the modules
     are taken into account.  I.e., the destructor for a module is
     called before the ones for any of its dependencies.
     To make things more complicated, we cannot simply use the reverse

## _start.c
   0x0000000000400450 <+0>:	xor    %ebp,%ebp
   0x0000000000400452 <+2>:	mov    %rdx,%r9
   0x0000000000400455 <+5>:	pop    %rsi
   0x0000000000400456 <+6>:	mov    %rsp,%rdx
   0x0000000000400459 <+9>:	and    $0xfffffffffffffff0,%rsp
   0x000000000040045d <+13>:	push   %rax
   0x000000000040045e <+14>:	push   %rsp
   0x000000000040045f <+15>:	mov    $0x4005e0,%r8
   0x0000000000400466 <+22>:	mov    $0x400570,%rcx
   0x000000000040046d <+29>:	mov    $0x400430,%rdi

## dl-load.c
1738       abi_note = (void *) abi_note + note_size;
1739          }
1740
1741        if (size == 0)
1742          continue;
1743
1744        osversion = (abi_note[5] & 0xff) * 65536
1745          + (abi_note[6] & 0xff) * 256
1746          + (abi_note[7] & 0xff);
1747        if (abi_note[4] != __ABI_TAG_O

## Makefile
PROG=compile_me
CC=gcc
FLAGS=-Wall -O2
all:
	$(CC) -o $(PROG).elf $(PROG).c $(FLAGS)
clean:
	rm -f *.elf

## compile_me.c
#include <stdio.h>
void never_call(void){
	printf("[*] wow how did you manage to call this?\n");
	return;
}
int main(int argc, char **argv){
	printf("[*] you ran this binary!\n");
	return 0;
}
	#include <string.h>
	#include <stdio.h>
	#include <stdlib.h>

	char * make_string(size_t length){
	char arr = (char )malloc(length);
	asm("int $3");
	return arr;
	}
	void free_string(char *arr){
	#include <stdio.h>
	void never_call(void){
	printf("[*] success!! call to function never_call!!!\n\n");
	}
	void foo(void){
	printf("[*] call to function foo\n");
	return;
	}
	int main(int argc, char **argv){
	printf("[*] call to main function\n");
	You should have received a copy of the GNU Lesser General Public
	License along with the GNU C Library; if not, see
	<http://www.gnu.org/licenses/>. */

	/* This is the canonical entry point, usually the first thing in the text
	segment. The SVR4/i386 ABI (pages 3-31, 3-32) says that when the entry
	point runs, most registers' values are unspecified, except for:
	%rdx Contains a function pointer to be registered with `atexit'.
	This is how the dynamic linker arranges to have DT_FINI
	functions called for shared libraries that have been loaded
	void
	_dl_init (struct link_map main_map, int argc, char argv, char *env)
	{
	ElfW(Dyn) *preinit_array = main_map->l_info[DT_PREINIT_ARRAY];
	ElfW(Dyn) *preinit_array_size = main_map->l_info[DT_PREINIT_ARRAYSZ];
	unsigned int i;
	//... snip ....

	addrs = (ElfW(Addr) *) (preinit_array->d_un.d_ptr + main_map->l_addr);
	for (cnt = 0; cnt < i; ++cnt)

	void
	_dl_fini (void)
	{
	/* Lots of fun ahead. We have to call the destructors for all still
	loaded objects, in all namespaces. The problem is that the ELF
	specification now demands that dependencies between the modules
	are taken into account. I.e., the destructor for a module is
	called before the ones for any of its dependencies.
	To make things more complicated, we cannot simply use the reverse
	0x0000000000400450 <+0>: xor %ebp,%ebp
	0x0000000000400452 <+2>: mov %rdx,%r9
	0x0000000000400455 <+5>: pop %rsi
	0x0000000000400456 <+6>: mov %rsp,%rdx
	0x0000000000400459 <+9>: and $0xfffffffffffffff0,%rsp
	0x000000000040045d <+13>: push %rax
	0x000000000040045e <+14>: push %rsp
	0x000000000040045f <+15>: mov $0x4005e0,%r8
	0x0000000000400466 <+22>: mov $0x400570,%rcx
	0x000000000040046d <+29>: mov $0x400430,%rdi
	1738 abi_note = (void *) abi_note + note_size;
	1739 }
	1740
	1741 if (size == 0)
	1742 continue;
	1743
	1744 osversion = (abi_note[5] & 0xff) * 65536
	1745 + (abi_note[6] & 0xff) * 256
	1746 + (abi_note[7] & 0xff);
	1747 if (abi_note[4] != __ABI_TAG_O
	PROG=compile_me
	CC=gcc
	FLAGS=-Wall -O2
	all:
	$(CC) -o $(PROG).elf $(PROG).c $(FLAGS)
	clean:
	rm -f *.elf
	#include <stdio.h>
	void never_call(void){
	printf("[*] wow how did you manage to call this?\n");
	return;
	}
	int main(int argc, char **argv){
	printf("[*] you ran this binary!\n");
	return 0;
	}