Created
March 19, 2024 18:45
-
-
Save rbran/adbd0940f94e9de3a019574425262615 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // This code demonstrate how to break a simple disassembler. | |
| // you may need to build with "-no-pie" | |
| // gcc -o get_key get_key.c -no-pie | |
| #include <stdio.h> | |
| const char reveal_key[] = "The key is '%x'\n"; | |
| int get_key(int argc) { | |
| int key = 0; | |
| __asm__( | |
| // sub 1 because argc is almost never 0 | |
| " sub $1, %1\n" | |
| // makeshift switch statement based on the argc | |
| " cmp $2, %1\n" | |
| " ja end\n" | |
| " shl $2, %1\n" | |
| " add $offsets, %1\n" | |
| " mov $0,%%rdi\n" | |
| " mov (%1),%%edi\n" | |
| " jmp *%%rdi\n" | |
| // I will put the jmp table in the middle of the function LOL | |
| "offsets:\n" | |
| " .long zero\n" | |
| " .long one\n" | |
| " .long two\n" | |
| // just data that is impossible to disassembly with x86_64 | |
| " .long 0xFFFFB8FF\n" | |
| " .long 0xFFFFB8FF\n" | |
| " .long 0xFFFFB8FF\n" | |
| " .long 0xFFFFB8FF\n" | |
| "zero:\n" | |
| " mov $0xDEADBEFF, %0\n" | |
| " jmp end\n" | |
| "one:\n" | |
| " mov $0xDEC0C0FF, %0\n" | |
| " jmp end\n" | |
| "two:\n" | |
| " mov $0x1337, %0\n" | |
| "end:\n" | |
| : "=r" (key) | |
| : "r" (argc) | |
| : "%rdi", "%edi"); | |
| return key; | |
| } | |
| int main(int argc, char **argv) { | |
| printf("argc %d\n", argc); | |
| int key = get_key(argc); | |
| printf("key %x\n", key); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment