Assembly tip 1

Assembly tip 1

Tip 1: Get the current instruction address and add the instruction

{
_ ASM
{
CallGet_next_addr; get the next JMP eax address and save it in eax.
JMPEax; local jump, endless loop, waiting for correction to 0x90, 0x90 NOP
MoVEax, 0x1
JMPQuit

_ Emit0x12; useless data flower command
_ Emit0x34
_ Emit0xff
_ Emit0x4f
_ Emit0xd3
_ Emit0xe3
_ Emit0x67
_ Emit0x12
_ Emit0x89
_ Emit0x00

Get_next_addr:
PopEax
PushEax
RET
Quit:
JMP gothis;
}
}
Gothis:
Printf ("Hello world! ");

Tip 2: Add simple instructions

The appearance of instructions:
Assembly language is actually a symbolic form of machine commands. To some extent, it is just easier to understand machine commands. Each assembly statement translates Assembly commands into binary code based on the CPU-specific command symbol table. In applications, we can decompile a binary program into assembly code through the VC ide or other disassembly and decompilation software such as OD.
The general format of the machine is: Command + data.
The general process of disassembly is: first determine the first address of the instruction, then determine which Assembly statement is based on the script, and then disassemble the subsequent data.
From this, we can see that there is a vulnerability in the disassembly process of this step: If someone intentionally places the wrong machine instruction in the wrong position, then during the disassembly, it is possible to disassemble the Code together with the subsequent data. In this way, we can see a wrong disassembly code.
This is the "Flower command". In short, the flower command is a vulnerability that determines the results of the disassembly simply based on the machine script in the disassembly process.

Thunkcode: useless data added (with _ emit)
--------------------------------------
Instance 1:
Call label_1
DB thunkcode
JMP label_2
DB thunkcode
Label_1:
Pop eax; Get the return address of label_1 and store it to eax to restore the stack(The following statement does not use ret, so manual pop recovery is required)
JMP label_3
DB thunkcode, thunkcode, thunkcode
Label_3:
INC eax; Eax value plus 1, eax is now the address of the JMP label_2 command
JMP label_4
DB thunkcode, thunkcode, thunkcode
Label_4:
JMP eaxJump to the JMP label_2 command and execute
DB thunkcode
Label_2:
....

--------------------------------------
Instance 2:
Call label_1
DB thunkcode, thunkcode
JMP label_4
Label_1:
Pop eax; Get the return address of label_1 and store it to eax. The pop Stack
JMP label_2
DB thunkcode, thunkcode
Label_2:
Add eax, 2; Eax value plus 2, eax is now the address of the JMP label_4 command
JMP label_3
DB thunkcode
Label_3:
Push eaxThe returned address of label_1 (the address of the JMP label_4 command) is pushed to the stack, and the RET command is responsible for returning the stack (because RET is used here, the integrity of the stack should be guaranteed)
RET; Return to the address of the JMP label_4 command for execution
DB thunkcode
Label_4 :....