
I'm trying to jump to an address in memory, but all I have is the offset in the file, so 0x530 instead of 0x555555...., and I don't know how to do it. Here is the code.

global _start

_start:
    push rax                 ; save the registers the original entry point expects
    push rdi
    push rsi
    push rdx

    mov rax,1                ; write(1, msg, msg_end - msg)
    mov rdi,1
    lea rsi,[rel msg]        ; RIP-relative: correct wherever the stub is mapped
    mov rdx,msg_end - msg
    syscall

    pop rdx
    pop rsi
    pop rdi
    pop rax

    mov rax,0x1111111111111111   ; placeholder, overwritten with the original entry point
    jmp rax                      ; absolute jump: needs the runtime address, not the file offset

align 8
    msg db "....WOODY....",10,0
    msg_end db 0x0

Here I'm moving 0x11111111111 into rax, a value that I change to 0x530 before the file is executed, so it becomes mov rax,0x530; however, I don't know how to get the absolute address.

Basically I'm trying to inject some code inside ELF files: I need to change the entry point of the executable and then jump back. Since I don't know at first where to jump, I put the value 0x111111111111 in memory, which I will replace with the original entry point of the program. In the example I gave, let's say we have an original entry point at offset 0x530: I should access the memory of the computer at something like 0x55555555fff530, but instead I'm jumping to the offset of the file.

I'm working on Ubuntu.

  • Which CPU is the target of this assembler code? Also, I am a bit unclear how the code relates to the problem, as there does not appear to be a JMP or branch instruction in the code and the values you mention in the post do not seem to be evident in the source... – GMc Jul 04 '19 at 23:09
  • Basically I'm trying to inject some code inside ELF files: I need to change the entry point of the executable and then jump back. Since I don't know at first where to jump, I put the value 0x111111111111 in memory, which I will replace with the original entry point of the program. In the example I gave, let's say we have an original entry point at offset 0x530: I should access the memory of the computer at something like 0x55555555fff530, but instead I'm jumping to the offset of the file. I'm working on Ubuntu. – Alexandre Le Goff Jul 04 '19 at 23:27
  • Why don't you change the source and assemble the modified source? – GMc Jul 04 '19 at 23:34
  • I need to apply my program to all ELF executables. Since the entry point and a lot of other things differ, I can't. – Alexandre Le Goff Jul 04 '19 at 23:38
  • Due to ASLR you don't know the address before the process is launched. You need to find that out when you inject the code. – Jester Jul 05 '19 at 00:05
  • Any ideas of how I can do that? – Alexandre Le Goff Jul 05 '19 at 00:12
  • So your question is really about how to defeat a protection against exploits used by hackers to gain control over systems. I will assume that your intentions are honourable, but suppose a viable answer is posted here, what about others who are not so honourable? What might they do? – GMc Jul 05 '19 at 00:13
  • You also mention that you need to apply it to all ELF executables. Perhaps if you mentioned something about the root problem you are trying to solve (as opposed to the technical problem of needing to "hack" an executable), someone might come up with a viable alternative... – GMc Jul 05 '19 at 00:17
  • @GMc or perhaps knowing the "root problem", it may be better to decline suggesting a viable alternative.... – David C. Rankin Jul 05 '19 at 02:44
  • @david_c._rankin Exactly! – GMc Jul 05 '19 at 04:44

1 Answer

You probably want to build non-PIE executables to start with, so things are simpler with no ASLR for the base-address of the executable. Use gcc -no-pie -static foo.o. Then objdump will be able to give you absolute addresses.

Or just use a RIP-relative LEA to get the address of other code in the same section/segment of the binary. That offset is known at link time (or at edit-binary time).

Using mov r64, imm64 is just making life difficult for yourself because you're trying to use absolute addresses without runtime fixups, but your program will be ASLRed when mapped to somewhere near 0x5555... unless you disable ASLR for it (e.g. by running it under GDB), or globally in /proc/sys.

Peter Cordes
  • [How to load address of function or label into register](https://stackoverflow.com/q/57212012) for RIP-relative LEA details. – Peter Cordes Oct 13 '22 at 04:04
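The distinction the question trips over (file offset 0x530 versus an address near 0x5555...530 once the PIE is mapped) is decided by the PT_LOAD program headers. The following is an added example, not code from the question or the answer: a small ELF64 reader that resolves e_entry through those headers, reports the file offset and the runtime address for an assumed ASLR load base, and flags an entry point that does not sit in an executable segment (a common triage check for tampered binaries). The sample ELF image is constructed inline and the load base 0x555555554000 used in the check is an assumed value.

```python
import struct

PT_LOAD, PF_X, ET_DYN, EM_X86_64 = 1, 0x1, 3, 62

def parse_elf64(data: bytes) -> dict:
    """Read e_type, e_entry and the PT_LOAD program headers of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    # After the 16-byte e_ident: e_type e_machine e_version e_entry e_phoff e_shoff
    # e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    e_type, _, _, e_entry, e_phoff, _, _, _, e_phentsize, e_phnum, _, _, _ = \
        struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    segs = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, _, _ = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append({"flags": p_flags, "offset": p_offset,
                         "vaddr": p_vaddr, "filesz": p_filesz})
    return {"type": e_type, "entry": e_entry, "segments": segs}

def segment_for(info: dict, vaddr: int):
    """The PT_LOAD whose file-backed range covers a link-time virtual address, or None."""
    for s in info["segments"]:
        if s["vaddr"] <= vaddr < s["vaddr"] + s["filesz"]:
            return s
    return None

def entry_report(data: bytes, load_base: int = 0) -> dict:
    """Where the entry point lives: file offset, runtime address (a PIE adds load_base),
    and whether it falls inside an executable segment (if not, the file is suspect)."""
    info = parse_elf64(data)
    entry = info["entry"]
    seg = segment_for(info, entry)
    return {
        "entry_vaddr": entry,
        "entry_file_offset": entry - seg["vaddr"] + seg["offset"] if seg else None,
        "entry_runtime_addr": entry + load_base if info["type"] == ET_DYN else entry,
        "entry_in_exec_segment": bool(seg and seg["flags"] & PF_X),
    }

def build_sample_pie(entry: int = 0x530, size: int = 0x600, flags: int = 5) -> bytes:
    """Constructed toy ET_DYN image: one PT_LOAD at vaddr 0 covering the whole file."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack("<HHIQQQIHHHHHH", ET_DYN, EM_X86_64, 1, entry,
                       64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, flags, 0, 0, 0, size, size, 0x1000)
    return (ident + ehdr + phdr).ljust(size, b"\0")
```

Running entry_report(build_sample_pie(), load_base=0x555555554000) reports file offset 0x530 and runtime address 0x555555554530; for an ET_EXEC (the -no-pie build the answer suggests) the two numbers are related by the segment's p_vaddr alone.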