Re: Mac OS X shellcode and SIGTRAP

From: Dino Dai Zovi (
Date: 05/25/03

  • Next message: Diode Trnasistor: "N00b questions :\"
    Date: Sat, 24 May 2003 18:05:18 -0600


    The SIGTRAP you get is to notify the debugger that a new process was
    started, so you can usually safely continue through it.

    You are having a problem because you inserted your stuff before the
    'bnel' instruction. The xor./bnel combo is what actually moves the pc
    into the lr register. Without that, the value in r31 that you use is
    bogus. So when you run it from the command line, you are getting a
    segfault because you are trying to write to an illegal address.
    Somehow, when you run it in GDB, the value that just happens to be r31
    at the time does not cause an illegal access in the 'stbx' instruction.
      If you move the 'bnel' back up to after the 'xor.', you will have a
    valid value you can use in there.

    Also, don't bother fixing up the 'sc' instruction. The unused bits in
    it are ignored, so there is no need to set them back to nulls. It also
    does no good right now because the data cache and instruction cache on
    the PowerPC are separate. So the processor is executing the unmodified
    'sc' instruction from the cache, not the one that you modified (which
    will be stored in the data cache and written through to main memory).
    You will need to put in an 'icbi' instruction to invalidate the
    instruction cache block that contains the 'sc' instruction for the
    processor to execute the modified instruction. But, that is a pain,
    and unnecessary, so just don't bother.

    Best of luck and have fun with my shellcode,


              Dino Dai Zovi / /
           "Bein' Crazy is the least of my worries." - Jack Kerouac
              C439 2B06 D8D2 A2D8 1ABB  0A55 A61D 9057 63F5 9B1F

  • Next message: Diode Trnasistor: "N00b questions :\"

    Relevant Pages

    • Re: Superstitious learning in Computer Architecture
      ... don't really eat up that much memory bandwidth. ... That's what instruction caches and Harvard architecture is for. ... about is a loop with a 100% hit in the instruction cache, ... There's also a processor+DRAM chip (Mitsubishi DN10000 series, ...
    • Re: Revise text section that has been loaded into virtual memory
      ... between all processes executing the same code. ... instruction and data caches and any write operation goes to the data ... cache while any instruction fetch will be done through the instruction ...
    • Re: Increase WinXP/jre CPU usage?
      ... or the instruction decode pipeline. ... thread is stalled on a cache read, or otherwise has nothing in its instruction ... mix of instructions seen by each CPU resembles that case, ... Note that, in the worst case, the cache behaviour of the two threads executing ...
    • [PATCH] ia64: race flushing icache in do_no_page path
      ... This is a very similar problem to a copy-on-write cache flushing problem ... from the icache for that page on ia64 processors. ... executing the same code. ... DMA into the new page is making the instruction cache coherent. ...
    • Re: Have the Itanium critics all been proven wrong?
      ... Just to decrease the chance that data looks like valid code. ... the cache line address) and put it, say, in the last 32 bits of the cache ... instruction bandwidth to verify that it is valid code. ... I have a whole list of possible security enhancements. ...