www.main.lv

Don't think just code it


2010-03-16 Python Manage Linksys Router

A friend asked me to write a script that would let him turn the gateway to the
Internet on and off. A Linksys router was used to control that.


Here is some code that logs in, changes a few rules and logs out. There is also a PyGTK
script that does the same thing through a GUI.

# linksys is the author's own module (see the Source link below); it wraps the
# router's HTTP admin interface.
from linksys import *

ls = LinkSys( "http://192.168.1.1/" )          # router admin URL
ls.login( "admin" , "admin" )                   # factory-default credentials
# Static IP setup: gateway and subnet mask, one octet per argument
ls.setip( STATIC_IP , "gateway" , 10 , 66 , 66 , 66 )
ls.setip( STATIC_IP , "subnet" , 255 , 255 , 255 , 0  )
if ls.response():
    print( "Success" )
else:
    print( "O_O I am a bad guy -^-" )
ls.logout()
Everything was written in early 2009 and tested back then. I no longer have a Linksys
router to test it on.

Source


2010-03-05 Linux antidebug 3

Now we will try to make the disassembler output very unclear. We make the jump through the eax register.
Program 1

; NASM, 32-bit; linked with gcc so the C runtime calls main (matches the xref in the listing):
;   nasm -f elf32 prog.asm && gcc -m32 prog.o -o prog
global main

section .text
main:
    push lbl+1          ; real entry point: the byte after the junk 0xe8
    pop eax
    jmp eax             ; computed jump; execution lands on lbl+1
lbl:
    db 0xe8             ; junk byte, never executed (0xe8 is the call opcode)
    mov eax, 4          ; sys_write
    mov ebx, 1          ; stdout
    mov ecx, msg1
    mov edx, msg1_size
    int 80h

    mov eax, 1          ; sys_exit
    mov ebx, 0
    int 80h

section .data
msg1 db "I am running", 10, 0   ; message text assumed; the page shows only the label
msg1_size equ $ - msg1
The output is the same as the source. Nothing changes: the disassembler resolves the pushed constant, labels lbl+1 as offset_804837d and shows the 0xe8 as a data byte.

Disassembler output 1

│ ....... ! main:                           ;xref o80482d7                                       │
│ ....... !   push        offset_804837d                                                         │
│ 8048379 !   pop         eax                                                                    │
│ 804837a !   jmp         eax                                                                    │
│ 804837c     db          0e8h                                                                   │
│ 804837d !                                                                                      │
│ ....... ! offset_804837d:                 ;xref o8048374                                       │
│ ....... !   mov         eax, 4                                                                 │
│ 8048382 !   mov         ebx, 1                                                                 │
│ 8048387 !   mov         ecx, strz_I_am_running__8049568                                        │
│ 804838c !   mov         edx, 0eh                                                               │
│ 8048391 !   int         80h                                                                    │
│ 8048393 !   mov         eax, 1                                                                 │
│ 8048398 !   mov         ebx, 0                                                                 │
│ 804839d !   int         80h                                                                    │
Now we add only one instruction: we take the jump address and add 1 to it at run time (inc eax). The disassembler can no longer calculate the target of the jmp.

Program 2

As in the first program, the disassembler assumes that the pushed address is the correct one and disassembles from there. So our byte 0xe9 is decoded as the start of a jmp, which swallows the bytes that follow it. That's nice.
; NASM, 32-bit; build as for Program 1 (nasm -f elf32, link with gcc -m32)
global main

section .text
main:
    push lbl            ; push the address of the junk byte...
    pop eax
    inc eax             ; ...and fix it up at run time: the disassembler cannot follow this
    jmp eax             ; lands on lbl+1
lbl:
    db 0xe9             ; junk byte, never executed (0xe9 is the jmp rel32 opcode)
    mov eax, 4          ; sys_write
    mov ebx, 1          ; stdout
    mov ecx, msg1
    mov edx, msg1_size
    int 80h

    mov eax, 1          ; sys_exit
    mov ebx, 0
    int 80h

section .data
msg1 db "I am running", 10, 0   ; message text assumed; the page shows only the label
msg1_size equ $ - msg1


Disassembler output 2
│ ....... ! main:                           ;xref o80482d7                                       │
│ ....... !   push        offset_804837d                                                         │
│ 8048379 !   pop         eax                                                                    │
│ 804837a !   inc         eax                                                                    │
│ 804837b !   jmp         eax                                                                    │
│ 804837d !                                                                                      │
│ ....... ! offset_804837d:                 ;xref o8048374                                       │
│ ....... !   jmp         804883ah                                                               │
│ 8048382     add         [ebx+1], bh                                                            │
│ 8048388     mov         ecx, 8049568h                                                          │
│ 804838d     mov         edx, 0eh                                                               │
│ 8048392     int         80h                                                                    │
│ 8048394     mov         eax, 1                                                                 │
│ 8048399     mov         ebx, 0                                                                 │
│ 804839e     int         80h                                                                    │
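As an added example (not part of the original post), a small Python model of what the disassembler did with Program 2: a linear sweep from lbl decodes the junk 0xe9 as a jmp and desynchronises, reproducing the listing's `jmp 804883ah` and `add [ebx+1], bh` before resynchronising at `mov ecx`, while following the constant through push/pop/inc recovers the real entry lbl+1. The byte image is constructed by hand from the listing; main's address, the msg1 pointer and the 14-byte length are taken from the disassembler output above.

```python
import struct

# Constructed byte image of Program 2, assembled by hand from the page's listing; the
# page shows no raw bytes. main's address, msg1 (0x8049568) and the 14-byte length
# are taken from the disassembler output.
BASE, MSG1, MSG1_SIZE = 0x8048374, 0x8049568, 0x0e
LBL = BASE + 9                   # push(5) + pop(1) + inc(1) + jmp eax(2)
i32 = lambda v: struct.pack("<I", v)
PROGRAM2 = (b"\x68" + i32(LBL) + b"\x58\x40\xff\xe0"   # push lbl; pop eax; inc eax; jmp eax
            + b"\xe9"                                 # lbl: db 0xe9, the junk byte
            + b"\xb8" + i32(4) + b"\xbb" + i32(1)      # mov eax, 4 ; mov ebx, 1
            + b"\xb9" + i32(MSG1) + b"\xba" + i32(MSG1_SIZE) + b"\xcd\x80"
            + b"\xb8" + i32(1) + b"\xbb" + i32(0) + b"\xcd\x80")
R32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
R8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]

def decode_one(code, off, addr):
    """Decode code[off] at virtual address addr -> (length, text); Program 2's opcodes only."""
    op, u32 = code[off], lambda o: struct.unpack_from("<I", code, o)[0]
    if op == 0x68: return 5, "push 0x%x" % u32(off + 1)
    if op == 0x58: return 1, "pop eax"
    if op == 0x40: return 1, "inc eax"
    if op == 0xff and code[off + 1] == 0xe0: return 2, "jmp eax"
    if op == 0xe9: return 5, "jmp 0x%x" % ((addr + 5 + u32(off + 1)) & 0xffffffff)
    if 0xb8 <= op <= 0xbf: return 5, "mov %s, 0x%x" % (R32[op - 0xb8], u32(off + 1))
    if op == 0xcd: return 2, "int 0x%x" % code[off + 1]
    if op == 0x00 and code[off + 1] >> 6 == 2:   # add [reg+disp32], r8: what the sweep hits
        m = code[off + 1]
        return 6, "add [%s+0x%x], %s" % (R32[m & 7], u32(off + 2), R8[(m >> 3) & 7])
    return 1, "db 0x%02x" % op

def linear_sweep(code, off, count):
    """Decode `count` instructions straight ahead from `off`, as the sweep did from lbl."""
    out = []
    for _ in range(count):
        n, text = decode_one(code, off, BASE + off)
        out.append((BASE + off, text))
        off += n
    return out

def resolve_jmp_eax(code):
    """Follow the constant reaching eax (push imm32 / pop eax / inc eax) to the real jmp target."""
    off, stack, eax = 0, [], None
    while True:
        n, text = decode_one(code, off, BASE + off)
        if text.startswith("push "): stack.append(int(text[5:], 16))
        elif text == "pop eax": eax = stack.pop()
        elif text == "inc eax": eax += 1
        elif text == "jmp eax": return eax       # 0x804837e, i.e. lbl + 1
        off += n
```

Sweeping three instructions from lbl gives the garbage seen in the listing; sweeping from resolve_jmp_eax() gives the four mov instructions of the write syscall.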

Now we add a nop instruction after every line of our code. It has no impact on how the program works.

Program 3
; NASM, 32-bit; build as for Program 1 (nasm -f elf32, link with gcc -m32)
global main

section .text
main:
    push lbl
    pop eax
    inc eax             ; run-time fix-up of the jump target
    jmp eax             ; lands on lbl+1
lbl:
    db 0xe9             ; junk byte, never executed
    mov eax, 4          ; sys_write
    nop                 ; nops shift the bytes the desynchronised sweep sees
    mov ebx, 1
    nop
    mov ecx, msg1
    nop
    mov edx, msg1_size
    int 80h

    mov eax, 1          ; sys_exit
    mov ebx, 0
    jmp lbl2+1          ; same trick again in front of the exit syscall
lbl2:
    db 0xe9             ; junk byte, never executed
    int 80h

section .data
msg1 db "I am running", 10, 0   ; message text assumed; the page shows only the label
msg1_size equ $ - msg1
The disassembler output is now very nice from our point of view: it is no longer any good to a reader. When you first look at it, it is very unclear what exactly this code does.

Disassembler output 3
│ ....... ! main:                           ;xref o80482d7                                       │
│ ....... !   push        offset_804837d                                                         │
│ 8048379 !   pop         eax                                                                    │
│ 804837a !   inc         eax                                                                    │
│ 804837b !   jmp         eax                                                                    │
│ 804837d !                                                                                      │
│ ....... ! offset_804837d:                 ;xref o8048374                                       │
│ ....... !   jmp         804883ah                                                               │
│ 8048382     add         [eax+1bbh], dl                                                         │
│ 8048388     add         [eax+49578b9h], dl                                                     │
│ 804838e     or          [eax+0ebah], dl                                                        │
│ 8048394     add         ch, cl                                                                 │
│ 8048396     cmp         byte ptr [eax+1], 0bbh                                                 │
│ 804839d     add         [eax], al                                                              │
│ 804839f     add         [eax], al                                                              │
│ 80483a1     jmp         80483a4h                                                               │
│ 80483a3     jmp         98950475h                                                              │

Here is one more way to make an unclear jump to another place. We call a function, and inside the
function we change the return address by 1.

Program 4

This also works fine. The disassembler does not know the real return address and decodes the 0xe8 as it sees fit, as a call.
; NASM, 32-bit; build as for Program 1 (nasm -f elf32, link with gcc -m32)
global main

section .text
main:
    call fun            ; fun returns to the byte after the junk 0xe8, not to the byte itself
    db 0xe8             ; junk byte, never executed (0xe8 is the call opcode)
    mov eax, 4          ; sys_write
    mov ebx, 1          ; stdout
    mov ecx, msg1
    mov edx, msg1_size
    int 80h

    mov eax, 1          ; sys_exit
    mov ebx, 0
    int 80h

fun:
    pop ebp             ; return address, pointing at the junk byte
    inc ebp             ; skip it
    push ebp
    ret                 ; returns to the mov eax, 4

section .data
msg1 db "I am running", 10, 0   ; message text assumed; the page shows only the label
msg1_size equ $ - msg1




Disassembler output 4

│ ....... ! main:                           ;xref o80482d7                                       │
│ ....... !   call        sub_804839c                                                            │
│ 8048379 !   call        8048836h                                                               │
│ 804837e !   add         [ebx+1], bh                                                            │
│ 8048384 !   mov         ecx, strz_I_am_running__8049568                                        │
│ 8048389 !   mov         edx, 0eh                                                               │
│ 804838e !   int         80h                                                                    │
│ 8048390 !   mov         eax, 1                                                                 │
│ 8048395 !   mov         ebx, 0                                                                 │
│ 804839a !   int         80h                                                                    │
│ 804839c !                                                                                      │
│ ....... ! ;-----------------------                                                             │
│ ....... ! ;  S U B R O U T I N E                                                               │
│ ....... ! ;-----------------------                                                             │
│ ....... ! sub_804839c:                    ;xref c8048374                                       │
│ ....... !   pop         ebp                                                                    │
│ 804839d !   inc         ebp                                                                    │
│ 804839e !   push        ebp                                                                    │
│ 804839f !   ret                                                                                │


Source


© 2010