MAIN.LV

Create small ELF file byte by byte

Thu, 10 May 2012 19:22:00 +0200

Creating smallest possible elf file. Structure of ELF file:

Elf header

Program header

Code Part

Data Part

C structure of ELF header /usr/include/elf.h:

	typedef struct
	{
	  unsigned char	e_ident[EI_NIDENT];	/* Magic number and other info */
	  Elf64_Half	e_type;				/* Object file type */
	  Elf64_Half	e_machine;			/* Architecture */
	  Elf64_Word	e_version;			/* Object file version */
	  Elf64_Addr	e_entry;			/* Entry point virtual address */
	  Elf64_Off		e_phoff;			/* Program header table file offset */
	  Elf64_Off		e_shoff;			/* Section header table file offset */
	  Elf64_Word	e_flags;			/* Processor-specific flags */
	  Elf64_Half	e_ehsize;			/* ELF header size in bytes */
	  Elf64_Half	e_phentsize;		/* Program header table entry size */
	  Elf64_Half	e_phnum;			/* Program header table entry count */
	  Elf64_Half	e_shentsize;		/* Section header table entry size */
	  Elf64_Half	e_shnum;			/* Section header table entry count */
	  Elf64_Half	e_shstrndx;			/* Section header string table index */
	} Elf64_Ehdr;

Structure of Program header file /usr/include/elf.h:

	typedef struct
	{
	  Elf64_Word	p_type;			/* Segment type */
	  Elf64_Word	p_flags;		/* Segment flags */
	  Elf64_Off		p_offset;		/* Segment file offset */
	  Elf64_Addr	p_vaddr;		/* Segment virtual address */
	  Elf64_Addr	p_paddr;		/* Segment physical address */
	  Elf64_Xword	p_filesz;		/* Segment size in file */
	  Elf64_Xword	p_memsz;		/* Segment size in memory */
	  Elf64_Xword	p_align;		/* Segment alignment */
	} Elf64_Phdr;

This structures is all what we need to make our ELF file. Now we will look inside kernel source and see that we need only one program header for our program. All big programs using usually two program headers one for code and one for data. /linux-3.3.1/fs/binfmt_elf.c:605

	
	if (loc->elf_ex.e_phnum < 1 ||
		loc->elf_ex.e_phnum > 65536U / sizeof(struct elf_phdr))
		goto out;

Step by step there should be filled all fields of the ELF header structure.

	typedef struct
	{
	  unsigned char	e_ident[EI_NIDENT];	/* default values of ELFMAG,ELFCLASS64,ELFDATA2LSB */
	  Elf64_Half	e_type;				/* we making executable then it would be ET_EXEC  */
	  Elf64_Half	e_machine;			/* Architecture is 0x3e(EM_X86_64) 
										 (not from elf header 
										 from /binutils/include/elf/common.h) */
	  Elf64_Word	e_version;			/* Object file version EV_CURRENT */
	  Elf64_Addr	e_entry;			/* Entry point virtual address points to
										 main function it is with label entrypoint */
	  Elf64_Off		e_phoff;			/* Program header table file offset */
										  offset of program header sizeof(Elf64_Ehdr)
	  Elf64_Off		e_shoff;			/* Section header table file offset 
											there is no section header */
	  Elf64_Word	e_flags;			/* No processor-specific flags 
											*/
	  Elf64_Half	e_ehsize;			/* ELF header size in bytes 
											0x40 sizeof(Elf64_Ehdr)
	  Elf64_Half	e_phentsize;		/* Program header table entry size 
											0x38 sizeof(Elf64_Phdr) */
	  Elf64_Half	e_phnum;			/* Program header table entry count 
											0x01 */
	  Elf64_Half	e_shentsize;		/* Section header table entry size 
											I put 0x40 */
	  Elf64_Half	e_shnum;			/* Section header table entry count 
											0x00 */
	  Elf64_Half	e_shstrndx;			/* There is no section header and 
										 string table index is 0x0 then */
	} Elf64_Ehdr;

With program header we will tell kernel how to load our file in memory and with part of file will be mmaped to needed address. As our data and code is placed in one address space and kernel ELF source says that there is enough with 1 program header then we will use only 1.

	typedef struct
	{
	  Elf64_Word	p_type;			/* Segment type PT_LOAD */
	  Elf64_Word	p_flags;		/* Segment flags PF_X,PF_R,PF_W
									as our memory should be readable, writable and
									executable as it contains code and data */
	  Elf64_Off		p_offset;		/* Segment file offset 
										point to offset of entry point label offset
										in file */
	  Elf64_Addr	p_vaddr;		/* Segment virtual address 
										64bits programs is usually at 0x400000+code_file_offset*/
	  Elf64_Addr	p_paddr;		/* Segment physical address 
										same as above*/
	  Elf64_Xword	p_filesz;		/* Segment size in file 
										size of code and data if file */
	  Elf64_Xword	p_memsz;		/* Segment size in memory 
										same as above */
	  Elf64_Xword	p_align;		/* Segment alignment 
										same as all programs have on my PC*/
	} Elf64_Phdr;

Now everything is ready. Only thing that is left is code some small code that uses data. And it would be hello world

mov eax, 1
mov edx, 12
mov rsi, qword 0x040009c ;address of string 
mov edi, 1
syscall

xor edi, edi
mov eax, 60
syscall

msg db "Hello World",0xA

To calculate offsets of code and data labels is used macro:

macro doffset
{	
	bits = 16
    display " 0x"
    repeat bits/4
        d = "0" + $ shr (bits-%*4) and 0Fh
        if d > "9"
            d = d + "A"-"9"-1
        end if
        display d
    end repeat
    display 13,10
}

Total size of executable on 64bit system:

Program part	Size
ELF header size	0x40
Program header	0x38
Code size	0x24
Data size	0xc
Total:	168 bytes

If 32 bit system is used then need to find defintions of data structures and retype some bytes. Also architecture variable need to be changed. Future plans: Add some shared libs and compile smallest possible program using SDL graphics lib. Code: Source Code is written and tested on x86_64. Links: [1] http://refspecs.freestandards.org/elf/elf.pdf

List ELF section names

Thu, 15 Dec 2011 20:32:00 +0200

Every ELF (Executable Linux Format) file has standard structure. There is section names that used to identify purpose of section. Here is example how to write all names of all ELF sections. Here is steps that we have taken: 1. Find String Table Section 2. Get all section names from string table section 3. Run trough all section an get names of sections First of all we need get ELF header (Elf32_Ehdr) from position 0. ELF header have offset of section headers (Elf32_Ehdr.e_shoff). Sting table section have attributes with help us to recognize it: 1. string table section header address in memory (Elf32_Shdr.sh_addr) is 0 2. its type (Elf32_Shdr.sh_type) is SHT_STRTAB = 3 3. and it is first section with such attributes To get trough all sections we make for cycle. We can get number of sections from (Elf32_Ehdr.e_shnum) . we run all trough all sections and checking for 3 string table section rules.

for ( iter_s=0; iter_s < ELFheader.e_shnum; iter_s++  )
	{
		fseek( f, ELFheader.e_shoff+(ELFheader.e_shentsize*iter_s), SEEK_SET);
		fread( &STRheader, ELFheader.e_shentsize, 1, f );
		if ((STRheader.sh_type == SHT_STRTAB) && 
			(STRheader.sh_addr == 0x00000000))
		{
			//some code
			iter_s=ELFheader.e_shnum+1; //this is to exit from for cycle
		}
	}

String table section has all section names as strings. Section name is in (Elf32_Shdr.sh_name) as position number of strings first symbol. All string table values we read inside buffer

fseek( f, STRheader.sh_offset, SEEK_SET);
fread( STR_buffer, STRheader.sh_size, 1, f);

Now we can get section name with

printf("%s\n", STR_buffer+ITERheader.sh_name);

This is example code to get some info from ELF file. There is allot other info that can be gained from ELF file.

C inline assembler

Sun, 30 Oct 2011 16:30:00 +0200

There is long time since wanted to learn "creepy" gcc inline assembly. Looking at manuals its not so hard and "creepy". Using it is more interesting and dissambly of compiled code is very nice looking. volatile puts our asm code where it is and don"t optimize it without volatile it can optimize. What to write in __asm__ directive looks like this

__asm__ __volatile__("our_code":output:input:used)

as code to convert to inline asm we will use last post [2]. There is only one instruction that we using and it usage was

get_timer:
	rdtsc
	ret

its not very optimal and for 1 instruction writing whole function its not beautiful. We remember that returning result of this function is saved in eax register.

__asm__ __volatile__("rdtsc":"=a"(x)::)

code looks like this. But we can make it as define function

#define get_timer(X) __asm__ __volatile__("rdtsc":"=a"(X)::)

This code works fine and give 70058 ticks on cycle When adding option -O2 then result becomes wherry strange. As we remember that rdtsc return result in edx:eax then we add to used registers(clobber) %edx.

#define get_timer(X) __asm__ __volatile__("rdtsc":"=a"(X)::"%edx")

And also we can rewrite everything as inline function.

static inline unsigned int get_timeri()
{
	unsigned int i;
	__asm__ __volatile__("rdtsc":"=a"(i)::);
	return i;
}

Now this two functions works fine with -O options. When empty cycle is optimized then it becomes empty and resulting tick number is 32 for both inline function and define macro. It not working for his main purpose. When no optimization switched then get_timer works for some ticks faster then get_timeri. We can add attribute always inline and we will win some ticks and function will always inline regards optimization level

__attribute__((always_inline)) unsigned int get_timeri()

Too fix test cycle for our measurement we make it as object file and it will compiled without options.

void fixed_cycle()
{
	int i;
	for (i=0;i<10000;i++)
	{
	}
}

Now everything looks quite good and also inline assembly works as expected. For reference about inline asm you can go to [1] Source Links [1]http://www.ibiblio.org/gferg/ldp/GCC-Inline-Assembly-HOWTO.html [2]http://main.lv/post/linux-antidebug-5

Linux antidebug 5

Wed, 28 Sep 2011 20:50:00 +0200

When debuging programm line by line or when running it in some debugger then ther can be some time delays when you pressing buttons. We can measure them with asm command

rdtsc

this instruction read time-stamp counter into edx:eax in our programm will be enought values from eax function for c that uses rdtsc is

extern int get_timer()

in fasm it looks like

get_timer:
	rdtsc
	ret

ther is writen code

s = get_timer();
for (i=0;i<10000;i++)
{
}
e = get_timer();
d = e - s;

average time to execute 10000 is 70069 ticks for value on with we detecting how fast working code i have choose twice of average 120000 if execution time is larger then probably it is debuged. Compile


make

Linux antidebug 4

Thu, 15 Sep 2011 19:48:00 +0200

Here is one more method how to check if your application is debugged. Need to set signal handler with handles interrupt number 3 with is used for step by step debugging Compile: gcc main.c -o main

#include 
#include 
#include 

#define FALSE 0
#define TRUE  1

void sig_handler( int );

int debuging;

int main()
{
	debuging = FALSE;
	signal(SIGTRAP, sig_handler);
	__asm__("int3");
	if (debuging == FALSE)
	{
		printf("Nothing special\n");
	} else
	{
		printf("Playing seek and hide\n");
	}
	exit(1);
}

void sig_handler( int sig)
{
	debuging = TRUE;
}

Run: ./main Example with asm Compile:

fasm ad4.asm ad4.o

gcc ad4.o -o ad4

format ELF

include "ccall.inc"

SYS_EXIT	equ		1
SIGTRAP		equ		5
TRUE		equ		1
FALSE		equ		0
section ".text" executable

public main

extrn printf
extrn exit
extrn signal

main:
	ccall	signal, SIGTRAP, sig_handler
	int		3h
	
	cmp		[debug],FALSE
	jne		no_dbg
	ccall	printf,str1
	jmp exit
	
no_dbg:
	ccall	printf,str2

to_exit:
	mov		eax, SYS_EXIT
	mov		ebx, 0
	int		80h

sig_handler:
	param1 equ dword [ebp+8]	
	mov		[debug], TRUE
	ret

section ".data" writable

debug	db	FALSE
str1	db "Under debug",0xA,0
str2	db "No debug",0xA,0

Tested and works for gdb and ald. Links:
[1] http://blog.binarycell.org/2011/04/simple-antidebugging-methods-part-2.html

Embeding Lua in C

Wed, 10 Aug 2011 19:37:00 +0200

Bedimming lua in you C programs is can be done in few minutes. Many examples is in lua-users.org. First thing to write is module and then compile everything with lua precompiled lib.

int module_register(lua_State*);
void module_print(lua_State*);
int module_getone(lua_State*);

int module_gc(lua_State*);
int module_tostring(lua_State*);

static const luaL_reg module_methods[] =
{
	//{,(void *)},
	{"print",	(void *)module_print},
	{"getone",	(void *)module_getone},
	{0,			0}
};

static const luaL_reg module_meta[] = 
{
	{"__gc",		(void *)module_gc},
	{"__tostring",	(void *)module_tostring},
	{0, 0}
};

to make printf("%s\n") available in lua

void module_print( lua_State *L)
{
	int argc = lua_gettop(L);
	int n;
	for (n=1; n <= argc; n++) printf("%s\n", lua_tostring(L, n));
}

next one function that have return value 1

int module_getone(lua_State *L)
{
	int x=1;
	lua_pushnumber(L, x);
	return 1;
}

and easy to compile if needed. gcc -c module.c gcc module.o main.c -o main -llua Links: [1] http://lua-users.org/wiki/SampleCode

AVR disassembler

Fri, 1 Jul 2011 22:33:00 +0200

Disassembler for Atmel AVR microcontrollers made for be fast and simple. No extra features only basics. Converts binary file to AVR asm output. If you have ihex then you can convert it to binary with ReprBin Here is example output

2411      CLR   0x11  
be1f      OUT   0x3f   , 0x1    
e5cf      LDI   0xc    , 0x5f   
e0d4      LDI   0xd    , 0x4    
bfde      OUT   0x3e   , 0x1d   
bfcd      OUT   0x3d   , 0x1c   
e010      LDI   0x1    , 0x0    
e6a0      LDI   0xa    , 0x60   
e0b0      LDI   0xb    , 0x0    
ebee      LDI   0xe    , 0xbe   
e0f0      LDI   0xf    , 0x0    
c002      RJMP  +4    
9005      LPM   0x0   
920d      ST    0x0    , 0x0    
36a0      CPI   0xa    , 0x60   
07b1      CPC   0x1b   , 0x11   
f7d9      BRBC  0x1    , -10 
e010      LDI   0x1    , 0x0    
e6a0      LDI   0xa    , 0x60   
e0b0      LDI   0xb    , 0x0    
c001      RJMP  +2

Phase space for chaos

Mon, 30 May 2011 22:55:00 +0200

Phase space for some chaotic function. And see the picture of it.

from MO0_w0 import t
from pylab import *

dt = []
for tt in xrange(0,len(t)-1):
	dt.append(t[tt+1]-t[tt])

figure(1)
plot(dt,t[:len(t)-1])
show()

Hooking interrupt descriptor table

Thu, 21 Apr 2011 13:03:00 +0200

Hook interrupt descriptor table Hooking interrupt table is very interesting thing with it you can dissallow some operations to be made or watch what happening in system. This article is more like review and more tehnical description is in link 1 First thing that we should know that it will done trought kernel module there is 2 commands for loading and unloading modules


insmod

and


rmmod

there is way how we can check system call addresses and position of syscall table


grep sys_call_table /proc/kallsyms 

grep system_call /proc/kallsyms

also we can use it for detecting our module functions and syscall addreses


grep sys_write /proc/kallsyms

or if we whant check out module functions


grep hook_idt /proc/kallsyms

We will now try to hook sys_mkdir. I usualy using some minimalistic windowmanagers but some browsers or other GUIsh programs like such directories "Download" or "Desktop" all my directories in ~/ is lowercase and I realy hate anoying "Download" and "Desktop" directories that are made without my permission and for my lowercase /home directory style is agly. With this hook they will be denied to make such thing. Out kernel module consist of such functions:

static int __init hook_init(void) //stufff on module init,idt hooking
static void __exit hook_exit(void) //stuff on module exit, restore idt table

asmlinkage long hooked_mkdir(const char *filename, mode_t mode) //our hook function

//how works this functions you can find in link number 1 
void *get_writable_sct(void *sct_addr)
void *get_syscall_table(void)

Basic hooked function is:

asmlinkage long hooked_mkdir(const char *filename, mode_t mode)
{
	return mkdir(filename, mode);
}

but now we need to add check for ("Desktop","Download"). First we need some error that will returned when some one whant to make bad directory we will use EACCES error. here is modified functions for out task:

//hook mkfile command
asmlinkage long hooked_mkdir(const char *filename, mode_t mode)
{
	//it will disallow all files that starts with Desktop&&Download
	if (((strncmp(filename,"Desktop",7) == 0) && (strlen(filename) == 7)) ||
		((strncmp(filename,"Download",8) == 0) && (strlen(filename) == 8)))
	{
		printk(KERN_INFO "Mkdir hook\n");
		return EACCES;
	}
	return real_mkdir(filename, mode);
}

For module compiling:


make

This is tested with kernel version 2.6.38 Links:
[1] http://codenull.net/articles/kmh_en.html
[2] http://www.gadgetweb.de/linux/40-how-to-hijacking-the-syscall-table-on-latest-26x-kernel-systems.html

Sauerbraten patching and cheating

Sun, 13 Mar 2011 21:43:00 +0200

sauerbraten is open source first person shooter. Also there is multi player mode. I like time to time play sauerbraten. But I am not very good player. As game source is comes with game you can view it and add some patches that can help get better scores in games. Usually it called cheating. As this features/cheats is made by my self I don"t think so. But in game admins don"t care =] about it. First of all this patches don"t make game enjoyable for other players that way sooner or later you will be banned. Every one have freedom to be banned. First "allowed" cheat is recoil to 0 from any weapon in file src/fpsgame/game.h on line 333:

static const struct guninfo { short sound, attackdelay, damage, projspeed, part, kickamount, range; const char *name, *file; } guns[NUMGUNS] = 
 { 
 { S_PUNCH1, 250, 50, 0, 0, 0, 14, "fist", "fist" }, 
 { S_SG, 1400, 10, 0, 0, 20, 1024, "shotgun", "shotg" }, // *SGRAYS 
 { S_CG, 100, 30, 0, 0, 7, 1024, "chaingun", "chaing"}, 
 { S_RLFIRE, 800, 120, 80, 0, 10, 1024, "rocketlauncher", "rocket"}, 
 { S_RIFLE, 1500, 100, 0, 0, 30, 2048, "rifle", "rifle" }, 
 { S_FLAUNCH, 500, 75, 80, 0, 10, 1024, "grenadelauncher", "gl" }, 
 { S_PISTOL, 500, 25, 0, 0, 7, 1024, "pistol", "pistol" }, 
 { S_FLAUNCH, 200, 20, 50, PART_FIREBALL1, 1, 1024, "fireball", NULL }, 
 { S_ICEBALL, 200, 40, 30, PART_FIREBALL2, 1, 1024, "iceball", NULL }, 
 { S_SLIMEBALL, 200, 30, 160, PART_FIREBALL3, 1, 1024, "slimeball", NULL }, 
 { S_PIGR1, 250, 50, 0, 0, 1, 12, "bite", NULL }, 
 { -1, 0, 120, 0, 0, 0, 0, "barrel", NULL } 
 };

changing sixths values all to 0 makes no recoil. but if you change recoil to 1024 you can easily jump on the sky after shut. Think what will see your on-line opponents? Someone if shutting from the skies. Not-flying rocket? Yes you can make it. fourth field in structure is projspeed change it for rocket launcher to 0 and you can place your rockets on air. Bet I don"t know what see others. Only thing with that you will get ban for team-killing because team mates are usually around you and they blow-up when colliding with rockets in air. Precision also is very nice but every one will notice that you shutting with shotgun and chain-gun with precision like rifle. In src/fpsgame/weapon.cpp on 130 line:

void offsetray(const vec &from, const vec &to, int spread, float range, vec &dest) 
   { 
       float f = to.dist(from)*spread/1000; 
       for(;;) 
       { 
           #define RNDD rnd(101)-50 
           vec v(RNDD, RNDD, RNDD); 
           if(v.magnitude()>50) continue; 
           v.mul(f); 
           v.z /= 2; 
           dest = to; 
           dest.add(v); 
           vec dir = dest; 
           dir.sub(from); 
           dir.normalize(); 
           raycubepos(from, dir, dest, range, RAY_CLIPMAT|RAY_ALPHAPOLY); 
           return; 
       } 
   }

make

#define RNDD rnd(2)-1

and it will work fine. Remember this patches is cheat/like and it is not good to play with others when this patches is added because they loose their enjoyment of game. Remember of FREEDOM to be banned.

Python web login tips

Sat, 12 Mar 2011 16:16:00 +0200

Some times there is need to automitize all tasks. Like login on page download some info and go out. There is html parsers they can do such tasks For example it can be login script for some browser game or mail account that doesnt allow SMTP or SMTP is not for free. For example there is web-browser game travian an it after some time playing it becomes very boring to play because only thing that you do it waiting while some game events take too many time. Like when you click upgdade something than you need to wait some hours until finish. Now here we will make login example. We need external libraries: httplib2 http://code.google.com/p/httplib2/ lxml http://lxml.de/ First thing that we need its to get page source.

conn = httplib2.Http("cache")
resp,cont = conn.request("http://travian.com")

After we have source we look on login form

As we see here is many inputs As ther is only 1 form we dont check and simply take first form from array

from lxml.html import parse,tostring,fromstring,submit_form

page = fromstring( cont )
form = page.forms[0] 
for inp in form.inputs:
	if inp.type == "text":
		inp.value = name
	if inp.type == "password":
		inp.value = password

Dont forget about method="post"

headers = {"Content-type": "application/x-www-form-urlencoded"}

Now we are ready to send data and get cookie that will allow us get inside the page

resp , cont = self.conn.request( self.server+"/"+form.action , "POST" , body=urllib.urlencode(body) , headers=headers )

Response has cookie that we need to save if would like to work with page in future

cookie = resp["set-cookie"]

Also cookie is needed if whant to logout:

headers = { "Content-type": "application/x-www-form-urlencoded" }
headers = { "Cookie": self.cookie }
body = {}
resp,cont = self.conn.request(self.server+"/logout.php", body=urllib.urlencode(body) , headers=headers)

As you see now cookie is inside headers. You should allways place cookie inside headers if whant to be loged in. Because only cookie that you get at login says for server that you are loged in and can see what is behind the wall. Thers is also easy way how to access DOM components With your favorite browser you can easly get DOM path to prefered tag in HTML source.

tmp = page.xpath("/html//div//div//div//div//p//span")

You can find some tag by class name using find_class() Or get text content from tag with text_content()

tmp = page.xpath("/html//div//div//div//div//p//span")[2].find_class("none")[0].text_content()

To make your own script that can parse and get info you need only

reguest()
find_class()
text_content()
xpath()
fromstring()

It is very easy. Now you know everything to make your first script that can login on you favorite page.

Linux Assembler SSE add

Fri, 25 Feb 2011 15:30:00 +0200

SSe programming is whery interesting fromthat point that there are parallely 4 numbers that are porcessed.SSE has registers of size 128 bits. They can handle 4 floats.GCC C there is no default type for 128 bits and we define our ownstructure for that.

typedef struct xmm
{
    float a;
    float b;
    float c;
    float d;
} xmm __attribute__ ((aligned (16)));

structure is aligned for perfomance.to make 4byted value + 4byte valuewe need to load values:

movaps xmm0, [eax]
movaps xmm1, [ebx]

and add them

addps xmm0,xmm1

after that store somewhere

movaps [eax], xmm0

Final test program in C looks like:

typedef struct xmm
{
    float a;
    float b;
    float c;
    float d;
} xmm __attribute__ ((aligned (16)));

extern void sse_add( xmm *, xmm * );

int main( int argc, char **argv)
{
    xmm x0,x1;
    x0.a = 1.0;
    x0.b = 2.0;
    x0.c = 3.0;
    x0.d = 4.0;
    x1.a = x1.b = x1.c = x1.d = 5.0;
    
    printf("%10f %10f %10f %10f\n",x0.a,x0.b,x0.c,x0.d);
    printf("%10f %10f %10f %10f\n",x1.a,x1.b,x1.c,x1.d);
    
    sse_add( &x0 , &x1 );
    
    printf("%10f %10f %10f %10f\n",x0.a,x0.b,x0.c,x0.d);
    printf("%10f %10f %10f %10f\n",x1.a,x1.b,x1.c,x1.d);
    
    return 0;
}

gcc main.c add.o -o main And asm example

format ELF

section ".text"

public sse_add

align 4
sse_add:
    ;arguments that are pointers for 2 xmm data blocks
    x0 equ [ebp+8]
    x1 equ [ebp+12]
    
    push ebp
    mov ebp, esp
    
    mov eax, x0
    mov ebx, x1
    
    ;load in xmm0 and xmm1 values
    ;if values where not aligned than we would used other instruction
    movaps xmm0, [eax]
    movaps xmm1, [ebx]
    
    ;sum up and save inside xmm0
    addps xmm0,xmm1
    
    ;save value in first argument
    movaps [eax], xmm0
    
    pop ebp
    ret

fasm add.asm add.o

Intel/Linux/BSD system

Fri, 18 Feb 2011 11:28:00 +0200

FreeBSD assembler sample: Tools Simple programm Hello world Hello world + libc C + asm Links where is somthing useful Files Open File Linux assembler samples: Hello World gcc + asm g++ + asm Open file Make directory SDL assembler example SDL programming FPU Topics Calculating polinom SSE SSE add Programming sample from various themes. Basic HTTP server FPU catch division by zero BIn2Hex converter ReprBin Arp Packet Analyzer Keyboard LED flush PC speaker Xlib, hello world Interesting themes: Linux Format String Attack ELF rewrite function Assembler scripting language ELF text section Linux ShellCode 1 Local Descriptor Table Nano bug (CVS 2010-1160) Hooking interrupt descriptor table Antidebug Antidebug 1 Antidebug 2 Antidebug 3

ReprBin - represent binary files in different formats

Thu, 10 Feb 2011 22:12:00 +0200

This is bin2hex style project. It converts binary to other formats. Its purpose is to use with combination with assembler or uC.Code is public and on Evil Google::Code page Google storage SVN line:


svn checkout http://represent-binary-file.googlecode.com/svn/trunk/ represent-binary-file-read-only

Linux assembler scripting language

Sat, 22 Jan 2011 17:06:00 +0200

This is small interpretr in asm. It works with small language thats can make simple things All that you need to know about language is this symbols "ABCDI$@" ABCD is used with parametr. I without param $@ is params
ABCD - is like assembler command mov where symbol is register name
A0 is mov eax, 0
B9 is mov ebx, 9
only one number is supported. Number range after ABCD suposed to be 0...9. But you can add any other symbol only not @ or $. Look inside ascii table char "0" is 0 and other goes relativly from it. number "~" is "~"-"0"=127-48=79

I - is interupt number 80h

$@ - is variables from stack
@ - uses current varaible from stack and stack pointer goes to next stack value
$ - uses current stack value and dont change stack pointer position

Thats all.

Now we can make our first script and run it.

There is 2 thing that you should know. Script is converted to assembler commands and copyed in memory position.

Every file has hiw own purpose and all they seperated for easy to use

"script.inc" you scipt inside it
"stack_table.inc" configure stack for use
"variables.inc" define variables
"exec.inc" memory region wher script interpreted commands will copyed

Example 1:
Now first example script:

script db "A1B0I"

mov eax, 1 ;you can look this variable inside

#include < asm/unistd.h>

or in http://bluemaster.iu.hio.no/edu/dark/lin-asm/syscalls.html

mov ebx, 0
int 80h

it is command exit. stack can be empty.
Example2:
Now we can make hello_world.

script db "A4B1C@D@IA1B0I"

It is

mov eax, 4
mov ebx, 1
mov ecx, buffer_msg; stack value 0
mov edx, buffer_len; stack value 1
int 80h

mov eax, 1
mov ebx, 0
int 80

in C it would be

write(1,buffer_msg,buffer_len)
exit(0);

Here is example how corresponds asm to C code http://www.main.lv/posts/view/linux-assembler-open-file. Ther is used stack in "stack_table.inc":

stack_table:
	dd buffer_msg ;variable 0
	dd buffer_len ;variable 1

and in "variables.inc" we define this variables:

buffer_msg db "Hello world",10	;with newline
buffer_len = $-buffer_msg	;using fasm mega feature to detect size

we can count equvialent asm commands and there is 8 of them it means add 8 lines in "exec.inc"

	db 0x90,0x90,0x90,0x90,0x90
	db 0x90,0x90,0x90,0x90,0x90
	db 0x90,0x90,0x90,0x90,0x90
	db 0x90,0x90,0x90,0x90,0x90
	db 0x90,0x90,0x90,0x90,0x90
	db 0x90,0x90,0x90,0x90,0x90
	db 0x90,0x90,0x90,0x90,0x90
	db 0x90,0x90,0x90,0x90,0x90

type make and everything works =]. WooHoo small interpretd language is made and it fits in 417 bytes.

FPU catch division by zero

Sun, 16 Jan 2011 22:52:00 +0200

There can occure some problems in C onw of them is divison on zero. For this we setup system exception handler or signal handler. When is division on zero it works.Also for return in main function there is used setjmp and longjmp

void set_exception_handler()
{
	int err;
	fenv.__control_word &= ~FE_ALL_EXCEPT;
	fenv.__cs_selector &= ~FE_ALL_EXCEPT << 7;
	fesetenv( &fenv );	
	
	sa.sa_sigaction = &exception_handler;
	sa.sa_flags = SA_SIGINFO;
	err = sigaction( SIGFPE, &sa, NULL );
	if (err != 0)
		printf("Cannot set FloatingPoint exception handler\n");
	else
		printf("[OK] SIGFPE is set\n");
}

void exception_handler(int i, siginfo_t *s, void *v )
{
	if (s->si_signo == SIGFPE)
	{
		printf("[SIGFPE] SIGFPE Occure\n");
		printf("[SIGFPE] Error number: %d\n", s->si_errno);
		printf("[SIGFPE] Signal code: %d\n", s->si_code);
		switch (s->si_code)
		{
			case FPE_INTDIV:
				printf("[SIGFPE] Divison by 0\n");
				longjmp( jmp , 1 );
				break;
		}
	}
	abort();
}

Compilation is easy: gcc sigfpe.c -o sigfpe -lm Now it will no so big problem when some error occur to properly exit or make some checks.

Skype Fallow Mood Text

Fri, 3 Dec 2010 00:52:00 +0200

There are dozzen mood texts that have your skype contacts. But if someone from contact changte it. I have writen this script for following changes in mood textes. It creates sqlite data base, records user name, hash of mood text and mood text. If some of contacts have changed mood text then it show it in output. Run: ./checkMood.py and everything works.

Skype Rich Mood Text Animations

Fri, 3 Dec 2010 00:12:00 +0200

Mood text in skype is simple and not very interactive. Trought skype api there can be done some animations.First step was to test set mood text trought api.Here is script that directly sends to skype Skype commnd for setting rich mood text. Linux dont support latest skype Protocol 7 (API version 3.0) but on Win there everything words ok. Here you type in commandline ./setrichmood.py "New mood" and rich mood text changed

import sys
import os
import Skype4Py

skype = Skype4Py.Skype()
skype.Attach()

if len(sys.argv) == 2:
	if os.path.exists( sys.argv[1] ):
		f = open( sys.argv[1] , "r" )
		s = unicode(f.read())
		f.close()
		c = skype.Command( "SET PROFILE RICH_MOOD_TEXT "+s )
		skype.SendCommand( c )
	else:
		s = unicode(sys.argv[1])
		c = skype.Command( "SET PROFILE RICH_MOOD_TEXT "+s )
		skype.SendCommand( c )

Why I it call rich mood text? because it support some xml like commands.from skype api there is such commands

Example:

//------------------------------------------------------------------
// For purpose of bit conservation we omit feedback notifications
SET PROFILE RICH_MOOD_TEXT Smiley: :-)
SET PROFILE RICH_MOOD_TEXT Red text
SET PROFILE RICH_MOOD_TEXT Blinking text
SET PROFILE RICH_MOOD_TEXT Bold text
SET PROFILE RICH_MOOD_TEXT Italics
SET PROFILE RICH_MOOD_TEXT Underlined
SET PROFILE RICH_MOOD_TEXT First lineSecond lineThird line

 also accepts following smileys:

    * smile, sad, laugh, cool, surprised, wink, cry, sweat, speechless, kiss, tongueout, blush, wonder, sleepy, snooze, dull, inlove, talk, yawn, puke, doh, angry, wasntme, party, worry, mmm, nerdy, lipssealed, hi, call, devil, angel, envy, wait, hug, makeup, giggle, clap, think, bow, rofl, whew, happy, smirk, nod, shake, punch, emo, no, yes, handshake, skype, heart, brokenheart, mail, flower, rain, sun, time, music, movie, phone, coffee, pizza, cash, muscle, beer, drink, dance, ninja, star, mooning, finger, bandit, smoke, toivo, rock, headbang, poolparty, swear, bug, fubar, tmi.

I have tryed use them one inside other but it doesnt worked.How there can be made animations? Here is very simple example that reads from file linesand after time delay shows lines. ./moodanime.py anime.xml Here is new peace of script:

import sys
import os
import Skype4Py
import time

skype = Skype4Py.Skype()
skype.Attach()

s = []
if os.path.exists( sys.argv[1] ):
	f = open( sys.argv[1] , "r" )
	for line in f:
		s.append(line)
	f.close()
	
while True:
	for frame in s:
		c = skype.Command( "SET PROFILE RICH_MOOD_TEXT "+frame )
		skype.SendCommand( c )
		time.sleep( 1 )

as example file can be:

____Bonanza____
___#Bonanza#___
__##Bonanza##__
_###Bonanza###_
####Bonanza####
_###Bonanza###_
__##Bonanza##__
___#Bonanza#___

And now everything works fine. I have tested this scipts with python2.7 and on ArchLinux. If there is some problems try static or dynamic skype from skype download page

Scan memory for variable

Thu, 18 Nov 2010 15:35:00 +0200

Somedays ago I was playing one game. And as I not so often playing games. I would like to change some variables in memory like ammo quantity or health. May be it is not very interesting to play game with "cheating" but there is much more interest to play with program.
In such play can help scanmem
Here is example of programm that will help us to lern how to use scanmem:

#include 
#include 

unsigned int secret_dw = 1000; //variable to search
unsigned int tmp;//for input variable


int main()
{
	int i;
	while ( secret_dw != -1 )
	{
		scanf("%u",&tmp);
		printf("secret_dw was %u \n",secret_dw);
		secret_dw = tmp;
		tmp = 0; // This is to prevent from detecting tmp variable position
	}
	printf("\bExit\n");
	return 0;
}

here only two variables one secret_dw for value that we will search and second one tmp to save input. Also tmp will zeroed if not then we will find tmp and secret_dw. compile example with
make
and run
./example
And in paralel run

$ scanmem `pidof example`
scanmem version 0.11
Copyright (C) 2009,2010 Tavis Ormandy, Eli Dupree, WANG Lu
Copyright (C) 2006-2009 Tavis Ormandy
scanmem comes with ABSOLUTELY NO WARRANTY; for details type `show warranty".
This is free software, and you are welcome to redistribute it
under certain conditions; type `show copying" for details.

info: maps file located at /proc/1801/maps opened.
info: 5 suitable regions found.
Please enter current value, or "help" for other commands.

As we searching 4 byte value of uint we defining it by setting up option

0> option scan_data_type int32

Now we ready to start our game. At begining we know our secret_dw value it is 1000 but we will not use it. Type 1 in example

secret_dw was 1000 in scanmem

0> 1
info: 01/05 searching  0x8049000 -  0x804a000...........ok
info: 02/05 searching 0xb763d000 - 0xb763e000...........ok
info: 03/05 searching 0xb7787000 - 0xb778a000...........ok
info: 04/05 searching 0xb77a7000 - 0xb77a9000...........ok
info: 05/05 searching 0xbf9d4000 - 0xbf9f5000...........ok
info: we currently have 58 matches.

As we can see 58 matches. WooHoo. Now type "1000"in example

secret_dw was 1 in scanmem

58> 1000
..........info: we currently have 2 matches.

only 2 now scanmem has also many built in commands you can see them when type help. One of them is "list". Use it.

2> list
[ 0]            0x8049680, 1000, [I32 ]
[ 1]           0xbf9f2dd8, 1000, [I32 ]

Here is list of matched variables. Number,address,value,size. By adress we see that our variable is with number 0.

2> set 0=999
info: setting *0x8049680 to 0x3e7...
2> list
[ 0]            0x8049680, 1000, [I32 ]
[ 1]           0xbf9f2dd8, 1000, [I32 ]

Now our variable is with value 999. When you type list it may be little bit confusing that values is the same. Go in example

secret_dw was 999 Yes. We have changed our variable. Our goal is completed. Scanmem webpage http://taviso.decsystem.org/scanmem.html Source contains programm outputs and example code.

Numerical integration. Simpson method

Tue, 9 Nov 2010 21:16:00 +0200

Simpsons method not to compilcated to calculate numerical value of integral.Main point of this Simpson rules is insert values in to parabole \[ y(x) = Ax^2+Bx+C \] this parabole going trought points x_0, x_0+h, x_0+2*h we doubling number of points where we will calculate by 2 and this gives us enought points for this formula. \[ \int_{x_0}^{x_0+2h} y(x)= \frac{h}{3}(y_0+4y_1+y_2) \]

#include <stdio.h>
#include <math.h>

#define TYPE float
#define NUMBER 10

TYPE integ_simpson( TYPE f(TYPE) , TYPE, TYPE, int);
TYPE fun( TYPE );

int main()
{
	printf("Result: %f\n",integ_simpson( &fun , 0.0 , 1.0 , NUMBER ));
	return 0;
}

TYPE integ_simpson( TYPE f(TYPE) , TYPE a, TYPE b, int n)
{
	int i;
	n=2*n;
	TYPE sum=f(a),h=(b-a)/n;
	for (i=1;i<=n-1;i+=2) sum += 4*f(a+h*i);
	for (i=2;i<=n-2;i+=2) sum += 2*f(a+h*i);
	sum += f(b);
	return h * sum / 3;
}

TYPE fun( TYPE x )
{
	return 1/(1+pow(x,2.0));
}