

Support for MacOSX and it now correctly dumps Fischers inception thou…
…ght at the end in OSX also. Had to generate another inception_thoughts opcode buffer specific to OSX once I figured out that OSX pushes the syscall arguments onto the stack before int 0x80. Also removed the hints about Fischer's inception thought dumped in the last output line, as that's for users to find :-)
karthick18 committed Jul 28, 2010
1 parent 16ee812 commit d0e148c
Showing 1 changed file with 43 additions and 69 deletions.
112 changes: 43 additions & 69 deletions inception.h
@@ -1,67 +1,21 @@
/*
* x86 code morphing to perform inception. Hints in this file. Find the inception!
* x86 code morphing to perform inception. Find the inception!
*/

#ifndef _INCEPTION_C_
#error "This special header file has to be included only from inception.c"
#endif

/*
* Fill the inception target Fischers dream buffer to return with x86 instruction NOP op-code
* This is the target buffer to be filled with the actual thoughts by the guys planting the inception in
* Fischers dream
* Removed inception string hints from the header. The hints were in earlier commits.
*/
#ifdef __linux__

#define __STR(X) #X
#define STR(X) __STR(X) /*: Use 32 bit syscall number for the interrupt syscall*/
#if 0
__asm__ __volatile__("nop;nop;nop;nop;\n" /* repeated 95 times*/
"mov $"STR(__NR_exit)", %eax\n"
"mov $0, %ebx\n"
"int $0x80");

/*
(gdb) x/16xb main+8 is the above NOP/exit op code
0x400e0d <main+8>:0x90 0x90 0x90 0x90 0xb8 0x3c 0x00 0x00
0x400e15 <main+16>:0x00 0xbb 0x00 0x00 0x00 0x00 0xcd 0x80
*/

#endif
#ifdef __i386__

/*
* For 32 bit using int 0x80, find the assembly equivalent of the opcode buffer.
asm(".section .text\n"
".byte 0xe9\n" // fool linker to enable relative addressing
".long 0x1e\n" // relative JMP call to 0x1e or "call" instruction below
"popl %ecx\n"
"mov $"STR(__NR_write)",%eax\n"
"movl $1, %ebx\n"\
"movl $55, %edx\n"
"int $0x80\n"
"movl $"STR(__NR_exit)",%eax\n"
"movl $0, %ebx\n"
"int $0x80\n"
".byte 0xe8\n"
".long -0x23\n"//"call -0x23\n"
".string \"Reconcile with my father and have my own individuality\\n\"");
(gdb) x/95xb main+4
0x400f4b <main+4>:0xe90x1e0x000x000x000x590xb80x04
0x400f53 <main+12>:0x000x000x000xbb0x010x000x000x00
0x400f5b <main+20>:0xba0x370x000x000x000xcd0x800xb8
0x400f63 <main+28>:0x010x000x000x000xbb0x000x000x00
0x400f6b <main+36>:0x000xcd0x800xe80xdd0xff0xff0xff
0x400f73 <main+44>:0x520x650x630x6f0x6e0x630x690x6c
0x400f7b <main+52>:0x650x200x770x690x740x680x200x6d
0x400f83 <main+60>:0x790x200x660x610x740x680x650x72
0x400f8b <main+68>:0x200x610x6e0x640x200x680x610x76
0x400f93 <main+76>:0x650x200x6d0x790x200x6f0x770x6e
0x400f9b <main+84>:0x200x690x6e0x640x690x760x690x64
0x400fa3 <main+92>:0x750x610x6c0x690x740x790x0a
*/

#ifdef __i386__
* Uses IA32 emulation specific int 0x80 for syscalls
*/

static unsigned char inception_thoughts[] = {
0xe9, 0x1e, 0x00, 0x00, 0x00, 0x59, 0xb8, 0x04,
Expand All @@ -83,22 +37,6 @@ static unsigned char inception_thoughts[] = {
/*
* For 64 bit, find the inception buffer with the assembly equivalent using:
* syscall over int 0x80 for x86_64
* Find the gdb: x/103xb main+8
*
*0x400603 <main+8>: 0xe9 0x26 0x00 0x00 0x00 0x5e 0x48 0xc7
0x40060b <main+16>: 0xc0 0x01 0x00 0x00 0x00 0x48 0xc7 0xc7
0x400613 <main+24>: 0x01 0x00 0x00 0x00 0x48 0xc7 0xc2 0x37
0x40061b <main+32>: 0x00 0x00 0x00 0x0f 0x05 0x48 0xc7 0xc0
0x400623 <main+40>: 0x3c 0x00 0x00 0x00 0xbf 0x00 0x00 0x00
0x40062b <main+48>: 0x00 0x0f 0x05 0xe8 0xd5 0xff 0xff 0xff
0x400633 <main+56>: 0x52 0x65 0x63 0x6f 0x6e 0x63 0x69 0x6c
0x40063b <main+64>: 0x65 0x20 0x77 0x69 0x74 0x68 0x20 0x6d
0x400643 <main+72>: 0x79 0x20 0x66 0x61 0x74 0x68 0x65 0x72
0x40064b <main+80>: 0x20 0x61 0x6e 0x64 0x20 0x68 0x61 0x76
0x400653 <main+88>: 0x65 0x20 0x6d 0x79 0x20 0x6f 0x77 0x6e
0x40065b <main+96>: 0x20 0x69 0x6e 0x64 0x69 0x76 0x69 0x64
0x400663 <main+104>: 0x75 0x61 0x6c 0x69 0x74 0x79 0x0a
asm(".section .text\n"
".byte 0xe9\n" // fool linker to enable relative addressing
".long 0x26\n" // relative JMP call to 0x1e or "call" instruction below
Expand All @@ -112,7 +50,7 @@ static unsigned char inception_thoughts[] = {
"syscall\n"
".byte 0xe8\n"
".long -0x2b\n"//"call -0x23\n"
".string \"Reconcile with my father and have my own individuality\\n\"");
".string \n");
*/

Expand All @@ -134,8 +72,44 @@ static unsigned char inception_thoughts[] = {

#endif

/*
* Fill the inception target Fischers dream buffer to return with x86 instruction NOP op-code
* This is the target buffer to be filled with the actual thoughts by the guys planting the inception in
* Fischers dream
*/

static unsigned char fischers_thoughts[] = { [ 0 ... sizeof(inception_thoughts)-1] = 0x90,
0xb8, 0x1, 0x00, 0x00,
0x00, 0xbb, 0x00, 0x00, 0x00, 0x00,0xcd, 0x80,
};

#elif defined(__APPLE__)

static unsigned char inception_thoughts[] = {
0xe9,0x24,0x00,0x00,0x00,0x59,0xb8,0x04
,0x00,0x00,0x00,0xbb,0x01,0x00,0x00,0x00
,0xba,0x37,0x00,0x00,0x00,0x52,0x51,0x53
,0x50,0xcd,0x80,0xb8,0x01,0x00,0x00,0x00
,0xbb,0x00,0x00,0x00,0x00,0x53,0x50,0xcd
,0x80,0xe8,0xd7,0xff,0xff,0xff,0x52,0x65
,0x63,0x6f,0x6e,0x63,0x69,0x6c,0x65,0x20
,0x77,0x69,0x74,0x68,0x20,0x6d,0x79,0x20
,0x66,0x61,0x74,0x68,0x65,0x72,0x20,0x61
,0x6e,0x64,0x20,0x68,0x61,0x76,0x65,0x20
,0x6d,0x79,0x20,0x6f,0x77,0x6e,0x20,0x69
,0x6e,0x64,0x69,0x76,0x69,0x64,0x75,0x61
,0x6c,0x69,0x74,0x79,0x0a
};

static unsigned char fischers_thoughts[] = { [ 0 ... sizeof(inception_thoughts)-1] = 0x90,
0xbb, 0x00, 0x00, 0x00, 0x00, 0x53, 0xb8, 0x01
,0x00, 0x00, 0x00, 0x50, 0xcd, 0x80,
};

#else

#error "Unsupported Arch. Force compilation errors"

#endif
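Review bot: The `__APPLE__` branch (`#elif defined(__APPLE__)` through its `fischers_thoughts[]`) hard-codes the 32-bit BSD calling convention — `push %edx; push %ecx; push %ebx; push %eax; int $0x80` with 32-bit `mov $imm32` into `%eax`/`%ebx`, syscall numbers 4 and 1 — yet, unlike the Linux branch, it has no `__i386__` check, so a default x86_64 build on OS X compiles these bytes silently even though they presumably only run correctly inside a 32-bit process. I would add `#if !defined(__i386__)` / `#error "OSX opcode buffers assume the 32-bit int 0x80 ABI; build with -m32"` / `#endif` directly after the `#elif`, mirroring the `#error` already used in the `#else` branch. The new buffer also lacks the assembly-equivalent comment the Linux buffers carry; a short block reading `jmp +0x24; pop %ecx; mov $4,%eax; mov $1,%ebx; mov $0x37,%edx; push %edx; push %ecx; push %ebx; push %eax; int $0x80; mov $1,%eax; mov $0,%ebx; push %ebx; push %eax; int $0x80; call -0x29; .string "..."` would let a reader verify the 101 bytes without a disassembler. That comment should also state that `0x37` is the length of the 55-byte trailing string and that the `0x24` and `0xd7` displacements depend on the preceding instruction sizes, so a later edit to the string or instruction sequence does not silently desynchronize them.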

