Quick question #9

Closed
scmanjarrez opened this issue May 21, 2018 · 2 comments
Comments

scmanjarrez commented May 21, 2018

Hi, I'm trying to understand the substitutions, but I don't understand what the meaning in assembly of "jmp 3" (get_nops, size=3, bits=32) is, or why it's considered a NOP. Also, why do you pop from the stack? Wouldn't that destroy the stack (for example, if the executable tries to access an already popped variable)?

return "jmp %s; pop %s" % (3 + prev_ins_size, random.choice(regs))

Thanks in advance.

a0rtega (Owner) commented May 21, 2018

Hello there!

That return statement returns a 3-byte NOP sequence (as requested by the function's size parameter). To do this, it creates a jmp +3 and inserts a random 1-byte instruction that will never be executed (because of the jmp).

For example, let's consider that the random 1-byte instruction is 'pop eax'. The sequence would be as follows:

[image: the jmp + pop sequence followed by the NOP block]

As we can see, when the code reaches the jmp, it goes directly to the nops without executing the pop, giving us a 3-byte NOP sequence (jmp + pop), because it doesn't affect any value in our execution context (registers, flags, ...).
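The answer above can be checked mechanically. The following is an added example, not code from the project or from either commenter: it rebuilds the 3-byte case as a small Python script that emits the same `jmp N; pop reg` text, hand-encodes the two instructions (`jmp rel8` = `EB cb`, `pop r32` = `58+rd`), runs the bytes through a toy x86-32 interpreter over a constructed register/stack state, and reports whether anything other than `eip` changed. It assumes that the `jmp 3` operand is an absolute offset from the start of the emitted block (so the jmp lands on the byte right after the 1-byte pop), and the `land_on_pop` switch shows what would happen if control did reach the pop, which is the case the jmp exists to prevent.

```python
import copy
import random

# Hand-encoded tables for the only two instruction kinds the 3-byte
# substitution uses (x86, 32-bit mode). Assumed for this example.
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
POP_OPCODE = {r: 0x58 + i for i, r in enumerate(REGS32)}  # pop r32 = 58+rd
JMP_REL8 = 0xEB                                            # jmp rel8 = EB cb


def get_nops3(prev_ins_size=0, rng=random):
    """Mirror of the 3-byte case quoted in the issue: a jmp over a random
    1-byte pop. The jmp operand is taken to be an absolute offset from the
    start of the emitted block (assumption based on the 'jmp 3' text)."""
    return "jmp %d; pop %s" % (3 + prev_ins_size, rng.choice(REGS32))


def assemble(text, base=0):
    """Tiny assembler for 'jmp <abs offset>' (encoded as rel8) and
    'pop <r32>'. `base` is the offset at which the text is placed."""
    out = bytearray()
    for ins in (s.strip() for s in text.split(";") if s.strip()):
        mnem, arg = ins.split(None, 1)
        at = base + len(out)
        if mnem == "jmp":
            rel = int(arg) - (at + 2)      # rel8 counts from the end of the jmp
            if not -128 <= rel <= 127:
                raise ValueError("jmp target out of rel8 range")
            out += bytes([JMP_REL8, rel & 0xFF])
        elif mnem == "pop":
            out.append(POP_OPCODE[arg])
        else:
            raise ValueError("unsupported instruction: " + ins)
    return bytes(out)


def run(code, state, base=0):
    """Minimal interpreter for the two encodings above. Executes from
    state['eip'] until control leaves `code`; returns (new_state, trace)."""
    st = copy.deepcopy(state)
    trace = []
    while base <= st["eip"] < base + len(code):
        idx = st["eip"] - base
        op = code[idx]
        if op == JMP_REL8:
            rel = code[idx + 1]
            rel = rel - 256 if rel > 127 else rel      # sign-extend the rel8
            trace.append("jmp")
            st["eip"] += 2 + rel
        elif 0x58 <= op <= 0x5F:
            reg = REGS32[op - 0x58]
            trace.append("pop " + reg)
            value = st["stack"].pop(st["regs"]["esp"])  # read [esp]
            st["regs"]["esp"] += 4                      # esp += 4 first,
            st["regs"][reg] = value                     # then write (ok for pop esp)
            st["eip"] += 1
        else:
            raise ValueError("unknown opcode %#x" % op)
    return st, trace


def initial_state(esp=0x7FFF0000):
    """Constructed sample context: distinct register values and two
    live stack slots the surrounding program still depends on."""
    regs = {r: 0x11111111 * (i + 1) for i, r in enumerate(REGS32)}
    regs["esp"] = esp
    stack = {esp: 0xDEADBEEF, esp + 4: 0xCAFEBABE}
    return {"eip": 0, "regs": regs, "stack": stack}


def check_nop(prev_ins_size=0, seed=0, land_on_pop=False):
    """Assemble the sequence at offset prev_ins_size, execute it and report
    whether registers and stack survive. land_on_pop=True starts at the pop
    instead of the jmp, i.e. the case the jmp is there to prevent."""
    text = get_nops3(prev_ins_size, random.Random(seed))
    code = assemble(text, base=prev_ins_size)
    before = initial_state()
    before["eip"] = prev_ins_size + (2 if land_on_pop else 0)
    after, trace = run(code, before, base=prev_ins_size)
    transparent = (after["regs"] == before["regs"]
                   and after["stack"] == before["stack"])
    return {"asm": text, "bytes": code.hex(), "trace": trace,
            "eip_after": after["eip"], "transparent": transparent}


if __name__ == "__main__":
    for kw in ({}, {"prev_ins_size": 5, "seed": 7}, {"land_on_pop": True}):
        print(check_nop(**kw))
```

With the defaults this yields the bytes `eb 01 xx` (the `xx` being `58`..`5f` depending on the chosen register), a trace containing only the `jmp`, `eip` advanced by exactly 3, and an untouched register file and stack. Running with `land_on_pop=True` executes the pop, drops a live stack slot and clobbers a register, which is exactly why the sequence is only a NOP when entered at the jmp. In the project itself a real assembler produces the bytes; the toy encoder here only exists so the example runs offline.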

scmanjarrez (Author) commented
I got it, thank you so much!
