## Data Packing

I was doing some random experiments using assembly and C. This is a simple example in packing 2 numbers inside a register in assembly. Let’s assume

$al < 2^{5}$
$bl < 2^{3}$

We want to store these 2 values inside the dl register. The dl register is of 8 bits, so 5 + 3 = 8 bits

#### Packing

```; al < 2 ^ 5, bl < 2 ^ 3
mov al, bl
shl dl, 3
or  dl, bl  ; xor would also work fine
```

#### Unpacking

```mov cl, dl   ; Make a copy of dl
and dl, 111b ; Extract lowest 3 bits (b)
mov bl, dl
shr cl, 3    ; Extract highest 5 bits (a)
mov al, cl
```

## Birthday Crackme Part 1

I am very thankful to her for making my birthday so special 🙂
This crackme is a bootloader written in 16-bit assembly. This is how this look like.

## Shellcode Extractor

This tool will extract the opcodes from the .text section and display in different hex formats for different syntaxes. Works only with valid PE files. Coded in C++Builder XE5.

## Hiding Data Inside Memory Addresses

This is a small finding I found while I was experimenting on pointers in C. Usually in C the arithmetic on pointers depend on the size of the data types. If we initialize a int variable, the compiler will allocate 4 bytes in memory since its 32 bits. I assume you are well aware of these basics in C 🙂 I wanted to store data inside the empty addresses allocated by int data type. This is a bit challenging in a high level programming language. Of course using inline assembly I could have achieved this. But I wanted to achieve this using native C operators.
To understand this let’s begin from a simple approach.

```#include <stdio.h>

int main() {

unsigned int var  = 100;
unsigned int var2 = 200;

printf("%u\n",var);
printf("%u\n",var2);

}
```

## Getting Shellcode from ARM Binaries

For x86 and x86_64 there are already commands for extracting shellcode and printing them nicely formatted. But when it comes to ARM none of them work would because of the way objdump would dump the opcodes. For example if this is my sample program:

```.section .text
.global _start

_start:

.code 32
# Thumb-Mode on
bx  r6

.code   16
# _write()
mov     r2, #7
mov r1, pc
mov     r0, \$0x1
mov     r7, \$0x4
svc     0

# _exit()
sub r0, r0, r0
mov     r7, \$0x1
svc 0

.ascii "Osanda\n"
```

## Solving Root-me Ptrace challenge

You can find the challenge from here. The challenge is to find the password for the elf 32 binary. This is how this looks at a glance.

Let’s fire up GDB and check this out. I’ll break main and run. We can see that arguments to ptrace() function is being pushed on the stack and ptrace is being called.

```=> 0x080483fe <+14>:	sub    esp,0x14
0x08048401 <+17>:	mov    DWORD PTR [ebp-0xc],0x80c2888
0x08048408 <+24>:	push   0x0
0x0804840a <+26>:	push   0x1
0x0804840c <+28>:	push   0x0
0x0804840e <+30>:	push   0x0
0x08048410 <+32>:	call   0x8058a70 <ptrace>
```

## Egg Hunting Fun

In this vacation I thought of learning to use egg hunters in exploit development. This is just a small write up just after successful exploitation of my meterpreter reverse_tcp shellcode. This is the original exploit which was published in 2010 http://www.exploit-db.com/exploits/15834/. I wanted to implement a egg hunter code to search our shellcode with our tag throughout the heap, stack, etc. Egg hunters are used when we have a limited buffer space.

I assume you have a good knowledge on developing stack based buffer overflow exploits, about registers, little-endianness,etc which is the very basics.

I developed this exploit under Windows XP SP2 using the USER32.dll which is a operating system dll to find a jump to esp (JMP ESP) command. This application doesn’t use any dlls so this is a platform dependent exploit.

As I mentioned earlier this is very brief  write up.  The offset is at 515 bytes . Our plan is to overwrite the EIP register with our JMP ESP address and we want jump back 60 bytes backwards to the starting point of our hunter so that it would be executed. Then it would search everywhere inside the memory to find the tag and execute our shellcode. Opcode for jmp is EB and 60 bytes back means -60 is C4 so the shellcode would be \xeb\xc4.