Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

shellcraft.amd64.mov does not work for 32-bit unsigned values > 0x7fffffff #841

Closed
david942j opened this issue Jan 10, 2017 · 6 comments
Closed

shellcraft.amd64.mov does not work for 32-bit unsigned values > 0x7fffffff #841

david942j opened this issue Jan 10, 2017 · 6 comments
Assignees
@zachriggle
Labels
bug
Milestone
2.3

Comments

@david942j
Copy link
Contributor 

> context.arch = 'amd64'
> print shellcraft.mov('rax',0xffffffff)
    push 0xffffffff
    pop rax

> asm(shellcraft.mov('rax',0xffffffff))
...
/tmp/pwn-asm-EtF_gt/step1:7: Error: operand type mismatch for `push'

Looks like push 0xffffffff is an invalid instruction, should be push -1 in this case?
@zachriggle
Copy link
Member

zachriggle commented Jan 10, 2017
edited
Loading

Looks like this is a regression introduced in v3.0.0, v2.3.0 works fine.

@zachriggle zachriggle self-assigned this Jan 10, 2017
@zachriggle zachriggle added the bug label Jan 10, 2017
@zachriggle zachriggle added this to the 3.3.0 milestone Jan 10, 2017
@zachriggle
Copy link
Member

Which is very odd, because v.3.0.0 works for...

$ shellcraft -f asm amd64.push 0xffffffff
    /* push 4294967295 */
    mov rax, 0x101010101010101
    push rax
    mov rax, 0x101010101010101 ^ 0xffffffff
    xor [rsp], rax

But then does...

$ shellcraft -f asm amd64.mov rax 0xffffffff
    push 0xffffffff
    pop rax

@zachriggle
Copy link
Member

It looks like 2.3.0 doesn't throw an exception, but is just "wrong".

If we run the code via shellcraft --debug amd64.mov rax 0xffffffff, we get the following:

   0x400078    push   -1
   0x40007a    pop    rax
...
pwndbg> i r rax
rax            0xffffffffffffffff	0xffffffffffffffff

Which is clearly incorrect.

@zachriggle
Copy link
Member

It looks like v.2.2.0 is correct:

mov eax, 0xffffffff

Which gets us

pwndbg> i r eax
eax            0xffffffff	0xffffffff

@zachriggle zachriggle mentioned this issue Jan 10, 2017
Merged
@zachriggle zachriggle changed the title operand type mismatch for push' of shellcraft output of mov` instruction shellcraft.amd64.mov does not work for 32-bit unsigned values > 0x7fffffff Jan 10, 2017
@zachriggle zachriggle modified the milestones: 2.3, 3.3.0 Jan 10, 2017
@zachriggle
Copy link
Member

Root cause is #504 (9ca377c)

zachriggle added a commit to zachriggle/pwntools that referenced this issue Jan 10, 2017
@zachriggle
Fix regression in amd64.mov with 32-bit values >= 0x80000000
1a67a4a 
Fixes Gallopsled#841
Caused by: Gallopsled#504 (9ca377c)
zachriggle added a commit that referenced this issue Jan 10, 2017
@zachriggle
Fix regression in amd64.mov with 32-bit values >= 0x80000000 (#843)
cb4991c 
Fixes #841
Caused by: #504 (9ca377c)
@zachriggle
Copy link
Member

zachriggle commented Jan 10, 2017
edited
Loading

Closed via #843, this will be fixed in v3.3.3

Kyle-Kyle pushed a commit to Kyle-Kyle/pwntools that referenced this issue Apr 25, 2021
@disconnect3d
Fixes Gallopsled#841
979d330
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zachriggle zachriggle

Labels
bug
Projects
None yet
Milestone
2.3
Development

No branches or pull requests
2 participants
@zachriggle @david942j