Wednesday, August 3, 2011

ROP: How to make comparisons?

Folks, a quick and dirty post on how to compare two values using Return Oriented Programming.
Let's say we simply want to compare two operands:

cmp %ax, %cx


Doing it with a plain compare is easy, but when we are dealing with ROP it is rare to find a gadget that is a straight cmp %ax, %cx followed by a ret. So what is the alternative? cmp (like many other instructions) subtracts the two operands, throws the result away and sets a number of flags in the EFLAGS register. Luckily many other instructions set those same flags as a side effect!

For example we can use an instruction called neg. neg %ax computes the two's complement of %ax and sets the Carry Flag (CF) if the operand is not zero, clearing it if the operand is zero (the Zero Flag is set for a zero result as well). So, do you want to test for equality? Subtract the two values with whatever gadget you have and then neg the difference: CF clear means the values were equal. Another great example comes from the instruction sub. In AT&T syntax sub %ax, %cx subtracts the source (%ax) from the destination (%cx), stores the result in %cx and sets the Carry Flag when the destination is smaller than the source, that is, on an unsigned borrow (%cx < %ax). You can use it to check whether one number is less than another.
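As an added example (not code from the original post), the following C models the two flag side effects the post relies on, neg setting CF for a non-zero operand and sub setting CF on an unsigned borrow, builds the three ROP-style comparisons (is zero, unsigned less-than, equality) on top of them, and on x86 cross-checks the model against the real instructions with inline assembly. The function names, the 16-bit width and the sample values are my own choices.

```c
#include <stdint.h>
#include <stdio.h>

/* EFLAGS bits we care about (same bit positions as in the real register). */
#define FLAG_CF 0x001u
#define FLAG_ZF 0x040u

/* Model of `neg %ax`: two's complement of the operand.
 * CF is set iff the operand was non-zero, ZF iff the result is zero. */
static uint16_t neg16(uint16_t ax, unsigned *flags)
{
    uint16_t r = (uint16_t)(0u - ax);
    *flags = 0;
    if (ax != 0) *flags |= FLAG_CF;
    if (r == 0)  *flags |= FLAG_ZF;
    return r;
}

/* Model of AT&T `sub %ax, %cx`: cx = cx - ax.
 * CF is set iff an unsigned borrow occurred, i.e. cx < ax. */
static uint16_t sub16(uint16_t ax, uint16_t cx, unsigned *flags)
{
    uint16_t r = (uint16_t)(cx - ax);
    *flags = 0;
    if (cx < ax) *flags |= FLAG_CF;
    if (r == 0)  *flags |= FLAG_ZF;
    return r;
}

/* "Is v zero?" using only a neg gadget: CF clear <=> operand was zero. */
int is_zero_via_neg(uint16_t v)
{
    unsigned f;
    neg16(v, &f);
    return (f & FLAG_CF) == 0;
}

/* "Is lhs < rhs (unsigned)?" using only a sub gadget: lhs goes in the
 * destination register, rhs in the source, and CF is the answer. */
int unsigned_lt_via_sub(uint16_t lhs, uint16_t rhs)
{
    unsigned f;
    sub16(rhs, lhs, &f);            /* sub %rhs, %lhs -> lhs - rhs */
    return (f & FLAG_CF) != 0;
}

/* "Is a == b?" with a sub gadget followed by a neg gadget. */
int equal_via_sub_neg(uint16_t a, uint16_t b)
{
    unsigned f;
    uint16_t diff = sub16(b, a, &f); /* a - b */
    return is_zero_via_neg(diff);
}

#if defined(__x86_64__) || defined(__i386__)
/* On x86, run the real instructions and capture CF/ZF with setc/setz. */
static unsigned hw_neg_flags(uint16_t ax)
{
    unsigned char cf, zf;
    __asm__ volatile("negw %w2\n\tsetc %0\n\tsetz %1"
                     : "=q"(cf), "=q"(zf), "+r"(ax) : : "cc");
    return (cf ? FLAG_CF : 0u) | (zf ? FLAG_ZF : 0u);
}
static unsigned hw_sub_flags(uint16_t ax, uint16_t cx)
{
    unsigned char cf, zf;
    __asm__ volatile("subw %w3, %w2\n\tsetc %0\n\tsetz %1"
                     : "=q"(cf), "=q"(zf), "+r"(cx) : "r"(ax) : "cc");
    return (cf ? FLAG_CF : 0u) | (zf ? FLAG_ZF : 0u);
}
#endif

/* Cross-check the model against the CPU over a sweep of sample values
 * (constructed here). Returns 1 if every case agrees, 0 on a mismatch,
 * -1 when not running on x86. */
int model_matches_hardware(void)
{
#if defined(__x86_64__) || defined(__i386__)
    static const uint16_t samples[] = { 0, 1, 2, 0x7FFF, 0x8000, 0xFFFE, 0xFFFF };
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++) {
        unsigned f;
        neg16(samples[i], &f);
        if (f != hw_neg_flags(samples[i])) return 0;
        for (size_t j = 0; j < n; j++) {
            sub16(samples[i], samples[j], &f);
            if (f != hw_sub_flags(samples[i], samples[j])) return 0;
        }
    }
    return 1;
#else
    return -1;
#endif
}

int main(void)
{
    printf("neg : 0 is zero? %d, 5 is zero? %d\n",
           is_zero_via_neg(0), is_zero_via_neg(5));
    printf("sub : 3 < 5? %d, 5 < 3? %d, 5 < 5? %d\n",
           unsigned_lt_via_sub(3, 5), unsigned_lt_via_sub(5, 3),
           unsigned_lt_via_sub(5, 5));
    printf("both: 0xFFFF == 0xFFFF? %d, 7 == 9? %d\n",
           equal_via_sub_neg(0xFFFF, 0xFFFF), equal_via_sub_neg(7, 9));
    printf("model vs CPU: %d\n", model_matches_hardware());
    return 0;
}
```

Note that the sub-based test is an unsigned comparison (CF is the borrow flag); a signed less-than would need the Sign and Overflow flags instead, which is not what the post is after.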

Of course these are only a couple of ways to perform comparisons, but they are the most frequent ones. By searching the imported libraries you will find plenty of neg and/or sub gadgets. Now you know how to use them ;).

1 comment:

sagrada familia said...

The chap is completely right, and there's no skepticism.