
I'm trying to move values from al and bl into effective memory, but I keep getting segmentation faults. What my program does is it takes the values located at [esi] and [esi+1], it then rotates these bytes and puts them back. However, when putting them back, [esi] and [esi+1] need to be swapped (so bl into [esi] and al into [esi+1]) and this is where I'm getting a segmentation fault.

mov al,  [esi]
mov bl,  [esi+1]
rol bl,4
ror al,2
mov [esi],bl
mov [esi+1],al

Can anyone shed some light as to why these segmentation faults are occurring?

My current complete code:

global _start

section .text
_start:
        jmp short call_shellcode        ; jmp/call/pop: get the address of EncodedShellcode into esi

decoder:
        pop esi                         ; esi = address of EncodedShellcode (pushed by the call below)
        xor ecx, ecx

        xor eax, eax
        xor ebx, ebx

        mov cl, 25                      ; note: 25 iterations x 2 bytes walks 50 bytes, past the 25-byte payload

decode:

        lea edi, [esi]
        mov al, byte [edi]              ; reading from the .text address succeeds
        mov bl, byte [esi+1]
        ror al, 2
        rol bl, 4
        mov byte [esi], al              ; writing back into .text: this is where the fault occurs
        mov byte [esi+1], bl
        add esi, 2
        loop decode
        jmp short EncodedShellcode      ; execute the decoded bytes in place

call_shellcode:

        call decoder                    ; pushes the address of the following bytes, i.e. EncodedShellcode

        EncodedShellcode: db 0x13,0x3,0x5,0xa1,0xf2,0xbc,0x37,0xa1,0x86,0xbc,0x26,0xa5,0xe6,0x26,0x3e,0x41,0x98,0x8b,0x35,0x26,0x1e,0xc2,0xb0,0x37,0x8
Lucas Kauffman

1 Answer


The code doesn't have anything wrong. But because it fails on writing to esi but succeeds in reading esi, it must mean that the destination address is valid, but write protected.

Most likely the value of esi originates from the .text segment, which is read-only.

An unlikely possibility is that the code segment is writable and that esi points to the next instruction, which is then modified to contain an invalid instruction.

Aki Suihkonen
  • I'll post my complete code which I have at the moment; it's actually a piece of shellcode which uses the jump, call, pop technique – Lucas Kauffman Apr 29 '13 at 08:10
  • I think you are probably right, the .text section probably isn't writable – Lucas Kauffman Apr 29 '13 at 08:13
  • You can verify this by omitting `jmp short EncodedShellcode` and placing the shellcode in `.data`. Then, to overcome this issue, the text segment must be reprogrammed as writable (through some system call). Check details here: http://stackoverflow.com/questions/4169417/self-modifying-code – Aki Suihkonen Apr 29 '13 at 08:27
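Added example, not code from the question or the answer: a small Python checker that reads the ELF section-header flags the way `readelf -S` prints them, so you can confirm that `.text` is AX (no W bit, which is why the stores above fault) while `.data` is WA, and, as a defensive check, flag any section a build has left both writable and executable. The ELF image it runs on is constructed inline (made-up names, addresses and sizes); function names are my own, and to check a real binary pass `open("a.out","rb").read()` to `section_flags`.

```python
import struct

SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4   # sh_flags bits from the ELF specification

def section_flags(elf: bytes) -> dict:
    """Map section name -> sh_flags for a little-endian ELF32 or ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[5] != 1:
        raise ValueError("expected a little-endian ELF image")
    if elf[4] == 2:                      # ELFCLASS64: Elf64_Ehdr / Elf64_Shdr layouts
        shoff = struct.unpack_from("<Q", elf, 40)[0]
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 58)
        fmt = "<IIQQQQIIQQ"
    else:                                # ELFCLASS32: Elf32_Ehdr / Elf32_Shdr layouts
        shoff = struct.unpack_from("<I", elf, 32)[0]
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 46)
        fmt = "<IIIIIIIIII"
    hdrs = [struct.unpack_from(fmt, elf, shoff + i * shentsize) for i in range(shnum)]
    strtab = hdrs[shstrndx][4]           # file offset of .shstrtab, which holds the section names
    flags = {}
    for name_off, _type, sh_flags, *_ in hdrs[1:]:   # index 0 is the mandatory null section
        end = elf.index(b"\0", strtab + name_off)
        flags[elf[strtab + name_off:end].decode()] = sh_flags
    return flags

def describe(flags: int) -> str:
    """Render flags as readelf -S does: W = writable, A = allocated, X = executable."""
    return "".join(c for c, bit in (("W", SHF_WRITE), ("A", SHF_ALLOC), ("X", SHF_EXECINSTR)) if flags & bit)

def writable_code_sections(elf: bytes) -> list:
    """Sections that are both writable and executable: what an in-place decoder in .text would need."""
    wx = SHF_WRITE | SHF_EXECINSTR
    return [name for name, f in section_flags(elf).items() if f & wx == wx]

def build_sample_elf32(text_flags: int) -> bytes:
    """Constructed minimal ELF32 image (header + section table only, no code) for demonstration."""
    shstr = b"\0.text\0.data\0.shstrtab\0"       # name offsets: .text=1, .data=7, .shstrtab=13
    shoff = 52 + len(shstr)
    sections = [(0, 0, 0, 0, 0, 0),                                   # null section
                (1, 1, text_flags, 0x08048060, 0, 0x30),              # .text (PROGBITS)
                (7, 1, SHF_WRITE | SHF_ALLOC, 0x080490a0, 0, 0x19),   # .data (PROGBITS)
                (13, 3, 0, 0, 52, len(shstr))]                        # .shstrtab (STRTAB)
    table = b"".join(struct.pack("<IIIIIIIIII", n, t, f, a, o, s, 0, 0, 1, 0)
                     for n, t, f, a, o, s in sections)
    ehdr = struct.pack("<4sBBBBBxxxxxxxHHIIIIIHHHHHH", b"\x7fELF", 1, 1, 1, 0, 0,
                       2, 3, 1, 0x08048060, 0, shoff, 0, 52, 0, 0, 40, len(sections), 3)
    return ehdr + shstr + table

if __name__ == "__main__":
    for name, f in section_flags(build_sample_elf32(SHF_ALLOC | SHF_EXECINSTR)).items():
        print(f"{name:10} {describe(f):3}")   # .text AX (no W: stores into it fault), .data WA
```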