I have the following piece of assembly for x86_64 shellcode:
call writer                        ; e8 rel32: a forward +6 encodes as 06 00 00 00
writestring db "ABCD",0x0d,0x0a    ; db takes byte-sized operands; nasm truncates 0x0d0a to a single byte
writer:
pop rsi                            ; rsi = return address pushed by call = &writestring
When this is compiled, objdump -d shows (snipped some for brevity):
4000a4: e8 06 00 00 00 callq 4000af <writer>
00000000004000a9 <writestr>:
4000a9: 42 rex.X
4000aa: 42 rex.X
4000ab: 42 rex.X
4000ac: 42 0a 0d 5e 48 31 d2 rex.X
00000000004000af <writer>:
4000af: 5e pop %rsi
I would like to remove the three nulls from the back of callq. call near, call far etc. aren't doing it. Can anyone provide a suggestion?
Sorry, I wasn't really clear. I'm using call so that it saves the address of the writestr that I can pop into rsi immediately after. I can't access rip (or can I?) to figure out the offsets by hand.
You should be able to eliminate the null bytes by using a JMP (or similar) instruction instead. For instance, something like:
jmp $+8                            ; eb 06: short jump over the data, rel8 has no null bytes
writestring db "BBBB",0x0d,0x0a
writer:
pop rsi
This produces the following machine code using nasm -f elf64:
0000000000000000 <writestring-0x2>:
0: eb 06 jmp 8 <writer>
0000000000000002 <writestring>:
2: 42 rex.X
3: 42 rex.X
4: 42 rex.X
5: 42 rex.X
6: 0d .byte 0xd
7: 0a .byte 0xa
0000000000000008 <writer>:
8: 5e pop %rsi
You probably noticed that I didn't set up anything for a RET instruction. But if you need such an instruction you can easily do the procedure prologue yourself.
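A caveat for anyone copying the layout above: a plain jmp pushes nothing, so the pop rsi that follows it reads whatever happened to be on the stack, not the address of the string. What makes the question's call useful is that call pushes the address of the byte right after itself, and that byte is the first byte of the string. The nulls come from the displacement, not from call itself: a call rel32 to a target 6 bytes ahead encodes as e8 06 00 00 00, while a call to a target a few bytes behind encodes as e8 xx ff ff ff. The usual null-free arrangement is therefore jmp / call / pop: jump forward over the code with a 2-byte short jump, call backward to it, and let pop rsi pick up the pushed return address, which points at the data placed immediately after the call. The C program below is an added example, not code from the question or the answer; it hand-encodes both the question's forward call and the jmp/call/pop layout, then scans the bytes for 0x00. The function names and the sample body (xor rdx, rdx, the 48 31 d2 visible in the question's objdump) and string are this example's own choices.

```c
/*
 * Added example (not code from the question or the answer above): hand-encode
 * the jmp / call / pop layout used for null-free, position-independent
 * x86_64 shellcode and check the resulting bytes for 0x00.  Function names
 * and the sample body/string are this example's own choices.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if any byte in buf is 0x00, which would terminate a C-string copy. */
int has_null(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0)
            return 1;
    return 0;
}

/* call rel32: E8 + little-endian signed 32-bit displacement measured from the
 * end of the 5-byte instruction.  A small forward target gives 06 00 00 00;
 * a small backward target gives e.g. F7 FF FF FF. */
size_t encode_call_rel32(int32_t rel, uint8_t *out)
{
    uint32_t u = (uint32_t)rel;
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(u >> (8 * i));
    return 5;
}

/* jmp short rel8: EB + signed 8-bit displacement from the end of the 2-byte
 * instruction.  Contains no null unless rel is exactly 0. */
size_t encode_jmp_rel8(int8_t rel, uint8_t *out)
{
    out[0] = 0xEB;
    out[1] = (uint8_t)rel;
    return 2;
}

/*
 * Emit:
 *   start:    jmp short get_str   ; forward, rel8 = 1 + body_len
 *   after:    pop rsi             ; rsi = address pushed by the call = &str
 *             <body>              ; caller-supplied code that uses rsi
 *   get_str:  call after          ; backward rel32, high bytes are FF
 *   str:      <str bytes>         ; immediately after the call
 *
 * The call pushes the address of the byte following it, which is the string,
 * so "pop rsi" obtains the string address without reading rip.
 * Returns the number of bytes written, or 0 if the layout does not fit.
 */
size_t build_jmp_call_pop(const uint8_t *body, size_t body_len,
                          const uint8_t *str, size_t str_len,
                          uint8_t *out, size_t cap)
{
    const size_t jmp_len = 2, pop_len = 1, call_len = 5;
    size_t total = jmp_len + pop_len + body_len + call_len + str_len;
    size_t jmp_rel = pop_len + body_len;      /* end of jmp -> start of call */
    if (total > cap || jmp_rel > 127)         /* rel8 must stay in range   */
        return 0;

    size_t p = 0;
    p += encode_jmp_rel8((int8_t)jmp_rel, out + p);
    out[p++] = 0x5E;                          /* pop rsi */
    memcpy(out + p, body, body_len);
    p += body_len;
    /* the call starts at offset p and ends at p + 5; "after" is at jmp_len */
    int32_t call_rel = (int32_t)jmp_len - (int32_t)(p + call_len);
    p += encode_call_rel32(call_rel, out + p);
    memcpy(out + p, str, str_len);
    p += str_len;
    return p;
}

int main(void)
{
    /* Constructed sample: xor rdx, rdx (48 31 d2) as the body and the
     * question's "ABCD\r\n" as the string. */
    const uint8_t body[] = { 0x48, 0x31, 0xD2 };
    const uint8_t str[]  = { 'A', 'B', 'C', 'D', 0x0D, 0x0A };
    uint8_t fwd[5], sc[64];

    encode_call_rel32(6, fwd);                /* the question's "call writer" */
    printf("forward call: ");
    for (size_t i = 0; i < 5; i++) printf("%02x ", fwd[i]);
    printf("-> %s\n", has_null(fwd, 5) ? "contains nulls" : "null-free");

    size_t n = build_jmp_call_pop(body, sizeof body, str, sizeof str, sc, sizeof sc);
    printf("jmp/call/pop: ");
    for (size_t i = 0; i < n; i++) printf("%02x ", sc[i]);
    printf("-> %s\n", has_null(sc, n) ? "contains nulls" : "null-free");
    return 0;
}
```

With the sample body the builder emits eb 04 5e 48 31 d2 e8 f7 ff ff ff 41 42 43 44 0d 0a: the short jump skips the pop and the body, the call's displacement is -9 and so has 0xff high bytes, and pop rsi receives the address of the 'A'. The string itself must also be free of 0x00, which is why the example scans the whole buffer rather than just the instruction bytes; a longer body than 127 bytes needs a rel32 jump, which the builder refuses rather than silently emitting nulls.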