Comments on: isX64 Gem http://www.ragestorm.net/blogs/?p=376 An Arkon Blog Sun, 19 May 2013 08:45:09 +0000 hourly 1 http://wordpress.org/?v=3.5 By: hatter http://www.ragestorm.net/blogs/?p=376&cpage=1#comment-4375 hatter Sun, 01 Jul 2012 09:08:03 +0000 http://www.ragestorm.net/blogs/?p=376#comment-4375 Nice trick! Good for binary – if you need an alphanumeric one, check this out http://www.blackhatlibrary.net/Architecture_detection_shellcode – mind if I add your method to our shellcode page(s)?

]]> By: Brundle Lab | The result could be different as expected http://www.ragestorm.net/blogs/?p=376&cpage=1#comment-4366 Brundle Lab | The result could be different as expected Sun, 29 Apr 2012 19:55:09 +0000 http://www.ragestorm.net/blogs/?p=376#comment-4366 [...] NOTE: This difference in the opcode translation is leveraged in a very neat trick in order to make your shellcode architecture independent. Read more here. [...]

]]> By: Noobieboobie http://www.ragestorm.net/blogs/?p=376&cpage=1#comment-3834 Noobieboobie Wed, 28 Sep 2011 13:10:56 +0000 http://www.ragestorm.net/blogs/?p=376#comment-3834 Sounds cool, but i have some questions. (i’m pretty new to low-level fun)

How do you assemble this code? Can you decide to which instruction set it’s assembled? How can you write to 2 different instruction sets in one code?

It would make sense to me to also put the isX64 part under ‘bits 32′, is it?

Your blog is incredible, i wish you would update more frequently!
Thank you :)

]]> By: SkyLined http://www.ragestorm.net/blogs/?p=376&cpage=1#comment-3829 SkyLined Sun, 21 Aug 2011 22:15:20 +0000 http://www.ragestorm.net/blogs/?p=376#comment-3829 Nice trick, thanks for sharing!

I’ve recently rewritten my x86 Windows shellcode that executes calc.exe on all versions of Windows, on all Service Packs using tips from Peter Ferrie. I created a x64 version as well and, using this trick, I created one shellcode that runs on all versions, Service Packs and architectures (x86 and x64) of Windows. See http://code.google.com/p/win-exec-calc-shellcode/ for source and binaries.

]]> By: Peter Ferrie http://www.ragestorm.net/blogs/?p=376&cpage=1#comment-3780 Peter Ferrie Sat, 16 Jul 2011 03:31:39 +0000 http://www.ragestorm.net/blogs/?p=376#comment-3780 Yes, Ange used that trick in another context, but using it here would end up being longer than Arkon’s version because you’d need an explicit test afterwards.

]]> By: Myria http://www.ragestorm.net/blogs/?p=376&cpage=1#comment-3770 Myria Thu, 14 Jul 2011 00:20:40 +0000 http://www.ragestorm.net/blogs/?p=376#comment-3770 A similar trick might also work with the “ARPL” “MOVSXD” instructions.

]]> By: ziggz http://www.ragestorm.net/blogs/?p=376&cpage=1#comment-3769 ziggz Wed, 13 Jul 2011 23:58:21 +0000 http://www.ragestorm.net/blogs/?p=376#comment-3769 neat trick!

]]> By: arkon http://www.ragestorm.net/blogs/?p=376&cpage=1#comment-3768 arkon Wed, 13 Jul 2011 21:28:57 +0000 http://www.ragestorm.net/blogs/?p=376#comment-3768 push cs; pop ax would work (0×23 and 0×33), but my code is platform independent.

]]> By: Myria http://www.ragestorm.net/blogs/?p=376&cpage=1#comment-3767 Myria Wed, 13 Jul 2011 21:24:41 +0000 http://www.ragestorm.net/blogs/?p=376#comment-3767 @Ange
Well, if you’re willing to hardcode the expected segment values, yes. There are other ways, like using the “lar” instruction on the CS selector and checking for the “long” bit.

]]> By: Ange http://www.ragestorm.net/blogs/?p=376&cpage=1#comment-3766 Ange Wed, 13 Jul 2011 21:16:35 +0000 http://www.ragestorm.net/blogs/?p=376#comment-3766 (didn’t test) can’t CS value tell you the answer directly btw ?

]]>