Polyglot Assembly – assembly code that runs on multiple architectures (vojtechkral.github.io)
73 points by pabs3 15 days ago | 5 comments



This gets really fun when you add in more architectures. If I recall correctly Midnight Sun CTF had a challenge that asked for shellcode that worked on x86/x86-64/ARM/ARM64/MIPSLE. The technique is the same, if more difficult: a header that quickly peels off and branches to an architecture-specific block, but also doesn’t encode something invalid or likely to crash. I’ll have to see if I have that header somewhere…

Edit: found it, it's \xeb\x16\x00\x32\x10\x00\x00\x3a\x0f\x00\x00\x2a\x19\x00\x00\x14\x31\x00\x01\x04\x00\x00\x00\x00. Here's how it looks on each architecture:

x86/x86-64:

  0x0000000000000000:  EB 16       jmp  0x18
  0x0000000000000002:  00 32       add  byte ptr [edx], dh
  0x0000000000000004:  10 00       adc  byte ptr [eax], al
  0x0000000000000006:  00 3A       add  byte ptr [edx], bh
  0x0000000000000008:  0F 00 00    sldt word ptr [eax]
  0x000000000000000b:  2A 19       sub  bl, byte ptr [ecx]
  0x000000000000000d:  00 00       add  byte ptr [eax], al
  0x000000000000000f:  14 31       adc  al, 0x31
  0x0000000000000011:  00 01       add  byte ptr [ecx], al
  0x0000000000000013:  04 00       add  al, 0
  0x0000000000000015:  00 00       add  byte ptr [eax], al

ARM:

  0x0000000000000000:  EB 16 00 32    andlo r1, r0, #0xeb00000
  0x0000000000000004:  10 00 00 3A    blo   #0x4c
  0x0000000000000008:  0F 00 00 2A    bhs   #0x4c
  0x000000000000000c:  19 00 00 14    strne r0, [r0], #-0x19
  0x0000000000000010:  31 00 01 04    streq r0, [r1], #-0x31
  0x0000000000000014:  00 00 00 00    andeq r0, r0, r0

ARM64:

  0x0000000000000000:  EB 16 00 32    orr  w11, w23, #0x3f
  0x0000000000000004:  10 00 00 3A    adcs w16, w0, w0
  0x0000000000000008:  0F 00 00 2A    orr  w15, w0, w0
  0x000000000000000c:  19 00 00 14    b    #0x70

MIPSLE:

  0x0000000000000000:  EB 16 00 32    andi $zero, $s0, 0x16eb
  0x0000000000000004:  10 00 00 3A    xori $zero, $s0, 0x10
  0x0000000000000008:  0F 00 00 2A    slti $zero, $s0, 0xf
  0x000000000000000c:  19 00 00 14    bnez $zero, 0x74
  0x0000000000000010:  31 00 01 04    bgez $zero, 0xd8
  0x0000000000000014:  00 00 00 00    nop
For x86/x86-64 you'll notice the code is identical; we had a separate polyglot specifically for it to detect 64-bit and branch away. (0x40 is inc eax on x86, and a REX prefix on x86-64.)
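To make the "peel off and branch" mechanism concrete, here is an added decoder (written for this thread, not the CTF's or the commenter's tooling) that reads the 24 header bytes quoted above under each ISA's branch encoding and reports where every CPU lands. It implements only the four encodings the header relies on: x86 JMP rel8, A32 conditional B (the lo/hs pair covers both values of the carry flag, so either way ARM goes to 0x4c), AArch64 unconditional B, and MIPS BNE/BGEZ with their delay-slot-relative targets (bne $zero,$zero can never be taken, bgez $zero always is). The header bytes are the ones in the comment; the function names and the treatment of the ARM pair as "complementary conditions to one target" are this example's own.

```python
"""Decode the branch instructions of the five-architecture polyglot header
under each ISA's encoding, to show where each CPU lands. Added example;
only the HEADER bytes come from the comment, the rest is written here."""
import struct

# Header bytes as posted in the comment (24 bytes).
HEADER = bytes.fromhex(
    "eb160032" "1000003a" "0f00002a" "19000014" "31000104" "00000000"
)

ARM_COND = ["eq", "ne", "hs", "lo", "mi", "pl", "vs", "vc",
            "hi", "ls", "ge", "lt", "gt", "le", "al", "nv"]


def sign_extend(value, bits):
    """Interpret the low `bits` bits of value as a two's-complement number."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)


def words_le(buf):
    """Yield (offset, 32-bit little-endian word) for every aligned word."""
    for off in range(0, len(buf) - 3, 4):
        yield off, struct.unpack_from("<I", buf, off)[0]


def x86_landing(buf):
    """x86 / x86-64: EB ib is JMP rel8; target = end of the 2-byte
    instruction + rel8. 32- and 64-bit mode decode this identically."""
    if buf[0] != 0xEB:
        return None
    return 2 + sign_extend(buf[1], 8)


def arm_branch(word, off):
    """A32 B/BL: cond[31:28] 101 L[24] imm24. PC reads as off+8 when the
    branch executes, so target = off + 8 + imm24*4. None if not a branch."""
    if (word >> 25) & 0x7 != 0b101:
        return None
    cond = ARM_COND[word >> 28]
    return cond, off + 8 + sign_extend(word & 0xFFFFFF, 24) * 4


def arm_landing(buf):
    """Walk the header as A32. A pair of branches with complementary
    conditions (lo/hs) to the same target diverts every path there."""
    seen = {}
    for off, word in words_le(buf):
        br = arm_branch(word, off)
        if br:
            cond, target = br
            seen[cond] = target
            other = {"lo": "hs", "hs": "lo"}.get(cond)
            if other in seen and seen[other] == target:
                return target
    return None


def arm64_landing(buf):
    """AArch64 unconditional B: 000101 imm26; target = off + imm26*4."""
    for off, word in words_le(buf):
        if (word >> 26) == 0b000101:
            return off + sign_extend(word & 0x3FFFFFF, 26) * 4
    return None


def mips_branch(word, off):
    """MIPS BNE (opcode 000101) and REGIMM BGEZ (opcode 000001, rt = 1).
    Target is the delay-slot address (off+4) plus offset*4. Returns
    (mnemonic, always_taken, target); always_taken is None when the
    outcome depends on a register value, False/True when it is fixed."""
    opcode, rs, rt = word >> 26, (word >> 21) & 0x1F, (word >> 16) & 0x1F
    target = off + 4 + sign_extend(word & 0xFFFF, 16) * 4
    if opcode == 0b000101:                  # bne rs, rt, offset
        return "bne", (False if rs == rt else None), target
    if opcode == 0b000001 and rt == 1:      # bgez rs, offset
        return "bgez", (True if rs == 0 else None), target
    return None


def mips_landing(buf):
    """First branch that is taken regardless of register state."""
    for off, word in words_le(buf):
        br = mips_branch(word, off)
        if br and br[1] is True:
            return br[2]
    return None


def decode_header(buf=HEADER):
    """Landing offset per architecture, or None if no exit was found."""
    return {
        "x86": x86_landing(buf),
        "arm": arm_landing(buf),
        "arm64": arm64_landing(buf),
        "mipsel": mips_landing(buf),
    }


if __name__ == "__main__":
    for arch, target in decode_header().items():
        print(f"{arch:7s} -> {target:#06x}" if target is not None else f"{arch:7s} -> ?")
```

Running it prints 0x18 for x86, 0x4c for ARM, 0x70 for ARM64 and 0xd8 for MIPSLE, matching the disassembly in the comment. When building your own header this is the check worth automating: every word before an architecture's exit must decode as something harmless on the other architectures that still execute it (here the ARM `strne` at 0xc is safe only because both A32 paths have already left at 0x4/0x8).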


This was also a feature of the DEFCON 26 finals in doublethink


Indeed:

> @here anyone working on polyshell? It is a spin-off from doublethink of DEFCON last year

> we need 5 architecture ready shellcode


Oh hey, I did something like this for DEF CON CTF one year, with eight architectures all slammed together: https://www.robertxiao.ca/hacking/defcon2018-assembly-polygl...

That was definitely fun to put together.


This seems perfect to combine with αcτµαlly pδrταblε εxεcµταblε and cosmopolitan libc [1].

[1] https://justine.lol/cosmopolitan/index.html



