Comments (2)
.text:000FA5F7 E8 A4 8E F2 FF call sub_234A0
->
.plt.got:000234A0 FF A3 E0 01 00 00 jmp dword ptr [ebx+1E0h]
Crash because ebx+0x1E0 is null. Not sure why yet.
So, GCC implements ASLR by:
- Call __x86_get_pc_thunk_ax (ax replaced with the register) at the start of each function, which simply moves [esp+0] into the register above. esp+0 at the start of a function call is the return address. So - what it's doing here is capturing the address of the next instruction after where the call is.
- Add a magic number to this value, depending on the function in question. The function I'm looking at adds 0x37177E, for example.
- Generate thunks to call ASLRised functions - which take the value above, and add an offset, which equals the end function pointer. The crash I'm currently investigating adds the offset 0x1E0.
- It now has the function pointer, and can call it.
This is usually fine for us - but some functions have the call to __x86_get_pc_thunk_ax within the first five bytes of the function. Because of that, the call actually happens in a different memory location - the trampoline - and [esp+0] returns the next instruction in the trampoline - meaning resolving the ASLR causes a crash (in the best case).
I'm going to try to fix this by attempting to detect calls to the thunks in the trampoline, and if detected, rewrite the call to move the correct value into the register in question instead.
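The repair sketched in the comment above (find `call __x86_get_pc_thunk_*` inside the stolen prologue bytes and replace it with a move of the value the thunk would have produced at the original location), worked through as an added Python example. This is not NWNX's code; the thunk addresses, the function address, the trampoline address and the prologue bytes are all constructed for the demo, and only the 0x37177E constant comes from the comment.

```python
# Added example (not NWNX's hook engine): building a detour trampoline so that a
# relocated `call __x86_get_pc_thunk_*` still yields the ORIGINAL return address.
# Every address and byte string below is constructed for the demonstration.
import struct

CALL_LEN = 5  # `call rel32` and `mov r32, imm32` are both exactly 5 bytes

# Constructed addresses of the GCC PIC helper thunks, mapped to the x86 register
# number they load (eax=0, ecx=1, edx=2, ebx=3, esp=4, ebp=5, esi=6, edi=7).
THUNK_BX = 0x00012340   # hypothetical __x86_get_pc_thunk_bx
THUNK_AX = 0x00012350   # hypothetical __x86_get_pc_thunk_ax
PC_THUNKS = {THUNK_BX: 3, THUNK_AX: 0}

FUNC_ADDR = 0x000FA5F0   # constructed address of the function being hooked
TRAMP_ADDR = 0x00500000  # constructed address where the trampoline lives


def build_sample_function():
    """Constructed prologue: push ebx; call __x86_get_pc_thunk_bx; add ebx, 0x37177E; ret.
    The thunk call sits at offset 1, i.e. inside the five bytes a detour overwrites."""
    call_at = FUNC_ADDR + 1
    rel = THUNK_BX - (call_at + CALL_LEN)
    return (b'\x53'                                      # push ebx
            + b'\xE8' + struct.pack('<i', rel)           # call __x86_get_pc_thunk_bx
            + b'\x81\xC3' + struct.pack('<I', 0x37177E)  # add ebx, 0x37177E (magic from the comment)
            + b'\xC3')                                   # ret


def pc_captured(call_addr):
    """What the thunk reads from [esp]: the address of the instruction after the call."""
    return call_addr + CALL_LEN


def got_base(pc, magic):
    """The value the function keeps in its PIC register after adding its magic number."""
    return (pc + magic) & 0xFFFFFFFF


def insn_len(code, i):
    """Minimal length decoder covering only the opcodes used in the sample prologue."""
    op = code[i]
    if 0x50 <= op <= 0x5F or op in (0x90, 0xC3):        # push/pop r32, nop, ret
        return 1
    if op in (0xE8, 0xE9) or 0xB8 <= op <= 0xBF:        # call/jmp rel32, mov r32, imm32
        return 5
    if op == 0x81 and code[i + 1] >= 0xC0:              # op r32, imm32 (register form)
        return 6
    raise NotImplementedError(f"opcode {op:#04x} at offset {i} not handled")


def build_trampoline(code, func_addr, tramp_addr, thunks=PC_THUNKS):
    """Copy whole instructions until the 5-byte detour is covered, rewriting any call
    to a PC thunk as `mov reg, <original return address>`. Returns (bytes, stolen_len)."""
    out = bytearray()
    i = 0
    while i < CALL_LEN:
        n = insn_len(code, i)
        insn = code[i:i + n]
        src = func_addr + i                              # original address of this insn
        if insn[0] == 0xE8:                              # call rel32
            target = (src + n + struct.unpack_from('<i', insn, 1)[0]) & 0xFFFFFFFF
            if target not in thunks:
                raise ValueError("relative call to a non-thunk needs its own relocation")
            # At the trampoline the thunk would capture the wrong [esp]; load the
            # value it would have seen at the original site instead. Same length.
            insn = bytes([0xB8 + thunks[target]]) + struct.pack('<I', pc_captured(src))
        elif insn[0] == 0xE9:                            # jmp rel32
            raise ValueError("relative jmp in the stolen bytes needs relocation")
        out += insn
        i += n
    # Jump back to the first instruction that was not stolen.
    jmp_at = tramp_addr + len(out)
    out += b'\xE9' + struct.pack('<i', (func_addr + i) - (jmp_at + CALL_LEN))
    return bytes(out), i


if __name__ == "__main__":
    func = build_sample_function()
    tramp, stolen = build_trampoline(func, FUNC_ADDR, TRAMP_ADDR)
    magic = 0x37177E
    print("stolen bytes:", stolen)
    print("trampoline  :", tramp.hex(' '))
    print("PIC base if bytes were copied verbatim:",
          hex(got_base(pc_captured(TRAMP_ADDR + 1), magic)))   # wrong
    print("PIC base with the rewritten call      :",
          hex(got_base(pc_captured(FUNC_ADDR + 1), magic)))    # correct
```

Because `call rel32` and `mov r32, imm32` occupy the same five bytes, the rewrite keeps the stolen region the same size and nothing after it shifts. Any other position-relative instruction that lands in the stolen bytes (a `jmp rel32`, a call to something that is not a thunk) still needs its own relocation; the example raises on those instead of silently copying them, which is the failure the comment describes.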