I hereby claim:
- I am cshepherd on github.
- I am cshepherdfr (https://keybase.io/cshepherdfr) on keybase.
- I have a public key ASAoTA-wtihbyFwZ4PLJ13ArnDEVq-cSyZnmJnQg-6RHXwo
To claim this, I am signing this object:
P286
; Code to view an Apple //GS 320x200x256 picture ($C1)
; Format is as follows:
; $0000-$7CFF Picture data, in nibbles. Each nibble has the value of
; 1-16, specifying a color in the palette assigned to that
; line.
; $7D00-$7DC7 Scanline Control Bytes. There are 200 of these, one for
; each scanline. They are byte values, and break down like this:
; Bits 0-3: Palette Number For Line (0-15)
; Bit 4 : Reserved (must be 0)
PowerPC Stack Attacks, Part 1 - May 31, 2000
Christopher A Shepherd <[email protected]>
Introduction
This assumes the reader's familiarity with buffer-overflow attacks on the Intel architecture, and introduces the reader to the possibility of doing the same on the PowerPC. If you're not familiar with this, have a look at Phrack 49. Essentially, the return address is saved at the top of the stack frame, and data written below the return address can overwrite the return address, allowing us to execute evil code.
PowerPC Errata
Buffer overflow attacks have been easy to write for the Intel architecture, in part because function calls are implemented with the 'call' opcode, which saves the calling address on the stack, to be retrieved later when the function exits. But as we see here, this may not actually be the case on the PPC.
A typical ppc function call is executed with the 'blr' instruction, which saves the caller's return address to a special-purpose register called the 'link register.' If it wer
PowerPC Stack Attacks, Part 2 - June 1, 2000
Christopher A Shepherd <[email protected]>
In the last episode, we showed that it was possible to overwrite the return address with careful stack manipulation and execute the code of our choice. In this installment, we'll dig a bit deeper and write our own PowerPC eggshell code.
The first thing we want to do (and again folks, this really is a carbon copy of Aleph1's Intel-based explanation) is to run a sample program that spawns a shell, because presumably that's what our evil code will do. Thus:
#include
void main() {
char *name[2];
PowerPC Stack Attacks, Part 3 - June 5, 2000
Christopher A Shepherd <[email protected]>
In the last installment, we got pretty close, developing our own eggshell code, with one lil problem! It had zeroes in it. Of course, strcpy(), gets(), and all our other favorite insecure functions are going to choke on those zeroes, so we must do what we can do to get around having zeroes in our code. The horrifying explanation follows here.
First, a look at the original code:
100003e4: 48 00 00 30 b 10000414 <.ahead>
100003e8 <.back>:
100003e8: 7c 08 02 a6 mflr r0
100003ec: 7c 01 03 78 mr r1,r0
remapblock
# EXTRA_F1 is macro below to take a screenshot
EXTRA_F2 ESC
EXTRA_F3 app
LALT lgui # map both Alts to command keys
RALT rgui # map both Alts to command keys
LANG_4 lalt # center of dpad is option key
EUROPE_1 backslash # backslash left of enter/field exit
EUROPE_2 back_quote # extra backquote to right of shift button |