Last active
May 19, 2017 00:28
-
-
Save hugsy/9775813 to your computer and use it in GitHub Desktop.
simple trick to disable rand() on x64
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * enferex trick to disable rand() on x64 | |
| * @_hugsy_ | |
| */ | |
| #include <stdlib.h> | |
| #include <time.h> | |
| #include <dlfcn.h> | |
| #include <stdio.h> | |
| #include <string.h> | |
| unsigned long get_rdi(void){ | |
| unsigned long x; | |
| __asm__( | |
| "mov %%rdi, %0" | |
| : "=r"(x) | |
| ); | |
| return x; | |
| } | |
| void rand_many_times(void) | |
| { | |
| int i; | |
| for (i=0; i<3; i++) { | |
| printf("Calling rand(): ret = %#x\n", rand()); | |
| } | |
| return; | |
| } | |
| int main(int argc, char** argv, char** envp) | |
| { | |
| void *p; | |
| unsigned long *unsafe_state; | |
| unsigned long randtbl; | |
| srand(time(NULL)); | |
| unsafe_state = (unsigned long *)get_rdi(); | |
| randtbl = (*unsafe_state)-0x10; | |
| printf("unsafe_state @%#lx\n", (unsigned long)unsafe_state); | |
| printf("randtbl @%#lx\n", randtbl); | |
| printf("Before wipe\n"); | |
| rand_many_times(); | |
| printf("Erasing randtbl\n"); | |
| memset((void*)randtbl, 0, 0x80); | |
| printf("After wipe\n"); | |
| rand_many_times(); // rand() will always return 0 | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment