Uninformed: Informative Information for the Uninformed

Vol 1» 2005.May


Undefined Bits

To write interesting shellcode for Mac OS X, you need to use system calls. One of the first problems encountered with the PowerPC platform is that the system call instruction assembles to 0x44000002, which contains two NULL bytes. If we take a look at the IBM PowerPC reference for the 'sc' instruction, we see that the bit layout is as follows:

010001 00000 00000 0000 0000000 000 1 0
------ ----- ----- ---- ------- --- - -
  A      B     C     D     E     F  G H

These 32 bits are broken down into eight specific fields. The first field (A), which is 5 bits wide, must be set to the value 17. The bits that make up B, C, and D are all marked as undefined. Field E must be set to either 1 or 0. Fields F and H are undefined, and G must always be set to 1. We can set the undefined bits to anything we like in order to make the corresponding byte values NULL-free. The first step is to reorder these bits along byte boundaries and mark which ones we are able to change.

? = undefined
# = zero or one
[010001??] [????????] [????0000] [00#???1?]

The first byte of this instruction can be either 68, 69, 70, or 71 (DEFG). The second byte can be any character at all. The third byte can be either 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, or 240 (which includes '0', 'P', and 'p', among others). The fourth byte can be any of the following values: 2, 3, 6, 7, 10, 11, 14, 15, 18, 19, 22, 23, 26, 27, 30, 31, 34, 35, 38, 39, 42, 43, 46, 47, 50, 51, 54, 55, 58, 59, 62, 63. As you can see, it is possible to create thousands of different opcodes that are all treated by the processor as a system call. The same technique can be applied to almost any other instruction that has undefined bits.

;;
;; Patching the undefined bits in the 'sc' opcode
;;
main:
	li r0, 1         ; sys_exit
	li r3, 0         ; exit status
	.long 0x45585037 ; sc patched as "EXP7"
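As an added example (not part of the original article), the following Python code recognises any encoding of 'sc' by masking out the undefined bits, which is what a scanner or signature keyed only on the canonical 0x44000002 would miss, and it derives the per-byte value sets and the total number of legal encodings from the byte diagram above. The sample buffer is constructed for the demonstration.

```python
"""Recognise every PowerPC 'sc' encoding, canonical or patched, by masking undefined bits."""
import struct

# 'sc' layout from the diagram above (bit 0 = most significant bit):
#   A bits 0-5   primary opcode, must be 17 (010001)
#   E bits 20-26 must be 0 or 1
#   G bit 30     must be 1
# B, C, D, F and H are undefined and ignored by the processor.
OPCODE_MASK, OPCODE_SC = 0xFC000000, 0x44000000   # 17 << 26
LEV_MASK = 0x00000FE0                             # bits 20-26
G_BIT = 0x00000002                                # bit 30
CANONICAL_SC = 0x44000002

def is_sc(word: int) -> bool:
    """True if this 32-bit word executes as a system call, whatever the undefined bits hold."""
    return ((word & OPCODE_MASK) == OPCODE_SC
            and (word & LEV_MASK) in (0, 0x20)    # field E == 0 or E == 1
            and (word & G_BIT) == G_BIT)

def find_sc(code: bytes) -> list:
    """(offset, word) for every 4-byte-aligned 'sc' encoding in a big-endian code buffer."""
    hits = []
    for off in range(0, len(code) - 3, 4):
        (word,) = struct.unpack_from(">I", code, off)
        if is_sc(word):
            hits.append((off, word))
    return hits

# The same constraints regrouped per byte, as in [010001??] [????????] [????0000] [00#???1?]:
# (mask, required value); '?' and '#' positions have a 0 mask bit.
BYTE_CONSTRAINTS = [(0xFC, 0x44), (0x00, 0x00), (0x0F, 0x00), (0xC2, 0x02)]

def sc_byte_values(position: int, accept=lambda b: True) -> list:
    """All values byte `position` of an 'sc' encoding may take, optionally filtered by `accept`."""
    mask, value = BYTE_CONSTRAINTS[position]
    return [b for b in range(256) if (b & mask) == value and accept(b)]

def count_sc_encodings(accept=lambda b: True) -> int:
    """Number of distinct 'sc' encodings whose every byte satisfies `accept` (bytes are independent)."""
    total = 1
    for position in range(4):
        total *= len(sc_byte_values(position, accept))
    return total

if __name__ == "__main__":
    # Constructed sample: li r0,1 ; li r3,0 ; canonical sc ; sc patched as "EXP7"
    sample = bytes.fromhex("38000001" "38600000" "44000002" "45585037")
    print([(off, hex(w)) for off, w in find_sc(sample)])
    print(count_sc_encodings(), count_sc_encodings(lambda b: b != 0))
```

A scanner that matches only the four canonical bytes therefore misses all but one of the legal encodings; masking the undefined bits as `is_sc` does catches every one of them.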