Uninformed: Informative Information for the Uninformed

Vol 1» 2005.May


Avoiding NULLs

One of the most common problems encountered with shellcode development in general and RISC processors in particular is avoiding NULL bytes in the assembled code. On the IA32 platform, NULL bytes are fairly easy to dodge, mostly due to the variable-length instruction set and multiple opcodes available for a given task. Fixed-width opcode architectures, like PowerPC, have fixed field sizes and often pad those fields with all zero bits. Instructions that have a set of undefined bits often set these bits to zero as well. The result is that many of the available opcodes are impossible to use with NULL-free shellcode without modification.
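To make the fixed-field point concrete, the following Python script (added here as an illustration; it is not code from the original article) builds a few PowerPC instruction words from their documented field layout and reports which of the four big-endian bytes are zero. The D-form and X-form field positions are those of the PowerPC architecture; the `sc` and `blr` words are their fixed architectural encodings; the listing itself is constructed for this example.

```python
import struct

def d_form(opcd, rt, ra, imm):
    """Encode a PowerPC D-form word: OPCD(6) | RT(5) | RA(5) | SI(16).
    The 16-bit immediate occupies the low two bytes, so a small or zero
    immediate yields NULL bytes regardless of the registers chosen."""
    return (opcd << 26) | (rt << 21) | (ra << 16) | (imm & 0xFFFF)

def x_form(rs, ra, rb, xo, rc=0):
    """Encode a PowerPC X-form word (primary opcode 31):
    31(6) | RS(5) | RA(5) | RB(5) | XO(10) | Rc(1).
    Register numbers and the extended opcode are spread across all four
    bytes, which is why register-to-register forms often contain no 0x00."""
    return (31 << 26) | (rs << 21) | (ra << 16) | (rb << 11) | (xo << 1) | rc

def null_byte_positions(word):
    """0-based offsets of the 0x00 bytes in a 32-bit big-endian word."""
    return [i for i, b in enumerate(struct.pack(">I", word)) if b == 0]

# Constructed listing: mnemonic and its 32-bit encoding.
LISTING = [
    ("li r3,0",      d_form(14, 3, 0, 0)),    # addi r3,r0,0 -> 0x38600000
    ("addi r3,r3,1", d_form(14, 3, 3, 1)),    # 0x38630001
    ("xor r3,r3,r3", x_form(3, 3, 3, 316)),   # 0x7C631A78
    ("mr r3,r4",     x_form(4, 3, 4, 444)),   # or r3,r4,r4 -> 0x7C832378
    ("sc",           0x44000002),             # system call, fixed encoding
    ("blr",          0x4E800020),             # branch to link register
]

def audit(listing):
    """Return (mnemonic, word, zero-byte offsets) for every instruction."""
    return [(mnem, word, null_byte_positions(word)) for mnem, word in listing]

def count_with_nulls(listing):
    """How many words in the listing contain at least one 0x00 byte."""
    return sum(1 for _, _, pos in audit(listing) if pos)

if __name__ == "__main__":
    for mnem, word, pos in audit(LISTING):
        flag = "NULL at " + ",".join(map(str, pos)) if pos else "clean"
        print(f"{mnem:14s} {word:08x}  {flag}")
    print(f"{count_with_nulls(LISTING)} of {len(LISTING)} words contain NULL bytes")
```

Running the script shows the pattern the paragraph describes: every D-form word with a small immediate carries zeros in its low bytes, the fixed `sc` and `blr` encodings carry zeros in their padded fields, and only the X-form register-to-register words come out clean.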

On many platforms, self-modifying code can be used to work around NULL byte restrictions. This technique is not useful for single-instruction patching on PowerPC, since the instruction pre-fetch and instruction cache can result in the non-modified instruction being executed instead.