Why does the following assembly sequence signal SIGILL?

These are all valid instructions up until 0x7fffffffdbe4, at which point the program has already called the exit syscall.

(gdb) x/20i $rip
    => 0x7fffffffdbb0:  movabs rax,0x2168732f6e69622f
       0x7fffffffdbba:  push   rax
       0x7fffffffdbbb:  lea    rdi,[rsp]
       0x7fffffffdbbf:  xor    rax,rax
       0x7fffffffdbc2:  mov    BYTE PTR [rdi+0x7],al
       0x7fffffffdbc5:  mov    QWORD PTR [rdi+0x8],rdi
       0x7fffffffdbc9:  mov    BYTE PTR [rdi+0x10],al
       0x7fffffffdbcc:  mov    rsi,QWORD PTR [rdi+0x8]
       0x7fffffffdbd0:  push   rax
       0x7fffffffdbd1:  push   rdi
       0x7fffffffdbd2:  mov    rsi,rsp
       0x7fffffffdbd5:  add    rax,0x3b
       0x7fffffffdbd9:  syscall 
       0x7fffffffdbdb:  add    rax,0x1
       0x7fffffffdbdf:  xor    rdi,rdi
       0x7fffffffdbe2:  syscall 
       0x7fffffffdbe4:  and    DWORD PTR [rcx],esp
       0x7fffffffdbe6:  and    DWORD PTR [rcx],esp
       0x7fffffffdbe8:  mov    al,0xdb
       0x7fffffffdbea:  (bad)  

Unexpected behavior is seen after the 0x7fffffffdbb1 instruction is called, and that is beyond me to understand.

(gdb) nexti
0x00007fffffffdbba in ?? ()
(gdb) nexti
Warning:
Cannot insert breakpoint 0.
Cannot access memory at address 0x2168732f6e69622f

0x00007fffffffdbbb in ?? ()
(gdb) i r rsp
rsp            0x7fffffffdbe8   0x7fffffffdbe8
(gdb) i r rip
rip            0x7fffffffdbbb   0x7fffffffdbbb
(gdb) nexti
0x00007fffffffdbbf in ?? ()
(gdb) nexti
0x00007fffffffdbc2 in ?? ()
(gdb) nexti
0x00007fffffffdbc5 in ?? ()
(gdb) nexti
0x00007fffffffdbc9 in ?? ()
(gdb) nexti
0x00007fffffffdbcc in ?? ()
(gdb) nexti
0x00007fffffffdbd0 in ?? ()
(gdb) nexti
Warning:
Cannot insert breakpoint 0.
Cannot access memory at address 0x0

0x00007fffffffdbd1 in ?? ()
(gdb) nexti

Program received signal SIGILL, Illegal instruction.
0x00007fffffffdbd9 in ?? ()
(gdb) 

I am posting output starting at 0x7fffffffdbba, given that gdb cannot seem to set a breakpoint at an address (the value pushed onto the stack) and then at address 0.

AkaLee asked Oct 25 '25 04:10



1 Answer

As some people mentioned, you are smashing the code with the stack and your mov to [rdi]. However, the mov happens to rsp - 8, so it should be fine in regard to address 0x7fffffffdbd0.

I think that the problem occurs because of that. You should look at the program (x/20i $rip) after each push and mov [rdi+x], ? to see what it becomes. It may be valid code... it may not, and SIGILL as a result.

=> 0x7fffffffdbb0:  movabs rax,0x2168732f6e69622f
   0x7fffffffdbba:  push   rax
   0x7fffffffdbbb:  lea    rdi,[rsp]
   0x7fffffffdbbf:  xor    rax,rax
   0x7fffffffdbc2:  mov    BYTE PTR [rdi+0x7],al
   0x7fffffffdbc5:  mov    QWORD PTR [rdi+0x8],rdi
   0x7fffffffdbc9:  mov    BYTE PTR [rdi+0x10],al
   0x7fffffffdbcc:  mov    rsi,QWORD PTR [rdi+0x8]
   0x7fffffffdbd0:  push   rax                    <-- after "push rdi" (0x7fffffffdbd0)
   0x7fffffffdbd1:  push   rdi
   0x7fffffffdbd2:  mov    rsi,rsp
   0x7fffffffdbd5:  add    rax,0x3b
   0x7fffffffdbd9:  syscall                       <-- after 2nd "push rax" (0x7fffffffdbd8)
   0x7fffffffdbdb:  add    rax,0x1
   0x7fffffffdbdf:  xor    rdi,rdi
   0x7fffffffdbe2:  syscall                       <-- after 1st "push rax" (0x7fffffffdbe0)
   0x7fffffffdbe4:  and    DWORD PTR [rcx],esp
   0x7fffffffdbe6:  and    DWORD PTR [rcx],esp    <-- mov [rdi+7] (0x7fffffffdbe7)
   0x7fffffffdbe8:  mov    al,0xdb                <-- stack starts here
   0x7fffffffdbea:  (bad)  
Alexis Wilke answered Oct 26 '25 19:10

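The overlap the answer describes, worked through as an added example that is not part of the question or the answer: it replays the listing's pushes and [rdi+x] stores against the code's own address range, taking rsp = 0x7fffffffdbe8 from the register dump in the question (the value right after the first push rax), and reports which instruction is the first to run after its bytes have been overwritten and what those bytes became.

```python
# Added example, not from the question or answer. Addresses/lengths are the x/20i
# listing; rsp = 0x7fffffffdbe8 is what gdb printed right after the first push rax.
CODE = [  # (address, length, mnemonic)
    (0x7fffffffdbb0, 10, "movabs rax,0x2168732f6e69622f"),
    (0x7fffffffdbba, 1, "push rax"),
    (0x7fffffffdbbb, 4, "lea rdi,[rsp]"),
    (0x7fffffffdbbf, 3, "xor rax,rax"),
    (0x7fffffffdbc2, 3, "mov BYTE PTR [rdi+0x7],al"),
    (0x7fffffffdbc5, 4, "mov QWORD PTR [rdi+0x8],rdi"),
    (0x7fffffffdbc9, 3, "mov BYTE PTR [rdi+0x10],al"),
    (0x7fffffffdbcc, 4, "mov rsi,QWORD PTR [rdi+0x8]"),
    (0x7fffffffdbd0, 1, "push rax"),
    (0x7fffffffdbd1, 1, "push rdi"),
    (0x7fffffffdbd2, 3, "mov rsi,rsp"),
    (0x7fffffffdbd5, 4, "add rax,0x3b"),
    (0x7fffffffdbd9, 2, "syscall"),
    (0x7fffffffdbdb, 4, "add rax,0x1"),
    (0x7fffffffdbdf, 3, "xor rdi,rdi"),
    (0x7fffffffdbe2, 2, "syscall"),
]
RSP_AFTER_FIRST_PUSH = 0x7fffffffdbe8
RDI = RSP_AFTER_FIRST_PUSH  # lea rdi,[rsp] copies the post-push rsp

def memory_writes():
    """Every store in program order: (writing instruction, start address, bytes)."""
    rsp = RSP_AFTER_FIRST_PUSH
    writes = [(0x7fffffffdbba, rsp, (0x2168732f6e69622f).to_bytes(8, "little")),
              (0x7fffffffdbc2, RDI + 0x7, b"\x00"),   # al == 0 after xor rax,rax
              (0x7fffffffdbc5, RDI + 0x8, RDI.to_bytes(8, "little")),
              (0x7fffffffdbc9, RDI + 0x10, b"\x00")]
    for insn, value in ((0x7fffffffdbd0, 0), (0x7fffffffdbd1, RDI)):  # push rax, push rdi
        rsp -= 8
        writes.append((insn, rsp, value.to_bytes(8, "little")))
    return writes

def first_clobbered_instruction_executed():
    """First listed instruction whose bytes an earlier store overwrote before it ran."""
    mem, by_insn = {}, {w[0]: w for w in memory_writes()}
    for addr, n, _ in CODE:
        if any(a in mem for a in range(addr, addr + n)):
            return addr
        if addr in by_insn:              # apply this instruction's own store
            _, start, data = by_insn[addr]
            mem.update({start + i: b for i, b in enumerate(data)})

def bytes_at(addr, n):
    """Bytes the stores leave at addr (None where the page shows no value)."""
    mem = {s + i: b for _, s, d in memory_writes() for i, b in enumerate(d)}
    return [mem.get(addr + i) for i in range(n)]
```

With that rsp, push rdi lands on 0x7fffffffdbd8..0x7fffffffdbdf, so the add's immediate becomes 0xe8 (still a decodable add) and the two bytes at 0x7fffffffdbd9 become db ff, which is not a valid opcode; that is the address where gdb reports SIGILL.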