I'm not an asm programmer, but there is a very good description of this problem in  the book Sockets, Shellcode, Porting and Coding by James C. Foster. Not much help if you don't have the book I know, but it's a good resource for learning to write shellcode.

Jimbob

Hi Nubie - I'm also new at writing shellcode, but it is my understanding that you should look at the actual opcodes to determine where the null byte is coming from.

Use objdump -d on the compiled file and identify which commands have null bytes - for example:

80483a5:       b8 11 00 00 00          mov    $0x11,%eax

Has three null bytes, but you can fix this by changing to use the low 8 bit register:
mov $0x11, %al

Which will remove the null bytes from the shellcode but still perform the same function.

Does this assist at all?

Hi all,

Thanks a lot for all your replies and sorry just post this reply now, cause
i had a problem internet connection( in my country it's so difficult to find a good and cheap provider). And about code above that i' had compiled theoritically
i had understand that but why/or it is true when i compiled same code in different pc with different operating systems the results i've compiled had different cause i had use suse and cygwin for compiled that code to assembly code and the result seem different although if i read carefully the null byte is different .
And i still try to rid that null in different OS like that cause i want to full understanding about this matter . Thank's a lot again for your kind help
and sorry for this post 

Thank you NickFnord for your support and your help  ,
and i'm really like/glad if you want to help me.

regards,
nubie 

Hi again,

I was going to try to type out an excerpt from the shellcoder's handbook, but it is multiple pages long.  This was a Good Thing because it forced me to understand it prior to posting here :-)  I havn't done so previously because I'm focusing on the reversing course that I'm doing at the moment.

Anyway, In summary:

We want to spawn a shell by calling


So first we write what we want to do in c (this is code from the book): 


Next we disassemble it and take a look at the execve call (this is cut down to show the parameters and the call itself, but it's good to look at the entire function):

As you can see, int 80 performs the syscall which is stored in eax (execve is 0xb)  and takes three arguments, passed in via the registers ebx, ecx and edx (fastcall convention). 

The problem with simply taking the disassembly and removing null bytes is that there are a lot of hard-coded addresses in there - which, as you've found, are difficult to deal with.

So we need a way to make it so we can reference everything via relative addressing.

The simplest way to do this is to have our shellcode execute in it's own stack frame that we can control.  The idea is that we start the shellcode off with a call and then go from there.

Here's the assembly code from the book (sorry for the intel syntax):


When the call instruction is executed, the instruction immediately following is placed on the stack.  We've included some padding in the db (define byte) instruction in order to make room for the extra parameters in our call to execve.

Next we pop esi to get the address of our '/bin/shABBBBCCCC' string into the ESI register - now we can reference this as offsets from ESI.

sets eax to null.


places a null over the 7th byte in our string the "A"


places our string into ebx


moves our string into the address at esi+8.  our string now should look like: '/bin/sh./bin/shCCCC'  with the "." representing a null

This moves null (eax was xor'd previously) into the last part of our string

Now we set up ready for the interrupt 80:


At this point - EAX will contain 00 00 00 0b
EBX will contain a pointer to the string '/bin/sh'
Ecx will also contain a pointer to the string '/bin/sh'
And edx will contain a pointer to a null

Then we execute the interrupt.


So you merely have to compile that assembly and extract the opcodes.

hope that helps -

I'm by no means an expert, just learning, like yourself so I may be very wrong, (please someone stop me if I am!) but I'm almost certain that for the most part when writing shellcode yourself you're not going to be  able to simply manipulate the existing assembly to remove the nulls, you're going to have to analyse the code that you're wanting to execute and break it down into its essential components and then re-write as efficiently as you can.

Even when you do a simple exit as below:


you're still going to have to figure out what is being loaded into ebx (0 apparently).
 
and determine whether you need both int 80's. (one is exit_group() and one is exit())
 
The resulting assembly would be

   
which doesn't really bear a lot of resemblence to the original disassembly   
 

nubie, have u tried that asm code NickFnord posted on reply #9? been trying to run it but it keeps segfaulting on me. NickFnord, any thoughts? m running ubuntu 8.10, also tried on debian 4 and fedora 10 but i got the same result, if that matters.