I’m reading a book to learn hacking (it’s called “The art of exploitation” by Jon Erickson) and it starts by writing a C program that prints the “Hello World!” string 10 times, and then analyzing its assembly (Intel syntax). In the book the instruction pointer is called “eip”, while on my laptop it’s called “rip”. The same goes for many of the other registers (like “ebp -> rbp” and so on). Is there any difference?
- eip is 32-bit, rip is 64-bit – Dee Sep 26 '22 at 07:12
- Btw such books are usually very bad. – Michael Chourdakis Sep 26 '22 at 07:18
- @MichaelChourdakis why? I read a lot of good reviews about it, and it doesn’t seem so bad. Of course I don’t expect a university book, but I think it’s a good book to start with. – Riccardo Zampieri Sep 26 '22 at 07:28
- @MargaretBloom Ok, there was a misunderstanding. The book doesn’t talk only about the techniques to create exploits (there’s also a part about that, but it’s not the main topic). It’s written at the start that the book won’t turn you into an expert in hacking, but it will give you the right dose of information to begin to understand this world. I read (and I agree) that this book gives you the ability to think like a hacker (and it makes a distinction between hacker and cracker), and doesn’t teach the techniques, or at least not the most complex ones. – Riccardo Zampieri Sep 26 '22 at 08:39
- @MargaretBloom: Actually, the book assumed a 32-bit architecture in 2003, which is when it was written. That was quite reasonable back then. Its most recent revised edition is from 2008, when 64-bit was more prominent, but still 32-bit systems were widely used. I'd put the blame on whoever *recommended* this book as a good resource in 2022. – Nate Eldredge Sep 26 '22 at 12:05
- @NateEldredge True, indeed – Margaret Bloom Sep 26 '22 at 17:15
1 Answer
The book is written for the 32-bit x86 architecture, which had 32-bit registers named eax, ebp, eip, etc. Your computer, like most present-day x86 machines, is using the 64-bit amd64 (aka x86-64) architecture, which is designed to be similar to 32-bit x86, but among many other differences has 64-bit registers named rax, rbp, rip, etc.
Although the architectures are similar at a conceptual level, exploitation relies on very specific details. Issues like differences in calling conventions are going to mean that most of this book will not be applicable to 64-bit systems, and is thus obsolete.
If you want, you can test the book's examples on programs compiled for 32-bit mode (gcc -m32).
Nate Eldredge
- Not just calling conventions, but the fact that user-space addresses have zero bytes in x86-64 but often don't in 32-bit x86 is another significant difference for what kinds of payloads you can inject via a buffer overflow. For 32-bit it's fairly straightforward to see how a ROP attack can work, injecting a series of return addresses mixed with data via a typical `strcpy` vulnerability, with the lowest-address one overwriting an actual return address that a RET will pop into EIP (if the program leaked a valid stack addr to defeat ASLR). – Peter Cordes Sep 27 '22 at 02:41
- Without being able to inject `00` bytes, IDK how that's possible for x86-64. (I haven't looked; there may be some workaround.) Of course a vulnerability with a function like `gets` that looks for a `\n` instead of a `00` would make it possible to inject 47-bit stack addresses like `0x00007fffffffe510`. (Or 56-bit with PML5 like presumably `0x00ffffffffe510`.) Anyway, the basic concept of a ROP attack still makes sense, and understanding its concept of gadgets is even useful for stuff like Spectre. Even the basic code-injection attack is probably relevant to understand for background. – Peter Cordes Sep 27 '22 at 02:47