View Full Version : How to crash app in C++


idq000
07-31-2005, 11:07 PM
I was wondering how to crash an application in C++, nice and clean.
An example code with some explanation would be very helpful.

0x517A5D
08-01-2005, 12:09 AM
Originally posted by idq000@Jul 31 2005, 08:07 PM
I was wondering how to crash an application in C++, nice and clean.
An example code with some explanation would be very helpful.


More details of what you're trying to accomplish would be helpful.
What kind of crash do you want? Why is it important that it's C++?

You can always do something like this (C code but C++ compatible):


int main(void) { // x86-specific
    ((void(*)())("\x0F\x0B"))();
}


0F 0B is, of course, UD1 (http://www.sandpile.org/ia32/opc_2.htm).

517A5D out.

idq000
08-01-2005, 10:24 AM
See...I was coding a crackme in C++ and I was thinking...If I had detected a debugger...how would I get rid of it? Then it popped in my mind to either crash the program by either overwriting the rest of the program and then continue running (causing a crash), write to an address reserved by the OS or another program, or something I haven't thought of. Maybe a few suggestions would be nice...


Thanks.

0x517A5D
08-01-2005, 01:59 PM
Originally posted by idq000@Aug 1 2005, 07:24 AM
See...I was coding a crackme in C++ and I was thinking...If I had detected a debugger...how would I get rid of it? Then it popped in my mind to either crash the program by either overwriting the rest of the program and then continue running (causing a crash), write to an address reserved by the OS or another program, or something I haven't thought of. Maybe a few suggestions would be nice...


Overwriting the program code is a bit tricky, as you need to fiddle with memory protections. Search on VirtualProtect. Alternately you can use an EXE editor to change the flags of your program's code segment to allow writing.

Overwriting another program or OS memory is even trickier.


Here's some quick crashes.

Invalid instruction:
__asm { __emit 0Fh; __emit 0Bh; }

Dereference a NULL or otherwise invalid pointer:
char *p = NULL;
*p = 'a';

Divide by zero:
int a = 1, b = 0;
a = a / b;

Jump to random address:
__asm { rdtsc; jmp eax; }
or __asm { __emit 0Fh; __emit 31h; __emit 0FFh; __emit 0E0h; }

Access invalid interrupt:
__asm { int 0FFh; }
or __asm { __emit 0CDh; __emit 0FFh; }


517A5D out.

idq000
08-02-2005, 11:07 AM
Thank you 0x517A5D. Your efforts are appreciated! :)

rwid
03-21-2006, 01:00 AM
((void(*)())("\x0F\x0B"))();



just curious ... i've never seen that method of embedding bytes directly in C code before... can you describe why this syntax works in C ??

0x517A5D
03-27-2006, 03:55 AM
Erk. You should have asked me at the time, while it was fresh in my mind.

Basically it's casting a string pointer into a code pointer, then invoking it.

((void(*)())("\x0F\x0B"))();

Work from inside to outside. Start with the string.

("\x0F\x0B")

A standard 3-byte C string. Remember that a C string is, depending on context, some characters terminated by a null character, or a pointer to those characters. The compiler sorts out what's needed.

That string is preceded by a cast:

(...)("\x0F\x0B")

Which makes the compiler treat the string as some other data type. If it were

(int)("\x0F\x0B")

It would treat the string as an integer. But it is

(void(*)())("\x0F\x0B")

So it's treating the string as... what? What is void(*)() ?

Well, what is (*)? It's a pointer. What kind of pointer? We don't have a normal type qualifier, do we? Actually we do, it's the empty pair of parentheses (). That tells the compiler that we're dealing with a pointer to a function.

So we have a pointer to a function which takes an unspecified number of unspecified arguments, and doesn't return anything.

The unspecified arguments come from the empty (), which is old K&R syntax. In ANSI/ISO C, you can't do this, but compilers still support the old syntax. In ANSI C you could write

void(*)(void)

which is a pointer to a function which takes no parameters and returns nothing. You could also write

double(*)(int, unsigned char)

which is a pointer to a function which takes an int and a byte, and returns a floating point number.

So we have

(void(*)())

which casts some data into a function pointer. The data happens to be the string. The trailing () then invokes it.

( (void(*)()) ("\x0F\x0B") ) ();

Note that if we had used that other cast, we would have needed parameters inside the trailing ().

The string then happens to contain something that will cause a little hiccup (invalid opcode exception) on x86 processors.

(Note that on DEP-capable processors and operating systems, this code might cause a general protection fault for an entirely different reason, as the OS traps the attempt to execute code out of a data segment.)

Fun, huh?

So how does this one work?

main(){((int(*)())05417)();}

0x517A5D

rwid
03-27-2006, 06:46 AM
thanks 0x517A5D, that's what i needed, a nice simple breakdown of the statement, showing its constituents.


So how does this one work?

main(){((int(*)())05417)();}



mmm I'm guessing it creates a function main() that contains the same 0x0F 0x0B opcode sequence as above, right?

(except this function is expected to return an int... that's a lot to ask of that one instruction haha)


int main(void)
{
    ( ( int(*)(void) ) 0xB0F )();
}




or is it that the 0xB0F is cast as the pointer to the function and therefore a call to address 0x00000B0F is made? trick question?

dila
04-11-2006, 08:56 AM
Originally posted by idq000@Aug 1 2005, 04:07 AM
I was wondering how to crash an application in C++, nice and clean.
An example code with some explanation would be very helpful.


maybe int 0x2e or RtlRaiseException()

other indirect ways, infinite loop?
void func(void){ func(); }

my personal fav would be to start writing random jmps into the code section, so the program keeps jumping randomly around. hehe.

just some silly thoughts :)

dila
04-11-2006, 12:23 PM
hmm is int 0x2e breakpoint?
int 0x03 maybe?
oh i don't even know :/