Testing F00F

Richard B. Johnson (root@chaos.analogic.com)
Thu, 13 Nov 1997 18:33:16 -0500 (EST)


I have a test program that tries to find bad opcode sequences. I
have included it in messages many times.

The pertinent part is:

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    unsigned char c[] = {0x00, 0x00, 0x00, 0x00, 0xc3}; /* 4 mutable bytes, then ret (0xC3) */
    unsigned long *punch;

    punch = (unsigned long *) c;              /* 32-bit view of c[0..3] on i386 */
    for (;;)
    {
        *punch += (unsigned long) rand();     /* perturb the opcode bytes */
        fprintf(stdout, "Trying %02X %02X %02X %02X %02X\n",
                c[0], c[1], c[2], c[3], c[4]);
    }
}

I have removed the fork() for brevity. After this executes many times
for about 30 minutes, each time forking a child that actually executes
the string, the contents of the string settle down into a fixed
pattern!

E1 96 1A D1 C3
XX XX XX XX C3
E1 96 1A D1 C3
XX XX XX XX C3
E1 96 1A D1 C3
XX XX XX XX C3
E1 96 1A D1 C3
XX XX XX XX C3
E1 96 1A D1 C3
XX XX XX XX C3

Note that even if the child wrote to its copy of the parent's data, it
should not have touched the parent's data regardless of what bad things
it does.

The code created by E1 96 1A D1 C3 is:

lll.o: file format elf32-i386

Disassembly of section .text:
Disassembly of section .data:

00000000 <main>:
0: e1 96 loope ffffff98 <gcc2_compiled.+ffffff98>
2: 1a d1 sbbb %cl,%dl
4: c3 ret

This would likely produce a "forever" loop because of the modification
of the ECX register, therefore it is probably stopped by the timer
signal in the real code.

Nevertheless there is nothing that should have touched the parent's
data since no memory is modified.

If I just execute this program snippet, it will execute "forever" with
byte sequences that still look random.

Cheers,
Dick Johnson

Richard B. Johnson
Project Engineer
Analogic Corporation
Penguin : Linux version 2.1.63 on an i586 machine (66.15 BogoMips).
Warning : It's hard to remain at the trailing edge of technology.
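The isolation property the post relies on, that a forked child cannot reach the parent's copy of c[] whatever it does to its own, can be checked directly. The following harness is an added example written for this page, not the program from the post: it keeps the post's 5-byte layout (four mutable bytes and a 0xC3 terminator), applies the same rand()-based mutation through a 32-bit view so the 0xC3 byte is never overrun even on 64-bit ABIs, and forks a child that overwrites its copy of the buffer and then stalls until a timer signal ends it, the way the post's "forever" loop is stopped. The child deliberately does not execute the buffer; it only writes to it, which is enough to demonstrate the copy-on-write isolation the post takes for granted. The function names, the 0xAA fill value and the one-second timeout are assumptions of this example.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Same layout as the post's buffer: four bytes the parent keeps mutating,
   then a fixed 0xC3 (ret). Constructed for this example. */
static unsigned char c[5] = {0x00, 0x00, 0x00, 0x00, 0xc3};

/* The post's "*punch += rand()" done through a 32-bit view, so the write is
   always 4 bytes wide (unsigned long is 8 bytes on x86-64 and would clobber
   the 0xC3 terminator). Returns the new 32-bit value of c[0..3]. */
uint32_t mutate_pattern(void)
{
    uint32_t v;
    memcpy(&v, c, sizeof v);
    v += (uint32_t) rand();
    memcpy(c, &v, sizeof v);
    return v;
}

/* Invariant the post's output shows: the last byte stays C3. */
int terminator_intact(void)
{
    return c[4] == 0xc3;
}

/* Fork a child that overwrites its copy of c and then blocks until SIGALRM
   terminates it after timeout_sec seconds. The parent reaps the child and
   compares its own copy of c with a snapshot taken before the fork.
   Returns 1 if the parent's bytes are untouched, 0 if they changed, and
   -1 if fork() or waitpid() failed. *term_sig receives the signal that
   ended the child, or 0 if it exited normally. */
int run_isolated_child(unsigned timeout_sec, int *term_sig)
{
    unsigned char before[sizeof c];
    memcpy(before, c, sizeof c);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        signal(SIGALRM, SIG_DFL);    /* make sure the timer really kills us */
        alarm(timeout_sec);
        memset(c, 0xAA, sizeof c);   /* scribble over the child's COW copy */
        pause();                     /* stand-in for a child stuck in a loop */
        _exit(0);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    *term_sig = WIFSIGNALED(status) ? WTERMSIG(status) : 0;
    return memcmp(before, c, sizeof c) == 0;
}

int main(void)
{
    int sig = 0;
    for (int i = 0; i < 3; i++) {
        mutate_pattern();
        int ok = run_isolated_child(1, &sig);
        printf("Trying %02X %02X %02X %02X %02X  child ended by signal %d, parent copy %s\n",
               c[0], c[1], c[2], c[3], c[4], sig,
               ok == 1 ? "intact" : "CHANGED");
    }
    return 0;
}
```

Each iteration should report the child ending on signal 14 (SIGALRM) with the parent's copy intact and the fifth byte still C3. If the parent's copy ever reads as CHANGED, the harness itself (not the child's actions) is sharing the buffer somewhere, for example through mmap'd or shared memory rather than ordinary process data, and that is the first thing to look for before suspecting the CPU.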