ROP Chains on Mac OS X x64
Who am I?

• Rahul Sasi
• Security Researcher @ iSIGHT Partners
• Member, Garage4Hackers
Garage 4 Hackers

Information security professionals from Fortune 500 companies, security research and consulting firms from all across the world.

• Security firms
• Consulting firms
• Research firms
• Law enforcement

http://www.Garage4Hackers.com
• x64 intro
• x64 instructions
• x64 debugging tools
• x64 reversing tools
• x64 programming
• x64 shellcode
• Mac / BSD system architecture
• What's new in Mac OS X 10.6
• Mac protection mechanisms
• Snow Leopard
• DEP
• ROP with dyld
• Examples
x64 supported processors: AMD (x86-64, also known as AMD64)

x64 intro

• Extension to 32-bit x86: x64 "long mode"
  • Can address up to 64 bits (16 EB) of virtual memory architecturally; implementations of this generation actually use 48-bit canonical virtual addresses
  • Can address up to 52 bits (4 PB) of physical memory
• 64-bit general purpose registers: RAX, RBX, ...
  • 8 new GP registers (R8-R15)
  • 8 new 128-bit XMM registers (XMM8-XMM15)
• New 64-bit instructions: cdqe, lodsq, stosq, etc.
• Ability to reference data relative to the instruction pointer (RIP-relative addressing)
Long mode

• 64-bit flat (linear) addressing
  • Segment base is always 0 except for FS and GS
  • Stack (SS), code (CS) and data (DS) are always in the same segment
• Default address size is 64 bits
• Default operand size is 32 bits
  • 64-bit operands (RAX, RBX, ...) are specified with a "REX prefix" in the opcode encoding
• 64-bit instruction pointer (RIP)
• 64-bit stack pointer (RSP)
x64 registers

• 32-bit registers extended to 64 bits
  • eax → rax
  • ebx → rbx
  • esp → rsp
• 8 additional 64-bit registers
  • r8, r9, r10, ... r15
• 8 additional 128-bit XMM (SSE) registers
  • xmm8, xmm9, ... xmm15
  • Used for vector and floating point arithmetic
x64 registers (register layout diagrams)
System V x64 ABI

• Used by Linux, BSD, Mac OS X and others
  • Totally different from the Microsoft x64 ABI
  • Also totally different from GCC's 32-bit x86 Linux ABI, which passes arguments on the stack
• Calling convention uses many registers:
  • 6 registers for integer/pointer arguments
  • 8 registers for float/double arguments
• Some registers are volatile (caller-saved) and can change across function calls; others must be preserved by the callee (callee-saved: rbx, rbp, r12-r15). This matters for ROP: a gadget or function that pops or restores those registers does not have to hand them back to you unchanged.
Example

• 6 registers for integer parameters
  • RDI, RSI, RDX, RCX, R8, R9
• 8 registers for float/double/vector parameters
  • XMM0-XMM7
• Return value comes back in RAX (integer/pointer) or XMM0 (float/double)

Examples!
  int func1(int a, float b, int c)
  rax = func1(rdi, xmm0, rsi)

Integer and SSE arguments are counted separately, so the third parameter c lands in RSI rather than RDX.
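The register assignment the slide shows for func1 is one instance of the System V classification rule. The following C code is an added example, not from the slides or from any of the cited sources, that carries the rule through for any list of scalar integer/pointer and float/double parameters, including the spill to the stack once the six integer or eight SSE registers are used up. The function and type names are this example's own; aggregates and x87 long double are deliberately out of scope.

```c
/* Added example: general System V x86-64 argument placement for scalars.
 * Each parameter is classified INTEGER (ints, pointers) or SSE (float,
 * double). The first six INTEGER arguments take rdi, rsi, rdx, rcx, r8, r9
 * and the first eight SSE arguments take xmm0-xmm7, counted independently.
 * Anything left over goes on the stack in declaration order, 8 bytes per
 * slot. Stack offsets below are relative to rsp just before the `call`
 * instruction; the callee sees them 8 bytes higher because `call` pushes
 * the return address. (A ROP chain that `ret`s into a function instead of
 * calling it has to leave that 8-byte slot itself.) */
#include <stdio.h>
#include <string.h>

enum arg_class { CLS_INTEGER, CLS_SSE };

#define MAX_INT_REGS 6
#define MAX_SSE_REGS 8

static const char *const int_regs[MAX_INT_REGS] = {
    "rdi", "rsi", "rdx", "rcx", "r8", "r9"
};
static const char *const sse_regs[MAX_SSE_REGS] = {
    "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7"
};

/* Fill out[i] with where argument i lives ("rdi", "xmm0", "[rsp+8]", ...).
 * Returns the number of 8-byte stack slots the call needs. */
int sysv_assign_args(const enum arg_class *classes, int nargs,
                     char out[][16])
{
    int next_int = 0, next_sse = 0, stack_slots = 0;

    for (int i = 0; i < nargs; i++) {
        if (classes[i] == CLS_INTEGER && next_int < MAX_INT_REGS) {
            strcpy(out[i], int_regs[next_int++]);
        } else if (classes[i] == CLS_SSE && next_sse < MAX_SSE_REGS) {
            strcpy(out[i], sse_regs[next_sse++]);
        } else {
            /* Register file for this class is exhausted: spill to stack. */
            snprintf(out[i], 16, "[rsp+%d]", 8 * stack_slots);
            stack_slots++;
        }
    }
    return stack_slots;
}

/* The slide's example: int func1(int a, float b, int c) */
int main(void)
{
    enum arg_class func1[] = { CLS_INTEGER, CLS_SSE, CLS_INTEGER };
    char where[3][16];

    sysv_assign_args(func1, 3, where);
    printf("int func1(int a, float b, int c): a=%s b=%s c=%s, ret=rax\n",
           where[0], where[1], where[2]);
    return 0;
}
```

For a ROP chain that ends in a call to a libc or dyld function, this table is the list of registers the chain has to stage with pop-gadgets before the final return into the function; arguments that fall into stack slots are simply the next qwords in the chain.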
The number of the syscall has to be passed in register rax; the syscall instruction then enters the kernel and the result comes back in rax (for Unix-class calls XNU sets the carry flag on error, with errno in rax).

• rdi - used to pass the 1st argument to functions and syscalls
• rsi - used to pass the 2nd argument
• rdx - used to pass the 3rd argument
• rcx - used to pass the 4th argument to functions; for a syscall the 4th argument goes in r10 instead, because the syscall instruction overwrites rcx with the return RIP (and r11 with RFLAGS)
• r8 - used to pass the 5th argument
• r9 - used to pass the 6th argument
x32: how it was done (diagram)
x64: how it is done (diagram)
How it rolls in x64 (diagram)
Hints to start with

• Look here for the Mac system call numbers:
  /usr/include/sys/syscall.h
• Mac OS X (XNU) splits the system call numbers into several different "classes".
• The upper order bits of the syscall number represent the class of the system call: the class sits in bits 24 and above (class << 24). For write and exit the class is SYSCALL_CLASS_UNIX = 2, hence the upper order bits are 2. Mach traps use SYSCALL_CLASS_MACH = 1, i.e. 0x1000000 + trap number.
• Thus every Unix system call number is (0x2000000 + Unix syscall #): write (4) becomes 0x2000004 and exit (1) becomes 0x2000001.
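The class-plus-number scheme above, written out as an added example that is not from the slides or from the cited sources. The shift and mask constants mirror XNU's osfmk/mach/i386/syscall_sw.h; the function names, the `mov eax, imm32` encoder and the NUL-free loader are this example's own. The code only builds byte sequences and never executes them, so it runs on any host, not just a Mac. It also shows the point the "null-free shellcode" source in the references is about: the obvious `mov eax, 0x2000004` carries NUL bytes, while `xor eax,eax; mov al,N; bts eax,25` loads the same value without any.

```c
/* Added example: XNU syscall number construction and NUL-free encoding. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* From XNU's osfmk/mach/i386/syscall_sw.h */
#define SYSCALL_CLASS_SHIFT   24
#define SYSCALL_CLASS_MASK    (0xFFu << SYSCALL_CLASS_SHIFT)
#define SYSCALL_NUMBER_MASK   (~SYSCALL_CLASS_MASK)
#define SYSCALL_CLASS_MACH    1u   /* Mach traps */
#define SYSCALL_CLASS_UNIX    2u   /* BSD syscalls from sys/syscall.h */

/* Per-class numbers for the two calls the slides use (sys/syscall.h). */
#define SYS_exit   1u
#define SYS_write  4u

/* Value to load into rax before `syscall`: (class << 24) | number. */
uint32_t mac_syscall_number(uint32_t cls, uint32_t num)
{
    return (cls << SYSCALL_CLASS_SHIFT) | (num & SYSCALL_NUMBER_MASK);
}

/* Reverse direction, for reading shellcode: `mov eax, 0x2000004` tells you
 * which table (Mach or BSD) to look the number up in. */
uint32_t mac_syscall_class(uint32_t raw)  { return raw >> SYSCALL_CLASS_SHIFT; }
uint32_t mac_syscall_unixno(uint32_t raw) { return raw & SYSCALL_NUMBER_MASK; }

/* Encode `mov eax, imm32` (opcode B8 followed by little-endian imm32).
 * For 0x2000004 this is B8 04 00 00 02: two NUL bytes, unusable wherever
 * the payload travels through a C string. Returns the encoded length. */
size_t encode_mov_eax_imm32(uint32_t imm, uint8_t *out)
{
    out[0] = 0xB8;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(imm >> (8 * i));
    return 5;
}

/* NUL-free way to load a UNIX-class syscall number (1..255) into rax:
 *   xor eax, eax    31 C0        ; rax = 0 (32-bit write zero-extends)
 *   mov al, num     B0 nn        ; rax = num
 *   bts eax, 25     0F BA E8 19  ; set bit 25 = 0x2000000 = class 2 << 24
 * Returns the encoded length, or 0 when num is outside what this trick
 * can express (0 would reintroduce a NUL, >255 does not fit in al). */
size_t encode_unix_syscall_nullfree(uint32_t num, uint8_t *out)
{
    if (num == 0 || num > 0xFF)
        return 0;
    const uint8_t code[] = { 0x31, 0xC0, 0xB0, (uint8_t)num,
                             0x0F, 0xBA, 0xE8, 0x19 };
    for (size_t i = 0; i < sizeof code; i++)
        out[i] = code[i];
    return sizeof code;
}

/* 1 if the buffer contains a NUL byte, 0 otherwise. */
int has_null_byte(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0)
            return 1;
    return 0;
}

static void dump(const char *label, const uint8_t *buf, size_t len)
{
    printf("%-28s", label);
    for (size_t i = 0; i < len; i++)
        printf("%02X ", buf[i]);
    printf(" nul=%d\n", has_null_byte(buf, len));
}

int main(void)
{
    uint8_t a[8], b[8];
    uint32_t w = mac_syscall_number(SYSCALL_CLASS_UNIX, SYS_write);

    printf("write = 0x%07X (class %u, unix #%u)\n", w,
           mac_syscall_class(w), mac_syscall_unixno(w));
    dump("mov eax, 0x2000004:", a, encode_mov_eax_imm32(w, a));
    dump("xor/mov al/bts (write):", b, encode_unix_syscall_nullfree(SYS_write, b));
    return 0;
}
```

The bts trick only covers the UNIX class; a Mach trap needs bit 24 set instead (`bts eax, 24`, immediate 0x18), and numbers above 255 need a different construction.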
Debugging | Reversing Tools

Quick Shellcode

Demo
Original Sources

• http://thexploit.com/tag/assembly/
• http://thexploit.com/secdev/51-byte-x86_64-os-x-null-free-shellcode/
• http://lolcathost.org/b/introx86.pdf
• http://gdtr.wordpress.com/2011/07/23/universal-rop-shellcode-for-os-x-x64/
• http://reverse.put.as/wp-content/uploads/2011/06/breaking_mac_osx.ppt