0

I am trying to print the address 0x004007ad to the terminal for the purposes of a buffer overflow assignment. I have to do it in little endian because of my processor. However when I try print the address the \x00 is not being included. Below is the code for my python program: 

hex_string = "\xad\x07\x40\x00"
print "\x01" * 28 + hex_string

How can I print it so that the \x00 is included?

Keagansed
  • 183
  • 1
  • 1
  • 13

2 Answers2

1

escape all of your backslashes by putting another backslash in front of them...

hex_string = "\\xad\\x07\\x40\\x00"
print "\x01" * 28 + hex_string

that should do the trick!

enter image description here

EDIT: regarding your question...

import re
hex_string = "\\xad\\x07\\x40\\x00"
other_string = 28*"\\x01"
hex_string = re.sub("\\\\", "", hex_string)
other_string = re.sub("\\\\", "", other_string)
print(other_string + hex_string)

gives... enter image description here

Cut7er
  • 1,209
  • 9
  • 24
  • I need it to print the address, not the string value of the address. It should be returning to another function which is at address 0x004007ad but instead the \x00 is being ignored and the address is being shown as 0x004007b6 @Cut7er – Keagansed Sep 11 '18 at 14:56
  • That's the string value though. I need it to be an address, as in my original code – Keagansed Sep 11 '18 at 15:04
  • take a look at this question as well, where the problem of a backslash escaping is described very good! https://stackoverflow.com/questions/10585349/python-how-to-replace-backslash-with-re-sub – Cut7er Sep 11 '18 at 15:04
  • if it is in your adress, you need to replace one backslash with two and then do the `re.sub` of your whole adress before printing it! – Cut7er Sep 11 '18 at 15:05
  • I used the "\xad\x07\x40\\x00" but when I re.sub it it still doesn't pad the address with zeros. I goes to the address: 0x784007ad – Keagansed Sep 11 '18 at 15:11
  • ok, now look again, i adapted my code to your complete example! – Cut7er Sep 11 '18 at 15:21
  • That still prints a string. I need it to be an address with 00 in the front – Keagansed Sep 11 '18 at 15:22
  • if you convert it to a number, the `00` will be lost. that's why you need it to be a string! – Cut7er Sep 11 '18 at 15:23
  • When it gets used as a string it loses the address, as with one of my previous comments it goes to the address 0x784007ad because it is the string value and not the address – Keagansed Sep 11 '18 at 15:26
  • well then i'm kinda lost what the question is. you wanted the `\x00` to be printed as well. how is your adress really looking, so that we can fix your issue? – Cut7er Sep 11 '18 at 15:27
  • Because its for a buffer overflow I need the address to be 0x004007ad but in little endian, but it is being interpreted as 0x784007ad or whatever I use to try put in for the value of 00. Essentially what is happening is the 00 is not being added to the address in order for me to return to the address of another program's pointer in memory. – Keagansed Sep 11 '18 at 15:29
  • well, when I type `print("0x004007ad")` in my console, it just works. why you need it to be hex? – Cut7er Sep 11 '18 at 15:32
  • Because it is a memory address! If I print that simply as a string it goes to some weird memory location such as 0x30307830 because it is converting it to be a hex. It needs to return to another function's location in memory! – Keagansed Sep 11 '18 at 15:34
  • well, I'm not that proficient in CS so I cannot help you solve this problem! all the material for converting characters to hex and escaping backslashes is shown above – Cut7er Sep 11 '18 at 15:36
0

Not sure if I'm answering too late.

My understanding is you got a string buffer of raw address and you want to dump it in human convention to stdout.

Unfortunately python doesn't have very good handling of hex formatting. One way of doing it is to convert the raw value into proper Python int and formatting it using %x and manually prepend 0x at the front.

Sample code follows

import struct
hex_string = "\xad\x07\x40\x00"
v, = struct.unpack('<I', hex_string)
print ('0x' + '%08x' % v)
Shi B.
  • 5,653
  • 1
  • 12
  • 7