
On 32-bit x86 the RET instructions are 0xC3 and 0xCB. Any other instruction containing these bytes can be subverted into a return if you can make the processor read the preceding instructions from the wrong starting point.


Sure; the authors in the Roemer paper found a couple of those. The best place to get a sense of how this works is the "Gadget Catalog" section of that paper.


Don't forget the variants with a stack-adjusting immediate, 0xC2 and 0xCA. Those can also come in handy.
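As an added example (not code from the thread or from the Roemer paper), here is a small scanner for the four RET-family opcodes the comments above mention: 0xC3/0xC2 near returns and 0xCB/0xCA far returns, the latter two carrying a 16-bit stack-adjustment immediate. The byte sequence it scans is constructed for the example from standard 32-bit x86 encodings (the comment in the code lists them), and the `code_starts` table of intended instruction boundaries is likewise assumed, so the scanner can report which hits sit inside another instruction's immediate. Far returns are flagged separately because RETF also pops a CS selector, which a ROP chain has to supply. Walking backwards from each hit to see what the preceding bytes decode to is left to a disassembler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One RET-family opcode found in the byte stream. */
typedef struct {
    size_t offset;     /* byte offset of the opcode */
    uint8_t opcode;    /* 0xC3, 0xC2, 0xCB or 0xCA */
    int far;           /* 1 for RETF (0xCB/0xCA): also pops CS */
    unsigned imm16;    /* stack adjustment for 0xC2/0xCA, 0 for 0xC3/0xCB */
    int aligned;       /* 1 if the assembler intended an instruction here */
} ret_gadget;

/* Constructed 32-bit x86 bytes (example input, not taken from any binary):
 *  off  0: 55               push ebp
 *  off  1: 89 E5            mov ebp, esp
 *  off  3: B8 C3 00 00 00   mov eax, 0xC3     -> 0xC3 hidden at off 4
 *  off  8: 05 C2 C2 00 00   add eax, 0xC2C2   -> 0xC2 hidden at off 9 and 10
 *  off 13: BA CB 00 00 00   mov edx, 0xCB     -> 0xCB hidden at off 14
 *  off 18: 5D               pop ebp
 *  off 19: C2 08 00         ret 8             -> intended, on a boundary
 *  off 22: 90               nop
 *  off 23: C3               ret               -> intended, on a boundary */
static const uint8_t code[] = {
    0x55, 0x89, 0xE5, 0xB8, 0xC3, 0x00, 0x00, 0x00,
    0x05, 0xC2, 0xC2, 0x00, 0x00, 0xBA, 0xCB, 0x00, 0x00, 0x00,
    0x5D, 0xC2, 0x08, 0x00, 0x90, 0xC3
};
/* Intended instruction boundaries of the buffer above (assumed, from the listing). */
static const size_t code_starts[] = { 0, 1, 3, 8, 13, 18, 19, 22, 23 };

static int is_start(size_t off, const size_t *starts, size_t nstarts)
{
    for (size_t i = 0; i < nstarts; i++)
        if (starts[i] == off) return 1;
    return 0;
}

/* Scan buf for 0xC3/0xC2/0xCB/0xCA. A RET decodes the same no matter where the
 * intended boundaries are, so every hit is a candidate gadget end; starts[]
 * only serves to label which hits are unaligned. Returns the number of hits. */
size_t find_ret_gadgets(const uint8_t *buf, size_t len,
                        const size_t *starts, size_t nstarts,
                        ret_gadget *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_out; i++) {
        uint8_t b = buf[i];
        if (b != 0xC3 && b != 0xC2 && b != 0xCB && b != 0xCA)
            continue;
        ret_gadget g = { i, b, (b == 0xCB || b == 0xCA), 0,
                         is_start(i, starts, nstarts) };
        if (b == 0xC2 || b == 0xCA) {
            /* RET imm16 needs two more bytes; a truncated one is not usable */
            if (i + 2 >= len) continue;
            g.imm16 = buf[i + 1] | (unsigned)buf[i + 2] << 8;
        }
        out[n++] = g;
    }
    return n;
}

/* How many of the hits live inside some other instruction's encoding. */
size_t count_unaligned(const ret_gadget *g, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += !g[i].aligned;
    return c;
}

int main(void)
{
    ret_gadget g[16];
    size_t n = find_ret_gadgets(code, sizeof code, code_starts,
                                sizeof code_starts / sizeof code_starts[0],
                                g, 16);
    for (size_t i = 0; i < n; i++)
        printf("off %2zu: %s%s imm16=%u %s\n", g[i].offset,
               g[i].far ? "retf" : "ret",
               (g[i].opcode == 0xC2 || g[i].opcode == 0xCA) ? " imm16" : "",
               g[i].imm16, g[i].aligned ? "(intended)" : "(unaligned)");
    printf("%zu hits, %zu unaligned\n", n, count_unaligned(g, n));
    return 0;
}
```

On the constructed buffer the scanner reports six hits, four of them unaligned: the 0xC3 inside `mov eax, 0xC3`, two 0xC2 bytes inside `add eax, 0xC2C2` (one of which decodes as `ret 0xC2`, the other as `ret 0`), and the 0xCB inside `mov edx, 0xCB`, plus the two intended returns.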



