One way to write position-independent shellcode (code that contains no hard-coded memory addresses) is the jmp-call-pop technique. It works because a call instruction pushes the address of the instruction that follows it onto the stack as the return address. In the skeleton below, the call shellcode instruction is immediately followed by the shell_string data, so once the call executes, the top of the stack (the location RSP points to) holds the address of shell_string. That address can then be popped off the stack into a register without the address ever being known at assembly time.
    global _start

    section .text
    _start:
        jmp get_address          ; 1. jump forward, past the code that needs the string address

    shellcode:
        xor rax, rax             ; 3. execution lands here after the call
        pop rdi                  ;    the return address pushed by call == address of shell_string

    get_address:
        call shellcode           ; 2. pushes the address of the next byte (shell_string), then jumps back
    shell_string: db "/bin//sh"  ; data placed directly after the call, so the pushed address points at it
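The following is an added example, not code from the original page: a small static resolver in C that decodes the skeleton's assembled bytes (constructed here by hand) the way a shellcode scanner or emulator would, following the jmp and the call by their relative displacements to locate the data the call pushes. It demonstrates why the stub needs no absolute address: everything resolves from offsets within the buffer. The struct and function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Offsets (relative to the buffer start) of a jmp-call-pop stub. */
struct jcp_layout {
    size_t jmp_at;   /* the short forward jmp */
    size_t code_at;  /* call target, where the pop lives */
    size_t call_at;  /* the backward call */
    size_t data_at;  /* byte after the call: the address the call pushes */
};

/* Look for: EB rel8 (forward) -> E8 rel32 (backward) landing between the two,
   with a "pop r64" (0x58..0x5F) in that window. Returns 1 and fills *out on
   the first match, 0 if the pattern is absent. Pure byte decoding, nothing runs. */
int find_jmp_call_pop(const uint8_t *buf, size_t len, struct jcp_layout *out)
{
    for (size_t i = 0; i + 2 <= len; i++) {
        if (buf[i] != 0xEB || (int8_t)buf[i + 1] < 0) continue;
        size_t jmp_next = i + 2, call_at = jmp_next + buf[i + 1];
        if (call_at + 5 > len || buf[call_at] != 0xE8) continue;
        /* rel32 is little-endian and relative to the instruction after the call */
        int32_t rel32 = (int32_t)((uint32_t)buf[call_at + 1] | (uint32_t)buf[call_at + 2] << 8 |
                                  (uint32_t)buf[call_at + 3] << 16 | (uint32_t)buf[call_at + 4] << 24);
        long code_at = (long)(call_at + 5) + rel32;
        if (code_at < (long)jmp_next || code_at >= (long)call_at) continue;
        int has_pop = 0;
        for (long k = code_at; k < (long)call_at; k++)
            if (buf[k] >= 0x58 && buf[k] <= 0x5F) has_pop = 1;
        if (!has_pop) continue;
        out->jmp_at = i; out->code_at = (size_t)code_at;
        out->call_at = call_at; out->data_at = call_at + 5;
        return 1;
    }
    return 0;
}

/* Constructed input: the skeleton above assembled by hand (nasm, 64-bit).
   jmp rel8 = 6-2 = 4; call rel32 = 2-11 = -9 (F7 FF FF FF). */
const uint8_t kStub[] = {
    0xEB, 0x04,                    /* _start:      jmp get_address */
    0x48, 0x31, 0xC0,              /* shellcode:   xor rax, rax    */
    0x5F,                          /*              pop rdi         */
    0xE8, 0xF7, 0xFF, 0xFF, 0xFF,  /* get_address: call shellcode  */
    '/', 'b', 'i', 'n', '/', '/', 's', 'h' /* shell_string */
};
const size_t kStubLen = sizeof kStub;

int main(void)
{
    struct jcp_layout l;
    if (!find_jmp_call_pop(kStub, kStubLen, &l)) return 1;
    printf("call at +%zu pushes +%zu, which holds \"%.8s\"\n",
           l.call_at, l.data_at, (const char *)kStub + l.data_at);
    return 0;
}
```

Running it on the constructed bytes reports the call at offset 6 pushing offset 11, which is exactly where "/bin//sh" sits, regardless of the buffer's load address.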