Re: win32 call dword ptr [eax] help needed

From: Gerardo Richarte (gera_at_corest.com)
Date: 09/10/03

  • Next message: PLANZ: "Re: Ethernet ( MAC ) Address Reliability"
    Date: Wed, 10 Sep 2003 12:28:54 -0300
    To: wirepair <wirepair@roguemail.net>
    
    

    wirepair wrote:

    > Thank you very very much for taking the time to respond. Unfortunately
    > I have Zero C++ knowledge. I only code in C, and for the most part
    > just *nix. I am kind of unsure as to how one would tell if this is in
    > the heap or the stack. In Unix (linux anyways) it is very easy because
    > the addresses are easily identifiable 0xbfffxxxx , stack ect.

        Well... erm... to know if what I said will work, check the stack
    after the call to
    recv(). Better check if the data pointed to by EBP has been altered by
    your bytes
    or not. If it was altered, then you may probably do 4 in my previous
    mail (use the
    ret at the end of the function to jmp). If the data pointed to by EBP is
    not changed,
    increse the amount of bytes sent, if this doesn't work, then you'll
    probably have to
    think different, and as 3 (using the exception handler) didn't work,
    then, you may
    want to try either Dave's or James' idea.
        Now, if you are going to use James' let me say something about it,
    nothing really
    serious, but it may help.

        As James said, it may be a good idea to build an "Address Cushion",
    but I think
    it's not necesary to use a "Nops Cushion" or not even needed to
    guess/bruteforce
    two different addresses.

        So, what can we do?

        We can controll eax, and then use a call [eax+4]
        We can put our buffer in memory, not in a fixed place.

        Questions:

        Can we put another buffer in memory using any other mean?
        How much does the address of our bytes in memory vary?

        What do we need?
        We need to set eax to point to a pointer to our egg (delta +4)

        Although we will probably need to use the same buffer to set eax and
    to send our
    addresses I will treat this two actions as different things, you'll have
    to figure out how
    put them together if needed... I don't think this will be a major
    challenge :-)

        Let's say I know the buffer will be at address 00001000, in this
    case I could set eax to 1000
    and make the buffer be:

        xxxx|00001008|egg

       so, [eax+4] is 1008 and the egg is at 1008 (as the buffer starts in 1000)

        now, suppose the buffer may move around a little bit, lets say a max
    of 0x20 bytes,
    so I could make eax still be 1000, but make the buffer:

        1024|1020|101c|1018|1014|1010|100c|1008|1004|egg

        eax = 1000

        buffer address [eax+4] egg address
        1000 1020 1020
        0ffc 101c 101c
        etc

        The key is: We set eax to a fixed value (1000), we don't really know
    which of
    the addresses we are going to hit, but we can compute the distance
    between each
    address and the egg, because we know the structure of the buffer. So,
    for each
    address we send in the buffer we think "If this address is in memory at
    1000, what
    would be the address of my egg?" and the answer to that question is what we
    put in the buffer in the right place, as in the previous example.

        What we do is send as many possible addresses and then our egg. This
    will maximize
    our chances of hitting one of the addresses. In this example I'm
    assuming you know the
    buffer will be aligned to 4 bytes, but you can usually assume that, or
    pad with the right
    number of bytes. If this is not your case you will need to try the
    different alignments or
    find another way.
        Of course we may make eax vary on every try, changing it by the
    number of addresses
    we are sending times 4 [bytes].

        With this we reduced the problem from having to bruteforce two
    addresses, to having
    to bruteforce just one, which is way better.

        gera


  • Next message: PLANZ: "Re: Ethernet ( MAC ) Address Reliability"

    Relevant Pages

    • Re: Discovering variable types...
      ... >- but I suppose MS expect us to use wrappers ... memory allocations for your variables from disk as well. ... >They most certainly are of fixed size, changing the size of a String ... >>me to keep buffer size and current postion right in the memory block. ...
      (comp.lang.pascal.delphi.misc)
    • Re: UMA caches draining
      ... system is quite low on memory. ... Will, for example, buffer cache allocate buffers ... then interrupt threads and i/o path should try hard to avoid allocations ...
      (freebsd-hackers)
    • Re: Discovering variable types...
      ... >memory it points to is on the heap. ... sequentially reading data, if one is randomly reading records, then a ... >project is what's prompting me to improve disk access. ... from a memory buffer I can do it in about a second. ...
      (comp.lang.pascal.delphi.misc)
    • Re: Multicast Directshow Graph Bridging, COW Rustling, & the Use of Portable Holes in Cartoon Ph
      ... memory to share buffer pools across processes and works pretty well. ... You get two basic Direct Show filters, ... issue each GMF-source a virtual memory alias with COW ...
      (microsoft.public.win32.programmer.directx.video)
    • Re: PCI bus-master and large contiguous memory buffers
      ... I built my scatter gather list in SRAM that was on my device, ... could have done it in system memory had I needed to. ... interrupt when a buffer was filled, the application would save the buffer to ... beginning of the recording I made a device IO control call to my driver. ...
      (microsoft.public.development.device.drivers)