At 06:57 PM 11/22/1999 -0600, Solar Eclipse wrote:

>Mnemonix wrote that the shell code is not lowercased on Win2K. Are there
>any other restrictions? Can you use characters > 128 ?
>
>What about Win9x?
>
>Are there any DLLs loaded in the 6161616-7A7A7A7A range on their
>machines?

Only alphabetic characters seem to be allowed, but neither Win2K nor Win98
changes the case. I couldn't find any code loaded at useful addresses in
Win98, but in my Win2K it seems to load SHELL32.DLL at 775A1000. There are
useful RETs at the following addresses:

775A6267 gbZw: RET
775A7A73 szZw: RET 4
775A706D mpZw: RET 10
775A7156 VqZw: RET 14
775A7249 IrZw: RET 18

There are additional complications, though, in the form of stack variables
between the corrupted frame and the desired address. These variables must be
worked around. I haven't yet found a satisfactory combination of RETs to get
to the goal, but I've been within a DWORD of it.

--
Ron Parker
GW Micro, Inc.
Voice 219-489-3671
Fax 219-489-2608
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:59 PDT