I'm practicing developing Windows Buffer Overflows and have run into a slight snag. When I overwrite EIP with the address of "jmp ESP" I land below my shellcode instead of where the top of the stack used to be:

    <-----------400 bytes-------->
    [NOP's........Shellcode...EIP..*<-code jumps here**]

This didn't seem right but I figured that I'd use an offset from ESP to hop back to my shellcode.

    xor eax,eax
    xor ebp,ebp
    mov ebp,esp
    mov eax,ebp - 190H
    jump eax

What I'm trying is loading esp into ebp and then moving that value into eax followed by a jump eax. Tried straight from esp to eax but figured out that wasn't allowed. I know that the .printer exploit (jill.c) does something similar (uses eax and ebx to make the jump). Any ideas?

Thanks,
Dave
This archive was generated by hypermail 2b30 : Tue Apr 22 2003 - 10:27:02 PDT