Re: strcpy bug

From: xenophi1e (oliver.laveryat_private)
Date: Sat Jun 07 2003 - 11:34:59 PDT

    
     ('binary' encoding is not supported, stored as-is)
    In-Reply-To: <Law15-F17rjbudzxxfY00026977at_private>
    
    >
    >The Windows "Search for files and folders" utility will search binaries and
    >can often find the linkage names of functions and dlls they call.  None
    
    *Lol*. I never would have thought to use the pretty GUI with the little
    doggie for anything like this. But of course, it's really just a not-so-good
    strings / objdump | grep.
    
    >Bah.  That 0x104 in the size field of the result string from the
    >RtlUnicodeStringToAnsiString call not only protects the stack frame, it also
    >stops us feeding too long a string through the W version to the A version.
    >D'oh.
    
    Yeah, another obvious problem I realised after posting is that MAX_PATH
    on Windows is 260 / 0x104. So the overflowable buffer is MAX_PATH
    characters long. There's some protection since applications that are well
    written probably won't call a file open sort of function with a filename
    longer than MAX_PATH. Of course we all know how many applications are
    actually well written...
    
    >So I guess the answer to your question is "Potentially, IE, OE, MSHta.exe
    >and anything else that uses the IE browser engine.  Font-face style tag 
    >perhaps?
    >
    
    Hmm, that's a good analysis, thanks. I'll have to have a look-see at
    t2embed.dll the next time I sit down with IDA.
    
    Cheers,
    ~x
    
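The size-field protection the thread is talking about, as an added example that is not part of the original posts: a portable C stand-in for the counted-string layout (Length, MaximumLength, Buffer) in which a MaximumLength of 0x104 refuses any name that would not fit in a MAX_PATH stack buffer, which is also what stops an over-long string passed through the W entry point from reaching the A one. The struct, `bounded_copy` and `path_accepted` are simplified models written for this example, not the Windows implementation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH 260   /* 0x104, the buffer size discussed in the thread */

/* Stand-in for the counted-string layout used by the Rtl*String routines
 * (Length, MaximumLength, Buffer). Constructed for this example, not the
 * Windows header definition. */
typedef struct {
    uint16_t Length;        /* bytes in use, terminator excluded */
    uint16_t MaximumLength; /* bytes available in Buffer, terminator included */
    char    *Buffer;
} counted_string;

/* Bounded copy modelled on a conversion into a caller-supplied destination:
 * the input is refused when it does not fit within MaximumLength (NUL
 * included), so a fixed MAX_PATH stack buffer can never be overrun.
 * Returns 0 on success, -1 when the source is too long. */
int bounded_copy(counted_string *dst, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > dst->MaximumLength)
        return -1;                  /* refuse rather than write past Buffer */
    memcpy(dst->Buffer, src, n + 1);
    dst->Length = (uint16_t)n;
    return 0;
}

/* Wraps a MAX_PATH stack buffer in a counted string and feeds it a
 * constructed name of 'len' bytes. Returns 1 if the copy was accepted,
 * 0 if the size field rejected it. */
int path_accepted(size_t len)
{
    static char name[1024];         /* constructed input, all 'A's */
    char stack_buf[MAX_PATH];
    counted_string dst = { 0, (uint16_t)sizeof stack_buf, stack_buf };

    if (len >= sizeof name)
        return 0;
    memset(name, 'A', len);
    name[len] = '\0';
    return bounded_copy(&dst, name) == 0;
}

int main(void)
{
    printf("259 chars: %d\n", path_accepted(259));  /* fits with NUL: 1 */
    printf("260 chars: %d\n", path_accepted(260));  /* one byte too long: 0 */
    return 0;
}
```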



    This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 13:55:39 PDT