On Thu, 26 Jun 2003 11:46:33 -0300, Gerardo Richarte wrote:

> Ok, first challenge: create a Get PC code with no zeros and no 0xff
> in it. sounds easy? hehe, it's not. However, we know it's possible,
> at least sometimes.

Not so generic, it's only for Windows NT, but I imagine similar things could be done on other platforms if some guaranteed mapped space could be found without null or 0xFF in its address.

    B9 D0FEFD7F      MOV ECX,7FFDFED0              ; scratch word in a known writable page
    8B01             MOV EAX,DWORD PTR DS:[ECX]    ; save the original contents
    C701 5B53C341    MOV DWORD PTR DS:[ECX],41C3535B ; plant 5B 53 C3 41 = pop ebx / push ebx / ret / inc ecx (pad)
    E8 D8DFBD7F      CALL 7FFDFED0                 ; return address lands in EBX
    8901             MOV DWORD PTR DS:[ECX],EAX    ; restore the original word

First thoughts on the second challenge: You can't use any of the call opcodes, but you might be able to set up a quick exception handler in the known mapped space. Cause a fault, and then find the address of your fault-causing instruction in the structure that's passed. (Again I'm talking NT).

- Blazde
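An added example, not code from Blazde's post or from the thread: the stub above is only free of 0x00/0xFF bytes for load addresses where the CALL's rel32 displacement also happens to be clean, because E8 takes a relative target. The C below assembles the same five instructions for a given load address, reusing the scratch address 7FFDFED0 and gadget word 41C3535B from the post, and scans the result for forbidden bytes. The load address 0x00401EE6 is derived from the posted displacement D8DFBD7F (it is the only address at which that encoding is produced); the second address used in the test is a constructed counterexample whose displacement contains a 0x00.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SCRATCH_ADDR 0x7FFDFED0u /* writable, always-mapped word on NT (from the post) */
#define GADGET_WORD  0x41C3535Bu /* bytes 5B 53 C3 41: pop ebx; push ebx; ret; inc ecx (pad) */
#define STUB_LEN     20          /* 5 + 2 + 6 + 5 + 2 bytes */

/* Index of the first 0x00 or 0xFF byte, or -1 if the buffer is clean. */
int first_bad_byte(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0x00 || buf[i] == 0xFF)
            return (int)i;
    return -1;
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Assemble the stub as it would sit at load_addr. Returns the byte count.
 * After the CALL, EBX holds load_addr + 18 (the address of the final MOV). */
size_t build_getpc_stub(uint32_t load_addr, uint8_t out[STUB_LEN])
{
    size_t n = 0;

    out[n++] = 0xB9; put_le32(out + n, SCRATCH_ADDR); n += 4;   /* mov ecx, SCRATCH_ADDR */
    out[n++] = 0x8B; out[n++] = 0x01;                            /* mov eax, [ecx]       */
    out[n++] = 0xC7; out[n++] = 0x01;                            /* mov dword [ecx], imm */
    put_le32(out + n, GADGET_WORD); n += 4;

    /* E8 rel32 is relative to the end of the CALL, so it depends on load_addr. */
    uint32_t call_end = load_addr + (uint32_t)n + 5;
    out[n++] = 0xE8; put_le32(out + n, SCRATCH_ADDR - call_end); n += 4;

    out[n++] = 0x89; out[n++] = 0x01;                            /* mov [ecx], eax       */
    return n;
}

/* Address EBX will contain once the CALL/pop/push/ret sequence has run. */
uint32_t getpc_result(uint32_t load_addr)
{
    return load_addr + 18;
}

int main(void)
{
    uint8_t stub[STUB_LEN];
    uint32_t load = 0x00401EE6u; /* derived from the posted displacement D8DFBD7F */
    size_t n = build_getpc_stub(load, stub);

    printf("stub at %08X:", load);
    for (size_t i = 0; i < n; i++)
        printf(" %02X", stub[i]);
    printf("\nEBX after GetPC = %08X, first bad byte = %d\n",
           getpc_result(load), first_bad_byte(stub, n));
    return 0;
}
```

The check is worth running for every address the payload might land at: the MOV and gadget bytes are fixed, but the displacement walks through 0x00 and 0xFF as the load address moves, so a stub that is clean in one test harness can silently break at another offset.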
This archive was generated by hypermail 2b30 : Thu Jun 26 2003 - 13:01:15 PDT