Roland Postle wrote:

> B9 D0FEFD7F      MOV ECX,7FFDFED0
> 8B01             MOV EAX,DWORD PTR DS:[ECX]
> C701 5B53C341    MOV DWORD PTR DS:[ECX],41C3535B
> E8 D8DFBD7F      CALL 7FFDFED0
> 8901             MOV DWORD PTR DS:[ECX],EAX

Heh, nice solution, pretty similar to what we had once... as you said, NT specific, but could be done in Linux probably, using a fixed address in the range 0x40xxxxxx... but then, the main problem is that none of them will work (I'm sorry). The call 7ffdfed0 is relative to your current location, so, either you already know your address, or you can't do the call :-(

It's really a mind puzzle, really funny too. So... our real solution is not like this, but is also win specific.

> First thoughts on the second challenge: You can't use any of the call
> opcodes, but you might be able to set up a quick exception handler in
> the known mapped space. Cause a fault, and then find the address of
> your fault causing instruction in the structure that's passed. (Again
> I'm talking NT).

I'm not sure this could be done (same problem) but, keep this in mind anyway :-) [hint]

gera
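Gera's objection, illustrated with an added example that is not part of the thread: decoding the `E8 D8DFBD7F` bytes from Roland's listing the way the CPU does shows that this encoding reaches 7FFDFED0 from exactly one load address (the 0x00401EF3 figure below is derived from the bytes, not stated in the post), and lands elsewhere the moment the same bytes run at any other address.

```python
import struct

# The CALL encoding quoted in Roland's listing, "E8 D8DFBD7F" (rel32 is little-endian).
CALL_BYTES = bytes.fromhex("E8D8DFBD7F")
SHARED_TARGET = 0x7FFDFED0  # the fixed NT address the listing calls through


def _rel32(code: bytes) -> int:
    """Signed 32-bit displacement that follows the E8 opcode."""
    if len(code) < 5 or code[0] != 0xE8:
        raise ValueError("not an E8 rel32 near call")
    (rel,) = struct.unpack_from("<i", code, 1)
    return rel


def decode_rel_call(code: bytes, base: int) -> int:
    """Absolute target of a near relative CALL (E8 rel32) that sits at `base`.

    The CPU computes target = (address of the next instruction) + rel32, so the
    same five bytes land somewhere else whenever the code runs at another
    address. A hand-picked E8 therefore only works if you already know where
    you are, which is the whole point of the puzzle."""
    return (base + 5 + _rel32(code)) & 0xFFFFFFFF


def base_for_target(code: bytes, target: int) -> int:
    """The single load address at which this E8 encoding reaches `target`."""
    return (target - 5 - _rel32(code)) & 0xFFFFFFFF


def encode_rel_call(base: int, target: int) -> bytes:
    """E8 rel32 bytes needed to reach `target` from a CALL placed at `base`."""
    rel = (target - (base + 5) + 2**31) % 2**32 - 2**31  # wrap into signed int32
    return b"\xE8" + struct.pack("<i", rel)


if __name__ == "__main__":
    origin = base_for_target(CALL_BYTES, SHARED_TARGET)
    print(f"these bytes reach {SHARED_TARGET:08X} only when placed at {origin:08X}")
    # Constructed alternative: the same bytes copied to 0x00402000 call elsewhere.
    print(f"placed at 00402000 they call {decode_rel_call(CALL_BYTES, 0x00402000):08X}")
```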
This archive was generated by hypermail 2b30 : Thu Jun 26 2003 - 15:39:04 PDT