Re: GetPC code (was: Shellcode from ASCII)

From: noir (noirat_private)
Date: Fri Jun 27 2003 - 13:22:15 PDT


    """
    > First thoughts on the second challenge: You can't use any of the call
    > opcodes, but you might be able to setup a quick exception handler in
    > the known mapped space. Cause a fault, and then find the address of
    > your fault causing instruction in the structure that's passed. (Again
    > I'm talking NT).
    
        I'm not sure this could be done (same problem) but, keep this in mind
    anyway :-) [hint]
    
        gera
    """
    
    I have spent a good 20 minutes on this. I don't have the solution yet due to
    lack of time, but I thought this might be interesting for the list.
    
    Basically, I'm simulating a floating point exception (division by zero) and
    then grabbing the EIP (PC) from the exception record. PC is the location of
    the fdivs instruction, since that instruction created the exception
    condition, so we add 11 on top to make %eax point to the nop instruction.
    (AT&T syntax)
    
            xor     %eax, %eax          # %eax = 0
            push    %eax                # 0.0f on the stack as the divisor
            fdivs   (%esp)              # divide by zero: this is the "faulting" FP instruction
            fnstenv (%esp)              # store the FPU environment; FIP (address of fdivs) lands at 0xc(%esp)
            mov     0xc(%esp), %eax     # %eax = address of fdivs
            add     $0xd, %eax          # skip forward from fdivs to the nop
            nop
    
    
    - noir
    
    sup mate ? ;)
    
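Added example, not part of noir's post or gera's reply: a detector for the fnstenv GetPC idiom described above (the byte patterns IDS rules look for), together with a hand-assembled copy of the posted listing used to check the byte distance from fdivs to the nop. The encodings are mine, taken from the x86 opcode map, and the sample buffers are constructed for the demo.

```python
"""Detect the fnstenv-based GetPC idiom and check its displacement."""
import re

# fnstenv (%esp)        -> d9 34 24    : FIP is stored at 0xc(%esp)
# fnstenv -0xc(%esp)    -> d9 74 24 f4 : FIP is stored at 0(%esp), read with pop
# mov 0xc(%esp), %reg   -> 8b [44|4c|54|5c|6c|74|7c] 24 0c  (any reg but %esp)
# pop %reg              -> 58..5f
FNSTENV_GETPC = re.compile(
    rb"\xd9\x34\x24.{0,8}?\x8b[\x44\x4c\x54\x5c\x6c\x74\x7c]\x24\x0c"
    rb"|\xd9\x74\x24\xf4.{0,8}?[\x58-\x5f]",
    re.DOTALL,
)

def find_fnstenv_getpc(buf: bytes) -> list[int]:
    """Return the offset of every fnstenv GetPC sequence found in buf."""
    return [m.start() for m in FNSTENV_GETPC.finditer(buf)]

# The listing from the post, hand-assembled here (constructed, AT&T mnemonics).
POSTED_LISTING = [
    ("xor %eax,%eax",       b"\x31\xc0"),
    ("push %eax",           b"\x50"),
    ("fdivs (%esp)",        b"\xd8\x34\x24"),
    ("fnstenv (%esp)",      b"\xd9\x34\x24"),
    ("mov 0xc(%esp),%eax",  b"\x8b\x44\x24\x0c"),
    ("add $0xd,%eax",       b"\x83\xc0\x0d"),
    ("nop",                 b"\x90"),
]

def byte_distance(listing, start: str, end: str) -> int:
    """Bytes from the first byte of `start` to the first byte of `end`.

    fnstenv records the address of the last arithmetic FP instruction (fdivs),
    not its own, so the add immediate must cover fdivs through the add itself.
    """
    names = [name for name, _ in listing]
    i, j = names.index(start), names.index(end)
    return sum(len(code) for _, code in listing[i:j])

SAMPLE_SHELLCODE = b"".join(code for _, code in POSTED_LISTING)
SAMPLE_BENIGN = b"\x55\x89\xe5\x83\xec\x10\x31\xc0\x5d\xc3"  # constructed prologue/epilogue

if __name__ == "__main__":
    print("getpc hits:", find_fnstenv_getpc(SAMPLE_SHELLCODE))
    print("fdivs -> nop distance:", byte_distance(POSTED_LISTING, "fdivs (%esp)", "nop"))
```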
    This archive was generated by hypermail 2b30 : Fri Jun 27 2003 - 13:42:02 PDT