Comments (5)
At address 0x531d there's a mov instruction whose source operand appears to be merely 0x4, which will read data at exactly that address of the code section! This instruction probably has an override?
[0x531d]: 0x8b
mov ecx, 0x4=83e4f050
[0x5320]: 0x8b
mov esi, 0x15994=50e80000
[0x5324]: 0x29
sub esi=59472, ecx=1357964419
[0x5326]: 0x89
mov 0x15998, ecx=83e4f050
[0x532a]: 0x89
mov ecx, esi=cd0310af
[0x532c]: 0xc1
sar ecx=-1357904947, imm8=31 (ecx := 4294967295)
[0x532f]: 0x29
sub ebp=3899401284, edi=1
[0x5331]: 0x19
sub edx=3988, ebx=0
[0x5333]: 0x39
cmp ebp=3899401283, esi=2937062349
[0x5335]: 0x19
sub edx=3988, ecx=4294967295
[0x5337]: 0x7d
jmp rel8 0x538a
[0x538a]: 0x8b
mov esi, 0x159b0=505b0100
[0x538e]: 0x8b
mov ebp, 0x15998=83e4f050
[0x5392]: 0x8b
mov ecx, 0x15994=50e80000
[0x5396]: 0x89
mov 0x15bb8, ecx=50e80000
[0x5399]: 0x8b
mov ecx, 0x15b7c=905c0100
[0x539c]: 0x29
sub ecx=89232, ebp=1357964419
[0x539e]: 0x89
mov edx, ecx=0d7810af
[0x53a0]: 0xc1
sar edx=-1357875187, imm8=31 (edx := 4294967295)
[0x53a3]: 0x01
add edi=1, ecx=2937092109
[0x53a5]: 0x11
add ebx=0, edx=4294967295
[0x53a7]: 0x89
mov 0x15bc4, edi=0e7810af
[0x53aa]: 0x89
mov 0x15bc8, ebx=ffffffff
[0x53ad]: 0xfb6
from pyvm.
Nope, the instruction is mov ecx,DWORD PTR [esi+0x4], so esi must be zero at this point.
from pyvm.
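Added example, not part of the thread or of pyvm's own code: a ModRM decoder for opcode 0x8b showing why a source address of 0x4 implies esi was zero. The bytes 8b 4e 04 are constructed from the mnemonic quoted above and the 3-byte gap between 0x531d and 0x5320 in the trace; the function name and the register dict are assumptions.

```python
# Register names indexed by their 3-bit ModRM encoding (32-bit operand size).
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_mov_8b(code, regs):
    """Decode `8b /r` (mov r32, r/m32) with 32-bit addressing.

    Returns (disassembly, effective address or None, instruction length).
    regs maps register names to their current values.
    """
    if code[0] != 0x8B:
        raise ValueError("not opcode 0x8b")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    dst = REGS[reg]
    if mod == 3:                      # register-to-register, no memory access
        return f"mov {dst}, {REGS[rm]}", None, 2
    if rm == 4:
        raise NotImplementedError("SIB forms are outside this example")
    if mod == 0 and rm == 5:          # the only form with no base: [disp32]
        disp = int.from_bytes(code[2:6], "little")
        return f"mov {dst}, [{disp:#x}]", disp, 6
    base = REGS[rm]
    if mod == 0:
        disp, length = 0, 2
    elif mod == 1:                    # sign-extended 8-bit displacement
        disp, length = int.from_bytes(code[2:3], "little", signed=True), 3
    else:                             # mod == 2: 32-bit displacement
        disp, length = int.from_bytes(code[2:6], "little", signed=True), 6
    ea = (regs[base] + disp) & 0xFFFFFFFF
    operand = f"[{base}{disp:+#x}]" if disp else f"[{base}]"
    return f"mov {dst}, {operand}", ea, length

def demo():
    insn = bytes.fromhex("8b4e04")    # constructed: mov ecx, [esi+0x4]
    # esi as pushed on entry to __uflow in the thread, then esi clobbered to 0.
    for esi in (0x00015B50, 0x0):
        text, ea, length = decode_mov_8b(insn, {"esi": esi})
        print(f"esi={esi:#010x}  {text}  -> reads {ea:#x} ({length} bytes)")

if __name__ == "__main__":
    demo()
```

A true absolute load from 0x4 would be the 6-byte form 8b 0d 04 00 00 00, which does not fit the 3-byte instruction in the trace.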
Apparently, __uflow at 0xb98 doesn't restore registers properly? At the beginning it pushes:
push ebx ; 0x00
push edi ; 0x00
push esi; 0x00015b50
And then pops different data:
pop esi ; 0x00 (!!)
pop edi ; 0x00
pop ebx ; 0x00
But it still returns to the correct address (0x5300). So, the top of the stack got corrupted somehow? Or is it intentional? Probably not, because these registers are supposed to be restored after a function call.
from pyvm.
Basically, a bunch of stosd instructions (probably from address 0x7486) overwrite the first 3 bytes of esi that's stored on the stack. WTF?! Also, shouldn't there be some protection against overwriting the stack?
from pyvm.
Looks like there was a bug in the C code
from pyvm.