
same codebytes, different meaning ?!


0rp
April 3rd, 2004, 18:23
If I compile this function

Code:

#include <stdio.h>

void foo()
{
printf("bar\n");
}



the compiler produces this:
Code:

00401090 55 push ebp
00401091 8B EC mov ebp,esp
00401093 68 10 71 40 00 push 407110h <--- "bar\n"
00401098 E8 73 01 00 00 call 00401210 <-- printf
0040109D 83 C4 04 add esp,4
004010A0 5D pop ebp
004010A1 C3 ret



If I VirtualAlloc new memory and copy all these code bytes (55, 8B, EC, ... C3) into it, the debugger shows this:

Code:

00340000 55 push ebp
00340001 8B EC mov ebp,esp
00340003 68 10 71 40 00 push 407110h
00340008 E8 73 01 00 00 call 00340180 <---- wtf?
0034000D 83 C4 04 add esp,4
00340010 5D pop ebp
00340011 C3 ret


My question: why does the call get 00340180 and not 00401210?

doug
April 3rd, 2004, 18:41
note that the printf function has been injected into your code (that's ok).

now, if you look carefully, the instruction used to call printf uses EIP-relative addressing.
Code:

00401098 E8 73 01 00 00 call 00401210 <-- printf
0040109D 83 C4 04 add esp,4

the destination (401210) is calculated as follows:
-> 40109D (next instruction) + 173 = 401210

in your valloc'd code:
Code:

00340008 E8 73 01 00 00 call 00340180 <---- wtf?
0034000D 83 C4 04 add esp,4

-> 34000D + 173 = 340180.

there are many workarounds for this.
Ex: Patch the dword after E8 with (00401210 - 34000D = C1203). You can compute these offsets at runtime.
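The arithmetic above, worked through on the exact bytes from the first post, as an added example that is not part of the thread. It models the VirtualAlloc'd copy as a plain byte buffer with a chosen base address rather than executing anything, so it runs on any platform; the function names (call_target, relocate_call, relocate_foo) and the 0x340000 destination base are assumptions of this example. Note the two caveats the fix depends on: the push 407110h stays valid only because it is an absolute address into the still-loaded original image, and a call whose target lies inside the copied region must not be patched, since caller and callee move together.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the bytes of foo() exactly as listed in the thread,
   originally assembled at 0x00401090.  Offsets inside the buffer:
     0  55             push ebp
     1  8B EC          mov ebp,esp
     3  68 10 71 40 00 push 407110h   ("bar\n": absolute, needs no fix)
     8  E8 73 01 00 00 call rel32     (printf: EIP-relative, needs a fix)
    13  83 C4 04       add esp,4
    16  5D             pop ebp
    17  C3             ret */
static const uint8_t foo_bytes[] = {
    0x55, 0x8B, 0xEC, 0x68, 0x10, 0x71, 0x40, 0x00,
    0xE8, 0x73, 0x01, 0x00, 0x00, 0x83, 0xC4, 0x04, 0x5D, 0xC3
};
enum { FOO_LEN = sizeof foo_bytes, CALL_OFF = 8 };
static const uint32_t FOO_ORIG_BASE = 0x00401090u;

/* Little-endian rel32 read/write: the four bytes that follow an E8 opcode. */
int32_t read_rel32(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

void write_rel32(uint8_t *p, int32_t rel)
{
    uint32_t v = (uint32_t)rel;
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Destination of the E8 at code[off] when code[0] is mapped at base:
   target = address of the next instruction (off + 5) + rel32. */
uint32_t call_target(const uint8_t *code, uint32_t base, size_t off)
{
    uint32_t next_ip = base + (uint32_t)off + 5;
    return next_ip + (uint32_t)read_rel32(code + off + 1);
}

/* Re-point the E8 at code[off] at `target` for a buffer now mapped at new_base.
   Returns the new rel32 (for foo moved to 0x340000 that is 0x000C1203). */
int32_t relocate_call(uint8_t *code, uint32_t new_base, size_t off, uint32_t target)
{
    uint32_t next_ip = new_base + (uint32_t)off + 5;
    int32_t rel = (int32_t)(target - next_ip);   /* wraps mod 2^32, like the CPU */
    write_rel32(code + off + 1, rel);
    return rel;
}

/* Copy foo into dst (as if dst were the VirtualAlloc'd block at new_base) and
   fix its call.  A call whose target lies inside the copied region keeps its
   displacement: the distance between caller and callee is unchanged when both
   move.  Returns the target the copied call resolves to. */
uint32_t relocate_foo(uint8_t *dst, uint32_t new_base)
{
    memcpy(dst, foo_bytes, FOO_LEN);
    uint32_t target = call_target(foo_bytes, FOO_ORIG_BASE, CALL_OFF);
    int internal = target >= FOO_ORIG_BASE && target < FOO_ORIG_BASE + FOO_LEN;
    if (!internal)
        relocate_call(dst, new_base, CALL_OFF, target);
    return call_target(dst, new_base, CALL_OFF);
}

int main(void)
{
    uint8_t copy[FOO_LEN];
    uint32_t new_base = 0x00340000u;   /* assumed VirtualAlloc result */
    printf("original: E8 at %08" PRIX32 " -> %08" PRIX32 "\n",
           FOO_ORIG_BASE + CALL_OFF, call_target(foo_bytes, FOO_ORIG_BASE, CALL_OFF));
    printf("raw copy: E8 at %08" PRIX32 " -> %08" PRIX32 "  (wrong)\n",
           new_base + CALL_OFF, call_target(foo_bytes, new_base, CALL_OFF));
    uint32_t fixed = relocate_foo(copy, new_base);
    uint32_t rel = (uint32_t)read_rel32(copy + CALL_OFF + 1);
    printf("patched:  E8 at %08" PRIX32 " -> %08" PRIX32 "  (rel32 = %08" PRIX32 ")\n",
           new_base + CALL_OFF, fixed, rel);
    return 0;
}
```

Running it reproduces the three numbers from the thread: the original call resolves to 00401210, the raw copy at 00340000 resolves to 00340180, and after patching the dword to 000C1203 the copy resolves to 00401210 again.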

0rp
April 3rd, 2004, 18:42
ah EIP relative, ok
thx