Re: Preventing exploitation with rebasing

On Wed, 5 Feb 2003, David Litchfield wrote:

> For example assume an image base for an exe is 0x00400000 and the c code
> does printf("hello"); This will generate something like
>
> push 0x0042001C    // push pointer to hello
> call 0x00401060       // call printf
>
> If I then make the image base 0x00410000 and I also change /.../ to
> become
>
> push 0x0043001C
> call 0x00411060

First of all, no, you do not change the call, on Intel, it's likely to be
a relative 32-bit call (E8 .. .. .. ..) within the code, and it's
relocatable without any changes.

Also, what if I wanted to pass a value 4325404 (0x42001c) to this
function, and it is not a pointer, only looks this way? For example, some
FOO_ASYNC flag is defined as 0x400000, FOO_LOCK as 0x020000, and voila, OR
them and you have "a pointer".

In other cases, say, with register calls, it is getting even nastier,
because even if, one way or another, you managed to find out how every
single function is going to use its parameters (not likely), register
calls are still black magic.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-02-05 12:24 --
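The two objections in the reply above, worked through in a small C program. This is an added illustration, not code from either poster: the addresses are the ones quoted in the thread (image base 0x00400000, rebased to 0x00410000, a call to 0x00401060), the FOO_ASYNC/FOO_LOCK flag values are the hypothetical ones from the reply, and the image size of 0x100000 used by the pointer heuristic is an assumption made here. It encodes a near relative call (opcode E8 followed by a signed 32-bit displacement from the end of the 5-byte instruction), shows that the encoded bytes are identical before and after moving the whole image, and then shows that the "immediate falls inside the image, so it must be a pointer" heuristic a rebasing tool would need for absolute operands cannot tell a pointer apart from an OR of two flags.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; addresses and flag values are the ones quoted in
 * the thread or constructed here, not taken from any real binary. */

#define CALL_LEN 5  /* E8 + rel32 */

/* rel32 of a near relative call: target minus the address of the
 * instruction that follows the call. */
int32_t call_rel32(uint32_t call_addr, uint32_t target_addr)
{
    return (int32_t)(target_addr - (call_addr + CALL_LEN));
}

/* Emit the five instruction bytes (E8 rel32, little-endian as on x86). */
void encode_call(uint32_t call_addr, uint32_t target_addr, uint8_t out[CALL_LEN])
{
    uint32_t rel = (uint32_t)call_rel32(call_addr, target_addr);
    out[0] = 0xE8;
    out[1] = (uint8_t)(rel & 0xFF);
    out[2] = (uint8_t)((rel >> 8) & 0xFF);
    out[3] = (uint8_t)((rel >> 16) & 0xFF);
    out[4] = (uint8_t)((rel >> 24) & 0xFF);
}

/* Does the call survive moving the whole image by delta without any
 * byte being touched? Returns 1 if the encoding is identical. */
int call_bytes_survive_rebase(uint32_t call_addr, uint32_t target_addr, uint32_t delta)
{
    uint8_t before[CALL_LEN], after[CALL_LEN];
    encode_call(call_addr, target_addr, before);
    encode_call(call_addr + delta, target_addr + delta, after);
    return memcmp(before, after, CALL_LEN) == 0;
}

/* The heuristic a rebasing tool would need for absolute immediates:
 * "anything inside [image_base, image_base + image_size) is a pointer". */
int looks_like_pointer(uint32_t imm, uint32_t image_base, uint32_t image_size)
{
    return imm >= image_base && imm - image_base < image_size;
}

/* Hypothetical flag values, as quoted in the reply. */
#define FOO_ASYNC 0x00400000u
#define FOO_LOCK  0x00020000u

int main(void)
{
    uint8_t bytes[CALL_LEN];
    encode_call(0x00401000u, 0x00401060u, bytes);
    printf("call at 0x00401000 -> 0x00401060: %02X %02X %02X %02X %02X\n",
           bytes[0], bytes[1], bytes[2], bytes[3], bytes[4]);
    printf("same bytes after rebasing by 0x10000: %s\n",
           call_bytes_survive_rebase(0x00401000u, 0x00401060u, 0x10000u) ? "yes" : "no");

    /* Assumed image size 0x100000 for the range check. */
    uint32_t flags = FOO_ASYNC | FOO_LOCK;
    printf("FOO_ASYNC|FOO_LOCK = 0x%08X, inside image? %s\n", flags,
           looks_like_pointer(flags, 0x00400000u, 0x00100000u) ? "yes (false positive)" : "no");
    return 0;
}
```

The first half is the reason the E8 call needs no fixup: only the distance between the two addresses is stored, and the distance does not change when both move together. The second half is the reason absolute operands are the hard case: the range check has no way to distinguish the pointer to "hello" from a flag word that happens to fall in the same range, so a tool that rewrites every in-range immediate would corrupt the flags, and one that rewrites none would leave the pointer dangling.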