the other day i was reading an eZine in DevCpp 4.9.9.2 - don't ask me why...
when i came across this little critter:
#include lines with more than 0x8007 chars trigger it.
CODE:00401CC4 loc_401CC4: ; CODE XREF: sub_401C6C+1Ej
CODE:00401CC4 mov eax, [eax]
CODE:00401CC6 mov [edx], eax
CODE:00401CC8 mov [eax+4], edx
CODE:00401CCB
CODE:00401CCB loc_401CCB: ; CODE XREF: sub_401C6C+39j
CODE:00401CCB pop ebx
CODE:00401CCC retn
CODE:00401CCC sub_401C6C endp
because we control eax and edx at this point we can write
an arbitrary 4 bytes to anywhere in mem.
so i chose to just alter the return addr on the stack and
let the retn do the rest.
because of the instruction @00401CC8 we must take care
what addr to use, since we will 'execute' its bytes upon
redirection.
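The root cause described in the post is an #include line that exceeds the length the parser expected (the post gives 0x8007 characters as the trigger) being copied into a buffer that cannot hold it. Below is an added illustration, written for this page and not taken from Dev-C++ or from the post's author, of how a directive reader avoids that class of bug: the line length is checked before anything is copied, the destination capacity is passed in and checked, and an over-long line is reported as an error rather than silently overflowing. The limit MAX_INCLUDE_LINE and the function names are assumptions chosen for the example; the over-long sample line is constructed in the code.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Added illustration, not Dev-C++ source: a bounded reader for "#include"
 * directive lines. MAX_INCLUDE_LINE is an assumed limit; the point is that a
 * line longer than the parser is prepared for is rejected with a status code
 * instead of being copied past the end of a fixed-size buffer. */
#define MAX_INCLUDE_LINE 1024

enum include_status {
    INCLUDE_OK = 0,
    INCLUDE_NOT_DIRECTIVE = 1,
    INCLUDE_TOO_LONG = 2,
    INCLUDE_MALFORMED = 3
};

/* Extract the header name from one source line into `out` (capacity out_cap).
 * Returns an include_status; `out` is only valid when INCLUDE_OK is returned. */
int parse_include_line(const char *line, char *out, size_t out_cap)
{
    size_t len = strlen(line);
    /* Reject before touching the contents: this check is the whole fix. */
    if (len > MAX_INCLUDE_LINE)
        return INCLUDE_TOO_LONG;

    const char *p = line;
    while (*p == ' ' || *p == '\t') p++;
    if (*p != '#') return INCLUDE_NOT_DIRECTIVE;
    p++;
    while (*p == ' ' || *p == '\t') p++;
    if (strncmp(p, "include", 7) != 0) return INCLUDE_NOT_DIRECTIVE;
    p += 7;
    while (*p == ' ' || *p == '\t') p++;

    char close;
    if (*p == '<') close = '>';
    else if (*p == '"') close = '"';
    else return INCLUDE_MALFORMED;
    p++;

    const char *end = strchr(p, close);
    if (end == NULL) return INCLUDE_MALFORMED;

    size_t name_len = (size_t)(end - p);
    /* Bounded copy: the destination size is checked, never assumed. */
    if (name_len + 1 > out_cap) return INCLUDE_TOO_LONG;
    memcpy(out, p, name_len);
    out[name_len] = '\0';
    return INCLUDE_OK;
}

/* Build a constructed over-long directive with `n` filler characters in the
 * header name, for demonstrating the rejection path. Caller frees the result. */
char *make_long_include(size_t n)
{
    char *buf = malloc(n + 16);
    if (!buf) return NULL;
    strcpy(buf, "#include <");
    memset(buf + 10, 'A', n);
    strcpy(buf + 10 + n, ".h>");
    return buf;
}

int main(void)
{
    char name[256];
    int st = parse_include_line("#include <stdio.h>", name, sizeof name);
    printf("normal line: status %d, name %s\n", st, st == INCLUDE_OK ? name : "-");

    /* 0x8007 is the line length the post reports as the trigger. */
    char *big = make_long_include(0x8007);
    st = parse_include_line(big, name, sizeof name);
    printf("over-long line: status %d (2 = rejected as too long)\n", st);
    free(big);
    return 0;
}
```

The two checks matter independently: the early length test bounds how much input the rest of the parser ever sees, and the capacity test on the output guards the copy even when the caller hands in a smaller buffer than expected.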