| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 17 Oct 2006 05:39:02 -0500 (CDT) From: Gadi Evron <ge@...uxbox.org> To: full-disclosure@...ts.grok.org.uk Subject: Re: speaking of code crunching... (challenge) On Mon, 16 Oct 2006, Gadi Evron wrote: > sort of challenge to see if someone else can get there first (without, > say, making the URL shorter). :) Crunched further.... New binary at 384 bytes is here: http://ragestorm.net/tiny/tiny2.exe Blog entry on how this was done is here: http://blogs.securiteam.com/index.php/archives/679 The relevant text from the blog, a chat session log: Arkon: The problem with that URLDownloadToFileA is that it creates another thread, Arkon: and that thread never terminates for some unknown reason to me. Arkon: So I HAD to call ExitProcess and finish it, otherwise my process will hang. :( Arkon: But now what I'm going to do is raising a silent exception :x Matthew: Just blow away the SEH chain and trigger an INT3. Arkon: It will eliminate the string "ExitProcess" and the GetProcAddress code for it as well. Matthew: MOV FS:[0], 0xFFFFFFFF INT3 Matthew: BAM! :) Instant process death... Arkon: This is too long. Matthew: PUSH 0 POP FS:[0] Arkon: Nah Matthew: XOR ESP, ESP might also do the trick :-) Arkon: LOL!!! Matthew: XOR ESP, ESP PUSH EAX Arkon: XCHG EAX, ESP PUSH 0 Arkon: Wait I'm stupid, push 0 is 2 bytes long. Arkon: XCHG EAX, ESP PUSH EAX Arkon: 2 bytes ExitProcess OMFG Matthew: You're a maniac Gadi. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists