lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.21.0610170538210.25033-100000@linuxbox.org>
Date: Tue, 17 Oct 2006 05:39:02 -0500 (CDT)
From: Gadi Evron <ge@...uxbox.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: speaking of code crunching... (challenge)

On Mon, 16 Oct 2006, Gadi Evron wrote:
> sort of challenge to see if someone else can get there first (without, 
> say, making the URL shorter). :)

Crunched further....

New binary at 384 bytes is here:
http://ragestorm.net/tiny/tiny2.exe

Blog entry on how this was done is here:
http://blogs.securiteam.com/index.php/archives/679

The relevant text from the blog, a chat session log:

Arkon: The problem with that URLDownloadToFileA is that it creates another
thread,
Arkon: and that thread never terminates for some unknown reason to me.
Arkon: So I HAD to call ExitProcess and finish it, otherwise my process
will hang. :(
Arkon: But now what I'm going to do is raising a silent exception :x
Matthew: Just blow away the SEH chain and trigger an INT3.
Arkon: It will eliminate the string "ExitProcess" and the GetProcAddress
code for it as well.
Matthew:
MOV FS:[0], 0xFFFFFFFF
INT3
Matthew: BAM! :) Instant process death...
Arkon: This is too long.
Matthew:
PUSH 0
POP FS:[0]
Arkon: Nah
Matthew: XOR ESP, ESP might also do the trick :-)
Arkon: LOL!!!
Matthew:
XOR ESP, ESP
PUSH EAX
Arkon:
XCHG EAX, ESP
PUSH 0
Arkon: Wait I'm stupid, push 0 is 2 bytes long.
Arkon:
XCHG EAX, ESP
PUSH EAX
Arkon: 2 bytes ExitProcess OMFG
Matthew: You're a maniac

	Gadi.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ