Reversing : The Hacker's Guide to Reverse Engineering
but there are other, far more subtle mistakes that can create potential buffer overflow bugs. One technique that aims to autom ...
00401098 lea edx,[esp+0x4]
0040109c mov [edi],eax
0040109e push edx
0040109f mov [edi+0x4],cl
004010a2 call Chapter7!system (004 ...
/*
 * Do nothing if the global cookie has already been initialized.
 */
if (security_cookie && security_cookie != DEFAULT_ ...
take over the program in question) before the function reaches the cookie verification code. There are several different trick ...
overcome the hurdles imposed by nonexecutable memory systems, as long as a vulnerable piece of code is found [Designer, Wojtczuk ...
It should be noted that heap overflows are usually less common than stack overflows because the sizes of heap blocks are almost ...
push esi
push 100               ; /size = 100 (256.)
call Chapter7.malloc   ; \malloc
mov esi,eax
add esp,4
test esi,esi
je short Chapter7.00401 ...
Arithmetic Operations on User-Supplied Integers Integer overflows come in many flavors. Consider, for example, another case wher ...
the lea edi,[eax+0x18]). The return value is the pointer of the newly allocated block. Clearly, the idea is that an object is ...
00401048 mov [eax+0x10],ecx
0040104b mov [eax+0x14],ecx
0040104e mov ecx,esi
00401050 mov esi,[esp+0xc]
00401054 mov edx,ecx
004 ...
00401042 mov [eax+0xc],ecx
00401045 mov [eax+0x10],ecx
00401048 mov [eax+0x14],ecx
0040104b mov ecx,esi
0040104d mov esi,[esp+0x ...
be back with the same overflow situation caused by the lea edi,[esi+0x18] instruction. The solution to these problems is to simp ...
In order to illustrate what this problem actually looks like in the code, I have listed parts of the vulnerable code here. These ...
6e9007c3 mov esi,eax
6e9007c5 pop ecx
6e9007c6 test esi,esi
6e9007c8 pop ecx
6e9007c9 je 6e9008d2
6e9007cf sub eax,edi
6e9007d1 ...
6e900843 cmp [ebp-0x20],ecx
6e900846 jnz 6e900861
6e900848 mov eax,0x80040e14
6e90084d push 0x6e9071b8
6e900852 mov [ebp-0x44],e ...
6e9008d6 inc edi
6e9008d7 push 0x26
6e9008d9 push edi
6e9008da call dword ptr [idq!_imp__strchr (6e8f111c)]
6e9008e0 pop ecx
6e9 ...
the string (this is done in 6e9007cf). This distance is stored in [ebp-0x20], and is essentially the length of the string I’m ar ...
68cc69b8 and dword ptr [ebp-0x34],0x0
68cc69bc cmp bx,0x2b
68cc69c0 jne query!DecodeURLEscapes+0xdf (68cc6a5d)
68cc69c6 push 0x2 ...
68cc6a36 sub edi,[ebp+0x10]
68cc6a39 mov eax,[ebp+0xc]
68cc6a3c push dword ptr [ebp-0x3c]
68cc6a3f or dword ptr [ebp-0x4],0xffff ...
characters. The buffer can only hold 200 Unicode characters, but the check is going to allow 400 characters. As with many buffer ...
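The two defects discussed above, the header-size addition that can wrap (the lea edi,[eax+0x18] case) and the byte-versus-character bound (the 200-character buffer whose check admits 400), shown side by side with their corrected forms in constructed C. This is an added example, not the book's code: only the 0x18 header adjustment and the 200-character buffer come from the text; the function names, BUF_WCHARS and the test values are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* 0x18 mirrors the "lea edi,[eax+0x18]" header adjustment in the listing;
 * everything else in this example is constructed for illustration. */
#define OBJ_HEADER_SIZE 0x18u

/* Vulnerable pattern: the 32-bit addition wraps, so a huge user-supplied
 * length yields a tiny allocation that the later object initialisation
 * (the stores at [eax+0xc], [eax+0x10], [eax+0x14], ...) overruns. */
uint32_t naive_alloc_size(uint32_t user_len)
{
    return user_len + OBJ_HEADER_SIZE;      /* wraps modulo 2^32 */
}

/* Hardened form: reject any length for which the addition would wrap, so
 * the allocator never receives a size smaller than the caller's request. */
bool checked_alloc_size(uint32_t user_len, uint32_t *total)
{
    if (user_len > UINT32_MAX - OBJ_HEADER_SIZE)
        return false;                       /* would overflow: refuse */
    *total = user_len + OBJ_HEADER_SIZE;
    return true;
}

/* Convenience wrapper for callers that treat 0 as "rejected". */
uint32_t checked_alloc_size_or_zero(uint32_t user_len)
{
    uint32_t total;
    return checked_alloc_size(user_len, &total) ? total : 0u;
}

/* Unit-mismatch pattern from the DecodeURLEscapes discussion: the buffer
 * holds 200 UTF-16 code units (400 bytes). A bound expressed in bytes but
 * compared against a character count admits 400 characters, twice the
 * real capacity. */
#define BUF_WCHARS 200u
static uint16_t wide_buf[BUF_WCHARS];

bool wide_check_bytes(uint32_t n_chars)     /* vulnerable check */
{
    return n_chars <= sizeof(wide_buf);     /* 400 bytes vs. a char count */
}

bool wide_check_chars(uint32_t n_chars)     /* corrected check */
{
    return n_chars <= sizeof(wide_buf) / sizeof(wide_buf[0]);
}
```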