1 | Vulnerable function | |
; Reviewer notes (added): hand-annotated OllyDbg listing (x86-32, MSVC-style frame).
; "S" below means ESP right after the SUB ESP,10C; the [ESP+n] offsets in the code
; shift by however many dwords have been pushed at that point.
; Roles: EBX   = arg1, out-pointer for the 16-bit palette entry count (written at 01744A37)
;        ESI   = arg2, reader object: vtable slot +18 is called with ECX=ESI and a byte
;                count, and on return EAX points at the bytes read (dereferenced at 01744A06)
;        [S]   = arg3, destination palette buffer (stored at 017449E4, reloaded at 01744AC8)
;        [S+4] = flag = (first 16-bit header word) & 8000 (stored at 01744A7A)
;        EBP   = loop counter; EDI = entry index, then the computed write pointer
; Defect: the range check at 01744AA9/01744AAC only emits a message when index >= count;
; it falls through to 01744ABD and the three byte stores still use the out-of-range index.
; Even the in-range case is bounded only by the count read from the file, not by the
; real size of the caller's buffer (not visible here).
2 | 017449B0 /$ 81EC 0C010000 SUB ESP,10C ; 0x10C bytes of locals; cookie at [S+108], sprintf buffer at [S+8] | |
3 | 017449B6 |. A1 9400AC01 MOV EAX,DWORD PTR DS:[1AC0094] ; global cookie value (XORed with ESP below) | |
4 | 017449BB |. 33C4 XOR EAX,ESP | |
5 | 017449BD |. 898424 080100 MOV DWORD PTR SS:[ESP+108],EAX ; Set stack Cookie | |
6 | 017449C4 |. 8B8424 180100 MOV EAX,DWORD PTR SS:[ESP+118] ; EAX = arg3 (return address sits at [S+10C]) | |
7 | 017449CB |. 53 PUSH EBX | |
8 | 017449CC |. 8B9C24 140100 MOV EBX,DWORD PTR SS:[ESP+114] ; EBX = arg1 (count out-pointer) | |
9 | 017449D3 |. 55 PUSH EBP | |
10 | 017449D4 |. 56 PUSH ESI | |
11 | 017449D5 |. 8BB424 200100 MOV ESI,DWORD PTR SS:[ESP+120] ; ESI = arg2 (reader object) | |
12 | 017449DC |. 57 PUSH EDI | |
13 | 017449DD |. 68 38709D01 PUSH OFFSET 019D7038 ; string argument for 01734330 (body not in the listing) | |
14 | 017449E2 |. 6A 03 PUSH 3 | |
15 | 017449E4 |. 894424 18 MOV DWORD PTR SS:[ESP+18],EAX ; [S] = arg3 = palette buffer pointer | |
16 | 017449E8 |. E8 43F9FEFF CALL 01734330 ; Ignore (trace/log call, not shown) | |
17 | 017449ED |. 8B16 MOV EDX,DWORD PTR DS:[ESI] ; EDX = vtable of the reader | |
18 | 017449EF |. 8B42 18 MOV EAX,DWORD PTR DS:[EDX+18] ; EAX = read method (slot +18) | |
19 | 017449F2 |. 83C4 08 ADD ESP,8 ; pop the two args of 01734330 (caller-cleaned) | |
20 | 017449F5 |. 6A 04 PUSH 4 | |
21 | 017449F7 |. 8BCE MOV ECX,ESI | |
22 | 017449F9 |. FFD0 CALL EAX ; Read 4 bytes from file (return value never used) | |
23 | 017449FB |. 8B16 MOV EDX,DWORD PTR DS:[ESI] | |
24 | 017449FD |. 8B42 18 MOV EAX,DWORD PTR DS:[EDX+18] | |
25 | 01744A00 |. 6A 02 PUSH 2 | |
26 | 01744A02 |. 8BCE MOV ECX,ESI | |
27 | 01744A04 |. FFD0 CALL EAX ; Read 2 bytes from file; EAX -> the bytes | |
28 | 01744A06 |. 0FB608 MOVZX ECX,BYTE PTR DS:[EAX] | |
29 | 01744A09 |. 66:0FB650 01 MOVZX DX,BYTE PTR DS:[EAX+1] | |
30 | 01744A0E |. 8B06 MOV EAX,DWORD PTR DS:[ESI] | |
31 | 01744A10 |. 66:C1E1 08 SHL CX,8 | |
32 | 01744A14 |. 66:03CA ADD CX,DX ; CX = (b0<<8)|b1, the first header word | |
33 | 01744A17 |. 8B50 18 MOV EDX,DWORD PTR DS:[EAX+18] | |
34 | 01744A1A |. 0FB7F9 MOVZX EDI,CX ; EDI = header word (only bit 15 is used, see 01744A74) | |
35 | 01744A1D |. 6A 02 PUSH 2 | |
36 | 01744A1F |. 8BCE MOV ECX,ESI | |
37 | 01744A21 |. FFD2 CALL EDX ; Read 2 bytes from file (entry count minus one) | |
38 | 01744A23 |. 66:0FB608 MOVZX CX,BYTE PTR DS:[EAX] | |
39 | 01744A27 |. 66:0FB640 01 MOVZX AX,BYTE PTR DS:[EAX+1] | |
40 | 01744A2C |. 66:C1E1 08 SHL CX,8 | |
41 | 01744A30 |. 66:03C8 ADD CX,AX ; CX = (b0<<8)|b1 | |
42 | 01744A33 |. 66:83C1 01 ADD CX,1 ; 16-bit add: a file value of FFFF wraps to 0 | |
43 | 01744A37 |. 66:890B MOV WORD PTR DS:[EBX],CX ; *arg1 = palette entry count (file-controlled) | |
44 | 01744A3A |. 0FB7C9 MOVZX ECX,CX | |
45 | 01744A3D |. 51 PUSH ECX ; count, as the sprintf argument | |
46 | 01744A3E |. 8D5424 1C LEA EDX,[ESP+1C] ; EDX = local buffer at S+8 (0x100 bytes below the cookie) | |
47 | 01744A42 |. 68 24709D01 PUSH OFFSET 019D7024 ; format string (contents not shown) | |
48 | 01744A47 |. 52 PUSH EDX | |
49 | 01744A48 |. FF15 AC409701 CALL DWORD PTR DS:[<&MSVCR80.sprintf>] ; unbounded sprintf into the fixed-size local; safe only if the format is short | |
50 | 01744A4E |. 8D4424 24 LEA EAX,[ESP+24] ; same local buffer (ESP moved by the pushes) | |
51 | 01744A52 |. 50 PUSH EAX | |
52 | 01744A53 |. 6A 02 PUSH 2 | |
53 | 01744A55 |. E8 D6F8FEFF CALL 01734330 ; Ignore | |
54 | 01744A5A |. 68 10709D01 PUSH OFFSET 019D7010 | |
55 | 01744A5F |. 6A 03 PUSH 3 | |
56 | 01744A61 |. E8 CAF8FEFF CALL 01734330 ; Ignore | |
57 | 01744A66 |. 33ED XOR EBP,EBP ; counter = 0 | |
58 | 01744A68 |. 83C4 1C ADD ESP,1C ; pop the 7 dwords pushed since 01744A3D | |
59 | 01744A6B |. 66:392B CMP WORD PTR DS:[EBX],BP ; count == 0 ? | |
60 | 01744A6E |. 0F86 B4000000 JBE 01744B28 ; nothing to read -> epilogue | |
61 | 01744A74 |. 81E7 00800000 AND EDI,00008000 ; keep only bit 15 of the first header word | |
62 | 01744A7A |. 897C24 14 MOV DWORD PTR SS:[ESP+14],EDI ; [S+4] = flag | |
63 | 01744A7E |. 8BFF MOV EDI,EDI ; 2-byte nop (loop-top padding) | |
64 | 01744A80 |> 8B16 /MOV EDX,DWORD PTR DS:[ESI] ; loop: one palette entry per iteration | |
65 | 01744A82 |. 8B42 18 |MOV EAX,DWORD PTR DS:[EDX+18] | |
66 | 01744A85 |. 6A 02 |PUSH 2 | |
67 | 01744A87 |. 8BCE |MOV ECX,ESI | |
68 | 01744A89 |. FFD0 |CALL EAX ; Read 2 bytes from file (index) | |
69 | 01744A8B |. 66:0FB608 |MOVZX CX,BYTE PTR DS:[EAX] | |
70 | 01744A8F |. 66:0FB650 01 |MOVZX DX,BYTE PTR DS:[EAX+1] | |
71 | 01744A94 |. 66:C1E1 08 |SHL CX,8 | |
72 | 01744A98 |. 66:03CA |ADD CX,DX ; Index is in CX | |
73 | 01744A9B |. 66:837C24 14 |CMP WORD PTR SS:[ESP+14],0 ; flag set ? | |
74 | 01744AA1 |. 0FB7F9 |MOVZX EDI,CX ; EDI = index as supplied by the file | |
75 | 01744AA4 |. 74 03 |JE SHORT 01744AA9 ; flag clear -> keep the file-supplied index | |
76 | 01744AA6 |. 0FB7FD |MOVZX EDI,BP ; flag set -> index = counter (sequential entries) | |
77 | 01744AA9 |> 66:3B3B |CMP DI,WORD PTR DS:[EBX] ; index < count ? (count itself came from the file) | |
78 | 01744AAC |. 72 0F |JB SHORT 01744ABD ; in range -> go write | |
79 | 01744AAE |. 68 E46F9D01 |PUSH OFFSET 019D6FE4 ; out of range: only a message is emitted | |
80 | 01744AB3 |. 6A 02 |PUSH 2 | |
81 | 01744AB5 |. E8 D6F9FEFF |CALL 01734490 ; reports the bad index but does not abort or skip | |
82 | 01744ABA |. 83C4 08 |ADD ESP,8 ; ...and FALLS THROUGH to 01744ABD with EDI still out of range | |
83 | 01744ABD |> 8B06 |MOV EAX,DWORD PTR DS:[ESI] ; write path (reached for both in- and out-of-range indices) | |
84 | 01744ABF |. 8B50 18 |MOV EDX,DWORD PTR DS:[EAX+18] | |
85 | 01744AC2 |. 6A 02 |PUSH 2 | |
86 | 01744AC4 |. 8BCE |MOV ECX,ESI | |
87 | 01744AC6 |. FFD2 |CALL EDX ; Read 2 bytes from file (R) | |
88 | 01744AC8 |. 8B5424 10 |MOV EDX,DWORD PTR SS:[ESP+10] ; EDX = palette buffer ([S]) | |
89 | 01744ACC |. 0FB7CF |MOVZX ECX,DI ; ECX = index (0..FFFF) | |
90 | 01744ACF |. 8D3C8A |LEA EDI,[ECX*4+EDX] ; EDI = palette + index*4 (up to 3FFFC past the base; nothing here checks the real buffer size) | |
91 | 01744AD2 |. 0FB608 |MOVZX ECX,BYTE PTR DS:[EAX] | |
92 | 01744AD5 |. 0FB650 01 |MOVZX EDX,BYTE PTR DS:[EAX+1] | |
93 | 01744AD9 |. 66:C1E1 08 |SHL CX,8 | |
94 | 01744ADD |. 66:03CA |ADD CX,DX | |
95 | 01744AE0 |. 886F 02 |MOV BYTE PTR DS:[EDI+2],CH ; palette[index] byte 2 = high byte of R | |
96 | 01744AE3 |. 8B06 |MOV EAX,DWORD PTR DS:[ESI] | |
97 | 01744AE5 |. 8B50 18 |MOV EDX,DWORD PTR DS:[EAX+18] | |
98 | 01744AE8 |. 6A 02 |PUSH 2 | |
99 | 01744AEA |. 8BCE |MOV ECX,ESI | |
100 | 01744AEC |. FFD2 |CALL EDX ; Read 2 bytes from file (G) | |
101 | 01744AEE |. 0FB608 |MOVZX ECX,BYTE PTR DS:[EAX] | |
102 | 01744AF1 |. 0FB650 01 |MOVZX EDX,BYTE PTR DS:[EAX+1] | |
103 | 01744AF5 |. 66:C1E1 08 |SHL CX,8 | |
104 | 01744AF9 |. 66:03CA |ADD CX,DX | |
105 | 01744AFC |. 886F 01 |MOV BYTE PTR DS:[EDI+1],CH ; palette[index] byte 1 = high byte of G | |
106 | 01744AFF |. 8B06 |MOV EAX,DWORD PTR DS:[ESI] | |
107 | 01744B01 |. 8B50 18 |MOV EDX,DWORD PTR DS:[EAX+18] | |
108 | 01744B04 |. 6A 02 |PUSH 2 | |
109 | 01744B06 |. 8BCE |MOV ECX,ESI | |
110 | 01744B08 |. FFD2 |CALL EDX ; Read 2 bytes from file (B) | |
111 | 01744B0A |. 0FB608 |MOVZX ECX,BYTE PTR DS:[EAX] | |
112 | 01744B0D |. 0FB650 01 |MOVZX EDX,BYTE PTR DS:[EAX+1] | |
113 | 01744B11 |. 66:C1E1 08 |SHL CX,8 | |
114 | 01744B15 |. 66:03CA |ADD CX,DX | |
115 | 01744B18 |. 882F |MOV BYTE PTR DS:[EDI],CH ; palette[index] byte 0 = high byte of B | |
116 | 01744B1A |. 0FB703 |MOVZX EAX,WORD PTR DS:[EBX] ; EAX = count (re-read from *arg1 every iteration) | |
117 | 01744B1D |. 83C5 01 |ADD EBP,1 ; Increment counter | |
118 | 01744B20 |. 3BE8 |CMP EBP,EAX ; loop while counter < count (signed compare; both values are <= FFFF) | |
119 | 01744B22 |.^ 0F8C 58FFFFFF \JL 01744A80 | |
120 | 01744B28 |> 8B8C24 180100 MOV ECX,DWORD PTR SS:[ESP+118] ; ECX = saved cookie ([S+108]) | |
121 | 01744B2F |. 5F POP EDI | |
122 | 01744B30 |. 5E POP ESI | |
123 | 01744B31 |. 5D POP EBP | |
124 | 01744B32 |. 5B POP EBX | |
125 | 01744B33 |. 33CC XOR ECX,ESP | |
126 | 01744B35 |. E8 C2CD1800 CALL 018D18FC ; Check stack cookie (guards this frame's locals only, not the palette writes through arg3) | |
127 | 01744B3A |. 81C4 0C010000 ADD ESP,10C | |
128 | 01744B40 \. C2 0C00 RETN 0C ; callee pops the 3 dword args (stdcall-style) | |
129 | 01744B43 CC INT3 |