View difference between Paste ID: VSQBU8ZQ and MWrB2zrx
1
Vulnerable function 
2
017449B0  /$  81EC 0C010000 SUB ESP,10C
3
017449B6  |.  A1 9400AC01   MOV EAX,DWORD PTR DS:[1AC0094]
4
017449BB  |.  33C4          XOR EAX,ESP
5
017449BD  |.  898424 080100 MOV DWORD PTR SS:[ESP+108],EAX           ; Set stack Cookie
6
017449C4  |.  8B8424 180100 MOV EAX,DWORD PTR SS:[ESP+118]
7
017449CB  |.  53            PUSH EBX
8
017449CC  |.  8B9C24 140100 MOV EBX,DWORD PTR SS:[ESP+114]
9
017449D3  |.  55            PUSH EBP
10
017449D4  |.  56            PUSH ESI
11
017449D5  |.  8BB424 200100 MOV ESI,DWORD PTR SS:[ESP+120]
12
017449DC  |.  57            PUSH EDI
13
017449DD  |.  68 38709D01   PUSH OFFSET 019D7038
14
017449E2  |.  6A 03         PUSH 3
15
017449E4  |.  894424 18     MOV DWORD PTR SS:[ESP+18],EAX
16
017449E8  |.  E8 43F9FEFF   CALL 01734330                            ; Ignore
17
017449ED  |.  8B16          MOV EDX,DWORD PTR DS:[ESI]
18
017449EF  |.  8B42 18       MOV EAX,DWORD PTR DS:[EDX+18]
19
017449F2  |.  83C4 08       ADD ESP,8
20
017449F5  |.  6A 04         PUSH 4
21
017449F7  |.  8BCE          MOV ECX,ESI
22
017449F9  |.  FFD0          CALL EAX                                 ; Read 4 bytes from file
23
017449FB  |.  8B16          MOV EDX,DWORD PTR DS:[ESI]
24
017449FD  |.  8B42 18       MOV EAX,DWORD PTR DS:[EDX+18]
25
01744A00  |.  6A 02         PUSH 2
26
01744A02  |.  8BCE          MOV ECX,ESI
27
01744A04  |.  FFD0          CALL EAX                                 ; Read 2 bytes from file
28
01744A06  |.  0FB608        MOVZX ECX,BYTE PTR DS:[EAX]
29
01744A09  |.  66:0FB650 01  MOVZX DX,BYTE PTR DS:[EAX+1]
30
01744A0E  |.  8B06          MOV EAX,DWORD PTR DS:[ESI]
31
01744A10  |.  66:C1E1 08    SHL CX,8
32
01744A14  |.  66:03CA       ADD CX,DX
33
01744A17  |.  8B50 18       MOV EDX,DWORD PTR DS:[EAX+18]
34
01744A1A  |.  0FB7F9        MOVZX EDI,CX
35
01744A1D  |.  6A 02         PUSH 2
36
01744A1F  |.  8BCE          MOV ECX,ESI
37
01744A21  |.  FFD2          CALL EDX                                 ; Read 2 bytes from file
38
01744A23  |.  66:0FB608     MOVZX CX,BYTE PTR DS:[EAX]
39
01744A27  |.  66:0FB640 01  MOVZX AX,BYTE PTR DS:[EAX+1]
40
01744A2C  |.  66:C1E1 08    SHL CX,8
41
01744A30  |.  66:03C8       ADD CX,AX
42
01744A33  |.  66:83C1 01    ADD CX,1
43
01744A37  |.  66:890B       MOV WORD PTR DS:[EBX],CX                 ; palette size in CX
44
01744A3A  |.  0FB7C9        MOVZX ECX,CX
45
01744A3D  |.  51            PUSH ECX
46
01744A3E  |.  8D5424 1C     LEA EDX,[ESP+1C]
47
01744A42  |.  68 24709D01   PUSH OFFSET 019D7024
48
01744A47  |.  52            PUSH EDX
49
01744A48  |.  FF15 AC409701 CALL DWORD PTR DS:[<&MSVCR80.sprintf>]
50
01744A4E  |.  8D4424 24     LEA EAX,[ESP+24]
51
01744A52  |.  50            PUSH EAX
52
01744A53  |.  6A 02         PUSH 2
53
01744A55  |.  E8 D6F8FEFF   CALL 01734330                            ; Ignore
54
01744A5A  |.  68 10709D01   PUSH OFFSET 019D7010
55
01744A5F  |.  6A 03         PUSH 3
56
01744A61  |.  E8 CAF8FEFF   CALL 01734330                            ; Ignore
57
01744A66  |.  33ED          XOR EBP,EBP
58
01744A68  |.  83C4 1C       ADD ESP,1C
59
01744A6B  |.  66:392B       CMP WORD PTR DS:[EBX],BP
60
01744A6E  |.  0F86 B4000000 JBE 01744B28
61
01744A74  |.  81E7 00800000 AND EDI,00008000
62
01744A7A  |.  897C24 14     MOV DWORD PTR SS:[ESP+14],EDI
63
01744A7E  |.  8BFF          MOV EDI,EDI
64
01744A80  |>  8B16          /MOV EDX,DWORD PTR DS:[ESI]
65
01744A82  |.  8B42 18       |MOV EAX,DWORD PTR DS:[EDX+18]
66
01744A85  |.  6A 02         |PUSH 2
67
01744A87  |.  8BCE          |MOV ECX,ESI
68
01744A89  |.  FFD0          |CALL EAX                                ; Read 2 bytes from file (index)
69
01744A8B  |.  66:0FB608     |MOVZX CX,BYTE PTR DS:[EAX]
70
01744A8F  |.  66:0FB650 01  |MOVZX DX,BYTE PTR DS:[EAX+1]
71
01744A94  |.  66:C1E1 08    |SHL CX,8
72
01744A98  |.  66:03CA       |ADD CX,DX                               ; Index is in CX
73
01744A9B  |.  66:837C24 14  |CMP WORD PTR SS:[ESP+14],0
74
01744AA1  |.  0FB7F9        |MOVZX EDI,CX
75
01744AA4  |.  74 03         |JE SHORT 01744AA9                       ; Check if Size is Zero
76
01744AA6  |.  0FB7FD        |MOVZX EDI,BP                            ; BP,EDI: counter
77
01744AA9  |>  66:3B3B       |CMP DI,WORD PTR DS:[EBX]                ; Check if counter is less than size
78
01744AAC  |.  72 0F         |JB SHORT 01744ABD
79
01744AAE  |.  68 E46F9D01   |PUSH OFFSET 019D6FE4
80
01744AB3  |.  6A 02         |PUSH 2
81
01744AB5  |.  E8 D6F9FEFF   |CALL 01734490                           ; Ignore
82
01744ABA  |.  83C4 08       |ADD ESP,8
83
01744ABD  |>  8B06          |MOV EAX,DWORD PTR DS:[ESI]
84
01744ABF  |.  8B50 18       |MOV EDX,DWORD PTR DS:[EAX+18]
85
01744AC2  |.  6A 02         |PUSH 2
86
01744AC4  |.  8BCE          |MOV ECX,ESI
87
01744AC6  |.  FFD2          |CALL EDX                                ; Read 2 bytes from file (R)
88
01744AC8  |.  8B5424 10     |MOV EDX,DWORD PTR SS:[ESP+10]
89
01744ACC  |.  0FB7CF        |MOVZX ECX,DI
90
01744ACF  |.  8D3C8A        |LEA EDI,[ECX*4+EDX]                     ;Pointer in the palette where to write
91
01744AD2  |.  0FB608        |MOVZX ECX,BYTE PTR DS:[EAX]
92
01744AD5  |.  0FB650 01     |MOVZX EDX,BYTE PTR DS:[EAX+1]
93
01744AD9  |.  66:C1E1 08    |SHL CX,8
94
01744ADD  |.  66:03CA       |ADD CX,DX
95
01744AE0  |.  886F 02       |MOV BYTE PTR DS:[EDI+2],CH              ; Write byte to pointer+2
96
01744AE3  |.  8B06          |MOV EAX,DWORD PTR DS:[ESI]
97
01744AE5  |.  8B50 18       |MOV EDX,DWORD PTR DS:[EAX+18]
98
01744AE8  |.  6A 02         |PUSH 2
99
01744AEA  |.  8BCE          |MOV ECX,ESI
100
01744AEC  |.  FFD2          |CALL EDX                                ; Read 2 bytes from file (G)
101
01744AEE  |.  0FB608        |MOVZX ECX,BYTE PTR DS:[EAX]
102
01744AF1  |.  0FB650 01     |MOVZX EDX,BYTE PTR DS:[EAX+1]
103
01744AF5  |.  66:C1E1 08    |SHL CX,8
104
01744AF9  |.  66:03CA       |ADD CX,DX
105
01744AFC  |.  886F 01       |MOV BYTE PTR DS:[EDI+1],CH              ; Write byte to pointer+1
106
01744AFF  |.  8B06          |MOV EAX,DWORD PTR DS:[ESI]
107
01744B01  |.  8B50 18       |MOV EDX,DWORD PTR DS:[EAX+18]
108
01744B04  |.  6A 02         |PUSH 2
109
01744B06  |.  8BCE          |MOV ECX,ESI
110
01744B08  |.  FFD2          |CALL EDX                                ; Read 2 bytes from file (B)
111
01744B0A  |.  0FB608        |MOVZX ECX,BYTE PTR DS:[EAX]
112
01744B0D  |.  0FB650 01     |MOVZX EDX,BYTE PTR DS:[EAX+1]
113
01744B11  |.  66:C1E1 08    |SHL CX,8
114
01744B15  |.  66:03CA       |ADD CX,DX
115
01744B18  |.  882F          |MOV BYTE PTR DS:[EDI],CH                ; Write byte to pointer
116
01744B1A  |.  0FB703        |MOVZX EAX,WORD PTR DS:[EBX]
117
01744B1D  |.  83C5 01       |ADD EBP,1                               ; Increment counter
118
01744B20  |.  3BE8          |CMP EBP,EAX                             ; get out if counter > size
119
01744B22  |.^ 0F8C 58FFFFFF \JL 01744A80
120
01744B28  |>  8B8C24 180100 MOV ECX,DWORD PTR SS:[ESP+118]
121
01744B2F  |.  5F            POP EDI
122
01744B30  |.  5E            POP ESI
123
01744B31  |.  5D            POP EBP
124
01744B32  |.  5B            POP EBX
125
01744B33  |.  33CC          XOR ECX,ESP
126
01744B35  |.  E8 C2CD1800   CALL 018D18FC                            ; Check stack cookie
127
01744B3A  |.  81C4 0C010000 ADD ESP,10C
128
01744B40  \.  C2 0C00       RETN 0C
129
01744B43      CC            INT3
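Review bot: The range check at 01744AA9–01744AAC does not stop the write: when `JB` is not taken, the code only calls 01734490 (commented "Ignore") and, judging by the `ADD ESP,8` that follows, falls through to 01744ABD, where the three `MOV BYTE PTR DS:[EDI+n],CH` stores still target `[ECX*4+EDX]` using the rejected index. When the flag word at [ESP+14] is zero, that index is the 16-bit value just read from the file, so the stores can land well outside the palette buffer whose pointer is loaded from [ESP+10]; the failure path should leave the loop (reach the epilogue at 01744B28) or skip the entry rather than continue. The bound itself, `WORD PTR DS:[EBX]`, is also file-derived (second header word plus one, stored at 01744A37), and nothing in this listing compares it with the real capacity of the destination, so that comparison has to exist in the caller or be added here. The comment at 01744AA4 is misleading, because the test is on the first header word masked with 8000 and not on the size; it would read better as `; bit 15 of first header word clear -> use index from file, else loop counter`. Likewise, the comment at 01744B20 should say the loop continues while counter < size (signed `JL`).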