heya all,
I was wondering if there is another way to change EIP except a Jxx instruction (if possible)
i.e.:

jmp start
jmp end
mov eax,ebx
nop
nop <---
start: <---
mov ecx,12 <-- EIP (I want to trace backward)
end:

Now I want to go up, to the nop instruction, instead of down.
Is such a thing possible?
Posted on 2003-08-09 04:52:27 by wizzra
I can think of jmp, call, ret, but they almost do the same as jxx. :/
Posted on 2003-08-09 05:10:32 by scientica
Hi,

When you do a call instruction, the return address is pushed on the stack. If you modify it, the next ret instruction will set EIP to the modified address.

For example:

jmp start
jmp enda
mov eax,ebx
nop
a:
nop
start:
mov ecx,12
call b                      ; pushes the address of b as the return address
b: ; eip is on the stack

sub DWORD PTR [esp], b-a    ; modify the return address on the stack to point to a
ret                         ; pops the patched address: execution resumes at a
enda:

Posted on 2003-08-09 12:25:31 by Dr. Manhattan
That's why I said almost: they modify EIP, but call and ret modify the stack in addition to that.
Posted on 2003-08-09 12:54:16 by scientica
There was once a thread here about it, called "How can i read and write to the EIP Reg", that I've saved to my HDD. Here are quotes:

>
A way of doing mov eip, something:

push eax
ret
>
mov eip,reg <==> JMP reg
>
These simple ways entered my mind for "writing" to EIP:
jmp AnyAddress
jcc AnyAddress
call AnyAddress

push AnyAddress
ret
>
To read EIP, you could use:
call t
t:
pop eax ;address of this instruction in eax

Posted on 2003-08-09 13:16:41 by Ultrano
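The three tricks from this thread, Dr. Manhattan's patched return address (call, sub [esp], ret) and Ultrano's push/ret write and call/pop read, in one runnable file. This is an added example, not code from the thread or from any of its posters. It assumes GCC or Clang inline assembly on x86-64 Linux (System V ABI), so the register is RIP rather than EIP and the stack pointer is RSP; the `sub $128, %rsp` / `add $128, %rsp` pairs are there because the ABI lets the compiler keep locals in the 128-byte red zone below RSP, which a push or call inside inline asm would otherwise overwrite. Each function returns a marker that proves which path the processor took.

```c
/* Added example (not from the thread): GCC/Clang inline asm, x86-64 only.
 * Assumes the System V ABI, hence the red-zone stepping around push/call. */
#include <stdint.h>
#include <stdio.h>

#if !defined(__x86_64__) || !defined(__GNUC__)
#error "this example assumes GCC or Clang on x86-64"
#endif

/* "Read EIP" (Ultrano's call/pop): call pushes the return address, pop
 * retrieves it. Returns the address of the instruction after the call. */
uintptr_t read_ip(void)
{
    uintptr_t ip;
    __asm__ volatile (
        "sub  $128, %%rsp\n\t"      /* step past the red zone */
        "call 1f\n\t"               /* pushes the address of label 1 */
        "1: pop  %0\n\t"            /* ... which is our RIP */
        "add  $128, %%rsp\n\t"
        : "=r"(ip) : : "memory", "cc");
    return ip;
}

/* "mov eip, x" (Ultrano's push/ret): push the target, ret pops it into RIP.
 * The mov after ret is never executed, so the marker stays 0. */
int push_ret_jump(void)
{
    uintptr_t target, marker;
    __asm__ volatile (
        "sub  $128, %%rsp\n\t"
        "xor  %1, %1\n\t"           /* marker = 0 */
        "lea  1f(%%rip), %0\n\t"    /* address of the local label below */
        "push %0\n\t"
        "ret\n\t"                   /* RIP = target: the next mov is skipped */
        "mov  $1, %1\n\t"           /* only runs if ret fell through (it cannot) */
        "1: add  $128, %%rsp\n\t"
        : "=&r"(target), "=&r"(marker) : : "memory", "cc");
    (void)target;
    return (int)marker;
}

/* Dr. Manhattan's trick: call pushes RIP, the return slot is patched to an
 * earlier label, ret goes backward. Unlike the thread's fragment, label 2
 * jumps out afterwards so the call is not executed a second time.
 * Returns 1 only if label 2 (the 'a:' of the thread) ran. */
int ret_backward(void)
{
    uintptr_t marker;
    __asm__ volatile (
        "sub  $128, %%rsp\n\t"
        "xor  %0, %0\n\t"
        "jmp  3f\n\t"                     /* 'jmp start' */
        "2: mov  $1, %0\n\t"              /* 'a:' -- above the call */
        "jmp  4f\n\t"                     /* 'jmp enda' */
        "3: call 1f\n\t"                  /* 'start: call b' */
        "1: subq $(1b-2b), (%%rsp)\n\t"   /* 'sub [esp], b-a': slot now = label 2 */
        "ret\n\t"                         /* backward 'jump' */
        "4: add  $128, %%rsp\n\t"
        : "=&r"(marker) : : "memory", "cc");
    return (int)marker;
}

int main(void)
{
    printf("RIP read via call/pop:           %#lx\n", (unsigned long)read_ip());
    printf("push/ret skipped the mov:        marker = %d\n", push_ret_jump());
    printf("call/sub [rsp]/ret went backward: marker = %d\n", ret_backward());
    return 0;
}
```

Two caveats worth knowing before using any of this outside a demo: a ret whose target does not match the preceding call defeats the return-address predictor (a performance hit, not a correctness problem), and in a process running with a CET shadow stack the mismatched ret in `push_ret_jump` and `ret_backward` raises a control-protection fault instead of transferring control.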
thnx all :)
Posted on 2003-08-09 14:31:03 by wizzra
Ah! I remember another, non-standard one, that doesn't involve jmp/call/ret :)
You put an exception handler, and the "safe point" will be the destination. Then make some error like xor ecx,ecx / div ecx and you'll have an error-handling function (you have to write it!) called, that will read where to go, and after it exits the OS will set EIP to that :). You can use this method as protection against cracking.
Posted on 2003-08-10 00:25:31 by Ultrano
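The exception-handler route from the post above, done with the Linux signal-handler equivalent rather than a Windows exception handler. This is an added example, not code from the thread or its posters. It assumes Linux on x86-64 with glibc (the `gregs[REG_RIP]` slot of the saved `ucontext_t` is glibc's layout; the fallback index 16 is likewise an assumption about glibc) and GCC or Clang inline asm. A deliberate `div` by zero raises SIGFPE; the handler overwrites the saved RIP with the "safe point", and when it returns the kernel resumes there instead of re-executing the faulting instruction.

```c
/* Added example (not from the thread): Linux/x86-64, glibc, GCC/Clang.
 * Assumes glibc's ucontext layout for the saved registers. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

#if !defined(__x86_64__) || !defined(__linux__)
#error "this example assumes Linux on x86-64"
#endif
#ifndef REG_RIP
#define REG_RIP 16   /* glibc's index of RIP in gregs[] (assumption) */
#endif

volatile uintptr_t safe_point;   /* where the handler sends execution */
volatile int faults_seen;        /* how many times the handler ran */

/* The "error-handling function (you have to write it!)". It reads where to
 * go (safe_point) and patches the saved RIP; after it returns, the kernel
 * restores the patched context, so "the OS will set the EIP to that". */
static void on_sigfpe(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    (void)sig; (void)si;
    faults_seen++;
    uc->uc_mcontext.gregs[REG_RIP] = (greg_t)safe_point;
}

/* Returns 0 if control arrived at the safe point via the fault,
 * 1 if the div somehow fell through, -1 if the handler could not be set. */
int exception_jump(void)
{
    struct sigaction sa, old;
    uintptr_t marker;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigfpe;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGFPE, &sa, &old) != 0)
        return -1;

    __asm__ volatile (
        "lea  1f(%%rip), %0\n\t"    /* safe point = local label 1 */
        "mov  %0, %1\n\t"           /* publish it for the handler */
        "xor  %0, %0\n\t"           /* marker = 0 */
        "xor  %%ecx, %%ecx\n\t"     /* 'xor ecx,ecx' */
        "xor  %%eax, %%eax\n\t"
        "xor  %%edx, %%edx\n\t"
        "div  %%ecx\n\t"            /* 'div ecx': #DE -> SIGFPE -> handler */
        "mov  $1, %0\n\t"           /* skipped: RIP was moved past it */
        "1:\n\t"
        : "=&r"(marker), "=m"(safe_point)
        : : "rax", "rcx", "rdx", "memory", "cc");

    sigaction(SIGFPE, &old, NULL);
    return (int)marker;
}

int main(void)
{
    int m = exception_jump();
    printf("div by zero handled, resumed at safe point: marker = %d, faults = %d\n",
           m, faults_seen);
    return m == 0 ? 0 : 1;
}
```

Unlike the push/ret and patched-ret tricks, this one never executes a ret with a bad return address, so it coexists with a shadow stack; the price is that the safe point must be published somewhere the handler can find it, which is exactly what a debugger or patcher looks for when this is used as anti-tampering.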