Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: speaking of code crunching... (challenge)
From: Gadi Evron <ge () linuxbox org>
Date: Tue, 17 Oct 2006 05:39:02 -0500 (CDT)

On Mon, 16 Oct 2006, Gadi Evron wrote:
sort of challenge to see if someone else can get there first (without, 
say, making the URL shorter). :)

Crunched further....

New binary at 384 bytes is here:
http://ragestorm.net/tiny/tiny2.exe

Blog entry on how this was done is here:
http://blogs.securiteam.com/index.php/archives/679

The relevant text from the blog, a chat session log:

Arkon: The problem with that URLDownloadToFileA is that it creates another
thread,
Arkon: and that thread never terminates for some unknown reason to me.
Arkon: So I HAD to call ExitProcess and finish it, otherwise my process
will hang. :(
Arkon: But now what I'm going to do is raising a silent exception :x
Matthew: Just blow away the SEH chain and trigger an INT3.
Arkon: It will eliminate the string "ExitProcess" and the GetProcAddress
code for it as well.
Matthew:
MOV FS:[0], 0xFFFFFFFF
INT3
Matthew: BAM! :) Instant process death...
Arkon: This is too long.
Matthew:
PUSH 0
POP FS:[0]
Arkon: Nah
Matthew: XOR ESP, ESP might also do the trick :-)
Arkon: LOL!!!
Matthew:
XOR ESP, ESP
PUSH EAX
Arkon:
XCHG EAX, ESP
PUSH 0
Arkon: Wait I'm stupid, push 0 is 2 bytes long.
Arkon:
XCHG EAX, ESP
PUSH EAX
Arkon: 2 bytes ExitProcess OMFG
Matthew: You're a maniac

        Gadi.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]