Full Disclosure mailing list archives
Re: speaking of code crunching... (challenge)
From: Gadi Evron <ge () linuxbox org>
Date: Tue, 17 Oct 2006 05:39:02 -0500 (CDT)
On Mon, 16 Oct 2006, Gadi Evron wrote:
sort of challenge to see if someone else can get there first (without, say, making the URL shorter). :)
Crunched further.... New binary at 384 bytes is here: http://ragestorm.net/tiny/tiny2.exe
Blog entry on how this was done is here: http://blogs.securiteam.com/index.php/archives/679

The relevant text from the blog, a chat session log:

Arkon: The problem with that URLDownloadToFileA is that it creates another thread,
Arkon: and that thread never terminates for some unknown reason to me.
Arkon: So I HAD to call ExitProcess and finish it, otherwise my process will hang. :(
Arkon: But now what I'm going to do is raising a silent exception :x
Matthew: Just blow away the SEH chain and trigger an INT3.
Arkon: It will eliminate the string "ExitProcess" and the GetProcAddress code for it as well.
Matthew: MOV FS:[0], 0xFFFFFFFF
         INT3
Matthew: BAM! :) Instant process death...
Arkon: This is too long.
Matthew: PUSH 0
         POP FS:[0]
Arkon: Nah
Matthew: XOR ESP, ESP might also do the trick :-)
Arkon: LOL!!!
Matthew: XOR ESP, ESP
         PUSH EAX
Arkon: XCHG EAX, ESP
       PUSH 0
Arkon: Wait I'm stupid, push 0 is 2 bytes long.
Arkon: XCHG EAX, ESP
       PUSH EAX
Arkon: 2 bytes ExitProcess OMFG
Matthew: You're a maniac Gadi.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/