Metasploit mailing list archives

Re: What is the msfencode BufferRegister option used for?


From: Peter Van Eeckhoutte <peter.ve () corelan be>
Date: Fri, 29 Jul 2011 06:44:39 +0200

One of the first things most payloads do is retrieve their own position in memory, their absolute memory address. The routine that does this is often called a "getpc" routine.

If you can't use a getpc routine (because it contains bad chars), or if you don't want/need to use a getpc routine (because you can make one of the registers point exactly at the first byte of the payload at the time the payload starts to run), then you can use the BufferRegister option.

Some encoders (especially the alpha_* encoders) actually expect you to provide a BufferRegister. Without the BufferRegister, the encoded payload will be prepended with a non-alpha getpc routine.


Not sure why your exe crashes after executing the payload. What exitfunc did you use?

From: framework-bounces () spool metasploit com [mailto:framework-bounces () spool metasploit com] On Behalf Of Jordan Trover
Sent: Friday 29 July 2011 4:55
To: framework () spool metasploit com
Subject: [framework] What is the msfencode BufferRegister option used for?

I hope the question is not too stupid, but I just started learning MASM and I have ported one of the functions from syringe.c to MASM to execute payloads directly from code.


All the payloads I tested executed fine, but they all crashed the exe that launched them with a memory access violation right after finishing executing the payload. So I added an SE handler, but I still wasn't able to return to my code after the payload execution.


Then I tried encoding the payload and got the same result. But then I tried encoding and using the option BufferRegister=EAX; this time the payload throws an exception, but I am able to catch it and return.


I read on the Metasploit website that BufferRegister is "The register that points to the encoded payload", but I don't fully understand why using that option allows me to catch the exception and without it I can't.


Could someone give me an explanation of how the BufferRegister option is involved in the execution of the payload?

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
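An added illustration of the point Peter makes about getpc stubs and the alpha_* encoders. This is not code from the thread or from Metasploit's encoders: the two getpc stubs are standard x86 instruction encodings, but the "encoded" blob is a constructed placeholder for an alphanumeric encoder's output, the register list is an assumption, and the register-specific decoder prologue a real alpha_* encoder emits is left out. It shows why an alphanumeric encoder without a BufferRegister ends up with non-alphanumeric bytes in front of it, and why the simplest getpc stub (`call $+5`) is unusable when `\x00` is a bad char.

```python
"""Getpc stubs versus BufferRegister: what ends up in the buffer.

Constructed example, not Metasploit's own encoder code. The stub bytes are
real x86 encodings; SAMPLE_ENCODED is a placeholder for encoder output.
"""
import string
from typing import Optional, Set

# Two classic x86 getpc stubs. Each leaves an address inside the stub itself
# in EBX, which a decoder then uses to locate the encoded bytes that follow.
GETPC_CALL_POP = bytes.fromhex("e800000000" "5b")       # call $+5 ; pop ebx
GETPC_FNSTENV = bytes.fromhex("d9ee" "d97424f4" "5b")   # fldz ; fnstenv [esp-0xc] ; pop ebx

# Assumption: the eight x86 general-purpose registers are what BufferRegister
# may name; msfencode's actual accepted list may differ.
X86_REGS = {"EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP"}

ALNUM = frozenset(string.ascii_letters.encode() + string.digits.encode())

# Constructed stand-in for the output of an alphanumeric encoder: the only
# property that matters here is that every byte is [A-Za-z0-9].
SAMPLE_ENCODED = b"ConstructedAlphanumericEncodedPayload0123456789"


def is_alphanumeric(buf: bytes) -> bool:
    """True if every byte is [A-Za-z0-9], which is what alpha_* encoders promise."""
    return all(b in ALNUM for b in buf)


def bad_chars_in(buf: bytes, badchars: bytes) -> Set[int]:
    """Byte values from `badchars` that occur anywhere in `buf`."""
    return {b for b in buf if b in badchars}


def build_payload(encoded: bytes, buffer_register: Optional[str],
                  getpc: bytes = GETPC_FNSTENV) -> bytes:
    """Assemble the final buffer the way an alpha_* encoder does.

    Without a BufferRegister the decoder cannot know where it lives, so a
    getpc stub (which is not alphanumeric) is prepended. With a BufferRegister
    the caller promises that the named register already points at the first
    byte of the encoded blob when execution starts, so no stub is emitted.
    """
    if buffer_register is None:
        return getpc + encoded
    if buffer_register.upper() not in X86_REGS:
        raise ValueError("not an x86 general-purpose register: %s" % buffer_register)
    return encoded


def check(encoded: bytes, buffer_register: Optional[str], badchars: bytes,
          getpc: bytes = GETPC_FNSTENV) -> dict:
    """What a practitioner looks at before shipping: size, charset, bad chars."""
    payload = build_payload(encoded, buffer_register, getpc)
    return {
        "length": len(payload),
        "alphanumeric": is_alphanumeric(payload),
        "badchars": sorted(bad_chars_in(payload, badchars)),
    }


if __name__ == "__main__":
    # Typical bad-char set for a string-based overflow: NUL, LF, CR.
    for reg in (None, "EAX"):
        for name, stub in (("call/pop", GETPC_CALL_POP), ("fnstenv", GETPC_FNSTENV)):
            print("BufferRegister=%s stub=%s -> %s"
                  % (reg, name, check(SAMPLE_ENCODED, reg, b"\x00\x0a\x0d", stub)))
```

With no BufferRegister the buffer starts with the stub bytes, so it is no longer purely alphanumeric, and the `call $+5` variant additionally carries four `\x00` bytes, which is the "getpc routine contains bad chars" case from the reply; with `BufferRegister=EAX` the stub disappears and the buffer is exactly the encoder's alphanumeric output, which is only safe if EAX really does point at its first byte when it starts to run.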
