Re: speaking of code crunching... (challenge)

[vile <vileone () gmail com>]

you all are furry faggots.

On 10/17/06, Gadi Evron <ge () linuxbox org> wrote:
> On Mon, 16 Oct 2006, Gadi Evron wrote:
> > sort of challenge to see if someone else can get there first (without,
> > say, making the URL shorter). :)
>
> Crunched further....
>
> New binary at 384 bytes is here:
> http://ragestorm.net/tiny/tiny2.exe
>
> Blog entry on how this was done is here:
> http://blogs.securiteam.com/index.php/archives/679
>
> The relevant text from the blog, a chat session log:
>
> Arkon: The problem with that URLDownloadToFileA is that it creates another
> thread,
> Arkon: and that thread never terminates for some unknown reason to me.
> Arkon: So I HAD to call ExitProcess and finish it, otherwise my process
> will hang. :(
> Arkon: But now what I'm going to do is raising a silent exception :x
> Matthew: Just blow away the SEH chain and trigger an INT3.
> Arkon: It will eliminate the string "ExitProcess" and the GetProcAddress
> code for it as well.
> Matthew:
> MOV FS:[0], 0xFFFFFFFF
> INT3
> Matthew: BAM! :) Instant process death...
> Arkon: This is too long.
> Matthew:
> PUSH 0
> POP FS:[0]
> Arkon: Nah
> Matthew: XOR ESP, ESP might also do the trick :-)
> Arkon: LOL!!!
> Matthew:
> XOR ESP, ESP
> PUSH EAX
> Arkon:
> XCHG EAX, ESP
> PUSH 0
> Arkon: Wait I'm stupid, push 0 is 2 bytes long.
> Arkon:
> XCHG EAX, ESP
> PUSH EAX
> Arkon: 2 bytes ExitProcess OMFG
> Matthew: You're a maniac
>
>        Gadi.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/