Using encoded payload in executable

[c0r31mp4ct at gmail.com (C0r3 1mp4ct)]

You were right! The article says that it is important to have ecx
point to the base of decoder stub.
With that 5 extra instruction esp is popped into ecx. That is right.

But the payload still doesn't work:
"Access violation when reading 0xFFFFFFFF"

The last instruction which causes the error is POP SS after INC ESP.

On 6/8/07, mmiller at hick.org <mmiller at hick.org> wrote:
> On Fri, Jun 08, 2007 at 08:11:53AM +0200, C0r3 1mp4ct wrote:
> > Yes! The software that I am trying to exploit, converts the chars to
> > lowercase, just like with the ActiveX component mentioned in the
> > articlcle about this encoder.
> >
> > "The decoder stub is hardcoded to assume that ecx will hold the address."
> > Does it mean, that i have to put the address of the encoded payload
> > into ecx before the control transfers to it? I mean it isn't enough to
> > transfer to control with a JMP ESP, i need to have ECX store the
> > address too.
>
> There's a trick you can do to set ECX to ESP using pusha/popa.  Check
> out this paper for more details:
>
> http://uninformed.org/index.cgi?v=5&a=3&p=12
>
> Let me know if you still have problems getting it to work.