Vulnerability Development mailing list archives

Re: GetPC code (was: Shellcode from ASCII)


From: noir <noir () gsu linux org tr>
Date: Fri, 27 Jun 2003 23:22:15 +0300 (EEST)

"""
First thoughts on the second challenge: You can't use any of the call
opcodes, but you might be able to setup a quick exception handler in
the known mapped space. Cause a fault, and then find the address of
your fault causing instruction in the structure that's passed. (Again
I'm talking NT).

    I'm not sure this could be done (same problem) but, keep this in mind
anyway :-) [hint]

    gera
"""

I have spent a good 20 minutes on this; I don't have the solution yet due to
lack of time, but I thought this might be interesting for the list.

Basically, I'm simulating a floating point exception (division by zero) and
then grabbing the EIP (pc) from the exception record. PC is the location of
the fdivs instruction, since that instruction created the exception
condition, so we add 11 on top to make %eax point to the nop instruction.
(AT&T syntax)

        xor     %eax, %eax
        push    %eax
        fdivs   (%esp)
        fnstenv (%esp)
        mov     0xc(%esp), %eax
        add     $0xd, %eax
        nop


- noir

sup mate ? ;)
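Added note, not part of noir's message: the fnstenv trick above is also what a defender has to recognise, since the stored FPU instruction pointer being read straight back off the stack is a compact, well-known GetPC signature. The script below is an added example (not code from the thread). It hand-assembles the posted sequence into bytes (the encodings are taken from the Intel opcode tables, not from the message, which gives only AT&T mnemonics), checks that the 0xd immediate really is the distance from fdivs to the nop, and then scans arbitrary byte buffers for a D9 /6 (fnstenv) followed within a few bytes by a read of the FPU IP field at 0xc(%esp); it also accepts the equally common variant that stores the environment at -0xc(%esp) and pops the IP, which goes a step beyond the posted code. All sample buffers are constructed here.

```python
"""Signature scanner for the fnstenv-based GetPC sequence discussed in the thread."""

# Byte encodings of the instruction sequence from the message, assembled by hand
# (constructed for this example; 32-bit x86, GAS would emit the same bytes).
POSTED_SEQUENCE = bytes([
    0x31, 0xC0,              # xor     %eax, %eax
    0x50,                    # push    %eax
    0xD8, 0x34, 0x24,        # fdivs   (%esp)      <- address recorded as FPU IP
    0xD9, 0x34, 0x24,        # fnstenv (%esp)      <- dumps FPU env, IP at 0xc(%esp)
    0x8B, 0x44, 0x24, 0x0C,  # mov     0xc(%esp), %eax
    0x83, 0xC0, 0x0D,        # add     $0xd, %eax
    0x90,                    # nop                 <- %eax now points here
])

# Constructed benign buffer: f2xm1 (D9 F0, a register-form D9 /6) followed by the
# same mov; a scanner that only matched "D9 xx" would false-positive here.
BENIGN_SEQUENCE = bytes([0xD9, 0xF0, 0x8B, 0x44, 0x24, 0x0C, 0xD9, 0x04, 0x24])


def fip_adjustment():
    """Distance from the fdivs (what fnstenv records) to the nop in the posted code.
    This is the constant the add instruction must carry; it comes out as 13 == 0xd."""
    return POSTED_SEQUENCE.index(0x90) - POSTED_SEQUENCE.index(0xD8)


def _modrm_operand_len(buf, i):
    """Length of a ModRM-encoded *memory* operand at buf[i] (ModRM plus optional SIB
    and displacement), or None if it is a register form (mod == 3) or truncated.
    32-bit addressing only, which is all this sequence uses."""
    if i >= len(buf):
        return None
    modrm = buf[i]
    mod, rm = modrm >> 6, modrm & 7
    if mod == 3:
        return None
    length = 1
    if rm == 4:                      # SIB byte follows
        if i + 1 >= len(buf):
            return None
        length += 1
        if mod == 0 and (buf[i + 1] & 7) == 5:
            length += 4              # SIB with no base register: disp32
    elif mod == 0 and rm == 5:
        length += 4                  # [disp32]
    if mod == 1:
        length += 1
    elif mod == 2:
        length += 4
    return length if i + length <= len(buf) else None


def find_fnstenv_getpc(buf, window=8):
    """Return the offsets of every fnstenv/fstenv (D9 /6, memory form) whose stored
    FPU instruction pointer is read back within `window` bytes, either by
    `mov r32, 0xc(%esp)` (the posted form) or by `pop r32` after `fnstenv -0xc(%esp)`."""
    hits = []
    for i in range(len(buf) - 1):
        if buf[i] != 0xD9 or (buf[i + 1] >> 3) & 7 != 6:
            continue                 # not D9 /6
        n = _modrm_operand_len(buf, i + 1)
        if n is None:
            continue                 # register form (f2xm1, fdecstp, ...) or truncated
        after = buf[i + 1 + n: i + 1 + n + window]
        # mov r32, 0xc(%esp): 8B, ModRM 01 rrr 100 (any r32), SIB 0x24, disp8 0x0c
        mov_fip = any(
            after[k] == 0x8B
            and (after[k + 1] & 0xC7) == 0x44
            and after[k + 2] == 0x24
            and after[k + 3] == 0x0C
            for k in range(len(after) - 3)
        )
        # fnstenv -0xc(%esp) (D9 74 24 F4) puts the FPU IP at the top of the stack,
        # so a following pop r32 (0x58..0x5F) is the read-back.
        pop_fip = buf[i:i + 4] == b"\xD9\x74\x24\xF4" and any(0x58 <= b <= 0x5F for b in after)
        if mov_fip or pop_fip:
            hits.append(i)
    return hits


if __name__ == "__main__":
    print("fdivs -> nop distance: %#x" % fip_adjustment())
    print("posted sequence hits:", find_fnstenv_getpc(POSTED_SEQUENCE))
    print("benign sequence hits:", find_fnstenv_getpc(BENIGN_SEQUENCE))
```

The ModRM decoding is what keeps the false-positive rate sane: D9 with the reg field set to 6 is fnstenv only in its memory form, and the register forms (f2xm1, fptan, fdecstp and friends) show up in ordinary floating point code. A real IDS rule would additionally want to tolerate filler between the fnstenv and the read-back, which is what the `window` argument is for.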