Root cause analysis on unusual stack writing functions with IDA.

Nope, it's not that easy
This looks promising
Main basic block for this function
Enabling function tracing after our breakpoint is hit.
Only a few functions have been traced, which will save us time
Our offending stack-writing gadget
  • copy the byte at [ecx] into al (a one-byte copy from our input)
  • increment the ecx register (iterating over our input bytes)
  • move al into [edx] (this is our destination: the stack buffer)
  • test al,al: the loop continues until a null byte has been copied, so nothing bounds the write by the destination size.
We’ll find strcpy anyway, deal with it
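The traced loop above is just strcpy in disguise: it copies until the source's NUL and never consults the destination size. As an added illustration (not code from the original post), the C below reproduces that loop byte for byte, puts a bounded variant beside it, and adds a small helper that answers the root-cause question directly: would this copy exceed the destination? The increment of edx between iterations is an assumption, since the captions only mention ecx.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the traced gadget. Returns the number of bytes written,
   including the terminating NUL. No bound on dst at all. */
size_t unbounded_copy(char *dst, const char *src) {
    size_t n = 0;
    char c;
    do {
        c = *src++;       /* mov al, [ecx] ; inc ecx            */
        *dst++ = c;       /* mov [edx], al ; inc edx (assumed)  */
        n++;
    } while (c != '\0');  /* test al, al ; jnz loop             */
    return n;
}

/* Bounded variant: writes at most dst_size bytes and always
   NUL-terminates. Returns bytes written, including the NUL. */
size_t bounded_copy(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0)
        return 0;
    size_t n = 0;
    while (n + 1 < dst_size && src[n] != '\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n + 1;
}

/* The check the analysis is really after: does src (plus its NUL)
   fit in a destination of dst_size bytes when copied unbounded? */
int would_overflow(size_t dst_size, const char *src) {
    return strlen(src) + 1 > dst_size;
}

int main(void) {
    /* Constructed sample input: 16-byte buffer, 23-byte string. */
    char buf[16];
    const char *input = "AAAAAAAAAAAAAAAAAAAAAA";

    printf("unbounded copy would overflow 16-byte buffer: %s\n",
           would_overflow(sizeof buf, input) ? "yes" : "no");

    size_t n = bounded_copy(buf, sizeof buf, input);
    printf("bounded copy wrote %zu bytes: \"%s\"\n", n, buf);

    char small[8];
    n = unbounded_copy(small, "abc");      /* fits: 4 bytes */
    printf("unbounded copy of \"abc\" wrote %zu bytes\n", n);
    return 0;
}
```

`unbounded_copy` is only ever called here on input that fits; the point of keeping it next to `bounded_copy` is to show that the two differ by exactly one condition in the loop, which is the condition the traced gadget lacks.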

Chris Hernandez
Red Teamer — Security Researcher — Breaking things is fun, except when it's not