CodeJitsu targetted ForAllSecure running CROMU_00051 in round 71.


Type 1 POV

eip:0xe2c84008 - ebp:0x2ec26ca


Execution control corruption via return (return to: 0xbaaaac98).

Tracing data from eip: 0x804bb66 tracing source of memory: 0xbaaaac98 (value: 0xbaaaacf1)

0x804fef7 : receive syscall (return)
0x8049985 : mov al,byte ptr [ebp-0x29]
0x8049999 : mov byte ptr [edx+ecx],al
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804f6e7 : mov dl,byte ptr [eax]
0x804f6f7 : mov byte ptr [eax],dl
0x804bb66: ret // address: 0xbaaaac98 value: 0xbaaaacf1

Execution of memory occurred that was not part of the initial text sections or an executably allocated page.

Tracing data from eip: 0xbaaaacf1 tracing source of memory: 0xbaaaacf1 (value: 0xec26cabd)

0x804fef7 : receive syscall (return)
0x8049985 : mov al,byte ptr [ebp-0x29]
0x8049999 : mov byte ptr [edx+ecx],al
0xbaaaacf1: mov ebp,0x2ec26ca // address: 0xbaaaacf1 value: 0xec26cabd

Negotiated general register: ebp:0x2ec26ca

Tracing data from eip: 0xbaaaacfb tracing source of register: ebp (value: 0x2ec26ca)

0xbaaaacf1 : mov ebp,0x2ec26ca
0xbaaaacfb: jmp ebx // address: ebp value: 0x2ec26ca

Curated by Lunge Technology, LLC. Questions or comments? Send us email