ForAllSecure targeted TECHx running CROMU_00073 in round 22.


Type 1 POV

eip:0x7742df18 - ebx:0x3c3a22f0


Execution control corruption via return (return to: 0xbaaaaf28).

Tracing data from eip: 0x80482c6 tracing source of memory: 0xbaaaaf28 (value: 0xbaaaaef3)

0x805027d : receive syscall (return)
0x80483b7 : mov dl,byte ptr [ecx+eax]
0x80483c7 : mov byte ptr [ecx+eax],dl
0x80482c6: ret // address: 0xbaaaaf28 value: 0xbaaaaef3

Execution of memory occurred that was not part of the initial text sections or an executably allocated page.

Tracing data from eip: 0xbaaaaef3 tracing source of memory: 0xbaaaaef3 (value: 0xc3f4628b)

0x805027d : receive syscall (return)
0x80483a3 : mov dl,byte ptr [ecx+eax]
0x80483ad : mov byte ptr [ecx+eax],dl
0xbaaaaef3: mov esp,dword ptr [edx-0xc] // address: 0xbaaaaef3 value: 0xc3f4628b

Negotiated general register: ebx:0x3c3a22f0

Tracing data from eip: 0x804d544 tracing source of register: ebx (value: 0x3c3a22f0)

0x805027d : receive syscall (return)
0x80483a3 : mov dl,byte ptr [ecx+eax]
0x80483ad : mov byte ptr [ecx+eax],dl
0x804d542 : pop ebx
0x804d544: ret // address: ebx value: 0x3c3a22f0

Curated by Lunge Technology, LLC.