CodeJitsu targetted DeepRed running NRFIN_00063 in round 54.

Type 2 POV

Reading from protected address: 0x4347c000

0x805243b : int 128

Tracing data from eip: 0x805243b tracing source of register: ecx (value: 0x4347c000)

0x805245d : receive syscall (return)
0x80520df : mov dl,byte ptr [ecx+eax+0xc]
0x80520e3 : mov byte ptr [ebp-0x11],dl
0x80520f5 : movsx eax,byte ptr [ebp-0x11]
0x80520f9 : mov dword ptr [ebp-0x8],eax
0x80520fc : mov eax,dword ptr [ebp-0x8]
0x8051f06 : mov byte ptr [ebp-0x21],dl
0x8051f47 : mov al,byte ptr [ebp-0x21]
0x8051f5b : mov byte ptr [edx+ecx],al
0x805242f : mov ecx,dword ptr [esp+0x18]
0x805243b: int 128 // address: ecx value: 0x4347c000

Execution control corruption via return (return to: 0xb7f4bf14).

Tracing data from eip: 0x804e970 tracing source of memory: 0xb7f4bf14 (value: 0x8052422)

0x805245d : receive syscall (return)
0x80520df : mov dl,byte ptr [ecx+eax+0xc]
0x80520e3 : mov byte ptr [ebp-0x11],dl
0x80520f5 : movsx eax,byte ptr [ebp-0x11]
0x80520f9 : mov dword ptr [ebp-0x8],eax
0x80520fc : mov eax,dword ptr [ebp-0x8]
0x8051f06 : mov byte ptr [ebp-0x21],dl
0x8051f47 : mov al,byte ptr [ebp-0x21]
0x8051f5b : mov byte ptr [edx+ecx],al
0x804e970: ret // address: 0xb7f4bf14 value: 0x8052422

Curated by Lunge Technology, LLC. Questions or comments? Send us email