CodeJitsu targetted TECHx running NRFIN_00063 in round 51.

Type 2 POV

Reading from protected address: 0x4347c000

0x805243b : int 128

Tracing data from eip: 0x805243b tracing source of register: ecx (value: 0x4347c000)

0x805245d : receive syscall (return)
0x80520df : mov dl,byte ptr [ecx+eax+0xc]
0x80520e3 : mov byte ptr [ebp-0x11],dl
0x80520f5 : movsx eax,byte ptr [ebp-0x11]
0x80520f9 : mov dword ptr [ebp-0x8],eax
0x80520fc : mov eax,dword ptr [ebp-0x8]
0x8051f06 : mov byte ptr [ebp-0x21],dl
0x8051f47 : mov al,byte ptr [ebp-0x21]
0x8051f5b : mov byte ptr [edx+ecx],al
0x805242f : mov ecx,dword ptr [esp+0x18]
0x805243b: int 128 // address: ecx value: 0x4347c000

Execution control corruption via return (return to: 0xbaaaaef4).

Tracing data from eip: 0x804ebae tracing source of memory: 0xbaaaaef4 (value: 0x8052422)

0x805245d : receive syscall (return)
0x80520df : mov dl,byte ptr [ecx+eax+0xc]
0x80520e3 : mov byte ptr [ebp-0x11],dl
0x80520f5 : movsx eax,byte ptr [ebp-0x11]
0x80520f9 : mov dword ptr [ebp-0x8],eax
0x80520fc : mov eax,dword ptr [ebp-0x8]
0x8051f06 : mov byte ptr [ebp-0x21],dl
0x8051f47 : mov al,byte ptr [ebp-0x21]
0x8051f5b : mov byte ptr [edx+ecx],al
0x804ebae: ret // address: 0xbaaaaef4 value: 0x8052422

Curated by Lunge Technology, LLC. Questions or comments? Send us email