Virus.Org Mailing List Archive
Re: pen testing & obfuscated shell code (more neat stuff)
  • To: [EMAIL PROTECTED]
  • Subject: Re: pen testing & obfuscated shell code (more neat stuff)
  • From: Karsten Johansson <[EMAIL PROTECTED]>
  • Date: 13 Feb 2004 15:42:08 -0000
In-Reply-To: <[EMAIL PROTECTED]>

Greetings, 

I just did some experimenting with the idea of simply entering ASCII characters as NOP sleds.

Using capital letters is dangerous because the first bunch are INCs and DECs, which may affect the shellcode. The latter capitals are PUSHes and POPs, which will surely mess up the stack... this may or may not matter some of the time, but I'm sure it would be unpredictably buggy at best. How 'leet is a buggy hack? (I've always been amused by the fact that viruses and worms seem to be better debugged than most other software out in the wild.)

But there *is* a good ASCII range: abcdefghijklmno. They don't map to anything. Don't use p or beyond, since they map to opcodes again.

I created a file called alpha.com with only the contents 'abcdefghijklmno' in it, and ran it.  It exited without crashing, and EAX EBX ECX EDX etc are unchanged.  Tracing it didn't expose anything that would mess up dataflow either.  So now we have at least 1 real and 15 virtual NOPs that can be used safely and easily.

Too bad 's' maps to JNB, or I would use ksaj to brand my nop sleds.

I propose 'blindjoghack' as a new improved NOP sled, since it is self-referential, and won't crash the system. :)

     Karsten Johansson
     www.PENETRATIONTEST.com
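The post above treats long runs of the letters a through o as filler. From the defensive side, the same observation is what a sled heuristic keys on: the following Python, an added example and not code from the post or from Virus.Org, scans a byte buffer for contiguous runs drawn entirely from that letter range, or from the classic 0x90 NOP, and reports every run at or above a threshold. The threshold, the sample buffers and the function names are assumptions made here for illustration.

```python
"""Flag suspiciously long runs of NOP-sled candidate bytes in a payload.

Added example, not part of the original post.  The 'alpha' set is the
letter range the post discusses ('a'..'o', 0x61-0x6F); 'nop90' is the
classic single-byte NOP.  The threshold and the sample buffers below are
constructed for illustration only.
"""
from typing import Dict, List, Tuple

# Candidate byte sets: a run is only reported if every byte in it belongs
# to the same set.
ALPHA_SLED = frozenset(range(0x61, 0x70))   # b"abcdefghijklmno"
CLASSIC_NOP = frozenset({0x90})

SLED_SETS: Dict[str, frozenset] = {"alpha": ALPHA_SLED, "nop90": CLASSIC_NOP}


def find_sled_runs(data: bytes, min_run: int = 32) -> List[Tuple[str, int, int]]:
    """Return (kind, offset, length) for each contiguous run of at least
    min_run bytes drawn entirely from one candidate set, ordered by offset."""
    hits: List[Tuple[str, int, int]] = []
    for kind, members in SLED_SETS.items():
        i, n = 0, len(data)
        while i < n:
            if data[i] not in members:
                i += 1
                continue
            start = i
            while i < n and data[i] in members:   # extend the run
                i += 1
            if i - start >= min_run:
                hits.append((kind, start, i - start))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample buffers (hypothetical, not captured traffic).
SAMPLES: Dict[str, bytes] = {
    # the post's own filler string repeated, then a few non-sled bytes
    "alpha_filler": b"blindjoghack" * 4 + b"\xcc" * 8,
    # classic 0x90 sled
    "classic": b"\x90" * 40 + b"\xcc",
    # ordinary text: letters outside a..o and spaces keep runs short
    "english": b"the quick brown fox jumps over the lazy dog " * 3,
    # the full candidate range once: far below the threshold
    "short": b"abcdefghijklmno",
}


def scan_samples(min_run: int = 32) -> Dict[str, List[Tuple[str, int, int]]]:
    """Run the heuristic over every sample buffer."""
    return {name: find_sled_runs(buf, min_run) for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, runs in scan_samples().items():
        print(f"{name:13s} -> {runs}")
```

The threshold matters: the candidate range is ordinary lowercase text, so short runs are normal in any text protocol, and the heuristic should be applied to fields expected to be binary or small, or paired with other context rather than used on its own. It also only recognises uniform runs from a known byte set; a sled built from a different set, or interleaved with other bytes, would not be reported, so treat it as one signal among several.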

Copyright (c) Virus.Org 1997-2006.