At 06:57 PM 11/22/1999 -0600, Solar Eclipse wrote:
>Mnemonix wrote that the shell code is not lowercased on Win2K. Are there
>any other restrictions? Can you use characters > 128 ?
>
>What about Win9x?
>
>Are there any DLLs loaded in the 6161616-7A7A7A7A range on their
>machines?

Only alphabetic characters seem to be allowed, but neither Win2K nor
Win98 changes the case.  I couldn't find any code loaded at useful
addresses in Win98, but in my Win2K it seems to load SHELL32.DLL at
775A1000.  There are useful RETs at the following addresses:

775A6267 gbZw: RET
775A7A73 szZw: RET 4
775A706D mpZw: RET 10
775A7156 VqZw: RET 14
775A7249 IrZw: RET 18

There are additional complications, though, in the form of stack variables
between the corrupted frame and the desired address.  These variables must
be worked around.  I haven't yet found a satisfactory combination of
RETs to get to the goal, but I've been within a DWORD of it.

--
Ron Parker
GW Micro, Inc.
Voice 219-489-3671
Fax 219-489-2608