> >And you convinced yourself that the patch and the source matched, > >how, > >exactly? :) >
XP sp1 orig 6B703AA9 66:C785 74FFF>MOV WORD PTR SS:[EBP-8C],0 6B703AB2 . 6A 00 PUSH 0 6B703AB4 . 8B4B 48 MOV ECX,DWORD PTR DS:[EBX+48] patched 6B703AA9 /E9 76EA0600 JMP jscript.6B772524 6B703AAE ? |FFFF ??? ; Unknown command 6B703AB0 ? |0000 ADD BYTE PTR DS:[EAX],AL 6B703AB2 . 6A 00 PUSH 0 6B703AB4 . 8B4B 48 MOV ECX,DWORD PTR DS:[EBX+48] orig lots of NULLs, unused space patched 6B772524 60 PUSHAD 6B772525 8DBC25 74FFFF>LEA EDI,DWORD PTR SS:[EBP-8C] 6B77252C 33C0 XOR EAX,EAX 6B77252E AB STOS DWORD PTR ES:[EDI] 6B77252F AB STOS DWORD PTR ES:[EDI] 6B772530 61 POPAD 6B772531 ^ E9 7A15F9FF JMP jscript.6B703AB2 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
