Wednesday, 30 September 2009

Retrieving the "eip"...

After a long period of being absent, here I am again. From now on I will try to write my posts in English or Turkish according to my mood at the time. I apologise for my grammatical errors in advance :p

Anyway, while I was digging through some Metasploit shellcodes, I found these strange opcodes:

D9 EE          fldz
D9 74 24 F4    fnstenv byte ptr [esp-0Ch]
5B             pop ebx

After a little searching, I found out that Metasploit uses these opcodes to retrieve the value of EIP.

- fldz pushes +0.0 onto the FPU register stack; its only job here is to be an FPU instruction, so the FPU records its address.
- fnstenv stores the FPU environment, a 28-byte structure describing the state of the floating point unit, at the given address.
- and pop pops :)

The structure, by byte offset from its start, contains:

24 -> fpu operand pointer selector
20 -> fpu operand pointer offset
16 -> fpu instruction pointer selector
12 -> fpu instruction pointer offset
08 -> tag word
04 -> status word
00 -> control word

So by writing the structure to [esp-0Ch], the instruction pointer offset field (offset 12) lands exactly at [esp], and the dword at esp is the address of the last FPU instruction executed, which is "fldz" in this case. pop ebx then moves that address into ebx.

Strictly speaking this does not give us the current EIP but the address of the fldz itself. Metasploit uses these opcodes as the first three instructions of the shellcode, so the value it gets is exactly the address where the shellcode begins.

To retrieve the current EIP, this kind of code can also be used:

call label1
label1:
pop ebx

Here call pushes the address of label1 as its return address, and pop ebx moves it into ebx.
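As an added example (not code from this post and not Metasploit's own code), the Python script below models both GetPC stubs discussed above: it decodes the 28-byte fnstenv environment using the offsets listed in the post, shows why the -0x0C displacement lands the instruction pointer offset at [esp], emulates the value each stub leaves in ebx, and scans a buffer for the two byte patterns, which is also the basis of a detection signature for these stubs. The sample buffer and the 0x00401000 load address are constructed for the example, and the layout assumed is the 32-bit protected-mode fnstenv format.

```python
import struct

# Layout of the 28-byte FPU environment written by fnstenv in 32-bit
# protected mode (assumption: 32-bit code, which is what the post's stub targets).
# Byte offset -> field name, matching the table in the post.
FNSTENV_FIELDS = (
    (0, "control word"),
    (4, "status word"),
    (8, "tag word"),
    (12, "fpu instruction pointer offset"),
    (16, "fpu instruction pointer selector"),
    (20, "fpu operand pointer offset"),
    (24, "fpu operand pointer selector"),
)
FNSTENV_SIZE = 28

# Byte patterns of the two GetPC stubs from the post.
GETPC_FNSTENV = bytes.fromhex("D9EE" "D97424F4" "5B")   # fldz / fnstenv [esp-0Ch] / pop ebx
GETPC_CALLPOP = bytes.fromhex("E800000000" "5B")        # call label1 / label1: pop ebx


def parse_fnstenv(env: bytes) -> dict:
    """Decode the environment block into its seven little-endian 32-bit fields."""
    if len(env) < FNSTENV_SIZE:
        raise ValueError("fnstenv environment is %d bytes" % FNSTENV_SIZE)
    return {name: struct.unpack_from("<I", env, off)[0] for off, name in FNSTENV_FIELDS}


def field_at_esp(displacement: int) -> str:
    """Which field ends up at [esp] when the stub uses fnstenv [esp+displacement]."""
    for off, name in FNSTENV_FIELDS:
        if off == -displacement:
            return name
    raise ValueError("no field starts at esp for displacement %#x" % displacement)


def emulate_fnstenv_getpc(base: int, stub_offset: int) -> int:
    """Value left in ebx by fldz / fnstenv [esp-0Ch] / pop ebx located at base+stub_offset.

    fldz is the last non-control FPU instruction before fnstenv, so the FPU
    records its linear address in the instruction pointer offset field
    (fnstenv itself is a control instruction and does not update that field).
    """
    env = bytearray(FNSTENV_SIZE)
    struct.pack_into("<I", env, 12, base + stub_offset)   # address of the fldz opcode
    displacement = -0x0C
    esp_dword = env[-displacement:-displacement + 4]       # the dword pop ebx reads at [esp]
    return struct.unpack("<I", esp_dword)[0]


def emulate_callpop_getpc(base: int, stub_offset: int) -> int:
    """Value left in ebx by call label1 / label1: pop ebx located at base+stub_offset.

    call pushes its return address, which is the address of label1, i.e. the
    byte right after the 5-byte E8 rel32 instruction.
    """
    return base + stub_offset + 5


def find_getpc(buf: bytes) -> list:
    """Signature scan for both stubs; returns (offset, name) pairs in buffer order."""
    hits = []
    for name, pattern in (("fnstenv", GETPC_FNSTENV), ("call/pop", GETPC_CALLPOP)):
        start = 0
        while (idx := buf.find(pattern, start)) != -1:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


# Constructed sample: four NOPs, the fnstenv stub, three INT3s, then the call/pop stub.
SAMPLE = b"\x90" * 4 + GETPC_FNSTENV + b"\xCC" * 3 + GETPC_CALLPOP
SAMPLE_BASE = 0x00401000   # assumed load address, constructed for this example

if __name__ == "__main__":
    for off, name in find_getpc(SAMPLE):
        if name == "fnstenv":
            ebx = emulate_fnstenv_getpc(SAMPLE_BASE, off)
        else:
            ebx = emulate_callpop_getpc(SAMPLE_BASE, off)
        print("%-8s stub at %#x -> ebx = %#x" % (name, SAMPLE_BASE + off, ebx))
    print("fnstenv [esp-0Ch] puts the '%s' at [esp]" % field_at_esp(-0x0C))
```

Running it shows the difference the post points out: the fnstenv stub leaves the address of the fldz, the first byte of the stub, in ebx, while the call/pop stub leaves the address of label1, the byte after the call.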