XOR EAX __SECURITY_COOKIE

Issue #3 resolved
Former user created an issue

reiat.py will not rename the DWORD if the following code is encountered.

.text:0040ECAD                 mov     edi, eax
.text:0040ECAF                 push    offset aFlsalloc ; "FlsAlloc"
.text:0040ECB4                 push    edi             ; hModule
.text:0040ECB5                 call    esi ; GetProcAddress
.text:0040ECB7                 xor     eax, ___security_cookie
.text:0040ECBD                 push    offset aFlsfree ; "FlsFree"
.text:0040ECC2                 push    edi             ; hModule
.text:0040ECC3                 mov     dword_4242E0, eax
.text:0040ECC8                 call    esi ; GetProcAddress
.text:0040ECCA                 xor     eax, ___security_cookie
.text:0040ECD0                 push    offset aFlsgetvalue ; "FlsGetValue"
.text:0040ECD5                 push    edi             ; hModule
.text:0040ECD6                 mov     dword_4242E4, eax
.text:0040ECDB                 call    esi ; GetProcAddress
.text:0040ECDD                 xor     eax, ___security_cookie
.text:0040ECE3                 push    offset aFlssetvalue ; "FlsSetValue"
.text:0040ECE8                 push    edi             ; hModule

Comments (3)

  1. Alexander Hanel repo owner

    This is a bug in my logic assuming a function end follows the code.

    Python>hex(here())
    0x40ecdb
    Python>curFunc = idaapi.get_func(here())
    Python>hex(curFunc.endEA)
    0x40d7ae
    

    I will need to figure out a better way to test boundaries.

  2. Alexander Hanel repo owner
    from idc import NextHead, GetDisasm
    from idautils import FuncItems

    def traceForwardRename(self, address, apiString):
        'address is call GetProcAddress, apiString is the API name'
        currentAddress = NextHead(address)
        # every instruction address belonging to the function, tail chunks included
        funcAddress = list(FuncItems(address))
        var = 'eax'
        lastref = ''
        lastrefAddress = None
        # walk forward only while the address is one of the function's own instructions
        while currentAddress in funcAddress:
            dism = GetDisasm(currentAddress)


    The above code solves the issue. Relying on the end address to be higher than the current address is flawed because the code can jump anywhere.
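    As an added example (not the project's reiat.py code), the mock below runs both boundary tests and a forward eax trace over the listing from the issue, offline and without IDA. The function layout is constructed to match comment 1 (main chunk ending at 0x40d7ae, this listing as a tail chunk above it); the helper names and the regex are the example's own.

```python
import re
# Listing copied from the issue above; it stands in for IDA's database.
LISTING = """
0040ECAD mov     edi, eax
0040ECAF push    offset aFlsalloc ; "FlsAlloc"
0040ECB4 push    edi             ; hModule
0040ECB5 call    esi ; GetProcAddress
0040ECB7 xor     eax, ___security_cookie
0040ECBD push    offset aFlsfree ; "FlsFree"
0040ECC2 push    edi             ; hModule
0040ECC3 mov     dword_4242E0, eax
0040ECC8 call    esi ; GetProcAddress
0040ECCA xor     eax, ___security_cookie
0040ECD0 push    offset aFlsgetvalue ; "FlsGetValue"
0040ECD5 push    edi             ; hModule
0040ECD6 mov     dword_4242E4, eax
0040ECDB call    esi ; GetProcAddress
0040ECDD xor     eax, ___security_cookie
0040ECE3 push    offset aFlssetvalue ; "FlsSetValue"
0040ECE8 push    edi             ; hModule
"""
# {address: disassembly}, the view idc.GetDisasm() gives for each head
CHUNK = {int(a, 16): d.strip() for a, d in
         (line.split(None, 1) for line in LISTING.strip().splitlines())}
# Constructed function layout: the main chunk ends at 0x40d7ae (the value
# printed in comment 1) and this listing is a tail chunk placed above it.
FUNC_END_EA = 0x40D7AE
FUNC_ITEMS = frozenset(CHUNK)   # what idautils.FuncItems() would yield

def in_function_by_end(ea):      # original, flawed: one contiguous range
    return ea < FUNC_END_EA

def in_function_by_items(ea):    # fix from comment 2: instruction membership
    return ea in FUNC_ITEMS

def trace_forward_rename(call_ea, in_func=in_function_by_items):
    """Follow eax from a GetProcAddress call to the global that stores it;
    return that dword's name, or None if eax is clobbered or the walk leaves
    the function. 'xor eax, ___security_cookie' only masks the pointer."""
    addrs = sorted(CHUNK)
    for ea in addrs[addrs.index(call_ea) + 1:]:   # NextHead() equivalent
        if not in_func(ea):
            return None
        dism = CHUNK[ea]
        m = re.match(r"mov\s+(dword_[0-9A-Fa-f]+), eax", dism)
        if m:
            return m.group(1)
        if dism.startswith("call") or re.match(r"mov\s+eax,", dism):
            return None   # eax overwritten before being stored
    return None
```

    With the end-address test every address in this tail chunk fails the check, so the trace stops at once; with the FuncItems test the first two calls resolve to dword_4242E0 and dword_4242E4, and the third returns None because the listing ends before eax is stored.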
