Shellcode Tutorial 5: Function Hash Generation

Hi, in the stated tutorial I could not get the intention of the following instruction: "add esi, 9 ;move pointer over these commands". I understand that at this moment the register esi contains the current address, but I could not figure out the logic behind adding 9. Hence I could not proceed with the rest of the code.

Thanks & regards,
RingZ

Comments

Hey RingZzer0,

This is the code that you are referring to:

    call get_current_address ;find current location in memory
    pop esi ;esi is pointer to function strings
    add esi, 9 ;move pointer over these commands
    jmp short locate_constants_return ;return to our main code

    ;Function String
    db "LoadLibraryA" ;result hash = 0x8e4e0eec
    db 0x00
    db "WriteFile" ;result hash = 0x1f790ae8
    db 0x00

As you mentioned, "call get_current_address" and "pop esi" obviously get the current memory location and place it into register ESI.

ESI actually points to the memory location of instruction "call get_current_address", rather than to the start of the function strings below it.

Therefore, we need to adjust this pointer so that it points to the memory location of the function strings. The size of the commands between "call get_current_address" and the first function string is 9 bytes. You can check that out in OllyDbg or in an opcode manual if you like.

This is what the "add esi, 9" instruction does.

Hope this helps.

Ty
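The snippet above lists a result hash beside each function name but not the algorithm that produces it. The following Python block is an added example, not code from the tutorial or from either poster. It recomputes the two hashes and walks a constructed copy of the string table the way the shellcode does, starting 9 bytes past the saved address. It assumes the conventional 32-bit ROR-13 accumulate hash (rotate the running value right by 13, add the next byte); the values printed in the snippet are that hash written out in little-endian byte order, and the checks in the block confirm this. The 9 filler bytes standing in for the intervening instructions are a placeholder, not the real opcodes, and all function names (`ror32`, `ror13_hash`, `walk_string_table`, `hash_table`) are mine.

```python
"""Added example: recompute the function-name hashes quoted in the tutorial
snippet and walk a constructed string table from offset 9, as the shellcode does.

Assumption: the page does not name its hash algorithm. This uses the common
32-bit ROR-13 accumulate hash; the tutorial's printed values equal that hash
written in little-endian byte order (the layout a `dd` would give in memory).
"""

# Values quoted in the tutorial snippet on this page.
TUTORIAL_HASHES = {
    "LoadLibraryA": 0x8E4E0EEC,
    "WriteFile": 0x1F790AE8,
}

STRING_TABLE_OFFSET = 9  # the "add esi, 9" from the snippet


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: bytes) -> int:
    """ROR-13 accumulate hash as the CPU computes it (native 32-bit integer)."""
    h = 0
    for b in name:
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def as_little_endian_hex(h: int) -> int:
    """Reinterpret the little-endian memory bytes of `h` as a big-endian number.
    This reproduces the form in which the tutorial prints its hashes."""
    return int.from_bytes(h.to_bytes(4, "little"), "big")


def walk_string_table(blob: bytes, offset: int) -> list:
    """Return the NUL-terminated names found from `offset` onward, in order,
    stopping at an empty string or the end of the blob."""
    names = []
    pos = offset
    while pos < len(blob):
        end = blob.find(b"\x00", pos)
        if end == -1:
            end = len(blob)
        name = blob[pos:end]
        if not name:
            break
        names.append(name)
        pos = end + 1
    return names


def hash_table(blob: bytes, offset: int = STRING_TABLE_OFFSET) -> dict:
    """Map each name in the table to its hash in the tutorial's printed form."""
    return {name.decode(): as_little_endian_hex(ror13_hash(name))
            for name in walk_string_table(blob, offset)}


# Constructed stand-in for the 9 bytes of instructions between the saved
# address and the string table. These are filler, not the real opcodes.
CODE_STUB = b"\x90" * STRING_TABLE_OFFSET
# The string table exactly as the snippet defines it.
STRING_TABLE = b"LoadLibraryA\x00WriteFile\x00"
BLOB = CODE_STUB + STRING_TABLE


def check_against_tutorial() -> bool:
    """True when the recomputed hashes match the values quoted on the page."""
    return hash_table(BLOB) == TUTORIAL_HASHES


if __name__ == "__main__":
    for name, h in hash_table(BLOB).items():
        print(f"{name:<14} ror13={ror13_hash(name.encode()):#010x} "
              f"tutorial form={h:#010x}")
    print("matches tutorial:", check_against_tutorial())
```

For an analyst, the useful direction is the reverse one: when a sample resolves imports by hash rather than by name, running `ror13_hash` over the export names of the DLLs it touches gives a lookup table that turns the embedded constants back into readable API names.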
