# ---------------------------------------------------------------------------
# Code cave entered by a `call` planted inside patched code (32-bit x86, flat
# addressing, absolute data addresses).
#
# Dialect note: `.intel_syntax` and `#` comments are GAS conventions, but
# `word[...]` without `ptr` and unprefixed register names are NASM spelling;
# GAS would need `.intel_syntax noprefix` and `word ptr`. Confirm which
# assembler this listing was actually built with before reusing it.
#
# What the code does (only what is visible here):
#   1. Reads the byte at the return address -- the byte that follows the
#      planted `call` -- and uses it to decide which register holds a
#      structure pointer.
#   2. Loads the 16-bit value at [reg+0x8c] (the field's meaning is not shown
#      here) and searches a fixed-address word table for it.
#   3. Returns to return-address+1 with every register restored and ZF=1 if
#      the value was found, ZF=0 otherwise; the patched code is expected to
#      branch on ZF.
#
# Stack layout after the three pushes below (offsets from esp):
#   +0x0 EFLAGS    +0x4 saved ebx    +0x8 saved eax    +0xC return address
# Register roles: eax = scratch / loaded value, ebx = table base,
#   ecx = table index (saved and restored around the search).
# Placeholders: 0xDEADBEEF (table base) and 0xFEEDBEEF (scratch slot) are
# meant to be filled in when the cave is installed.
# ---------------------------------------------------------------------------
.intel_syntax
push eax
mov eax,[esp+0x04]               # eax = return address pushed by the call
push ebx
pushfd                           # keep the caller's flags until the result is known
mov eax,[eax]                    # dword at the return address; only al is used
                                 # below to pick the register holding the pointer
jmptbl:
# The compared values look like ModR/M bytes whose low three bits (r/m) name
# the base register: x81/x91 -> ecx, x82/x8A -> edx, x83/x8B/x93 -> ebx,
# x85/x8D/x95 -> ebp, x86/x8E/x96 -> esi, x87/x8F/x97 -> edi, x88/x90 -> eax.
# TODO confirm against the patched instruction; 0x89 and 0x92 are absent,
# possibly on purpose.
cmp al,0x81
jz regC
cmp al,0x82
jz regD
cmp al,0x83
jz regB
cmp al,0x85
jz regBP
cmp al,0x86
jz regESI
cmp al,0x87
jz regEDI
cmp al,0x88
jz regA
cmp al,0x8A
jz regD
cmp al,0x8B
jz regB
cmp al,0x8D
jz regBP
cmp al,0x8E
jz regESI
cmp al,0x8F
jz regEDI
cmp al,0x90
jz regA
cmp al,0x91
jz regC
cmp al,0x93
jz regB
cmp al,0x95
jz regBP
cmp al,0x96
jz regESI
cmp al,0x97
jz regEDI
jmp fail                         # unrecognised byte.
                                 # NOTE(review): EFLAGS, ebx and eax are still on
                                 # the stack here, but `fail` expects the flags to
                                 # be popped already (the loop-exit path below does
                                 # `popfd` before its `jmp fail`). On this path
                                 # `endfinal` therefore pops EFLAGS into ebx, the
                                 # saved ebx into eax, and uses the saved eax as
                                 # the return address -- a `popfd` is missing
                                 # before this jump.
regA:
mov eax, [esp+0x8]               # the live eax was overwritten above; reload the
                                 # caller's eax from its stack slot
mov eax, [eax+0x8c]              # field at +0x8c; only ax is compared below
jmp compare
regC:
mov eax, [ecx+0x8c]
jmp compare
regB:
mov eax, [ebx+0x8c]
jmp compare
regD:
mov eax, [edx+0x8c]
jmp compare
regBP:
mov eax, [ebp+0x8c]
jmp compare
regESI:
mov eax, [esi+0x8c]
jmp compare
regEDI:
mov eax, [edi+0x8c]
#jmp compare                     # falls through
compare:
push ecx                         # ecx becomes the table index; preserve the caller's
mov ebx,0xDEADBEEF               # placeholder: pointer to the table of allowed values
mov ecx,2000                     # placeholder: number of allowed values.
                                 # NOTE(review): the loop below visits indexes 2000
                                 # down to 0 inclusive, i.e. 2001 words; if 2000 is
                                 # the entry count, index 2000 reads one word past
                                 # the table. Start at count-1 (or use jns) to match.
loop1:
cmp word[ebx+ecx*2],ax           # 16-bit compare of the loaded field with entry [ecx]
jz endok
dec ecx
cmp ecx ,-1                      # continue until index 0 has been checked
jnz loop1
pop ecx
popfd                            # restore caller's flags before producing the result
jmp fail                         # not found
endok:
pop ecx
popfd                            # restore caller's flags, then ...
cmp eax,eax                      # ... ZF=1 (and CF=0): "found"
jmp endfinal
fail:
xor ebx,ebx                      # ebx is popped right below; scratch only
xor eax,eax
inc eax
cmp eax,ebx                      # 1 vs 0 -> ZF=0 (CF=0): "not found"; only ZF is
                                 # meaningful to the patched code
endfinal:
pop ebx
pop eax                          # caller's eax
mov [0xFEEDBEEF],eax             # placeholder: fixed scratch slot (usually just
                                 # after this routine) used to park eax while the
                                 # return address is adjusted.
                                 # NOTE(review): one global slot is not reentrant --
                                 # two threads executing this cave at the same time
                                 # would overwrite each other's saved eax; the stack
                                 # slot above would avoid that.
pop eax                          # return address
pushfd                           # `inc` changes flags; keep the ZF result intact
inc eax                          # resume one byte past the return address
                                 # (skips the byte that was inspected at jmptbl)
popfd
push eax                         # adjusted return address
mov eax,[0xFEEDBEEF]             # placeholder: same scratch slot as above; restores eax
ret