and the XP SP2 english:

File Version: 0x000500010a280884
Product Version: 0x000500010a280884
File Flags:
File OS: NT WINDOWS32
File Type: DLL
File Subtype: Not currently supported
File Date: 0x0000000000000000

Translation table:
-----------------
0409 04b0

CompanyName: Microsoft Corporation
FileDescription: Windows NT BASE API Client DLL
FileVersion: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
InternalName: kernel32
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: kernel32
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.2180

-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------

----- Original Message -----
From: "class 101" <[EMAIL PROTECTED]>
To: "Dave Korn" <[EMAIL PROTECTED]>; "Full-Disclosure" <Full-Disclosure@lists.grok.org.uk>
Sent: Friday, March 11, 2005 12:07 AM
Subject: re: [Full-disclosure] 2 nice pop/pop/ret :) (update)


> sorry, got a problem to copy paste
>
> as I have said I think we have 2 different versions, mine is
>
> File Version: 0x000500010a280452
> Product Version: 0x000500010a280452
> File Flags:
> File OS: NT WINDOWS32
> File Type: DLL
> File Subtype: Not currently supported
> File Date: 0x0000000000000000
>
> Translation table:
> -----------------
> 0409 04b0
>
> CompanyName: Microsoft Corporation
> FileDescription: Windows NT BASE API Client DLL
> FileVersion: 5.1.2600.1106 (xpsp1.020828-1920)
> InternalName: kernel32
> LegalCopyright: © Microsoft Corporation. All rights reserved.
> OriginalFilename: kernel32
> ProductName: Microsoft® Windows® Operating System
> ProductVersion: 5.1.2600.1106
>
> -------------------------------------------------------------
> class101
> Jr. Researcher
> Hat-Squad.com
> -------------------------------------------------------------
> ----- Original Message -----
> From: "class 101" <[EMAIL PROTECTED]>
> To: "Dave Korn" <[EMAIL PROTECTED]>; "Full-Disclosure" <Full-Disclosure@lists.grok.org.uk>
> Sent: Thursday, March 10, 2005 11:33 PM
> Subject: Re: [Full-disclosure] 2 nice pop/pop/ret :) (update)
>
>
> > > I had the same problem with that universal w2k offset you posted about on
> > > 9th Feb (Subject: Nice call to ebx found). I went and looked for it on my
> > > W2k Pro Sp2 system at home. It wasn't there :-(
> >
> > Yep normal, because if I remember, I have mentioned that it was for w2k
> > pro&srv, SP4's series for all languages, but I guess it's not the same for
> > sp3-2-1-0
> >
> > > but the kernel32 one just isn't there:
> > >
> > > 0:003> u 0x77E7F69E
> > > kernel32!BasepShimCacheSearch+0x1d:
> > > 77e7f69e c02802           shr     byte ptr [eax],0x2
> >
> > ha shit ;( but looks like we have 2 different versions, the one where I have
> > tried is:
> >
> > File Version: 0x000500010a280452
> > Product Version: 0x000500010a280452
> > File Flags:
> > File OS: NT WINDOWS32
> > File Type: DLL
> > File Subtype: Not currently supported
> > File Date: 0x0000000000000000
> >
> > Translation table:
> > -----------------
> > 0409 04b0
> >
> > CompanyName: Microsoft Corporation
> >
> > -------------------------------------------------------------
> > class101
> > Jr. Researcher
> > Hat-Squad.com
> > -------------------------------------------------------------
> > ----- Original Message -----
> > From: "Dave Korn" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>; <Full-Disclosure@lists.grok.org.uk>
> > Sent: Thursday, March 10, 2005 8:05 PM
> > Subject: RE: [Full-disclosure] 2 nice pop/pop/ret :) (update)
> >
> >
> > > >From: "class 101" Date: Wed, 9 Mar 2005 10:01:57 +0100
> > >
> > > Hi there class 101!
> > >
> > > > Here is the result of comparing some huge list of pop/pop/ret of XP SP1,
> > > >SP1a, SP2 ENGLISH
> > > >
> > > >I got 2 universal offsets across those 3 OS
> > > >
> > > >SP2 ENGLISH
> > > >
> > > >0x71ABE325 pop esi - pop - retbis - WS2_32.DLL
> > > >0x77E7F69E pop ebx - pop - retbis - RPCRT4.DLL
> > > >
> > > >SP1a ENGLISH
> > > >
> > > >0x71ABE325 pop edi - pop - retbis - WS2_32.DLL
> > > >0x77E7F69E pop ebx - pop - retbis - KERNEL32.DLL
> > > >
> > > >SP1 ENGLISH
> > > >
> > > >0x71ABE325 pop edi - pop - retbis - WS2_32.DLL
> > > >0x77E7F69E pop ebx - pop - retbis - KERNEL32.DLL
> > > >
> > > >
> > > >enjoy :)
> > >
> > > That's interesting: on my sp1 english system, only one of those addresses
> > > works. The winsock one is good:
> > >
> > > 0:003> u 0x71ABE325
> > > WS2_32!CopyBlobIndirect+0x71:
> > > 71abe325 5f               pop     edi
> > > 71abe326 5e               pop     esi
> > > 71abe327 c20400           ret     0x4
> > >
> > > but the kernel32 one just isn't there:
> > >
> > > 0:003> u 0x77E7F69E
> > > kernel32!BasepShimCacheSearch+0x1d:
> > > 77e7f69e c02802           shr     byte ptr [eax],0x2
> > > 77e7f6a1 0000             add     [eax],al
> > > 77e7f6a3 03442414         add     eax,[esp+0x14]
> > > 77e7f6a7 66833800         cmp     word ptr [eax],0x0
> > > 77e7f6ab 7415             jz      kernel32!BasepShimCacheSearch+0x3d (77e7f6c2)
> > > 77e7f6ad 50               push    eax
> > > 77e7f6ae ff74241c         push    dword ptr [esp+0x1c]
> > >
> > > I had the same problem with that universal w2k offset you posted about on
> > > 9th Feb (Subject: Nice call to ebx found). I went and looked for it on my
> > > W2k Pro Sp2 system at home. It wasn't there :-(
> > >
> > > What do you suppose could be the reason why we find different results?
> > > Hotfixes perhaps? What does the version info look like from _your_ copy of
> > > kernel32.dll? Mine says
> > >
> > > 0:003> lm v mkernel32
> > > start    end        module name
> > > 77e60000 77f46000   kernel32   (pdb symbols)
> > >     C:\symcache\kernel32.pdb\40D1D0C52\kernel32.pdb
> > >     Loaded symbol image file: C:\WINDOWS\system32\kernel32.dll
> > >     Image path: C:\WINDOWS\system32\kernel32.dll
> > >     Image name: kernel32.dll
> > >     Timestamp:        Thu Jun 17 18:58:35 2004 (40D1DBCB)
> > >     CheckSum:         000EC3A9
> > >     ImageSize:        000E6000
> > >     File version:     5.1.2600.1560
> > >     Product version:  5.1.2600.1560
> > >     File flags:       0 (Mask 3F)
> > >     File OS:          40004 NT Win32
> > >     File type:        2.0 Dll
> > >     File date:        00000000.00000000
> > >     Translations:     0409.04b0
> > >     CompanyName:      Microsoft Corporation
> > >     ProductName:      Microsoft® Windows® Operating System
> > >     InternalName:     kernel32
> > >     OriginalFilename: kernel32
> > >     ProductVersion:   5.1.2600.1560
> > >     FileVersion:      5.1.2600.1560 (xpsp2_gdr.040517-1325)
> > >     FileDescription:  Windows NT BASE API Client DLL
> > >     LegalCopyright:   © Microsoft Corporation. All rights reserved.
> > >
> > >
> > > cheers,
> > > DaveK
> > > --
> > > Can't think of a witty .sigline today....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
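The practical lesson of the thread is that a pop/pop/ret address harvested from one build of a DLL is only a claim about that build: 5.1.2600.1106, 5.1.2600.1560 and 5.1.2600.2180 are three different kernel32.dll binaries, and Dave's `u 0x77E7F69E` shows what happens when the bytes have moved. The following is an added example, not code from either poster: a small C scanner that does both halves of the job, harvesting `pop r32; pop r32; ret` / `ret imm16` gadgets from a code buffer at a given load address, and re-checking a previously harvested address against the bytes actually present. The byte buffer and the 0x71ab0000 load address are constructed for illustration; on a real target you would read the `.text` section of the specific DLL build and pass its real image base.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Single-byte "pop r32" opcodes are 0x58 + register number. */
static const char *const REG[8] = {
    "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"
};

struct gadget {
    uint32_t va;      /* virtual address of the first pop              */
    int      r1, r2;  /* register numbers of the two pops              */
    int      ret_imm; /* -1 for plain "ret", otherwise the imm16 of "ret n" */
};

/* Classify the bytes at p as pop/pop/ret. Returns the sequence length (3 or 5)
 * and fills g, or 0 if it is not a usable gadget. "pop esp" is rejected
 * because it replaces the stack pointer and breaks the technique. Nothing
 * is assumed about instruction alignment: x86 is variable length, so a
 * gadget may sit inside a "real" instruction, as CopyBlobIndirect+0x71 does. */
static size_t classify(const uint8_t *p, size_t avail, uint32_t va, struct gadget *g)
{
    if (avail < 3) return 0;
    if (p[0] < 0x58 || p[0] > 0x5f || p[1] < 0x58 || p[1] > 0x5f) return 0;
    int r1 = p[0] - 0x58, r2 = p[1] - 0x58;
    if (r1 == 4 || r2 == 4) return 0;                 /* pop esp */
    if (p[2] == 0xc3) {                               /* ret */
        g->va = va; g->r1 = r1; g->r2 = r2; g->ret_imm = -1;
        return 3;
    }
    if (p[2] == 0xc2 && avail >= 5) {                 /* ret imm16 */
        g->va = va; g->r1 = r1; g->r2 = r2;
        g->ret_imm = p[3] | (p[4] << 8);
        return 5;
    }
    return 0;
}

/* Harvest: scan a code buffer loaded at base, write up to max gadgets to out. */
size_t find_pop_pop_ret(const uint8_t *buf, size_t len, uint32_t base,
                        struct gadget *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max; i++)
        if (classify(buf + i, len - i, base + (uint32_t)i, &out[n]))
            n++;
    return n;
}

/* Verify: the check Dave did with "u <addr>". Is an address harvested on
 * some other build still a pop/pop/ret in the bytes loaded here? */
int check_gadget_at(const uint8_t *buf, size_t len, uint32_t base, uint32_t va)
{
    struct gadget g;
    if (va < base || va - base >= len) return 0;
    size_t off = va - base;
    return classify(buf + off, len - off, va, &g) != 0;
}

/* Constructed sample bytes (not a real DLL): a WS2_32-style
 * "pop edi; pop esi; ret 4", the "shr byte ptr [eax],2" bytes from the
 * kernel32 listing in the thread, a "pop ebx; pop esi; ret", and a
 * "pop esp" sequence that must be rejected. */
const uint8_t sample_code[] = {
    0x8b, 0x45, 0x08,             /* mov eax,[ebp+8]          offset 0  */
    0x5f, 0x5e, 0xc2, 0x04, 0x00, /* pop edi; pop esi; ret 4  offset 3  */
    0x90,                         /* nop                      offset 8  */
    0xc0, 0x28, 0x02,             /* shr byte ptr [eax],2     offset 9  */
    0x00, 0x00,                   /* add [eax],al             offset 12 */
    0x5b, 0x5e, 0xc3,             /* pop ebx; pop esi; ret    offset 14 */
    0x5c, 0x5d, 0xc3,             /* pop esp; pop ebp; ret    offset 17 */
};
#define SAMPLE_BASE 0x71ab0000u   /* hypothetical load address */

int main(void)
{
    struct gadget g[16];
    size_t n = find_pop_pop_ret(sample_code, sizeof sample_code, SAMPLE_BASE, g, 16);
    for (size_t i = 0; i < n; i++) {
        printf("0x%08x pop %s - pop %s - ", g[i].va, REG[g[i].r1], REG[g[i].r2]);
        if (g[i].ret_imm < 0) printf("ret\n");
        else                  printf("ret 0x%x\n", g[i].ret_imm);
    }
    /* Re-verify an address before trusting it on this build. */
    uint32_t candidate = SAMPLE_BASE + 9;
    printf("0x%08x is %s on this build\n", candidate,
           check_gadget_at(sample_code, sizeof sample_code, SAMPLE_BASE, candidate)
               ? "a pop/pop/ret" : "not a pop/pop/ret");
    return 0;
}
```

The scanner deliberately does not disassemble: it matches the byte pattern at every offset, which is how an address can land mid-function as `WS2_32!CopyBlobIndirect+0x71` does in Dave's listing. The companion `check_gadget_at` is the step to run on each target build before calling an address "universal"; a list like the one in the thread is only as good as the file versions it was generated from.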