Update: Since I'm able to get the correct address into a register that I want to jump/call to, I think the best option would be to figure out a way to have self modifying code result in a jmp/call register. Ex. FFD6 call esi Would anyone be able to give me some pointers or an example in assembly of how to get a resulting FFD6?
I'm messing around with an exploit, and having a hard time moving backwards in the stack due to bad characters. I need to move back ~460 bytes to get to the start of my buffer.
Here is a list of the bad characters:
\x0a\x0d\x1a\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff
I'm limited to x86/alpha_mixed with a couple of exceptions like \x81 & \x8d. The only way I've been able to move back in the stack is \x74\x81 (which are allowed characters), but I'd have to do that 4 times to get back the ~460. That wouldn't be the biggest deal, except that it will also make it very difficult for me to segment my shellcode when I'm already having to encode it to alpha_mixed.
I'm not an assembly master, so is there any other way that I'm missing that I might be able to move directly back without jmp or call (FF)?
\x81 allowed? What is the list of bad characters then? :) - Jester
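As an added example (not part of the question or the comment above), the following C program works through the byte-level constraints the question describes: it checks whether an encoding survives the bad-character filter, searches for two allowed bytes whose XOR yields a forbidden opcode byte (the basis of rebuilding FF D6, call esi, in place from a decoder stub), enumerates which backward rel8 displacements are still writable, and counts how many chained je -127 hops cover ~460 bytes. It assumes the bad-character list exactly as posted (reading the \xf7xf8 typo as \xf7\xf8) and uses only standard x86 encoding facts: 0x70-0x7F are Jcc rel8, 0xEB is jmp rel8, 0xE9 is jmp rel32, and FF /2 is call r/m32 with ModRM D6 selecting esi. One caveat worth keeping in mind: 0x74 is je, so each hop is only taken when ZF is set at that point.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Bad characters copied from the question (reading the "\xf7xf8" typo as \xf7\xf8).
 * Everything from 0xc0 upward is bad, so only the sub-0xc0 entries are listed
 * here; the 0xc0-0xff range is handled in build_allowed(). */
static const uint8_t BAD_BELOW_C0[] = {
    0x0a, 0x0d, 0x1a,
    0x80, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c,
    0x8e, 0x8f, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a,
    0x9b, 0x9c, 0x9e, 0x9f,
};

static int allowed[256];
static int allowed_ready = 0;

static void build_allowed(void)
{
    for (int b = 0; b < 256; b++)
        allowed[b] = (b < 0xc0);          /* 0xc0-0xff are all bad */
    for (size_t i = 0; i < sizeof BAD_BELOW_C0; i++)
        allowed[BAD_BELOW_C0[i]] = 0;
    allowed_ready = 1;
}

int is_allowed(uint8_t b)
{
    if (!allowed_ready) build_allowed();
    return allowed[b];
}

/* 1 if every byte of an encoding survives the filter, else 0. */
int is_clean(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (!is_allowed(code[i])) return 0;
    return 1;
}

/* Find allowed bytes a, b with a ^ b == target (lowest a first, so the result
 * is deterministic). Returns 1 if such a pair exists. The buffer carries `a` as
 * a placeholder and the decoder XORs `b` over it in place, so the forbidden
 * byte only exists in memory after the filter has been passed. */
int find_xor_pair(uint8_t target, uint8_t *a, uint8_t *b)
{
    for (int x = 0; x < 256; x++) {
        int y = x ^ target;
        if (is_allowed((uint8_t)x) && is_allowed((uint8_t)y)) {
            *a = (uint8_t)x;
            *b = (uint8_t)y;
            return 1;
        }
    }
    return 0;
}

/* Collect the negative rel8 displacements (0x80-0xff read as signed) that
 * survive the filter. Combined with any Jcc opcode 0x70-0x7f (all allowed
 * here) these are the only backward short jumps that can be written directly. */
int clean_backward_rel8(int *disps, int max)
{
    int n = 0;
    for (int d = 0x80; d <= 0xff && n < max; d++)
        if (is_allowed((uint8_t)d))
            disps[n++] = (int8_t)d;
    return n;
}

/* Minimal number of chained 2-byte `jcc -127` hops so that the last landing
 * point is at least `distance` bytes before the first hop. A hop at address A
 * lands at (A + 2) - 127 = A - 125. */
int hops_needed(int distance)
{
    int hops = 0, moved = 0;
    while (moved < distance) { moved += 125; hops++; }
    return hops;
}

int main(void)
{
    const uint8_t call_esi[]  = { 0xff, 0xd6 };                   /* FF /2, ModRM D6 = call esi */
    const uint8_t je_back[]   = { 0x74, 0x81 };                   /* je -127, the hop from the question */
    const uint8_t jmp_back[]  = { 0xeb, 0x81 };                   /* jmp rel8 -127: opcode EB is bad */
    const uint8_t jmp_rel32[] = { 0xe9, 0x34, 0xfe, 0xff, 0xff }; /* jmp rel32 -460: E9 and FF bytes are bad */

    printf("call esi   clean? %d\n", is_clean(call_esi, sizeof call_esi));
    printf("je  -127   clean? %d\n", is_clean(je_back, sizeof je_back));
    printf("jmp -127   clean? %d\n", is_clean(jmp_back, sizeof jmp_back));
    printf("jmp -460   clean? %d\n", is_clean(jmp_rel32, sizeof jmp_rel32));

    for (size_t i = 0; i < sizeof call_esi; i++) {
        uint8_t a, b;
        if (find_xor_pair(call_esi[i], &a, &b))
            printf("byte %02x = %02x ^ %02x (both allowed)\n", call_esi[i], a, b);
    }

    int disps[128];
    int n = clean_backward_rel8(disps, 128);
    printf("%d clean backward rel8 displacements, farthest %d\n", n, disps[0]);
    printf("je -127 hops needed to move back 460 bytes: %d\n", hops_needed(460));
    return 0;
}
```

The XOR-pair search is the only part that actually constructs a forbidden opcode: FF and D6 are both bad, but each is the XOR of two bytes that pass the filter, so a decoder stub that already has a register pointing into the buffer can patch them into place. The rel8 enumeration confirms why the question is stuck with je -127 as the longest single backward hop, and why jmp rel8/rel32 are not available.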