https://tahadraidia.com/tags/asm/Recent content in ASM on Taha DraidiaHugo -- gohugo.ioen-usSun, 12 Dec 2021 13:34:28 +0000https://tahadraidia.com/posts/alternative-to-jmp-esp/Sun, 12 Dec 2021 13:34:28 +0000https://tahadraidia.com/posts/alternative-to-jmp-esp/When it comes to vanilla buffer overflow, JMP ESP instruction is the one you look for when you got control over EIP register. Now let’s assume that DEP is not enabled and due to ASLR and/or JMP ESP addresses contains bad characters, which make those address impossible to use. We can look for the following assembly instructions instead: PUSH ESP; RET (54C3) 0:012> u 77c73989 ntdll!ResCDirectoryValidateEntries+0x1805: 77c73989 54 push esp 77c7398a c3 ret CALL ESP; (FFD4) 0:012> u 77c77254 ntdll!