https://tahadraidia.com/tags/assembly-x86/Recent content in Assembly x86 on Taha DraidiaHugo -- gohugo.ioen-usWed, 22 Dec 2021 07:27:39 +0000https://tahadraidia.com/posts/a_brief_dive_into_windows_structured_exception_handeling/Wed, 22 Dec 2021 07:27:39 +0000https://tahadraidia.com/posts/a_brief_dive_into_windows_structured_exception_handeling/When it comes to handle exceptions in programming, we are all familiar with try/catch and it’s other variant syntax sugar. For example below is a divide by zero error raised as an exception in python. PS C:\Users\tahai\code\blog> python Python 3.6.4 (v3.6.4:d48eceb, Dec 19 2017, 06:54:40) [MSC v.1900 64 bit (AMD64)] on win32 Type "help", "copyright", "credits" or "license" for more information. >>> d = 9 // 0 Traceback (most recent call last): File "<stdin>", line 1, in <module> ZeroDivisionError: integer division or modulo by zero >>> The exception name is called ZeroDivisionError, in this case we didn’t catch the error but the system did for us.https://tahadraidia.com/posts/alternative-to-jmp-esp/Sun, 12 Dec 2021 13:34:28 +0000https://tahadraidia.com/posts/alternative-to-jmp-esp/When it comes to vanilla buffer overflow, JMP ESP instruction is the one you look for when you got control over EIP register. Now let’s assume that DEP is not enabled and due to ASLR and/or JMP ESP addresses contains bad characters, which make those address impossible to use. We can look for the following assembly instructions instead: PUSH ESP; RET (54C3) 0:012> u 77c73989 ntdll!ResCDirectoryValidateEntries+0x1805: 77c73989 54 push esp 77c7398a c3 ret CALL ESP; (FFD4) 0:012> u 77c77254 ntdll!