Quote:
|
Originally Posted by Satyric0n
This may be stating the obvious, but here goes...
A "PUSH $address" followed by a RETN is functionally identical to "JMP $address". The instructions are different, but they accomplish the exact same thing, since RETN basically just does what can be thought of as "POP EIP".
If the purpose of examining the difference between the two was to try to find a pattern of some sort (i.e. the PUSH, RETN is there when there are stolen bytes, the JMP is there when there aren't), then my comment has no relevance.
But, since it appears there is no such pattern (as evidenced by the fact that the VCD app has the PUSH, RETN), the difference between the two seems irrelevant to me. Maybe ASPR just generates one or the other randomly, to try to confuse people? 
|
And it seemed to have worked.

I believe you may be correct. If there is a pattern then it is not very evident. I just thought it odd when this jump shows up after all the other ASPR programs I tried had returns. If someone happens to see it again in another program let me know because I still find it interesting.
Seems we needed an extra voice of reason to get us focused again.
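
The equivalence discussed in this thread, as an added example that is not part of the original posts: a small decoder that normalises both forms of the final transfer (PUSH imm32 / RETN and JMP rel32) to the same absolute target, so an analysis script can treat them alike. The stub address, target address and byte strings are constructed for illustration, and only 32-bit x86 encodings are handled.

```python
import struct

MASK32 = 0xFFFFFFFF

def resolve_transfer(code: bytes, va: int):
    """Decode the control transfer at code[0], located at virtual address va.

    Returns (form, absolute_target), or None if the bytes are neither form.
    """
    # 68 imm32 / C3 : PUSH imm32 ; RETN
    # RETN pops the dword just pushed into EIP, so the target is the immediate.
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        (target,) = struct.unpack_from("<I", code, 1)
        return "push-ret", target

    # E9 rel32 : JMP near, displacement relative to the *next* instruction.
    if len(code) >= 5 and code[0] == 0xE9:
        (rel,) = struct.unpack_from("<i", code, 1)
        return "jmp-rel32", (va + 5 + rel) & MASK32

    return None

def same_destination(a: bytes, a_va: int, b: bytes, b_va: int) -> bool:
    """True when both stubs decode and end up at the same address."""
    ra, rb = resolve_transfer(a, a_va), resolve_transfer(b, b_va)
    return ra is not None and rb is not None and ra[1] == rb[1]

# Constructed sample data: a stub in allocated memory handing control to code
# in the main image. Neither address comes from a real program.
STUB_VA = 0x00C50000
TARGET = 0x00401000

# PUSH 00401000 ; RETN
STUB_PUSH_RET = b"\x68" + struct.pack("<I", TARGET) + b"\xC3"
# JMP 00401000, encoded relative to the end of the 5-byte instruction
STUB_JMP = b"\xE9" + struct.pack("<i", TARGET - (STUB_VA + 5))

if __name__ == "__main__":
    for name, stub in (("push/ret", STUB_PUSH_RET), ("jmp", STUB_JMP)):
        form, target = resolve_transfer(stub, STUB_VA)
        print(f"{name:9s} {stub.hex(' '):20s} -> {form:10s} {target:08X}")
    print("same destination:", same_destination(STUB_PUSH_RET, STUB_VA,
                                                 STUB_JMP, STUB_VA))
```

The PUSH/RETN form carries an absolute address, so its bytes are the same wherever the stub sits, while the JMP displacement has to be recomputed for each stub address.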