------------------------------------------
[*] findjmp3.c - t1g3r @t sapheads d.t org
------------------------------------------
[+] CPU: GenuineIntel (type:0xb)
[+] Target file: sftpd
[+] File size: 9764 bytes
------------------------------------------
[+] Searching for stack jugglers.. (pop,add,ret)
------------------------------------------
- [ret] @ 0x804857a
- [ret] @ 0x804859b
- [pop ebp] [pop ebx] [ret] @ 0x8048722
- [ret] @ 0x8048752
- [ret] @ 0x8048783
- [ret] @ 0x80488ee
- [ret] @ 0x80489f1
- [pop ebp] [pop ebx] [ret] @ 0x8048a48
- [ret] @ 0x8048a9a
- [ret] @ 0x8048ccc
- [ret] @ 0x8048da2
- [ret] @ 0x8048e2d
- [ret] @ 0x8048e81
- [pop ebp] [ret] @ 0x8048e96
- [ret] @ 0x8048ef8
- [ret] @ 0x8048fde
- [ret] @ 0x8049211
- [pop ebp] [pop ebx] [ret] @ 0x804933d
- [ret] @ 0x8049486
- [pop ebp] [ret] @ 0x8049493
- [ret] @ 0x80494ac
- [pop ebp] [pop edi] [pop esi] [pop ebx] [ret] @ 0x80494f5
- [ret] @ 0x80494fd
- [pop ebp] [pop ebx] [ret] @ 0x8049527
- [ret] @ 0x804953a
- [ret] @ 0x8049547
------------------------------------------
[+] Searching for jmp & call..
------------------------------------------
- [jmp ****] @ 0x80485a2 (oper: fc af 04 08 )
- [jmp ****] @ 0x80485ac (oper: 00 b0 04 08 )
- [jmp (-) ****] @ 0x80485b7 (oper: e0 ff ff ff )
- [jmp ****] @ 0x80485bc (oper: 04 b0 04 08 )
- [jmp (-) ****] @ 0x80485c7 (oper: d0 ff ff ff )
- [jmp ****] @ 0x80485cc (oper: 08 b0 04 08 )
- [jmp (-) ****] @ 0x80485d7 (oper: c0 ff ff ff )
- [jmp ****] @ 0x80485dc (oper: 0c b0 04 08 )
- [jmp (-) ****] @ 0x80485e7 (oper: b0 ff ff ff )
- [jmp ****] @ 0x80485ec (oper: 10 b0 04 08 )
- [jmp (-) ****] @ 0x80485f7 (oper: a0 ff ff ff )
- [jmp ****] @ 0x80485fc (oper: 14 b0 04 08 )
- [jmp (-) ****] @ 0x8048607 (oper: 90 ff ff ff )
- [jmp ****] @ 0x804860c (oper: 18 b0 04 08 )
- [jmp (-) ****] @ 0x8048617 (oper: 80 ff ff ff )
- [jmp ****] @ 0x804861c (oper: 1c b0 04 08 )
- [jmp (-) ****] @ 0x8048627 (oper: 70 ff ff ff )
- [jmp ****] @ 0x804862c (oper: 20 b0 04 08 )
- [jmp (-) ****] @ 0x8048637 (oper: 60 ff ff ff )
- [jmp ****] @ 0x804863c (oper: 24 b0 04 08 )
- [jmp (-) ****] @ 0x8048647 (oper: 50 ff ff ff )
- [jmp ****] @ 0x804864c (oper: 28 b0 04 08 )
- [jmp (-) ****] @ 0x8048657 (oper: 40 ff ff ff )
- [jmp ****] @ 0x804865c (oper: 2c b0 04 08 )
- [jmp (-) ****] @ 0x8048667 (oper: 30 ff ff ff )
- [jmp ****] @ 0x804866c (oper: 30 b0 04 08 )
- [jmp (-) ****] @ 0x8048677 (oper: 20 ff ff ff )
- [jmp ****] @ 0x804867c (oper: 34 b0 04 08 )
- [jmp (-) ****] @ 0x8048687 (oper: 10 ff ff ff )
- [jmp ****] @ 0x804868c (oper: 38 b0 04 08 )
- [jmp (-) ****] @ 0x8048697 (oper: 00 ff ff ff )
- [call eax] @ 0x804874f
- [jmp (-) ****] @ 0x80487e7 (oper: 01 01 00 00 )
- [jmp (-) ****] @ 0x8048828 (oper: c0 00 00 00 )
- [jmp (-) ****] @ 0x8048845 (oper: a3 00 00 00 )
- [jmp (-) ****] @ 0x8048aac (oper: ce 01 00 00 )
- [jmp (-) ****] @ 0x8048b98 (oper: d5 00 00 00 )
- [jmp (-) ****] @ 0x8048bc7 (oper: a6 00 00 00 )
- [jmp (-) ****] @ 0x8048d4f (oper: f8 ff ff 8b )
- [jmp (-) ****] @ 0x8048f2b (oper: ad 00 00 00 )
- [jmp (-) ****] @ 0x8048ff0 (oper: ac 00 00 00 )
- [call eax] @ 0x804951b
------------------------------------------
[v] Thank you, come again! uh-heung! r0ar!