x86_64 dirty hack to get the syscall table address.
;-----------------------------------------------------------------------
; Locate the x86_64 syscall table by scanning the kernel's SYSCALL entry stub.
; Syntax:  NASM / Intel operand order.
; Context: kernel mode only - rdmsr is a privileged (CPL0) instruction.
; In:      none
; Out:     rax = syscall table address on success, 0 on the .fail path
; Clobb:   rcx, rdx, flags
; NOTE(review): the labels this snippet jumps to (.loop_body, .loop_, .fail)
; are not present in this listing; the control-flow notes below are
; reconstructed from the jump targets and are hedged accordingly.
; Fragility: the scan matches one exact 3-byte opcode sequence (see below).
; A kernel whose entry stub does not contain that indirect call (presumably
; C-dispatch / retpoline builds) never matches, reaches the limit and returns 0.
;-----------------------------------------------------------------------
mov ecx, 0xc0000082 ; MSR index 0xC0000082 = IA32_LSTAR: RIP loaded on SYSCALL
rdmsr ; eax = low, edx = high
sal rdx, 32 ; shift the high half into bits 63..32
or rax, rdx ; rax = guess (full 64-bit address of the SYSCALL entry stub)
mov rcx, rax
add rcx, 500 ; rcx = scan limit: give up 500 bytes past the entry point
jmp .loop_body ; skip the increment so the entry address itself is tested first
; .loop_ presumably labels the increment below; .loop_body presumably the limit check.
add rax, 1 ; advance the cursor one byte
cmp rcx, rax
je .fail ; limit reached with no match -> fail
; Match the three opcode bytes FF 14 C5, which decode as
; call qword [rax*8 + disp32] - the table-indexed indirect call being searched for.
cmp byte [rax], 0xff
jne .loop_
cmp byte [rax + 1], 0x14
jne .loop_
cmp byte [rax + 2], 0xc5
jne .loop_
; Matched: the disp32 following the opcode is the table address (as a sign-extended imm32).
mov rcx, 0xffffffff00000000
mov eax, dword [rax + 3] ; zero-extends the 32-bit displacement into rax
or rax, rcx ; 0xffffffff00000000 | *(int*)(guess+3) - forces the upper half to all-ones;
; this is only correct if disp32 is negative (kernel-half address); movsxd would
; express the same intent as a true sign extension without that assumption.
; NOTE(review): a ret / jump back to the caller presumably sits here, ahead of the
; .fail label; as listed, the next instruction would clobber the result just computed.
xor rax, rax ; presumably .fail: return 0 (no table found within the limit)