Hello guys,
During research on an FTP server I came across a piece of code like this:
1---> lea eax, [ebp+var_8]     ; this can be the address ebp-8
2---> add eax, [ebp+var_220]   ; [ebp+var_220] holds an input integer value; I can vary it between 1h and 200h
3---> sub eax, 211h
4---> mov byte ptr [eax], 0
So after the 3rd instruction we can write the equation like this:
(ebp-8) + (my_input_data) - 211h ------- call it a
Its maximum value is reached when my_input_data = 200h:
ebp - 8 + 200h - 211h = ebp - 19h
Its minimum value is reached when my_input_data = 1h:
ebp - 8 + 1 - 211h = ebp - 217h
So after instruction 3 we can vary the value of the eax register from
ebp-217h to ebp-19h.
Then after instruction 4 (mov byte ptr [eax], 0) we can set to 0 any byte in the range
[ebp-217h] to [ebp-19h], which can be exploited accordingly.
I hope you understand what I am trying to explain. Maybe I'm wrong; if so, please correct me before I move forward
in my research :) :)
Thank you
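An added worked example (not code from the original post or from the FTP server under discussion) that models the four instructions above as a one-byte null-write primitive: it computes the reachable offset window from the input bounds 1h..200h instead of by hand, checks whether a given local lies inside that window, and applies the write to a constructed byte-array "frame". The frame layout, the ebp position inside it and the string local at ebp-40h are assumptions made for the demo; nothing here reflects the real server's frame.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the stack frame, not the real server's layout:
 * a flat byte array stands in for memory and "ebp" sits at a fixed index. */
#define FRAME_LEN  0x300
#define EBP_INDEX  0x280
#define IN_MIN     0x1     /* smallest value the post says the input can take */
#define IN_MAX     0x200   /* largest value the post says the input can take */

/* Mirrors instructions 1-3: eax = (ebp - 8) + input - 211h.
 * Returns the target as a signed offset from ebp (negative = below ebp). */
long target_offset(long input)
{
    return -8 + input - 0x211;
}

/* Smallest and largest offsets the write can reach for input in [lo, hi]. */
void reachable_range(long lo, long hi, long *min_off, long *max_off)
{
    *min_off = target_offset(lo);
    *max_off = target_offset(hi);
}

/* Can some input in [lo, hi] land inside the local occupying
 * [ebp - local_off, ebp - local_off + len)?  Interval overlap test. */
bool can_hit_local(long local_off, long len, long lo, long hi)
{
    long lo_off = target_offset(lo);
    long hi_off = target_offset(hi);
    long local_lo = -local_off;
    long local_hi = -local_off + len - 1;
    return hi_off >= local_lo && lo_off <= local_hi;
}

/* Inverse of target_offset: the input that makes eax == ebp + off. */
long input_for_offset(long off)
{
    return off + 8 + 0x211;
}

/* Instruction 4 on the model frame. Returns false if the target falls
 * outside the model instead of corrupting unrelated memory. */
bool null_write(uint8_t *frame, size_t frame_len, size_t ebp_index, long input)
{
    long idx = (long)ebp_index + target_offset(input);
    if (idx < 0 || (size_t)idx >= frame_len)
        return false;
    frame[idx] = 0;
    return true;
}

/* Demo: a constructed string local at ebp-40h; one chosen input drops a NUL
 * into its second byte, truncating it. Returns strlen() afterwards. */
size_t demo_truncate(void)
{
    uint8_t frame[FRAME_LEN];
    memset(frame, 'A', sizeof frame);
    const long str_off = 0x40;                     /* assumed local position */
    char *s = (char *)&frame[EBP_INDEX - str_off];
    strcpy(s, "some_local_string");                /* 17 chars + NUL */
    long input = input_for_offset(-str_off + 1);   /* aim at s[1] -> input 1DAh */
    if (input < IN_MIN || input > IN_MAX)
        return (size_t)-1;                         /* unreachable with this input range */
    null_write(frame, sizeof frame, EBP_INDEX, input);
    return strlen(s);
}

int main(void)
{
    long lo, hi;
    reachable_range(IN_MIN, IN_MAX, &lo, &hi);
    printf("reachable window: [ebp-0x%lx, ebp-0x%lx]\n", -lo, -hi);
    printf("var_8 itself reachable:   %s\n", can_hit_local(0x8, 4, IN_MIN, IN_MAX) ? "yes" : "no");
    printf("var_220 itself reachable: %s\n", can_hit_local(0x220, 4, IN_MIN, IN_MAX) ? "yes" : "no");
    printf("strlen after null write:  %zu\n", demo_truncate());
    return 0;
}
```

Two things the check makes visible that the arithmetic alone does not: the window never covers var_8 or var_220 themselves (both lie just outside it), so the candidate targets are whatever other locals the real frame places between ebp-218h and ebp-19h, and a single NUL is most useful where truncating a string or zeroing a length, flag or pointer byte changes control flow.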