This question is related to crackmes.de’s k1 by xtfusion. I’m trying to add custom shellcode through stack overflow.
The shellcode works perfectly under Windows XP (without ASLR) when the program is attached to the debugger. But when I run the program by double-clicking it, the program only exits quietly and no window pops up.
Full alphanumeric shellcode (and the screenshot above):

```asm
; no need to LoadLibraryA manually
push eax              ; eax should be 0 now
push 0x646E7770       ; 'pwnd'
push esp
pop ecx               ; address of 'pwnd'
push esp
pop eax
push esp
pop edx               ; address of 'pwnd', backup for later use
sub eax,0x55555521    ; only `sub eax, xxx` is allowed for alphanumeric shellcode
sub eax,0x55555421
sub eax,0x55555648
push eax
pop esp
push 0x7E
and eax,0x554E4D4A
and eax,0x2A313235
sub eax,0x55555555
sub eax,0x55555555
sub eax,0x334D556E    ; encode instruction e8070822
push eax              ; write to memory on the fly
push edx
pop esp
push esi              ; 0, esi should be 0 now
push ecx              ; address of string 'pwnd', 4 bytes to save life
push esi              ; 0
push esi              ; 0
jne 0x22FFE6          ; jump to the generated instruction `call USER32.MessageBoxA`
```
I’m not quite familiar with Windows API.
What happens to the window when the program exits? Do I need to migrate the window to another existing process?
Why does the window not show up without the debugger?
Thanks in advance.