MS IE OBJECT tag exploit


              


OllyDbg, "options" "just-in-time debugging" "make OllyDbg just-in-time debugger" "confirm before attaching". IEdie2-3 IE.

, - (.. 8). ""  IE, ""  just-in-time .

 8  just-in-time

, 75ACC4DAh (.  6, 9 10). IE , , GetDocPtr(), GetDocPtr(). ?

EAX 00000000 EBX 000BA14C ECX FFFFFFFF EDX 00E50764 ESP 0006DB9C
EBP 0006DBCC ESI 00E552B0 EDI 00E552B0 EIP 75A92128 mshtml.75A92128

75A9211D 8B41 10  MOV EAX,DWORD PTR DS:[ECX+10]
75A92120 8B49 1C  MOV ECX,DWORD PTR DS:[ECX+1C]
75A92123 F6C1 02  TEST CL,2
75A92126 74 03    JE SHORT mshtml.75A9212B
75A92128 8B40 0C  MOV EAX,DWORD PTR DS:[EAX+0Ch] ; ←
75A9212B F6C1 01  TEST CL,1
75A9212E 74 03    JE SHORT mshtml.75A92133
75A92130 8B40 2C  MOV EAX,DWORD PTR DS:[EAX+2C]
75A92133 C3       RETN

00E552B0 00000000   → 0006DB9C 75ACC4C8 RETURN to mshtml.75ACC4C8
00E552B4 00000000     0006DBA0 00E552B0
00E552B8 00000001     0006DBA4 75ACC889 RETURN to mshtml.75ACC889
00E552BC FFFFFFFF     0006DBA8 00E552B0
00E552C0 00000000     0006DBAC 000BA054
00E552C4 00000000 ←   0006DBB0 75A9BFD3 RETURN to mshtml.75A9BFD3
00E552C8 00000000     0006DBB4 00000004