Uninformed: Informative Information for the Uninformed

Vol 2» 2005.Sept


Determining the Return Address

Once all the preliminary work of calculating the viable opcode windows has been completed and the target machine's system time has been determined, the final step is to select the next available window for a compatible opcode group. For instance, if the next window for a jmp esp equivalent instruction is Sun Sep 25 22:37:28 CDT 2005, then the byte index to the start of the jmp esp equivalent must be determined from the permutation that was generated. In this case, the permutation that would have been generated (assuming a 100-nanosecond period since 1601) is 0x01c5c25400000000. Because the 64-bit value is stored little-endian, its bytes in memory are 00 00 00 00 54 c2 c5 01, so the jmp esp equivalent is actually a push esp, ret (0x54 0xc2) which starts at byte index four. If the start of the temporal address is 0x7ffe0014, then the return address that should be used in order to get the push esp, ret to execute is 0x7ffe0018. This basic approach is common to all temporal addresses of varying capacity, period, and scale.
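The byte-index calculation above, worked through in Python as an added example (this is not code from the article). It takes the permutation value and temporal base address quoted in the text, lays the value out little-endian as it would appear in memory, and scans for the opcode pairs the article groups together as jmp esp equivalents (jmp esp, push esp; ret, push esp; ret imm16). The set of opcode pairs considered and the helper that reports how long a given byte position stays constant under a 100-nanosecond period are assumptions made for illustration, useful when auditing how wide each opcode window actually is.

```python
import struct

# 100-nanosecond tick, the period the article assumes for the system-time value.
TICK_SECONDS = 100e-9

# Two-byte x86 sequences treated here as "jmp esp equivalents" (assumed grouping):
#   ff e4  -> jmp esp
#   54 c3  -> push esp ; ret
#   54 c2  -> push esp ; ret imm16  (the imm16 is whatever bytes follow)
JMP_ESP_EQUIVALENTS = {
    (0xff, 0xe4): "jmp esp",
    (0x54, 0xc3): "push esp; ret",
    (0x54, 0xc2): "push esp; ret imm16",
}


def find_jmp_esp_equivalent(qword):
    """Return (byte_index, mnemonic) for the first jmp esp equivalent found in
    the little-endian memory image of a 64-bit time value, or None."""
    raw = struct.pack("<Q", qword)  # bytes exactly as they sit in memory
    for i in range(len(raw) - 1):
        pair = (raw[i], raw[i + 1])
        if pair in JMP_ESP_EQUIVALENTS:
            return i, JMP_ESP_EQUIVALENTS[pair]
    return None


def return_address(temporal_base, qword):
    """Address to return into so execution starts at the opcode window:
    temporal base address plus the byte index of the equivalent, or None."""
    hit = find_jmp_esp_equivalent(qword)
    if hit is None:
        return None
    return temporal_base + hit[0]


def byte_stable_seconds(byte_index):
    """How long the byte at a given little-endian index of the counter keeps
    one value: 256**index ticks of TICK_SECONDS each. Byte 4 (low byte of the
    high dword) changes every 2**32 ticks, roughly 429.5 s; byte 5 every 2**40."""
    return (256 ** byte_index) * TICK_SECONDS


if __name__ == "__main__":
    # Values quoted in the article for Sun Sep 25 22:37:28 CDT 2005.
    permutation = 0x01c5c25400000000
    base = 0x7ffe0014
    print(struct.pack("<Q", permutation).hex(" "))
    print(find_jmp_esp_equivalent(permutation))
    print(hex(return_address(base, permutation)))
    print("byte 4 stable for %.3f s" % byte_stable_seconds(4))
```

Running it reproduces the article's figures: the memory image is 00 00 00 00 54 c2 c5 01, the push esp; ret imm16 begins at byte index 4, and the return address is 0x7ffe0018. The stability helper shows why the window for that byte is short (about seven minutes) while higher-index bytes hold for hours or days.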