01.08.06
Metasploit info
A friend sent me this snippet of code, which is used to retrieve the EIP of the first instruction. It is a common GetPC stub used in Metasploit shellcode:
D9 EE FLDZ
D9 74 24 F4 FNSTENV BYTE PTR [ESP - 0C]
5B POP EBX
fldz loads a zero into the first FPU stack register (st(0)). Then FNSTENV is executed, which stores the FPU environment to memory; among other things, the environment contains the pointer to the last non-control FPU instruction that was executed. The memory layout of the 28-byte environment structure (32-bit protected mode) is
00: control word
04: status word
08: tag word
12: fpu instruction pointer offset
16: fpu instruction pointer selector
20: fpu operand pointer offset
24: fpu operand pointer selector
(each field occupies a 4-byte slot; the upper bits are reserved, except at offset 16 where they hold the opcode of the last FPU instruction, see the Intel manuals for more details)
At struct+12 there is the pointer to the last FPU instruction that was executed, which here is the fldz (FNSTENV itself is a control instruction and does not update that pointer). So after fnstenv [esp-0xC] the pointer to the fldz sits at [esp-0xC+12] = [esp], and the pop ebx loads it into ebx.
Nothing strange so far, it is just like the standard
call @@2
@@2: pop ebx
with the difference that call @@2 encodes as E8 00 00 00 00 and so contains null bytes, while the FPU stub contains none.
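As an added example (not part of the original post), the Python below decodes the 28-byte FNSTENV image described in the table above and scans a byte buffer for the fldX / fnstenv [esp+disp8] / pop r32 stub, checking that the displacement actually puts the instruction pointer at [esp] so the pop fetches it. The sample bytes and the environment image are constructed here, not taken from the post or from Metasploit; the second stub in the sample uses fnstenv [esp-0x10] to show a displacement that misses by one slot.

```python
import struct

# Offsets in the 28-byte image FNSTENV writes in 32-bit protected mode
# (same layout as the table above; every field is padded to a 4-byte slot).
FNSTENV_IMAGE_SIZE = 28
FIP_OFFSET = 12

# x87 constant loads D9 E8..D9 EE. Any non-control x87 instruction updates the
# FPU instruction pointer; fldz is just the one the stub in the post uses.
FPU_LOADS = {0xE8: "fld1", 0xE9: "fldl2t", 0xEA: "fldl2e", 0xEB: "fldpi",
             0xEC: "fldlg2", 0xED: "fldln2", 0xEE: "fldz"}
POP_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # 58..5F


def parse_fnstenv_image(image: bytes) -> dict:
    """Decode the 28-byte FNSTENV environment image into named fields."""
    if len(image) < FNSTENV_IMAGE_SIZE:
        raise ValueError("FNSTENV image is 28 bytes")
    cw, sw, tw, fip, fcs_op, fdp, fds = struct.unpack_from("<7I", image, 0)
    return {
        "control_word": cw & 0xFFFF,
        "status_word": sw & 0xFFFF,
        "tag_word": tw & 0xFFFF,
        "fip": fip,                        # offset 12: last non-control FPU insn
        "fcs": fcs_op & 0xFFFF,            # offset 16: its code selector ...
        "opcode": (fcs_op >> 16) & 0x7FF,  # ... with the 11-bit opcode above it
        "fdp": fdp,                        # offset 20: last operand pointer
        "fds": fds & 0xFFFF,               # offset 24: its selector
    }


def find_fpu_getpc(code: bytes) -> list:
    """Find fldX / fnstenv [esp+disp8] / pop r32 triplets in a byte buffer.

    For each hit, report where the FIP lands relative to esp (disp + 12) and
    whether the pop really fetches it: only disp == -0x0C puts FIP at [esp].
    """
    hits = []
    for i in range(len(code) - 6):
        if code[i] != 0xD9 or code[i + 1] not in FPU_LOADS:
            continue
        # fnstenv [esp+disp8] is D9 /6 with a SIB byte: D9 74 24 disp8
        if code[i + 2:i + 5] != b"\xd9\x74\x24":
            continue
        disp = struct.unpack_from("<b", code, i + 5)[0]
        fip_slot = disp + FIP_OFFSET
        pop = code[i + 6]
        reg = POP_REGS[pop - 0x58] if 0x58 <= pop <= 0x5F else None
        hits.append({
            "offset": i,                  # the popped value is load address + this
            "fpu_insn": FPU_LOADS[code[i + 1]],
            "disp": disp,
            "fip_slot": fip_slot,
            "pop_reg": reg,
            "fetches_fip": reg is not None and fip_slot == 0,
        })
    return hits


# Constructed sample (not from the post): five filler nops, the stub from the
# post, then a second stub whose fnstenv [esp-0x10] leaves FIP at [esp-4], so
# the pop picks up the selector dword at [esp] instead of the address.
SAMPLE = (b"\x90" * 5
          + bytes.fromhex("d9ee d97424f4 5b")
          + bytes.fromhex("d9eb d97424f0 58"))

# Constructed 28-byte image as fnstenv would leave it after an fldz executed at
# 0x00401000 under code selector 0x1B: TOP=7 in the status word, st(0) tagged
# "zero" in the tag word, opcode field = low 11 bits of D9 EE.
SAMPLE_IMAGE = struct.pack("<7I", 0x037F, 0x3800, 0x7FFF, 0x00401000,
                           (0x1EE << 16) | 0x1B, 0, 0)

if __name__ == "__main__":
    for hit in find_fpu_getpc(SAMPLE):
        print(hit)
    print(parse_fnstenv_image(SAMPLE_IMAGE))
```

The scanner only accepts the esp-relative disp8 form of fnstenv, which is what the stub in the post uses; the value reported as offset is what ends up in the popped register once the buffer's load address is added.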
However, the interesting part is that if you single-step the FPU code in OllyDbg you will not get the address of the fldz in ebx, but 0 or some garbage address. This probably happens because when you single-step, int 01 is invoked and the kernel executes some code; the single step is transparent to you, but not to the FPU.
So, in a word, this could be a nice anti-tracing trick.
Byez!
AndreaGeddon