From 4eaf1ace814ee8a5afc3669280b89bbeb79125ed Mon Sep 17 00:00:00 2001
From: Matthias Ganz
Date: Mon, 2 Nov 2015 16:56:07 +0100
Subject: [PATCH] Bugfix loading address of library path into rcx

The old code breaks if the payload is executed from a memory area where the 4 most significant bytes are non-zero.
---
 .../shellcode/windows/x64/src/single/single_loadlibrary.asm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/external/source/shellcode/windows/x64/src/single/single_loadlibrary.asm b/external/source/shellcode/windows/x64/src/single/single_loadlibrary.asm
index 5ba96f0f7d..c8f9832713 100644
--- a/external/source/shellcode/windows/x64/src/single/single_loadlibrary.asm
+++ b/external/source/shellcode/windows/x64/src/single/single_loadlibrary.asm
@@ -15,7 +15,7 @@ delta: ; %include "./src/block/block_api.asm" ; start: ; pop rbp ; Pop off the address of 'api_call' for calling later.
- lea rcx, [ebp+libpath-delta]
+ lea rcx, [rbp+libpath-delta]
 mov r10d, 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
 call rbp ; LoadLibraryA( &libpath );
 ; Finish up with the EXITFUNK.
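Review bot: The fixed `lea` line should carry a comment saying why the 64-bit base register matters, otherwise the same regression is easy to reintroduce by copy-paste: in 64-bit mode `[ebp+...]` assembles with a 0x67 address-size prefix and the effective address is truncated to 32 bits, which is exactly the failure the commit description reports for payloads mapped above 4 GiB. Suggest `lea rcx, [rbp+libpath-delta] ; rcx = &libpath (64-bit base: [ebp+...] would truncate the address to 32 bits)`. Dropping that prefix also shrinks the encoding by one byte, so if the file's header comment records the payload size it presumably needs updating — the header is outside the hunk, confirm against the assembler output. The sibling x64 `single_*.asm` sources are worth a grep for the same `[ebp+` idiom, since they share this `delta`/`rbp` addressing pattern. The code run starting at `start:` continues past the end of the hunk.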