📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

 Forums >>  Debuggers  >>  Process escapes step in?

Topic created on: November 8, 2011 02:22 CST by pank4j .

I'm trying to debug a program which apparently escapes the step in thing in windbg.

It is a hello world program, which prints "hi" if no command line arguments are passed to it, and "hello" otherwise. The program is compiled with the gcc that is shipped with Dev-C++.

Steps to reproduce the problem:
1. Load test4.exe in windbg.
2. Put a breakpoint at 7789fbc8 (bu 7789fbc8).
3. Let it run and hit the breakpoint (g).
4. Once it hits the breakpoint, remove the breakpoint (bc *).
5. Step in a few instructions till it reaches 778901c4 (mov dword ptr [esp+4],eax ss:002b:0028fff4=00401220).
6. Stepping in this instruction runs the program and it prints "hi". This can be confirmed by installing a breakpoint at 401291 which lies in main().

A new thread is created just when it executes the instruction at 778901c4. But isn't it supposed to break when stepping in?

How can I intercept it in windbg?

Here's the exe:
http://uploadbin.net/d076aaa65b32102f8831d42f70a4e48c/test4.exe

  PeterFerrie     November 9, 2011 11:15.46 CST
You could start by telling us the exact platform, since those addresses are meaningless without context because they are not inside the module, but inside some DLL.

  anonymouse     November 9, 2011 21:54.38 CST
Like Peter posted, those addresses are meaningless.

Since they are inside a dll they can be meaningless even if you said it was xp sp3, as the dll load address can be randomized by ASLR.

bu in windbg is for setting a bp with a symbol; do not use it for setting a bu on a raw address.

Set bu like this: bu ntdll!LdrInitializeThunk+0x18
This bp will let windbg resolve the symbol wherever the dll is loaded and set the correct bp when the module is loaded (bu works on deferred / delayed / demand loads also).

Also, the sequence you posted does not seem to exist in any meaningful position on xpsp3:



0:000> u eip l2
ntdll!DbgBreakPoint:
7c90120e cc              int     3
7c90120f c3              ret
0:000> a eip
7c90120e mov dword ptr [esp+4],eax
mov dword ptr [esp+4],eax
7c901212

0:000> u eip l2
ntdll!DbgBreakPoint:
7c90120e 89442404        mov     dword ptr [esp+4],eax
ntdll!DbgUserBreakPoint:
7c901212 cc              int     3
0:000> # "89442404" ntdll L?b2000
ntdll!LdrInitializeThunk+0x4:
7c90116a 89442404        mov     dword ptr [esp+4],eax
ntdll!DbgBreakPoint:
7c90120e 89442404        mov     dword ptr [esp+4],eax
ntdll!_fload_withFB+0x2d:
7c90e2a3 89442404        mov     dword ptr [esp+4],eax
                                
0:000> # "89442404" kernel32 L?f0000
                                  

0:000> lm
start    end        module name
00400000 00406000   image00400000   (no symbols)          
77c10000 77c68000   msvcrt     (pdb symbols) \msvcrt.pdb
7c800000 7c8f6000   kernel32   (pdb symbols) \kernel32.pdb
7c900000 7c9b2000   ntdll      (pdb symbols) \ntdll.pdb
0:000> # "89442404" msvcrt L?f0000
msvcrt!_fload_withFB+0x2d:
77c50c52 89442404        mov     dword ptr [esp+4],eax
                                


for me your exe stops on 401291 without problems in windbg



0:000> .restart
CommandLine: "C:\Documents and Settings\Admin\Desktop\test4.exe"
Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 00406000   image00400000
ModLoad: 7c900000 7c9b2000   ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
(c5c.cc4): Break instruction exception - code 80000003 (first chance)
eax=00361eb4 ebx=7ffdd000 ecx=00000004 edx=00000010 esi=00361f48 edi=00361eb4
eip=7c90120e esp=0023fb20 ebp=0023fc94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc              int     3
0:000> bp 401291
*** ERROR: Module load completed but symbols could not be loaded for image00400000
0:000> g
ModLoad: 5cb70000 5cb96000   C:\WINDOWS\system32\ShimEng.dll
Breakpoint 0 hit
eax=00000001 ebx=00004000 ecx=00492dc0 edx=00492450 esi=016bf784 edi=016bf6ee
eip=00401291 esp=0023ff78 ebp=0023ffb0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
image00400000+0x1291:
00401291 89e5            mov     ebp,esp
windbg> .hh s -a
0:000> s -a 403000 403030 "h"
00403000  68 65 6c 6c 6f 0a 00 68-69 0a 00 00 00 00 00 00  hello..hi.......
00403007  68 69 0a 00 00 00 00 00-00 2d 4c 49 42 47 43 43  hi.......-LIBGCC
0:000> ln poi(poi(401822))
(77c4186a)   msvcrt!printf   |  (77c418d5)   msvcrt!puts
Exact matches:
    msvcrt!printf = <no type information>
0:000> uf eip
image00400000+0x1291:
00401291 89e5            mov     ebp,esp
00401293 83ec08          sub     esp,8
00401296 83e4f0          and     esp,0FFFFFFF0h
00401299 b800000000      mov     eax,0
0040129e 83c00f          add     eax,0Fh
004012a1 83c00f          add     eax,0Fh
004012a4 c1e804          shr     eax,4
004012a7 c1e004          shl     eax,4
004012aa 8945fc          mov     dword ptr [ebp-4],eax
004012ad 8b45fc          mov     eax,dword ptr [ebp-4]
004012b0 e87b040000      call    image00400000+0x1730 (00401730)
004012b5 e816010000      call    image00400000+0x13d0 (004013d0)
004012ba 837d0802        cmp     dword ptr [ebp+8],2
004012be 750e            jne     image00400000+0x12ce (004012ce)

image00400000+0x12c0:
004012c0 c7042400304000  mov     dword ptr [esp],offset image00400000+0x3000 (00403000)
004012c7 e854050000      call    image00400000+0x1820 (00401820)
004012cc eb0c            jmp     image00400000+0x12da (004012da)

image00400000+0x12ce:
004012ce c7042407304000  mov     dword ptr [esp],offset image00400000+0x3007 (00403007)
004012d5 e846050000      call    image00400000+0x1820 (00401820)

image00400000+0x12da:
004012da b800000000      mov     eax,0
004012df c9              leave
004012e0 c3              ret

  pank4j   November 13, 2011 20:39.01 CST
I have tried it on Win7 SP1 (64-bit) and WinXP SP3 (32-bit).
For XP SP3, here's how to reproduce it.
1. Load the exe and set up a breakpoint at ntdll!ZwContinue.
2. Continue till it hits the breakpoint. Now remove the breakpoint.
3. Step in a few instructions till you reach the sysenter instruction.
4. Stepping in here, Windbg runs the program till it terminates.


Executable search path is:
ModLoad: 00400000 00406000   image00400000
ModLoad: 7c900000 7c9af000   ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
(840.65c): Break instruction exception - code 80000003 (first chance)
eax=00341eb4 ebx=7ffdd000 ecx=00000004 edx=00000010 esi=00341f48 edi=00341eb4
eip=7c90120e esp=0022fb20 ebp=0022fc94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
ntdll!DbgBreakPoint:
7c90120e cc              int     3
0:000> bu ntdll!ZwContinue
0:000> g
Breakpoint 0 hit
eax=00000000 ebx=7ffdd000 ecx=7c91b00a edx=7c90e4f4 esi=00000000 edi=0022fd30
eip=7c90d040 esp=0022fd24 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!ZwContinue:
7c90d040 b820000000      mov     eax,20h
0:000> bc *
0:000> t
eax=00000020 ebx=7ffdd000 ecx=7c91b00a edx=7c90e4f4 esi=00000000 edi=0022fd30
eip=7c90d045 esp=0022fd24 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!ZwContinue+0x5:
7c90d045 ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
0:000> t
eax=00000020 ebx=7ffdd000 ecx=7c91b00a edx=7ffe0300 esi=00000000 edi=0022fd30
eip=7c90d04a esp=0022fd24 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!ZwContinue+0xa:
7c90d04a ff12            call    dword ptr [edx]      ds:0023:7ffe0300={ntdll!KiFastSystemCall (7c90e4f0)}
0:000> t
eax=00000020 ebx=7ffdd000 ecx=7c91b00a edx=7ffe0300 esi=00000000 edi=0022fd30
eip=7c90e4f0 esp=0022fd20 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCall:
7c90e4f0 8bd4            mov     edx,esp
0:000> t
eax=00000020 ebx=7ffdd000 ecx=7c91b00a edx=0022fd20 esi=00000000 edi=0022fd30
eip=7c90e4f2 esp=0022fd20 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCall+0x2:
7c90e4f2 0f34            sysenter
0:000> t
hi
eax=00000000 ebx=00000000 ecx=7c800000 edx=7c97b120 esi=7c90de50 edi=00000000
eip=7c90e4f4 esp=0022fe68 ebp=0022ff64 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c90e4f4 c3              ret
0:000> t
       ^ No runnable debuggees error in 't'


Wasn't it supposed to break in after sysenter instruction above?

  anonymouse     November 13, 2011 21:12.39 CST
No, it won't break.

If you come to think of it, you should have realized that if
every app broke after every sysenter then Bill Gates would have been BROKE by now.

YOU NEED AT LEAST ONE BREAKPOINT IF YOU WANT TO BREAK.
NO BREAKPOINTS MEANS NO BREAK. IT IS AS SIMPLE AS THAT.


Look at the documentation of ZwContinue
and find what params it takes.

You will, after reading it a few times, realize where this function is going to return to.

Set a break there and hit t, p, wt, whatever you fancy; windbg will break if your breakpoint was right.

bp ntdll.ZwContinue "bp pointer to stackarg.type.member;g"

  pank4j   November 13, 2011 21:58.32 CST
Just one quick question: by stepping in, afaik, we break at every instruction regardless of what it is (nothing to do with ZwContinue here, or any other function for that matter). If you look at the instructions above sysenter in my post above, you'll notice it did break after the mov, call and mov instructions. Why not after sysenter? :-)

It does execute the ret instruction after sysenter; I have verified it using a bp there.

  PeterFerrie     November 14, 2011 11:19.25 CST
The ret that you saw execute after the sysenter is not the one that you think it is. It's returning from a call that was performed by a different request.
ZwContinue resumes execution from [[esp+4]+0b8].
Check the stack, you'll see that value is inside your module. Just place a breakpoint at the host entrypoint and it will be hit. Then you can step as much as you want.

  anonymouse     November 14, 2011 13:37.20 CST
Well, I didn't want to give you [esp+4]+0xb8 so I wrote

bp pointer to stackarg.type.member;g

which is (API Arg 2)context.eip.

The eip that ZwContinue should return to is passed as a parameter to that call via the CONTEXT structure.

The ret you see is KiFastCallRet, which isn't executed serially like you think;
it is executed as a part of the Process Termination Debug Event.

Type sxd epr (disable exit process exception event)

and then do what you did; you can notice if the ret executes or not.


Use bp ntdll!ZwContinue "bp poi(poi(esp+4)+0xb8)"
and it will break on Kernel32!BaseProcessStartThunk:



CommandLine: "C:\Documents and Settings\Admin\Desktop\test4.exe"
Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 00406000   image00400000
ModLoad: 7c900000 7c9b2000   ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 64d00000 64d34000   C:\Program Files\Alwil Software\Avast5\snxhk.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
(edc.be8): Break instruction exception - code 80000003 (first chance)
eax=00361eb4 ebx=7ffdf000 ecx=00000004 edx=00000010 esi=00361f48 edi=00361eb4
eip=7c90120e esp=0023fb20 ebp=0023fc94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc              int     3
0:000> bp ntdll!ZwContinue "bp poi(poi(esp+4)+0xb8)"
0:000> g
ModLoad: 5cb70000 5cb96000   C:\WINDOWS\system32\ShimEng.dll
eax=00000000 ebx=7ffdf000 ecx=7c91b02a edx=7c90e514 esi=00e8f784 edi=0023fd30
eip=7c90d05e esp=0023fd24 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!NtContinue:
7c90d05e b820000000      mov     eax,20h
0:000> bl
0 e 7c90d05e     0001 (0001)  0:**** ntdll!NtContinue "bp poi(poi(esp+4)+0xb8)"
1 e 7c810705     0001 (0001)  0:**** kernel32!BaseProcessStartThunk
0:000> t
eax=00000020 ebx=7ffdf000 ecx=7c91b02a edx=7c90e514 esi=00e8f784 edi=0023fd30
eip=7c90d063 esp=0023fd24 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!NtContinue+0x5:
7c90d063 ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
0:000> t
eax=00000020 ebx=7ffdf000 ecx=7c91b02a edx=7ffe0300 esi=00e8f784 edi=0023fd30
eip=7c90d068 esp=0023fd24 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!NtContinue+0xa:
7c90d068 ff12            call    dword ptr [edx]      ds:0023:7ffe0300={ntdll!KiFastSystemCall (7c90e510)}
0:000> t
eax=00000020 ebx=7ffdf000 ecx=7c91b02a edx=7ffe0300 esi=00e8f784 edi=0023fd30
eip=7c90e510 esp=0023fd20 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCall:
7c90e510 8bd4            mov     edx,esp
0:000> t
eax=00000020 ebx=7ffdf000 ecx=7c91b02a edx=0023fd20 esi=00e8f784 edi=0023fd30
eip=7c90e512 esp=0023fd20 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCall+0x2:
7c90e512 0f34            sysenter
0:000> t
Breakpoint 1 hit
eax=00401220 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee
eip=7c810705 esp=0023fffc ebp=00000330 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000202
kernel32!BaseProcessStartThunk:
7c810705 33ed            xor     ebp,ebp
0:000> t
eax=00401220 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee
eip=7c810707 esp=0023fffc ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
kernel32!BaseProcessStartThunk+0x2:
7c810707 50              push    eax
0:000> t
eax=00401220 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee
eip=7c810708 esp=0023fff8 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
kernel32!BaseProcessStartThunk+0x3:
7c810708 6a00            push    0
0:000> t
eax=00401220 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee
eip=7c81070a esp=0023fff4 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
kernel32!BaseProcessStartThunk+0x5:
7c81070a e945690000      jmp     kernel32!BaseProcessStart (7c817054)
0:000> t
eax=00401220 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee
eip=7c817054 esp=0023fff4 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
kernel32!BaseProcessStart:
7c817054 6a0c            push    0Ch
0:000> t
eax=00401220 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee
eip=7c817056 esp=0023fff0 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
kernel32!BaseProcessStart+0x2:
7c817056 688070817c      push    offset kernel32!`string'+0x98 (7c817080)
0:000> t
eax=00401220 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee
eip=7c81705b esp=0023ffec ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
kernel32!BaseProcessStart+0x7:
7c81705b e876b4feff      call    kernel32!_SEH_prolog (7c8024d6)
0:000> p
eax=0023ffe0 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee
eip=7c817060 esp=0023ffc8 ebp=0023fff0 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000216
kernel32!BaseProcessStart+0xc:
7c817060 8365fc00        and     dword ptr [ebp-4],0  ss:0023:0023ffec=ffffffff
0:000>
eax=0023ffe0 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee
eip=7c817064 esp=0023ffc8 ebp=0023fff0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
kernel32!BaseProcessStart+0x10:
7c817064 6a04            push    4
0:000>
eax=0023ffe0 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee
eip=7c817066 esp=0023ffc4 ebp=0023fff0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
kernel32!BaseProcessStart+0x12:
7c817066 8d4508          lea     eax,[ebp+8]
0:000>
eax=0023fff8 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee
eip=7c817069 esp=0023ffc4 ebp=0023fff0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
kernel32!BaseProcessStart+0x15:
7c817069 50              push    eax
0:000>
eax=0023fff8 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee
eip=7c81706a esp=0023ffc0 ebp=0023fff0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
kernel32!BaseProcessStart+0x16:
7c81706a 6a09            push    9
0:000>
eax=0023fff8 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee
eip=7c81706c esp=0023ffbc ebp=0023fff0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
kernel32!BaseProcessStart+0x18:
7c81706c 6afe            push    0FFFFFFFEh
0:000>
eax=0023fff8 ebx=7ffdf000 ecx=020fa685 edx=0000009c esi=00e8f784 edi=00e8f6ee
eip=7c81706e esp=0023ffb8 ebp=0023fff0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
kernel32!BaseProcessStart+0x1a:
7c81706e ff15b013807c    call    dword ptr [kernel32!_imp__NtSetInformationThread (7c8013b0)] ds:0023:7c8013b0={ntdll!ZwSetInformationThread (7c90dcae)}
0:000>
eax=00000000 ebx=7ffdf000 ecx=0023ffb0 edx=7c90e514 esi=00e8f784 edi=00e8f6ee
eip=7c817074 esp=0023ffc8 ebp=0023fff0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
kernel32!BaseProcessStart+0x20:
*** ERROR: Module load completed but symbols could not be loaded for image00400000
7c817074 ff5508          call    dword ptr [ebp+8]    ss:0023:0023fff8=00401220
0:000> t
eax=00000000 ebx=7ffdf000 ecx=0023ffb0 edx=7c90e514 esi=00e8f784 edi=00e8f6ee
eip=00401220 esp=0023ffc4 ebp=0023fff0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
image00400000+0x1220:
00401220 55              push    ebp
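The two answers above both come down to the same thing: the first argument of ZwContinue/NtContinue is a pointer to an x86 CONTEXT, and CONTEXT.Eip sits at offset 0xb8, which is what poi(poi(esp+4)+0xb8) dereferences. The following script is an added example, not code from the thread: it derives the CONTEXT field offsets from the winnt.h field order, then evaluates the same expression against a constructed memory snapshot (stack and CONTEXT values modelled on the XP session above; the return address slot is a dummy).

```python
import struct

# x86 (32-bit) CONTEXT layout in winnt.h declaration order: (field, size in bytes).
# Offsets are derived from this list rather than hard-coded, so the 0xb8 used in
# bp ntdll!ZwContinue "bp poi(poi(esp+4)+0xb8)" can be checked instead of trusted.
X86_CONTEXT_FIELDS = [
    ("ContextFlags", 4),
    ("Dr0", 4), ("Dr1", 4), ("Dr2", 4), ("Dr3", 4), ("Dr6", 4), ("Dr7", 4),
    ("FloatSave", 0x70),          # FLOATING_SAVE_AREA
    ("SegGs", 4), ("SegFs", 4), ("SegEs", 4), ("SegDs", 4),
    ("Edi", 4), ("Esi", 4), ("Ebx", 4), ("Edx", 4), ("Ecx", 4), ("Eax", 4),
    ("Ebp", 4), ("Eip", 4), ("SegCs", 4), ("EFlags", 4), ("Esp", 4), ("SegSs", 4),
    ("ExtendedRegisters", 512),   # MAXIMUM_SUPPORTED_EXTENSION
]

def context_offsets():
    """Return {field: offset} plus '__size__' for the x86 CONTEXT structure."""
    offsets, pos = {}, 0
    for name, size in X86_CONTEXT_FIELDS:
        offsets[name] = pos
        pos += size
    offsets["__size__"] = pos
    return offsets

class FlatMemory:
    """Little-endian byte image starting at `base`; a constructed stand-in for debuggee memory."""
    def __init__(self, base, size):
        self.base = base
        self.buf = bytearray(size)

    def write_u32(self, addr, value):
        struct.pack_into("<I", self.buf, addr - self.base, value)

    def poi(self, addr):
        """WinDbg's poi(): dereference a 32-bit pointer."""
        return struct.unpack_from("<I", self.buf, addr - self.base)[0]

def ntcontinue_resume_eip(mem, esp):
    """Evaluate poi(poi(esp+4)+0xb8) at the ZwContinue entry: [esp+4] is PCONTEXT, then CONTEXT.Eip."""
    pcontext = mem.poi(esp + 4)
    return mem.poi(pcontext + context_offsets()["Eip"])

def build_sample():
    """Constructed snapshot: esp=0023fd24 at ZwContinue, CONTEXT at 0023fd30, as in the XP session."""
    esp, pcontext = 0x0023fd24, 0x0023fd30
    mem = FlatMemory(0x0023fd20, 0x400)
    mem.write_u32(esp, 0x41414141)           # constructed dummy return address
    mem.write_u32(esp + 4, pcontext)         # arg 1: PCONTEXT
    mem.write_u32(esp + 8, 0)                # arg 2: TestAlert = FALSE
    off = context_offsets()
    mem.write_u32(pcontext + off["ContextFlags"], 0x00010007)  # CONTEXT_FULL
    mem.write_u32(pcontext + off["Eax"], 0x00401220)   # image entry point (value seen in the thread)
    mem.write_u32(pcontext + off["Eip"], 0x7c810705)   # kernel32!BaseProcessStartThunk (from the thread)
    mem.write_u32(pcontext + off["Esp"], 0x0023fffc)
    return mem, esp

if __name__ == "__main__":
    mem, esp = build_sample()
    print("CONTEXT.Eip offset = %#x" % context_offsets()["Eip"])
    print("resume eip = %#010x" % ntcontinue_resume_eip(mem, esp))
```

Because the resume address is read from a structure the thread itself constructs, a breakpoint on that value is the reliable way to catch the first user-mode instruction of the new image; stepping over sysenter cannot do it.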
