Hello Everybody,
For SVKP we have to recover the program bytes ripped from the execution of the program, and some from stack manipulation.
Stack manipulation start address --> 0xEB6B385 & end address --> 0xEB6C82D
If somebody wants to practise Evaluator's excellent Pseudo_code exercise at Woodmann's forum, they can have a look at it. The URL for it is hxxp://66.98.132.48/forum/showthread.php?t=4805
I have tried to recover the bytes but it's not perfect.
Code:
:004C7B26 55 PUSH EBP
:004C7B27 8BEC MOV EBP,ESP
:004C7B29 6AFF PUSH FF
:004C7B2B 6840534F00 PUSH 004F5340
:004C7B30 68AE7C4C00 PUSH 004C7CAE
:004C7B35 64FF3500000000 PUSH DWORD PTR FS:[00000000]
:004C7B3C 64892500000000 MOV FS:[00000000],ESP
:004C7B43 83EC68 SUB ESP,68
Doubtful:
Code:
:004C7B46 57 PUSH EDI
:004C7B47 50 PUSH EAX
:004C7B48 6800000000 PUSH 00000000
:004C7B4D 57 PUSH EDI
:004C7B4E 8965E8 MOV [EBP-18],ESP
:004C7B51 33DB XOR EBX,EBX
:004C7B53 895DFC MOV [EBP-04],EBX
Might be OK...
Code:
:004C7B56 50 PUSH EAX
:004C7B57 6A02 PUSH 02
:004C7B59 FF1570204E00 CALL [004E2070]
:004C7B5F 59 POP ECX
:004C7B60 830D703D5300FF OR DWORD PTR [00533D70],-01
:004C7B67 89DB MOV EBX,EBX
:004C7B69 830D743D5300FF OR DWORD PTR [00533D74],-01
:004C7B70 FF156C204E00 CALL [004E206C]
:004C7B76 87ED XCHG EBP,EBP
:004C7B78 8B0D3C3A5300 MOV ECX,[00533A3C]
:004C7B7E 8908 MOV [EAX],ECX
:004C7B80 FF1534204E00 CALL [004E2034] <-- will call 4C7B90
R@dier / SvensK / everybody: you can use Gaia's / Zilot's excellent Import Rec plugin, which will find the majority of the APIs; some 7 or 10 are not found and we need to find them manually.
More later...
Regards, Sope.
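As an added sanity check for ripped listings like the ones above (my own example, not code from the post or from SVKP): parse the ':address bytes text' lines, flag any instruction whose address does not follow on from the previous instruction's bytes, and cross-check the little-endian operand bytes of PUSH imm32 (68) and CALL [disp32] (FF 15) against the hex value printed in the text. The constructed sample is the first block plus three lines of the third block with the doubtful middle block left out, so the two gaps it reports are the expected result.

```python
import re

# Constructed sample from the post's own listing; the "doubtful" middle block is left out on purpose.
LISTING = """\
:004C7B26 55 PUSH EBP
:004C7B27 8BEC MOV EBP,ESP
:004C7B29 6AFF PUSH FF
:004C7B2B 6840534F00 PUSH 004F5340
:004C7B30 68AE7C4C00 PUSH 004C7CAE
:004C7B35 64FF3500000000 PUSH DWORD PTR FS:[00000000]
:004C7B3C 64892500000000 MOV FS:[00000000],ESP
:004C7B43 83EC68 SUB ESP,68
:004C7B56 50 PUSH EAX
:004C7B57 6A02 PUSH 02
:004C7B59 FF1570204E00 CALL [004E2070]
:004C7B80 FF1534204E00 CALL [004E2034] <-- will call 4C7B90
"""
LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(.*)$")

def parse_listing(text):
    """Turn ':ADDR HEXBYTES TEXT' lines into (address, raw bytes, text) tuples; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3).strip()))
    return rows

def find_gaps(rows):
    """Each instruction must start where the previous one ends; report (addr, expected_next, actual_next)."""
    gaps = []
    for (addr, code, _), (nxt, _, _) in zip(rows, rows[1:]):
        if nxt != addr + len(code):
            gaps.append((addr, addr + len(code), nxt))
    return gaps

def find_operand_mismatches(rows):
    """For PUSH imm32 (68 xx xx xx xx) and CALL [disp32] (FF 15 xx xx xx xx), the little-endian bytes must equal the printed 8-digit operand."""
    bad = []
    for addr, code, text in rows:
        if len(code) == 5 and code[0] == 0x68:
            value = int.from_bytes(code[1:], "little")
        elif len(code) == 6 and code[:2] == b"\xff\x15":
            value = int.from_bytes(code[2:], "little")
        else:
            continue  # other encodings are not cross-checked here
        printed = re.search(r"[0-9A-Fa-f]{8}", text)
        if printed is None or int(printed.group(0), 16) != value:
            bad.append((addr, value, text))
    return bad
```

Running find_gaps on the sample reports the hole between 004C7B46 and 004C7B56 and the one between 004C7B5F and 004C7B80, which is exactly the left-out block; a clean rip should report none.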