14 Dec
2021
14 Dec
'21
12:59 p.m.
param_2 is edx which is 0 that's the first three pushed values then the function pointers, two of them ecx here is 0xffffc944. I type `p *$ecx` into gdb and see it's a valid dereferencable pointer. wonder where this came from. glancing up at the entrypoint assembly 08048167 89 e1 MOV ECX,ESP 08048169 83 e4 f0 AND ESP,0xfffffff0 $ecx is $esp before being aligned to 16 bytes.