Let's see what comes next:
0:000> .formats esp+190
Evaluate expression:
Hex: 0012fecc
Okay, esp+0x190 (or esp+400 bytes) is 0x0012fecc. That value looks familiar. In fact,
if you look at the preceding registers display (or use the r command), you'll see that ebp
is 0x0012fecc. So ebp is stored directly after name. We know that ebp is a 4-byte pointer,
so let's see what's after that.
0:000> dd esp+190+4 l1
0012fed0 00401076
NOTE The l1 (the letter l followed by the number 1) after the address tells
the debugger to display only one of whatever type is being displayed. In this
case, we are displaying double words (4 bytes) and we want to display one (1)
of them. For more info on range specifiers, see the debugger.chm HTML help
topic "Address and Address Range Syntax."
That's another value that looks familiar. This time, it's the function return address:
0:000> k
ChildEBP RetAddr
0012fecc 00401076 meet!greeting+0x9
0012fedc 004013a0 meet!main+0x16
0012ffc0 77e7eb69 meet!mainCRTStartup+0x170
0012fff0 00000000 kernel32!BaseProcessStart+0x23
Chapter 11: Basic Windows Exploits
253
PART III
When you correlate the next adjacent memory address and the stack trace, you see
that the return address (saved eip) is stored next on the stack.
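The same layout the debugger just revealed (name, then the saved ebp, then the return address) can be measured from inside a running program; the following is an added example, not code from the book or its meet.c. It assumes gcc or clang on an x86 machine where locals sit below the frame pointer, mirrors greeting()'s 400-byte name buffer, and uses the compiler's __builtin_frame_address to find the saved frame pointer slot; on a 64-bit build each slot is 8 bytes and a stack canary may push the slots further out than the book's 0x190.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fill the buffer through a call the optimizer cannot see into, so
 * `name` really occupies 400 bytes of the frame instead of being dropped. */
__attribute__((noinline)) static void fill(char *dst, size_t n)
{
    memset(dst, 'A', n - 1);
    dst[n - 1] = '\0';
}

/* Mirror of greeting()'s frame: a 400-byte local buffer (the book's
 * esp+0x190).  Measures how far the saved frame pointer slot and the
 * return-address slot lie past the start of `name`.  Assumes gcc/clang
 * on x86 with a downward-growing stack and locals below the frame pointer. */
__attribute__((noinline)) static void frame_offsets(ptrdiff_t *fp_off,
                                                     ptrdiff_t *ret_off)
{
    char name[400];
    fill(name, sizeof name);
    /* __builtin_frame_address(0) is the address of the saved caller frame
     * pointer; the return address occupies the next pointer-sized slot. */
    char *fp_slot = (char *)__builtin_frame_address(0);
    *fp_off = fp_slot - name;
    *ret_off = *fp_off + (ptrdiff_t)sizeof(void *);
}

ptrdiff_t fp_slot_offset(void)
{
    ptrdiff_t fp, ret;
    frame_offsets(&fp, &ret);
    return fp;
}

ptrdiff_t ret_slot_offset(void)
{
    ptrdiff_t fp, ret;
    frame_offsets(&fp, &ret);
    return ret;
}

int main(void)
{
    ptrdiff_t fp = fp_slot_offset(), ret = ret_slot_offset();
    printf("saved frame pointer: %td bytes past name (book: 0x190 = 400)\n", fp);
    printf("return address slot: %td bytes past name (book: 0x194)\n", ret);
    /* Anything beyond 400 is canary or alignment padding that a modern
     * compiler inserts between the buffer and the saved registers. */
    printf("hardening/alignment padding: %td bytes\n", fp - 400);
    return 0;
}
```

Build it with and without -fstack-protector to watch the padding figure change; the slot order itself stays the one the k and dd output above show.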