Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

And after eip come our function parameters that were passed in. CDB treats bare numbers as hex, so esp+190 skips the 0x190-byte buffer, the first +4 skips the saved ebp, and the second +4 skips eip, landing on the first argument:
0:000> dd esp+190+4+4 l1
0012fed4 00320e15
0:000> db 00320e15
00320e15 4d 72 00 48 61 78 6f 72-00 fd fd fd fd ab ab ab Mr.Haxor........
Now that we have inspected memory ourselves, we can believe the graph shown in
Chapter 7, shown again in Figure 11-1.
Disassembling with CDB
To disassemble using the Windows debugger, use the u or uf (unassembled function)
command. The u command will disassemble a few instructions, with subsequent u
commands disassembling the next few instructions. In this case, because we want to see
the entire function, we'll use uf.
0:000> uf meet!greeting
meet!greeting:
00401020 55 push ebp
00401021 8bec mov ebp,esp
00401023 81ec90010000 sub esp,0x190
00401029 8b450c mov eax,[ebp+0xc]
0040102c 50 push eax
0040102d 8d8d70feffff lea ecx,[ebp-0x190]
00401033 51 push ecx
00401034 e8f7000000 call meet!strcpy (00401130)
00401039 83c408 add esp,0x8
0040103c 8d9570feffff lea edx,[ebp-0x190]
00401042 52 push edx
00401043 8b4508 mov eax,[ebp+0x8]
00401046 50 push eax
00401047 68405b4100 push 0x415b40
0040104c e86f000000 call meet!printf (004010c0)
00401051 83c40c add esp,0xc
00401054 8be5 mov esp,ebp
00401056 5d pop ebp
00401057 c3 ret
If you cross-reference this disassembly with the disassembly created on Linux in
Chapter 6, you'll find it to be almost identical.
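The listing tells you everything you need to turn the overflow into a controlled overwrite: the prologue reserves 0x190 bytes, strcpy's destination is ebp-0x190, so the saved ebp sits 0x190 bytes into the buffer and eip 4 bytes past that. The following C program is an added example, not code from the book or the meet.c source; it reads the uf output above (embedded here as constructed sample input) to recover those offsets, and places a bounded copy beside the strcpy shape that greeting() uses. The function names, the assumption that the destination is the last push before the call (cdecl, right-to-left), and the 4-byte saved ebp (32-bit target) are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input: the meet!greeting listing from the page,
 * in the form CDB's uf prints it ("address bytes mnemonic operands"). */
static const char *uf_listing[] = {
    "00401020 55 push ebp",
    "00401021 8bec mov ebp,esp",
    "00401023 81ec90010000 sub esp,0x190",
    "00401029 8b450c mov eax,[ebp+0xc]",
    "0040102c 50 push eax",
    "0040102d 8d8d70feffff lea ecx,[ebp-0x190]",
    "00401033 51 push ecx",
    "00401034 e8f7000000 call meet!strcpy (00401130)",
    "00401039 83c408 add esp,0x8",
    "0040103c 8d9570feffff lea edx,[ebp-0x190]",
    "00401042 52 push edx",
    "00401043 8b4508 mov eax,[ebp+0x8]",
    "00401046 50 push eax",
    "00401047 68405b4100 push 0x415b40",
    "0040104c e86f000000 call meet!printf (004010c0)",
    "00401051 83c40c add esp,0xc",
    "00401054 8be5 mov esp,ebp",
    "00401056 5d pop ebp",
    "00401057 c3 ret",
    NULL
};

/* Frame size reserved by the prologue: the operand of "sub esp,<hex>". */
unsigned long frame_size(const char **lines)
{
    for (; *lines; lines++) {
        const char *p = strstr(*lines, "sub esp,");
        if (p)
            return strtoul(p + strlen("sub esp,"), NULL, 16);
    }
    return 0;
}

/* Offset below ebp of strcpy's destination buffer. Under cdecl the first
 * argument is the last value pushed before the call, so take the register
 * from that push and walk back to the "lea <reg>,[ebp-<hex>]" that loaded it
 * (assumption: the compiler emits exactly this push/lea pattern, as here). */
unsigned long strcpy_dest_offset(const char **lines)
{
    int n = 0;
    while (lines[n]) n++;
    for (int i = 1; i < n; i++) {
        if (!strstr(lines[i], "call meet!strcpy"))
            continue;
        const char *push = strstr(lines[i - 1], "push ");
        if (!push)
            return 0;
        char pat[32];
        snprintf(pat, sizeof pat, "lea %s,[ebp-", push + strlen("push "));
        for (int j = i - 2; j >= 0; j--) {
            const char *p = strstr(lines[j], pat);
            if (p)
                return strtoul(p + strlen(pat), NULL, 16);
        }
    }
    return 0;
}

/* Bytes strcpy must write, counting from the start of the buffer, to reach
 * each slot. Layout read off the listing: buffer at ebp-dest_off, saved ebp
 * at ebp, return address at ebp+4 (32-bit: 4-byte saved ebp). */
unsigned long offset_to_saved_ebp(unsigned long dest_off) { return dest_off; }
unsigned long offset_to_return_address(unsigned long dest_off) { return dest_off + 4; }

/* greeting() copies temp2 into its local buffer with an unbounded strcpy,
 * which is what lets a long argv[2] run over saved ebp and eip. A bounded
 * copy that truncates and always NUL-terminates closes that hole.
 * Returns the number of bytes copied (excluding the terminator). */
#define NAME_LEN 400
size_t bounded_copy(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0)
        return 0;
    if (n >= dstlen)
        n = dstlen - 1;               /* truncate instead of overflowing */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

int main(void)
{
    unsigned long fs = frame_size(uf_listing);
    unsigned long dest = strcpy_dest_offset(uf_listing);
    printf("frame size 0x%lx, strcpy destination ebp-0x%lx\n", fs, dest);
    printf("bytes to reach saved ebp: %lu, saved eip: %lu\n",
           offset_to_saved_ebp(dest), offset_to_return_address(dest));

    char name[NAME_LEN];
    char long_arg[1000];
    memset(long_arg, 'A', sizeof long_arg - 1);   /* constructed oversized argv[2] */
    long_arg[sizeof long_arg - 1] = '\0';
    printf("bounded copy kept %zu of %zu bytes\n",
           bounded_copy(name, sizeof name, long_arg), strlen(long_arg));
    return 0;
}
```

Run against the listing, the program reports a 0x190-byte frame, a destination of ebp-0x190, and therefore 400 bytes to the saved ebp and 404 to eip, which is the padding length an exploit string for this binary needs before the address it wants to land in eip.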