Typo in the function epilogue explanation

Question

Typo in the function epilogue explanation

Closed this issue 7 years ago · 2 comments

amlamarra commented 7 years ago

There are 3 bullets describing what the function epilogue does. The second bullet states:

POP EBP to restore the saved EBP value into the EBP register;

One of those EPB's should be ESP.

GREAT tutorial, by the way!

Answer 1 · 2019-03-24T05:55:55.000Z

Hmm. Are you sure? 😕

The tutorial says:

----------------------------  CODE  ----------------------------
....
EIP -> 08041794  |> 8BE5           MOV ESP,EBP
       08041796  |. 5D             POP EBP
       08041797  \. C3             RETN
....
----------------------------------------------------------------

MOV ESP,EBP to pivot the stack "back down" to the saved EBP and Saved Return Pointer area;

POP EBP to restore the saved EBP value into the EBP register;

RET to return to the Saved Return Pointer.

The POP EBP does indeed restore the saved EBP value into the EBP register.

It's definitely not a POP ESP
It's definitely not popping into the ESP register
It's not popping the saved ESP value (the subsequent RET is returning to that value)

Which one should be ESP? 😅

And thanks for the kind words! I'm glad you dig it 😄

Answer 2 · 2019-03-24T12:08:45.000Z

Sorry. I just had to look at it again to realized that I was wrong. Not sure why that didn't make sense to me. Anyway, I'm studying for OSCP and this tutorial is EXACTLY what I need for the Windows BOF section. Thanks!