Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ESP offset masking functionality not working under certain conditions #17

Open
recvfrom opened this issue Jun 8, 2018 · 1 comment
Open

ESP offset masking functionality not working under certain conditions #17

recvfrom opened this issue Jun 8, 2018 · 1 comment

Comments

@recvfrom
Copy link

recvfrom commented Jun 8, 2018

When clicking the option to perform ESP Offset masking, no action is performed for the following code block:

C7 04 24 30 75 00 00    mov     [esp+224h+dwMilliseconds], 7530h ; dwMilliseconds
FF 15 AC 10 40 00       call    ds:Sleep

To reproduce, look at address 0x00402422 in 77566850743bac708ce4e05ffa53347870863c015403eea30f7dbd8e7d4b8333
@recvfrom
Copy link
Author

recvfrom commented Jun 8, 2018

Ah, it looks like that instruction is equivalent to mov dword ptr [esp], 0x7530, so there's no offset to mask... It'd be cool if the CASC UI could somehow indicate this, since unless you check to see what IDA has defined dwMilliseconds as it isn't obvious that this case is different than something like the following, where masking is needed:

FF 74 24 18       push    [esp+220h+lpParameter] ; lpMem
E8 57 EF FF FF    call    sub_401379

Thoughts?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@recvfrom