Forum Discussion
Hello, I don't understand how this can help if we are supposed to be identifying what EDX points to. I have also been on this lab for a long time. I spent a long time using the examples and explanations given on the assembly code to understand what is happening, but I still don't understand how I can identify what EDX is pointing to.
0040155e MOV EDX, dword ptr[EBP+local_8]
00401561 ADD EDX, 0x17c
00401567 PUSH EDX
So EDX at 00401567 should be pointing to the address [EBP+local_8] + 0x17c.
Please correct me if I'm wrong on that.
If I'm right, how do I identify what EDX is pointing to?
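As an added illustration (not from the lab or from either poster), here is a tiny emulator that steps the three listed instructions on a constructed stack frame and reports what ends up in EDX and on the stack. The register values, the pointer stored in local_8, and the local_8 → EBP-8 mapping are all assumptions; with the real values from the lab's debugger you would substitute those instead.

```python
import re

# Ghidra's stack-variable names are EBP-relative offsets. local_8 is taken here
# to be the dword 8 bytes below the saved EBP; that mapping is an assumption
# for this walkthrough, not something the listing states.
LOCALS = {"local_8": -0x8}
MASK32 = 0xFFFFFFFF

# The three instructions from the post, used as the emulator's input.
LISTING = """0040155e MOV EDX, dword ptr[EBP+local_8]
00401561 ADD EDX, 0x17c
00401567 PUSH EDX"""

class X86Mini:
    """Just enough x86 (MOV, ADD, PUSH, dword memory) to trace the listing."""
    def __init__(self, regs, mem):
        self.regs, self.mem = dict(regs), dict(mem)  # mem: address -> dword

    def _mem_addr(self, base, disp):
        off = LOCALS[disp] if disp in LOCALS else int(disp, 16)
        return (self.regs[base.upper()] + off) & MASK32

    def value(self, op):
        op = op.strip()
        m = re.fullmatch(r"dword ptr\s*\[(\w+)\+(\w+)\]", op, re.I)
        if m:                            # memory operand: read the dword stored there
            return self.mem[self._mem_addr(*m.groups())]
        if op.lower().startswith("0x"):  # immediate
            return int(op, 16)
        return self.regs[op.upper()]     # register

    def step(self, line):
        _addr, mnem, rest = line.split(maxsplit=2)
        ops = [o.strip() for o in rest.split(",")]
        if mnem == "MOV":
            self.regs[ops[0]] = self.value(ops[1])
        elif mnem == "ADD":
            self.regs[ops[0]] = (self.value(ops[0]) + self.value(ops[1])) & MASK32
        elif mnem == "PUSH":             # the pushed dword becomes the next call's argument
            self.regs["ESP"] = (self.regs["ESP"] - 4) & MASK32
            self.mem[self.regs["ESP"]] = self.value(ops[0])
        else:
            raise ValueError(mnem)

def trace_edx(ebp=0x0019FF70, local_8_value=0x00403000):
    """Run the listing on a constructed frame where local_8 holds a pointer (assumed)."""
    cpu = X86Mini({"EBP": ebp, "ESP": ebp - 0x40, "EDX": 0},
                  {(ebp + LOCALS["local_8"]) & MASK32: local_8_value})
    for line in LISTING.splitlines():
        cpu.step(line)
    # EDX is an address: the pointer loaded from local_8 plus 0x17c, not the
    # value at that address, and the same address is what PUSH placed on the stack.
    return {"edx": cpu.regs["EDX"], "pushed": cpu.mem[cpu.regs["ESP"]],
            "offset_from_local_8": cpu.regs["EDX"] - local_8_value}
```

Swapping in the actual EBP and [EBP+local_8] values observed in the debugger tells you the concrete address EDX carries into the call.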
So, initially, I thought that they were asking you to look up something in Microsoft documentation, like one of the questions in an earlier lab, where a specific hex value related to a specific crypto algorithm ID. But that's not it, I don't think (low-level assembly stuff and Windows internals are not my forte!). I think 0x17c is just the value that's being passed as the final argument in the CreateProcessA function call - and they're effectively asking you what that value is. So you need to look at the docs for that function call - CreateProcessA function (processthreadsapi.h) - Win32 apps | Microsoft Learn