Forum Discussion
Hey Fastlime 👋🏻
Thank you for posting, and I'm sorry for the late reply to your question.
A member of our Content Team shared this with us, in case it is of any help to your attempt:
"Just had a look over this, the task points users at looking at the Microsoft Docs in https://developer.microsoft.com/en-gb/windows/ to help them with identifying APIs. The user can look up the CreateProcess API here to help them identify the structure. Thanks!"
Will you try this final task again, and see if this helps you to solve the question successfully?
Kindest regards
- tacobacocrunchwrap330 days ago (Bronze I)
Hello, I don't understand how this can help if we are supposed to be identifying what EDX points to. I have also been on this lab for a long time. I spent a long time using the examples and explanations given on the assembly code to understand what is happening, but I still don't understand how I can identify what EDX is pointing to.
0040155e MOV EDX, dword ptr [EBP+local_8]
00401561 ADD EDX, 0x17c
00401567 PUSH EDX
So EDX at 00401567 should be pointing to the address [EBP+local_8] + 0x17c.
Please correct me if I'm wrong on that.
If I'm right, how do I identify what EDX is pointing to?
- autom8on, 7 days ago (Bronze II)
So, initially, I thought that they were asking you to look up something in Microsoft documentation, like one of the questions in an earlier lab, where a specific hex value related to a specific crypto algorithm ID. But that's not it, I don't think (low-level assembly stuff and Windows internals are not my forte!). I think 0x17c is just the value that's being passed as the final argument in the CreateProcessA function call, and they're effectively asking you what that value is. So you need to look at the docs for that function call: CreateProcessA function (processthreadsapi.h) - Win32 apps | Microsoft Learn
- ChrisKershaw, 10 days ago (Community Support)
I have reached out to our lab Content Team to have this examined further for you. I'll be happy to share an update once I've heard back if that will help 😊.
- netcat, 9 days ago (Bronze II)
Hint 1:
Ignore the question from iL; it doesn't help (except for the fact that you shall enter only one word into the answer box, and it confuses you with EDX).
Hint 2:
At address 00401567 something is pushed onto the stack. Generally, for which reasons do you push items onto the stack? (ChatGPT gives you five answers.)
Hint 3:
At address 00401567 something is pushed onto the stack. Can you figure out the reason in this case, why is it pushed on the stack and what for?
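The two things the thread circles around, what the MOV/ADD/PUSH sequence quoted above actually leaves in EDX and why a value gets pushed before a CALL, can be made concrete in a few lines of C. The following is an added example written for this thread, not code from the lab or from any poster: it emulates the three instructions on a constructed stack-frame layout (`frame_locals_t`, its field names and the sizes 0x104 and 0x78 are assumptions chosen only so that one field starts at offset 0x17c; the lab binary's real frame is unknown) and maps "n-th PUSH before the CALL" to a CreateProcessA parameter using the right-to-left push order of 32-bit x86 calling conventions. The parameter names are those of the processthreadsapi.h documentation the thread links to; `param_for_push`, `field_at_offset` and `emulate_push` are helper names invented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CreateProcessA parameters in declaration order, as listed in the
 * Microsoft documentation referenced in the thread. */
static const char *const CREATEPROCESSA_PARAMS[] = {
    "lpApplicationName", "lpCommandLine", "lpProcessAttributes",
    "lpThreadAttributes", "bInheritHandles", "dwCreationFlags",
    "lpEnvironment", "lpCurrentDirectory", "lpStartupInfo",
    "lpProcessInformation",
};
#define NPARAMS (sizeof CREATEPROCESSA_PARAMS / sizeof *CREATEPROCESSA_PARAMS)

/* On 32-bit x86 (stdcall and cdecl alike) arguments are pushed right to
 * left, so the k-th PUSH before the CALL (k = 1 for the earliest push)
 * carries parameter number NPARAMS - k + 1.  NULL when k is out of range. */
const char *param_for_push(unsigned k) {
    if (k == 0 || k > NPARAMS) return NULL;
    return CREATEPROCESSA_PARAMS[NPARAMS - k];
}

/* CONSTRUCTED layout (assumption for illustration only, not the lab
 * binary's real frame): a block of locals whose address is stored in the
 * slot the listing calls local_8.  The first two sizes are chosen so that
 * the third field begins exactly 0x17c (380) bytes into the block. */
typedef struct {
    char     text_buffer[0x104];                 /* offset 0x000 */
    uint8_t  middle_buffer[0x78];                /* offset 0x104 */
    struct { uint32_t a, b, c, d; } out_struct;  /* offset 0x17c */
} frame_locals_t;

/* Name of the field that starts at `offset` in frame_locals_t,
 * or "<none>" when no field starts there. */
const char *field_at_offset(size_t offset) {
    if (offset == offsetof(frame_locals_t, text_buffer))   return "text_buffer";
    if (offset == offsetof(frame_locals_t, middle_buffer)) return "middle_buffer";
    if (offset == offsetof(frame_locals_t, out_struct))    return "out_struct";
    return "<none>";
}

/* Emulates the three instructions from the listing.  `base` plays the role
 * of the value read from [EBP+local_8]; the result is the pointer that ends
 * up on the stack.  What is pushed is an address, not the constant 0x17c. */
uintptr_t emulate_push(const frame_locals_t *base, uint32_t off) {
    uintptr_t edx = (uintptr_t)base;   /* MOV EDX, dword ptr [EBP+local_8] */
    edx += off;                        /* ADD EDX, 0x17c */
    return edx;                        /* PUSH EDX */
}

int main(void) {
    frame_locals_t locals;
    memset(&locals, 0, sizeof locals);

    uintptr_t pushed = emulate_push(&locals, 0x17c);
    printf("offset 0x17c is the start of field: %s\n", field_at_offset(0x17c));
    printf("pushed value == &locals.out_struct: %s\n",
           pushed == (uintptr_t)&locals.out_struct ? "yes" : "no");
    printf("1st PUSH before CALL CreateProcessA supplies: %s\n", param_for_push(1));
    printf("10th PUSH before CALL CreateProcessA supplies: %s\n", param_for_push(10));
    return 0;
}
```

The point to take from running it: the pushed value is `base + 0x17c`, an address inside the caller's own locals, so the register is being used to hand the callee a pointer to something the caller owns, and which parameter that pointer lands in is fixed by how many pushes precede the CALL, not by the constant itself. To apply this to the real binary, count the pushes between 00401567 and the CALL and read the matching parameter off the documentation page.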