Practical Reverse Engineering Exercise Solutions: Page 35 / Exercise 6
Exercise 6 on page 35 of the book Practical Reverse Engineering presents us with malware samples.
These can be downloaded at the following page:
https://grsecurity.net/malware_research/
In this exercise, we are expected to have a look at the following routine, sub_13842:
[Disassembly listing of sub_13842 (image not preserved in this copy)]
Firstly, we see that the function takes two parameters, which are passed not on the stack but in the two registers ecx and edx. This can be deduced from the fact that both registers are read immediately, without having been initialized earlier in the function: a value that is used before the function writes it must have been supplied by the caller.