Actually there is an error here in the explaination. At 6:09 you say that Notepad++ is highlighting a "return address". This is false. What you are highlighting is the EBP(the previous stack frame) pushed on to the stack, no the return address. In fact the return address is the function symbol that is above(in memory) from the old EBP. To clarify at 6:13 0079ffdc is the old EBP(not the return address) and 77af7bf4 (ntdll!_RtlUserThreadStart+0x1b) is the return address.
!teb does not work, it gives error InitTypeRead ( TEB )
.logopen does not work, it keeps saying "Log file could not be opened"
New technique i've learned. Thanks!
Actually there is an error here in the explaination. At 6:09 you say that Notepad++ is highlighting a "return address". This is false. What you are highlighting is the EBP(the previous stack frame) pushed on to the stack, no the return address. In fact the return address is the function symbol that is above(in memory) from the old EBP.
To clarify at 6:13 0079ffdc is the old EBP(not the return address) and 77af7bf4 (ntdll!_RtlUserThreadStart+0x1b) is the return address.
...although you do seem to "correct" the error later in the explaination.
Anyhow nice video.
thanks.. high voice!