XDS Lab 2: ESP Address

On page 14 (Lab2) we examine the register ESP starting from 0x190 but why we start from that?

Another thing also on page 14 there is:

We can see that our buffer starts at 0xbffff2a0 + 0x6 = 0xbffff2a6

why in this case is + 0x6 and not + 0x8?

Original post by diegoflexkid


The 0x190 was found by experimenting with offsets from ESP. This is often the case when viewing the stack at some offset from ESP. 0x190 is equal to 400 decimal and the buffer length is 390 decimal, so 400 should be enough to see the beginning of the buffer.

Buffer starts at + 0x6 because each byte in the 4-byte column is +1. There are only A's in the buffer, so we look for the first occurrence of 0x41. This can be spotted in the second column, so it's already +4 from the row address. But remember that bytes in memory are stored in little-endian order, so in fact it is:

[image: the stack dump with the bytes of each word shown in little-endian order]

Otherwise it would make no sense as we sent “0x414141…” and the buffer in memory is “0x4141fc08414141…”

Original reply by lukasz.m
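As an added example (not part of the thread, and not from the course material), the following Python script shows the byte-order point from the reply in code: it parses a gdb `x/wx`-style dump, unpacks each printed 32-bit word into the order the bytes actually occupy in memory on little-endian x86, and reports the address of the first 0x41 byte. It also runs the left-to-right misreading for comparison, which is what would give +4 instead of +6. The dump lines are constructed; only the row address 0xbffff2a0 and the word 0x4141fc08 are taken from the thread.

```python
import struct

# Constructed sample of what `x/8wx $esp+0x190` might print in gdb.
# The row address and the 0x4141fc08 word follow the thread; the
# remaining words are placeholders chosen for the example.
SAMPLE_DUMP = """\
0xbffff2a0:\t0xb7fd2000\t0x4141fc08\t0x41414141\t0x41414141
0xbffff2b0:\t0x41414141\t0x41414141\t0x41414141\t0x41414141
"""


def parse_gdb_words(dump):
    """Return a list of (row_address, [word, ...]) from x/wx-style output."""
    rows = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        addr_text, _, rest = line.partition(":")
        words = [int(w, 16) for w in rest.split()]
        rows.append((int(addr_text, 16), words))
    return rows


def word_bytes_in_memory(word):
    """gdb prints each 32-bit word as a value; on little-endian x86 the
    lowest byte of that value sits at the lowest address, which is the
    order struct's '<I' format produces."""
    return struct.pack("<I", word)


def first_byte_address(rows, fill=0x41):
    """Address of the first byte equal to `fill`, in true memory order."""
    for row_addr, words in rows:
        for col, word in enumerate(words):
            for i, b in enumerate(word_bytes_in_memory(word)):
                if b == fill:
                    return row_addr + 4 * col + i
    return None


def first_byte_address_naive(rows, fill=0x41):
    """Same search, but reading each printed word left to right
    (big-endian), the misreading that puts the buffer at +4 instead of +6."""
    for row_addr, words in rows:
        for col, word in enumerate(words):
            for i, b in enumerate(struct.pack(">I", word)):
                if b == fill:
                    return row_addr + 4 * col + i
    return None


if __name__ == "__main__":
    rows = parse_gdb_words(SAMPLE_DUMP)
    print(hex(first_byte_address(rows)))        # 0xbffff2a6
    print(hex(first_byte_address_naive(rows)))  # 0xbffff2a4
```

The second column word 0x4141fc08 occupies addresses +4 through +7 as the bytes 08, fc, 41, 41, so the first A lands at +6; reading the printed value left to right would wrongly place it at +4.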


Now it's clear, thank you so much for the help.

Original post by diegoflexkid