Hello, what does the LEAVE command do?
I'm getting the EBP pointer screwed after LEAVE, which causes the callee sub to crash. I watched the stack just after ENTER and before LEAVE on the same level of nesting, and it is the same. Can the LEAVE command be fooled by recursive calling of my function?

Values in the comments are those after the command:
004014E1 >/$  55            PUSH EBP          ; EBP=0012FC84 ESP=0012FB4C
004014E2 |.   8BEC          MOV EBP, ESP
004014E4 |.   81C4 F0FEFFFF ADD ESP, -110     ; ESP=0012FA38
...
00401762 |.   59            POP ECX           ; EBP=0012FB48 ESP=0012FA38
00401763 |.   C9            LEAVE             ; EBP=0000FC00 ;( ESP=0012FB4C
00401764 \.   C2 1800       RETN 18
Posted on 2003-02-02 10:44:23 by _Servil_
LEAVE is the same as:
mov esp, ebp
pop ebp
Looks like the stack version of EBP is getting altered in the routine.

The stack is set up like this after entry:

0
...
ESP-->{local space}
EBP-->{EBP}
      {return value}
      {parameters}
...
0FFFFFFFFh

EBP points to its old value, and ESP points to local stack space, but EBP is used to reference these bytes as ESP changes dynamically. You need to find where that DWORD PTR is getting altered.
Posted on 2003-02-02 11:49:35 by bitRAKE
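The two diagnostics bitRAKE suggests, checking the saved EBP slot at [EBP] before LEAVE and finding which store altered it, worked through as an added example in C (not code from the thread). It models a slice of the stack around the addresses _Servil_ posted (caller EBP=0012FC84, ESP=0012FB4C, then ADD ESP,-110), replays a constructed list of DWORD stores made by the callee body, reports the first store that changes [EBP], and walks the saved-EBP chain the way a debugger would to confirm whether the frames still link correctly. The store addresses and the 0000FC00 value are constructed to reproduce the thread's symptom; the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the x86 stack region around the addresses in the
 * thread (0012FA38..0012FC84). Stack grows towards lower addresses. */
#define STACK_LOW  0x0012F000u
#define STACK_TOP  0x00130000u
static uint8_t stack_mem[STACK_TOP - STACK_LOW];

typedef struct { uint32_t esp, ebp; } cpu_t;
typedef struct { uint32_t addr, val; } store_t;   /* one DWORD store by the callee body */

static int in_stack(uint32_t a) { return a >= STACK_LOW && a + 4 <= STACK_TOP; }
static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, stack_mem + (a - STACK_LOW), 4); return v; }
static void wr32(uint32_t a, uint32_t v) { memcpy(stack_mem + (a - STACK_LOW), &v, 4); }

static void push(cpu_t *c, uint32_t v) { c->esp -= 4; wr32(c->esp, v); }
static uint32_t pop(cpu_t *c) { uint32_t v = rd32(c->esp); c->esp += 4; return v; }

/* PUSH EBP / MOV EBP,ESP / ADD ESP,-locals */
static void prologue(cpu_t *c, uint32_t locals) { push(c, c->ebp); c->ebp = c->esp; c->esp -= locals; }
/* LEAVE is exactly MOV ESP,EBP / POP EBP */
static void leave(cpu_t *c) { c->esp = c->ebp; c->ebp = pop(c); }

/* Replay the body's stores and return the index of the first one that changes
 * the saved-EBP slot at [EBP], or -1 if the slot survives intact. A store that
 * lands outside the modelled stack is reported as well. */
static int find_saved_ebp_clobber(const cpu_t *c, const store_t *st, size_t n) {
    uint32_t saved = rd32(c->ebp);
    for (size_t i = 0; i < n; i++) {
        if (!in_stack(st[i].addr)) return (int)i;
        wr32(st[i].addr, st[i].val);
        if (rd32(c->ebp) != saved) return (int)i;
    }
    return -1;
}

/* Walk the saved-EBP chain from the current frame up to the frame whose EBP
 * is stop_ebp. Each link must stay inside the stack and move towards higher
 * addresses. Returns frames walked, or -1 when the chain is broken. */
static int check_frame_chain(const cpu_t *c, uint32_t stop_ebp) {
    uint32_t ebp = c->ebp;
    for (int n = 0; n < 64; n++) {
        if (ebp == stop_ebp) return n;
        if (!in_stack(ebp)) return -1;
        uint32_t saved = rd32(ebp);
        if (saved <= ebp) return -1;
        ebp = saved;
    }
    return -1;
}

/* Reproduce the thread's call: caller at EBP=0012FC84 / ESP=0012FB4C, callee
 * prologue with ADD ESP,-110, the body's stores, then LEAVE. Returns the EBP
 * that LEAVE hands back to the caller. */
static uint32_t simulate(const store_t *st, size_t n, int *clobber, int *chain) {
    cpu_t c = { 0x0012FB4Cu, 0x0012FC84u };
    memset(stack_mem, 0, sizeof stack_mem);
    prologue(&c, 0x110);                       /* EBP=0012FB48, ESP=0012FA38 */
    *clobber = find_saved_ebp_clobber(&c, st, n);
    *chain = check_frame_chain(&c, 0x0012FC84u);
    leave(&c);
    return c.ebp;
}

int main(void) {
    /* Constructed bodies: the second one writes one DWORD past the local
     * space, i.e. straight onto the saved EBP at 0012FB48. */
    store_t good[] = { { 0x0012FA38u, 1 }, { 0x0012FB44u, 2 } };
    store_t bad[]  = { { 0x0012FA38u, 1 }, { 0x0012FB48u, 0x0000FC00u } };
    int cl, ch;
    uint32_t ebp = simulate(good, 2, &cl, &ch);
    printf("good: EBP after LEAVE=%08X clobbering store=%d chain=%d\n", ebp, cl, ch);
    ebp = simulate(bad, 2, &cl, &ch);
    printf("bad:  EBP after LEAVE=%08X clobbering store=%d chain=%d\n", ebp, cl, ch);
    return 0;
}
```

The good run returns EBP=0012FC84 with no clobbering store and a one-frame chain; the bad run returns EBP=0000FC00 exactly as in the posted listing, names store 1 as the culprit, and the chain walk fails because the "saved EBP" now points below the current frame. On a real target the same idea is a hardware write breakpoint on the DWORD at [EBP] set right after the prologue.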
Thanks, solved now.
Posted on 2003-02-02 13:14:30 by _Servil_