Improbable Occurrences (Part 1)
Saturday, October 27th, 2012
I was analyzing a raw thread stack when I came upon this symbolic address, which I thought was coincidental:
363b0030 77777777 advapi32!LsaEnumerateAccountRights+0x56
Forward disassembly makes sense, doesn't it? And every instruction seems to have a purpose:
0:000> u 77777777
advapi32!LsaEnumerateAccountRights+0x56:
77777777 a4 movs byte ptr es:[edi],byte ptr [esi]
77777778 fc cld
77777779 ffc3 inc ebx
7777777b 8b65e8 mov esp,dword ptr [ebp-18h]
7777777e ff75e0 push dword ptr [ebp-20h]
77777781 ff15e4187377 call dword ptr [advapi32!_imp__I_RpcMapWin32Status (777318e4)]
77777787 50 push eax
77777788 e8c6f6fbff call advapi32!LsapApiReturnResult (77736e53)
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
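Forward disassembly that reads cleanly does not by itself show that a stack value is a saved return address; a stronger sign is a CALL instruction ending exactly at that address. The sketch below is an added example, not part of the original post: it runs that check over the bytes shown in the listing, recognises only three common 32-bit CALL encodings, and the name `call_ending_at` is made up for illustration. The bytes before 77777777 are not on the page, so that address itself cannot be judged here.

```python
import struct

# Bytes copied from the `u 77777777` listing above, in address order.
BASE = 0x77777777
CODE = bytes.fromhex(
    "a4" "fc" "ffc3" "8b65e8" "ff75e0" "ff15e4187377" "50" "e8c6f6fbff"
)
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def call_ending_at(addr, base=BASE, code=CODE):
    """Describe a CALL whose encoding ends exactly at addr, else return None.

    Simplification: only these 32-bit encodings are recognised
      E8 rel32        call near relative      (5 bytes)
      FF 15 disp32    call dword ptr [mem]    (6 bytes)
      FF D0..D7       call reg                (2 bytes)
    """
    off = addr - base
    if not 0 < off <= len(code):
        # No preceding bytes available: the check cannot be made at all.
        raise ValueError("no bytes before %08x in the listing" % addr)

    def window(n):
        # The n bytes immediately before addr, or empty if not all present.
        return code[off - n:off] if off - n >= 0 else b""

    w = window(5)
    if len(w) == 5 and w[0] == 0xE8:
        rel = struct.unpack("<i", w[1:])[0]          # signed displacement
        return "call %08x" % ((addr + rel) & 0xFFFFFFFF)
    w = window(6)
    if len(w) == 6 and w[:2] == b"\xff\x15":
        return "call dword ptr [%08x]" % struct.unpack("<I", w[2:])[0]
    w = window(2)
    if len(w) == 2 and w[0] == 0xFF and 0xD0 <= w[1] <= 0xD7:
        return "call " + REGS[w[1] & 7]
    return None


if __name__ == "__main__":
    # Candidate values: instruction boundaries taken from the listing.
    for a in (0x7777777B, 0x7777777E, 0x77777787, 0x77777788, 0x7777778D):
        found = call_ending_at(a)
        print("%08x  %s" % (a, found or "no call ends here"))
```

Only 77777787 and 7777778d pass, and the targets recovered from the bytes match the ones WinDbg printed in the listing.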