WaxfordSqueers
November 19th, 2012, 06:13
Have a problem with stack offsets in Olly and IDA. The problem began when IDA2ICE complained that certain functions had very large stack offsets. One of them is listed as [ebp-0FA0Ch], which seems really wild. The same address in Olly is listed as MOV [LOCAL.16003], 0
Here's the code snippet from that section of code:
Code:
87F190 55 push ebp
87F191 8B EC mov ebp, esp
87F193 B8 0C FA 00 00 mov eax, 0FA0Ch
87F198 E8 23 F4 2A 00 call sub_B2E5C0
87F19D A1 84 6B F8 00 mov eax, lParam
87F1A2 33 C5 xor eax, ebp
87F1A4 89 45 FC mov [ebp-4], eax
87F1A7 C7 85 F4 05 FF FF 00 00 00 00 mov dword ptr [ebp-0FA0Ch], 0
87F1B1 C6 45 F7 00 mov byte ptr [ebp-9], 0
87F1B5 8B 45 10 mov eax, [ebp+10h]
One of the problems is this line here:
87F1A7 C7 85 F4 05 FF FF 00 00 00 00 mov dword ptr [ebp-0FA0Ch], 0
How can a base pointer have an offset of -0x0FAC?? And in Olly, is it normal to have the same offset at LOCAL.16003? In fact, what the hey does LOCAL.16003 mean?
Can anyone interpret the machine code to see if that seems correct?
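An added example, not part of the original post: a short Python decode of the EBP-relative operands in the listing above, showing how the bytes `F4 05 FF FF` become the displacement -0FA0Ch and how that maps to OllyDbg's LOCAL.n naming (the n-th dword below EBP). The function names are made up for this illustration, and the decoder only handles the simple opcode + ModRM + displacement layout used by these four instructions.

```python
import struct

# Instruction bytes copied from the listing in the post, keyed by address.
LISTING = {
    "87F1A4": bytes.fromhex("8945FC"),                # mov [ebp-4], eax
    "87F1A7": bytes.fromhex("C785F405FFFF00000000"),  # mov dword ptr [ebp-0FA0Ch], 0
    "87F1B1": bytes.fromhex("C645F700"),              # mov byte ptr [ebp-9], 0
    "87F1B5": bytes.fromhex("8B4510"),                # mov eax, [ebp+10h]
}
# imm32 of the "mov eax, 0FA0Ch" at 87F193 (bytes B8 0C FA 00 00), little-endian.
FRAME_SIZE = struct.unpack("<I", bytes.fromhex("0CFA0000"))[0]


def ebp_displacement(insn: bytes) -> int:
    """Signed EBP displacement of a 32-bit instruction laid out as
    one-byte opcode, ModRM, displacement (no prefixes, no SIB byte)."""
    modrm = insn[1]
    mod, rm = modrm >> 6, modrm & 0b111
    if rm != 0b101 or mod not in (0b01, 0b10):
        raise ValueError("operand is not [ebp+disp8] or [ebp+disp32]")
    if mod == 0b01:                                # disp8, sign-extended
        return struct.unpack_from("<b", insn, 2)[0]
    return struct.unpack_from("<i", insn, 2)[0]    # disp32, little-endian


def olly_name(disp: int) -> str:
    """OllyDbg-style slot name: LOCAL.n is [ebp-4*n]; ARG.n starts at [ebp+8]
    (above the saved EBP and the return address)."""
    if disp < 0 and disp % 4 == 0:
        return f"LOCAL.{-disp // 4}"
    if disp >= 8 and disp % 4 == 0:
        return f"ARG.{(disp - 8) // 4 + 1}"
    return f"[ebp{disp:+#x}]"                      # not dword-aligned: no slot name


def annotate(listing=LISTING):
    """Map each address to (signed displacement, OllyDbg-style name)."""
    out = {}
    for addr, raw in listing.items():
        disp = ebp_displacement(raw)
        out[addr] = (disp, olly_name(disp))
    return out


if __name__ == "__main__":
    for addr, (disp, name) in annotate().items():
        print(f"{addr}: disp={disp:+#x} ({disp}) -> {name}")
    # The lowest local sits exactly FRAME_SIZE bytes below EBP.
    print("frame size from mov eax:", hex(FRAME_SIZE))
```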