lol
I need explications on instructions like [ebp+...]
Example

those are local variables or params passed to the function

some_shitty_proc proc lpParam1:dword

local local_variable:dword

mov eax,local_variable

...

Under Softice :

"D EBP+8" command give you the right address where is stored this param.
Then you can put a conditional breakpoint on memory access to see who is writing in !

It is in red. Learn the Stack dynamics in a introduction to assembly book or site

I can't put bpm because I want to ascend the code .

Revenge Naides has understand what I trie to do .What he is redunderlining is right .
I am amazed , he did it in deadlisting , I have found the same result in live approach with poor raisonings and It was very long .
I will add that he has not put in red this line in wich I have found a interresting byte


Would be able to put a name of document where I am sure to find your method ?
I have read any tricks on the stack push ,pop (increase or contrary of 4 bytes) , call , ret .I think I understand the role of esp but EBP nothing .
And this knowledge don't permit to ascend the code .
Most of explications shows the opposite direction the from the top to the bottom and not from the bottom to the top .

I am in a good mood today.

The stack is an area of memory hanging from the roof so every time you push something in the stack, it grows down. ESP points to the Bottom of the stack, and everytime you push something in the stack, the value of ESP decreases by 4 (Because registers are 4 bytes long) ESP is the ADDRESS of the last thing you pushed into the stack. Clear? OK

Before calling a function, the parameters are pushed into the stack, because callee function needs to know where to find them to be able to use them.

Let us imagine that ESP was hex 0000110 and a function that takes three parameters,Func (a,b,c) is called. Each parameter is pushed
c is pushed ESP is now 00000010 - 4 = 0000010C
b is Pushed ESP is now 0000000C - 4 = 00000108
a is Pushed ESP is now 00000008 - 4 = 00000104

(note the reverse order)
Then when call instruction is executed the return address is automatically pushed in the stack,
So now ESP is 4-4 = 00000100

Now you are at first instruction of the Callee function and the Parameters are at known locations: a at [ESP + 4] b at [ESP + 8] and c at [ESP + C]

but using ESP as reference to track your parameters is a pain, because it keeps changing every time you push or pop something to the stack.
Enter EBP, which you use to "freeze" the position of the stack when the call got started. That is why MOST call code start with

push EBP ;so the caller stack frame of variables will be restored at the end of the call
mov EBP, ESP ; Now all the addresses can be referenced to EBP instead of the slizzy ESP

But ESP got decreased by 4 when we pushed EBP so now a, the last pushed parameter is located at [EBP+8] b at [EBP+C] c at [EBP+10], the return address at [EBP + 4]the previous value of EBP is at [EBP+0].
Not infequently, the next isntruction of a typical call will substract a number from ESP,
for instance

sub ESP, 0C

which would open a space for 3 four byte (dword) local variables , which are going to be at addresses BELOW the EBP

The passed parameters and outside variables are found as Postive offsets from EBP like [EBP+0C] or [EBP + 10] while local variables, if there are any, are referred by negative offsets of EBP [EBP - 4], [EBP - 8].

At the end of the call, before the ret, EBP is poped [The frame is restored] so the caller code local variables an their relative positions remain in the same places relative to the caller stack frame, anchored on the value of EBP. And that is why it is so easy to fuck up code flow when you mess with pushes pops and returns if you dont READ THE FUCKING MANUAL AND LEARN THE STACK DYNAMICS

By the way, IDA will be much more helpful to "ascend" in the code:

You can rename [EBP + 8] to "My Variable", or "my shit" and IDA will track it up the call tree up to a certain point.

Thanks Sir