problem finding offset for this multilevel pointers
Posted: Thu Feb 18, 2021 12:42 pm
I'm just trying to create a 2-byte pointer for EXP, but this looks very different from the tutorial. I don't know what the offset is; could anyone tell me what to do?
first result
second results
first result
1A2372D201D - 45 8B 2C 04 - mov r13d,[r12+rax]
1A2372D201D:
1A2372D2013 - 49 83 E4 FC - and r12,-04
1A2372D2017 - 0F84 F76C1F04 - je 1A23B4C8D14
1A2372D201D - 45 8B 2C 04 - mov r13d,[r12+rax] <<
1A2372D2021 - 49 8B 87 10030000 - mov rax,[r15+00000310]
1A2372D2028 - 41 BC 04000000 - mov r12d,00000004
RAX=000000212B791CFC
RBX=00000000081C3900
RCX=00000000081C3900
RDX=0000000000000000
RSI=000001A085F4E6F0
RDI=000001A085F4E660
RSP=000001A2320FFDA0
RBP=00000000081C3900
RIP=000001A2372D2021
R8=000001A23630C690
R9=000001A23339C880
R10=000001A0BED70000
R11=000001A0BED70000
R12=0000018046970000
R13=0000000000000000
R14=000001A1B20C0000
R15=000001A23339C0B0
First seen:19:33:40
Last seen:19:33:40
1A2372D21F2 - 45 89 2C 04 - mov [r12+rax],r13d
1A2372D21F2:
1A2372D21E8 - 49 83 E4 FC - and r12,-04
1A2372D21EC - 0F84 646B1F04 - je 1A23B4C8D56
1A2372D21F2 - 45 89 2C 04 - mov [r12+rax],r13d <<
1A2372D21F6 - 49 8B 87 F8000000 - mov rax,[r15+000000F8]
1A2372D21FD - 49 89 87 10030000 - mov [r15+00000310],rax
RAX=000000212B791CFC
RBX=00000000081C3918
RCX=00000000081C3918
RDX=0000000000000000
RSI=000001A085F4E6F0
RDI=000001A085F4E660
RSP=000001A2320FFDA0
RBP=00000000081C3918
RIP=000001A2372D21F6
R8=000001A23630C690
R9=000001A23339C880
R10=000001A0BED70000
R11=0000018046970000
R12=0000018046970000
R13=00000000000000C8
R14=000001A1B20C0000
R15=000001A23339C0B0
First seen:19:33:40
Last seen:19:33:40