@28:52 I guess instead of storing A in the memory we need to store A-4; then when the pop happens, first esp = A-4 and then A, since pop consists of two steps. Then on the ret call, since esp = A, eip = A and esp will increment, again because ret also comprises two steps.
Just a small correction: the gadgetaddr2 doesn't get overwritten. push decrements esp first, so esp = esp-4, then it gets written by push edi. Anyway, we don't have gadget2 now to subvert execution to.
Agree, the stack grows downwards, not upward.
Exactly, this is what I realized too! He explained that incorrectly; push will always decrement the stack pointer, overwriting the previous return address.
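The push/pop/ret ordering the comments above argue about can be checked in a small model. This is an added example, not code from the lecture or the commenters: a hypothetical 32-bit little-endian stack simulator whose push, pop, pop esp and ret follow the semantics documented in the Intel SDM, with constructed addresses and values.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical 32-bit little-endian stack model (addresses are offsets into mem)
   used to check the push/pop/ret ordering discussed above. Not real CPU code. */
#define MEM_SIZE 256
typedef struct { uint8_t mem[MEM_SIZE]; uint32_t esp, eip; } cpu_t;

static uint32_t rd32(const cpu_t *c, uint32_t a) { uint32_t v; memcpy(&v, &c->mem[a], 4); return v; }
static void wr32(cpu_t *c, uint32_t a, uint32_t v) { memcpy(&c->mem[a], &v, 4); }

/* push: esp is decremented first, then the value is stored at the new top. */
static void push(cpu_t *c, uint32_t v) { c->esp -= 4; wr32(c, c->esp, v); }

/* pop into a general register: read [esp], then esp += 4. */
static uint32_t pop(cpu_t *c) { uint32_t v = rd32(c, c->esp); c->esp += 4; return v; }

/* pop esp: per the Intel SDM the increment happens before the loaded value is
   written to esp, so the value read from the old top simply becomes esp. */
static void pop_esp(cpu_t *c) { c->esp = rd32(c, c->esp); }

/* ret is a pop into eip. */
static void ret(cpu_t *c) { c->eip = pop(c); }

/* A return address sits at the top of the stack and `push edi` runs afterwards.
   Returns 1 if the push overwrote that slot, 0 if it landed below it. */
static int push_clobbers_top(void) {
    cpu_t c = {0};
    c.esp = 0x80;
    wr32(&c, 0x80, 0xAAAA0001u);          /* constructed value at [esp] */
    push(&c, 0xBBBB0002u);                /* push edi */
    return rd32(&c, 0x80) != 0xAAAA0001u; /* 0: old top intact, push wrote 0x7c */
}

/* `pop esp; ret` with a constructed value A stored at the top of the stack and a
   constructed target word 0xC0DE0003 stored at A (A must be < MEM_SIZE - 4). */
static void run_pivot(cpu_t *c, uint32_t a) {
    memset(c, 0, sizeof *c);
    c->esp = 0x80;
    wr32(c, 0x80, a);
    wr32(c, a, 0xC0DE0003u);
    pop_esp(c);   /* esp = A */
    ret(c);       /* eip = [A], esp = A + 4 */
}
static uint32_t pivot_eip(uint32_t a) { cpu_t c; run_pivot(&c, a); return c.eip; }
static uint32_t pivot_esp(uint32_t a) { cpu_t c; run_pivot(&c, a); return c.esp; }
```

Changing the stored word in run_pivot from A to A-4 lets you compare the model against the claim at 28:52.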
Extremely high-quality lecture, such a nice and simple presentation. Kudos, sir.
Amazing video, sir.
@18:08, I think he is wrong? The contents of the eax register are copied into the location edx + 64.