Hacker News
by seppel 1736 days ago
> I got something infected with a virus named Romania.856 (I will always remember this name)

For me it was Tai-Pan.438.A. I printed out(!) the disassembly code and studied it for weeks. I remember the stack modifications (not matching push/pop instructions) were super troubling for me to understand because such tricks were not really explained in the normal books.

1 comment

I understand the modifications part, but why would push/pop counts be mismatched?
It was doing push/ret, i.e., pushing stuff (addresses) and then returning to the pushed address. Or popping stuff without pushing before (saving the return address of something) and storing it somewhere.

That is of course perfectly legal, but not something you see in normal programs. In the end, it really helped me to understand how the stack works, but the first time I saw it, it was super confusing.

The return address is on the stack so if you push data and then return, that data is now interpreted as an address to jump to.
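Both tricks discussed in the thread, push/ret as an indirect jump and call/pop to recover the current address, come down to the fact that CALL and RET push and pop the stack implicitly, so a listing can show one POP with no PUSH (or vice versa) and still leave the stack balanced. The program below is an added example, not code from any of the commenters or from the virus they describe: it is a constructed toy word machine with its own made-up encoding (PUSH/POP/CALL/RET/MOV on 16-bit words, registers r0..r3, a downward-growing stack), not real x86, chosen so it runs anywhere. The two embedded programs and the linear-sweep tally of explicit push/pop instructions are constructed for illustration; on x86 the same thing happens with EIP and ESP.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy machine (not real x86 encoding): 16-bit words, one opcode
 * word followed by 0-2 operand words, registers r0..r3, and a stack that
 * grows downward from the top of memory. */
enum { MEM_WORDS = 64, NREGS = 4 };

enum op {
    OP_HALT = 0,
    OP_PUSH_IMM,   /* PUSH imm   : sp -= 1; mem[sp] = imm             (2 words) */
    OP_POP_REG,    /* POP rN     : rN = mem[sp]; sp += 1              (2 words) */
    OP_CALL,       /* CALL addr  : push addr of next insn; pc = addr  (2 words) */
    OP_RET,        /* RET        : pc = mem[sp]; sp += 1              (1 word)  */
    OP_MOV_IMM     /* MOV rN,imm : rN = imm                           (3 words) */
};

struct cpu {
    uint16_t mem[MEM_WORDS];
    uint16_t reg[NREGS];
    uint16_t pc, sp;
};

static int insn_len(uint16_t opc)
{
    switch (opc) {
    case OP_HALT: case OP_RET:                        return 1;
    case OP_PUSH_IMM: case OP_POP_REG: case OP_CALL:  return 2;
    case OP_MOV_IMM:                                  return 3;
    default:                                          return 0; /* unknown */
    }
}

/* Load a program at address 0; sp == MEM_WORDS means the stack is empty. */
static void load(struct cpu *c, const uint16_t *prog, size_t n)
{
    memset(c, 0, sizeof *c);
    memcpy(c->mem, prog, n * sizeof *prog);
    c->sp = MEM_WORDS;
}

/* Run until HALT. Returns 0 on HALT, -1 on a fault (bad opcode/address,
 * stack overflow or underflow) or when the step budget runs out. */
static int run(struct cpu *c, unsigned max_steps)
{
    while (max_steps--) {
        if (c->pc >= MEM_WORDS) return -1;
        uint16_t opc = c->mem[c->pc];
        int len = insn_len(opc);
        if (len == 0 || c->pc + len > MEM_WORDS) return -1;
        uint16_t a = len > 1 ? c->mem[c->pc + 1] : 0;
        uint16_t b = len > 2 ? c->mem[c->pc + 2] : 0;
        uint16_t next = c->pc + len;
        switch (opc) {
        case OP_HALT:     return 0;
        case OP_PUSH_IMM: if (c->sp == 0) return -1;
                          c->mem[--c->sp] = a; c->pc = next; break;
        case OP_POP_REG:  if (a >= NREGS || c->sp >= MEM_WORDS) return -1;
                          c->reg[a] = c->mem[c->sp++]; c->pc = next; break;
        case OP_CALL:     /* implicit push of the return address */
                          if (c->sp == 0) return -1;
                          c->mem[--c->sp] = next; c->pc = a; break;
        case OP_RET:      /* implicit pop: top of stack becomes pc */
                          if (c->sp >= MEM_WORDS) return -1;
                          c->pc = c->mem[c->sp++]; break;
        case OP_MOV_IMM:  if (a >= NREGS) return -1;
                          c->reg[a] = b; c->pc = next; break;
        }
    }
    return -1;
}

/* "push 6; ret": one PUSH and no POP, yet the stack ends balanced because RET
 * consumed the pushed word as the new pc. The MOV at address 3 is skipped. */
static const uint16_t push_ret_prog[] = {
    OP_PUSH_IMM, 6,      /* 0: PUSH 6 */
    OP_RET,              /* 2: RET      -> pc = 6 */
    OP_MOV_IMM, 0, 1,    /* 3: MOV r0,1 (never executed) */
    OP_MOV_IMM, 1, 1,    /* 6: MOV r1,1 */
    OP_HALT              /* 9: HALT */
};

/* "call 2; pop r0": no PUSH in the listing, yet POP succeeds, because CALL
 * pushed the address of the next instruction. r0 ends up holding 2, the
 * address of the POP itself: how relocated code learns where it is. */
static const uint16_t call_pop_prog[] = {
    OP_CALL, 2,          /* 0: CALL 2 -> pushes 2, pc = 2 */
    OP_POP_REG, 0,       /* 2: POP r0 -> r0 = 2 */
    OP_HALT              /* 4: HALT */
};

/* The tally a reader of a printed listing would make: explicit PUSH/POP only. */
struct tally { int pushes, pops; };
static struct tally count_explicit(const uint16_t *prog, size_t n)
{
    struct tally t = {0, 0};
    for (size_t i = 0; i < n; i += (size_t)insn_len(prog[i])) {
        if (insn_len(prog[i]) == 0) break;
        if (prog[i] == OP_PUSH_IMM) t.pushes++;
        if (prog[i] == OP_POP_REG)  t.pops++;
    }
    return t;
}

#define NWORDS(p) (sizeof (p) / sizeof (p)[0])
static int run_push_ret(struct cpu *c) { load(c, push_ret_prog, NWORDS(push_ret_prog)); return run(c, 100); }
static int run_call_pop(struct cpu *c) { load(c, call_pop_prog, NWORDS(call_pop_prog)); return run(c, 100); }

int main(void)
{
    struct cpu c;
    struct tally t = count_explicit(push_ret_prog, NWORDS(push_ret_prog));
    run_push_ret(&c);
    printf("push/ret: r0=%u r1=%u sp=%u  listing shows %d push, %d pop\n",
           c.reg[0], c.reg[1], c.sp, t.pushes, t.pops);
    t = count_explicit(call_pop_prog, NWORDS(call_pop_prog));
    run_call_pop(&c);
    printf("call/pop: r0=%u sp=%u  listing shows %d push, %d pop\n",
           c.reg[0], c.sp, t.pushes, t.pops);
    return 0;
}
```

In both runs sp is back at its initial value (MEM_WORDS) when HALT is reached, even though the explicit push/pop tally is 1/0 for the first program and 0/1 for the second. That imbalance in the listing, balanced at run time by RET and CALL, is exactly what makes such code look wrong on paper.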