I am analyzing a Windows executable file (PE format), probably written in Borland Delphi. The program starts with the following instructions:
I reproduced on paper the stack until the instruction marked with (5); it seems that at (5) the esp+2Ch is pointing above the first register (AX) pushed by (1).
Where does esp+2Ch point and what can its value be?
Thank you!
1 Answer
Based on the corrected sequence, that instruction fetches the dword prior to all the pushes.
ebp is 0.
mov eax, ... is/can/maybe junk; anyway it doesn't alter the stack.
The next instruction also doesn't alter the stack.
The next instruction sets the SEH handler.
So it fetches the DWORD from the stack prior to pusha.
If this was the start of a call, this DWORD could be the return address of the call; it can be from an earlier push instruction or moved to the stack prior to pusha.
Just to clarify, I assembled the instruction in place somewhere in OllyDbg and traced through it; see the output below.
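The bookkeeping the answer describes, as an added example (not code from the question or the answer): a small model of 32-bit pushes that resolves an [esp+disp] reference to the slot it names. The question's instruction listing is not reproduced on the page, so the sequence below is an assumption: pusha, then the usual Delphi-style SEH setup (push ebp, push offset handler, push dword ptr fs:[0]), which is 0x20 + 3*4 = 0x2C bytes and therefore makes esp+2Ch land on the dword that was at esp before the first push.

```python
# Added example: constructed stack model for reasoning about [esp+N] after
# pusha plus an SEH prologue. The instruction sequence is an ASSUMPTION.

PUSHA_ORDER = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


class Stack32:
    """Tracks 32-bit stack slots by address so a displacement can be resolved."""

    def __init__(self, entry_esp=0x0019FF80):   # constructed sample address
        self.entry_esp = entry_esp
        self.esp = entry_esp
        # Whatever sat at esp when this code was reached was stored before
        # the prologue ran: a return address if this is a call target, or
        # an earlier push/mov to the stack (as the answer says).
        self.slots = {entry_esp: "dword on stack before first push"}

    def push(self, label):
        self.esp -= 4
        self.slots[self.esp] = label

    def pusha(self):
        # PUSHA pushes EAX, ECX, EDX, EBX, the pre-PUSHA ESP, EBP, ESI, EDI
        # (eight dwords, 0x20 bytes), highest address first.
        for reg in PUSHA_ORDER:
            self.push(f"{reg} (pusha)")

    def resolve(self, disp):
        """Return the label of the slot that [esp+disp] names."""
        addr = self.esp + disp
        return self.slots.get(addr, f"untracked slot at {addr:#x}")


def trace_prologue():
    s = Stack32()
    s.pusha()                                 # (1): first pushed dword is EAX
    # xor ebp,ebp / mov eax,... : no stack change
    s.push("saved ebp (assumed push ebp)")    # assumed Delphi SEH prologue
    s.push("SEH handler address (assumed)")   # push offset handler
    s.push("previous fs:[0] (assumed)")       # push dword ptr fs:[0]
    return s


if __name__ == "__main__":
    s = trace_prologue()
    for disp in (0x0, 0x28, 0x2C):
        print(f"[esp+{disp:#x}] -> {s.resolve(disp)}")
```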