32-bit dbg, edited: 7711E9D3 |. 6A 33 | push 33 | 7711E9D5 | E8 00000000 | call ntdll.7711E9DA | call $0 7711E9DA | 830424 05 | add dword ptr ss:[esp],5 | 7711E9DE | CB | ret far | 6A 33 E8 00 00 00 00 83 04 24 05 CB 64-bit dbg, captured: 00007FFC844B11DD | 48:B8 8877665544332211 | mov rax,1122334455667788 | 00007FFC844B11E7 | 50 | push rax | 00007FFC844B11E8 | 41:50 | push r8 | 00007FFC844B11EA | 41:51 | push r9 | 00007FFC844B11EC <ntdll.LdrpGetProcApphelp | 41:52 | push r10 | 00007FFC844B11EE | 41:53 | push r11 | 00007FFC844B11F0 | 41:54 | push r12 | 00007FFC844B11F2 | 41:55 | push r13 | 00007FFC844B11F4 | 41:56 | push r14 | r14:"minkernel\\ntdll\\ldrinit.c" 00007FFC844B11F6 | 41:57 | push r15 | 00007FFC844B11F8 | 50 | push rax | 00007FFC844B11F9 | E8 00000000 | call ntdll.7FFC844B11FE | call $0 00007FFC844B11FE | C74424 04 23000000 | mov dword ptr ss:[rsp+4],23 | 23:'#' 00007FFC844B1206 | 830424 0D | add dword ptr ss:[rsp],D | 00007FFC844B120A | CB | ret far | 00007FFC844B120B | 90 | nop | 48 B8 88 77 66 55 44 33 22 11 50 41 50 41 51 41 52 41 53 41 54 41 55 41 56 41 57 50 E8 00 00 00 00 C7 44 24 04 23 00 00 00 83 04 24 0D CB 90 Combined (both sequences, as disassembled by the 32-bit dbg): 7711E9D3 |. 
6A 33 | push 33 | 7711E9D5 | E8 00000000 | call ntdll.7711E9DA | call $0 7711E9DA | 830424 05 | add dword ptr ss:[esp],5 | 7711E9DE | CB | ret far | 7711E9DF | 48 | dec eax | 7711E9E0 | B8 88776655 | mov eax,55667788 | 7711E9E5 | 44 | inc esp | 7711E9E6 | 3322 | xor esp,dword ptr ds:[edx] | 7711E9E8 | 1150 41 | adc dword ptr ds:[eax+41],edx | 7711E9EB | 50 | push eax | 7711E9EC | 41 | inc ecx | 7711E9ED | 51 | push ecx | 7711E9EE | 41 | inc ecx | 7711E9EF | 52 | push edx | 7711E9F0 | 41 | inc ecx | 7711E9F1 | 53 | push ebx | 7711E9F2 | 41 | inc ecx | 7711E9F3 <ntdll._LdrpForkProcess@0> | 54 | push esp | 7711E9F4 | 41 | inc ecx | 7711E9F5 | 55 | push ebp | 7711E9F6 | 41 | inc ecx | 7711E9F7 | 56 | push esi | 7711E9F8 | 41 | inc ecx | 7711E9F9 | 57 | push edi | edi:"LdrpInitializeProcess" 7711E9FA | 50 | push eax | 7711E9FB | E8 00000000 | call ntdll.7711EA00 | call $0 7711EA00 | C74424 04 23000000 | mov dword ptr ss:[esp+4],23 | 23:'#' 7711EA08 | 830424 0D | add dword ptr ss:[esp],D | 7711EA0C | CB | ret far | 7711EA0D | 90 | nop | 6A 33 E8 00 00 00 00 83 04 24 05 CB 48 B8 88 77 66 55 44 33 22 11 50 41 50 41 51 41 52 41 53 41 54 41 55 41 56 41 57 50 E8 00 00 00 00 C7 44 24 04 23 00 00 00 83 04 24 0D CB 90 Stack after the return, win10_64: $ ==> 1122334455667788 0000000077063620 R15 $+10 0000000000A6E940 0000000000A6FDA0 $+20 0000000002C0A000 0000000000000246 $+30 0000000000000000 00000000770E1FCC $+40 000000000000002B 1122334455667788 Stack after the return, win7_64: $ ==> 55667788 11223344 75062450 00000000 R15 $+10 > 0008EC80 00000000 0008FD20 00000000 $+20 > 7EFDB000 00000000 00000202 00000000 $+30 > 00000000 00000000 0018FD10 00000000 $+40 > 778B01C4 00000000 55667788 11223344