On 12/27/21 23:50, Mohamad Al-Jaf wrote:
I see, but I still don't understand the method used here. How can you see the stack entries if you don't disassemble the file? The only way I know of is through WineDbg and that does not seem to be correct. The method on that wiki page appears to require looking at the assembly code. Specifically, it says "ret hhll (where hhll is the number of bytes to remove, i.e. the number of arguments times 4)". As far as I know, ret is assembly code. So the method listed requires disassembly, no?
The page is confusingly written, and I'm not sure whether it's telling the user to disassemble the function or its caller. Doing the latter is usually okay, provided you don't have some other reason to avoid it (e.g. it's also a Microsoft DLL).
Anyway, what I was proposing is something like the attached patch. Running it on the testbot yields an argument count of zero for CurrentIP() [1].
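To make the "ret hhll" rule quoted above concrete: the following is an added example, not code from this thread, from the wiki page, or from Wine. It scans the bytes of a 32-bit x86 function for its return instruction and derives the stdcall argument count from the immediate (bytes popped divided by 4). The byte sequences are constructed samples, and the function and constant names are assumptions of this example. It is a byte scan rather than a disassembler, so it carries the caveat from the reply above: a 0xC2 or 0xC3 byte inside an immediate or displacement can fool it, and the caller is the place to confirm a doubtful result.

```c
#include <stddef.h>
#include <stdio.h>

/* Result codes for stdcall_arg_count() (names are this example's own). */
enum { ARGCOUNT_NOT_FOUND = -1, ARGCOUNT_ODD_IMM = -2 };

/*
 * Scan the first `len` bytes of a 32-bit x86 function for its return
 * instruction and derive the stdcall argument count:
 *
 *   C2 lo hi   ret imm16   -> callee pops imm16 bytes, i.e. imm16 / 4 args
 *   C3         ret         -> callee pops nothing (cdecl, or a stdcall
 *                             function with no arguments)
 *
 * This is a linear byte scan, not a disassembler: a 0xC2/0xC3 byte that is
 * part of another instruction's immediate or displacement will be mistaken
 * for the ret, so treat the result as a hint and check the caller if in doubt.
 */
int stdcall_arg_count(const unsigned char *code, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (code[i] == 0xC3)
            return 0;
        if (code[i] == 0xC2 && i + 2 < len) {
            unsigned imm = code[i + 1] | (code[i + 2] << 8);   /* little-endian imm16 */
            if (imm % 4 != 0)
                return ARGCOUNT_ODD_IMM;   /* not a whole number of 32-bit stack slots */
            return (int)(imm / 4);
        }
    }
    return ARGCOUNT_NOT_FOUND;   /* no ret within the bytes we were given */
}

/* Constructed sample (not from any real DLL):
 * push ebp / mov ebp,esp / mov eax,[ebp+8] / add eax,[ebp+0Ch] / pop ebp / ret 8 */
static const unsigned char sample_stdcall_two_args[] = {
    0x55, 0x8B, 0xEC, 0x8B, 0x45, 0x08, 0x03, 0x45, 0x0C, 0x5D, 0xC2, 0x08, 0x00
};

/* Constructed sample: same body, but ending in a plain ret (cdecl style). */
static const unsigned char sample_cdecl[] = {
    0x55, 0x8B, 0xEC, 0x8B, 0x45, 0x08, 0x03, 0x45, 0x0C, 0x5D, 0xC3
};

/* Constructed sample: "ret 6", an immediate that is not a multiple of 4. */
static const unsigned char sample_ret_six[] = { 0x5D, 0xC2, 0x06, 0x00 };

int main(void)
{
    printf("stdcall sample: %d args\n",
           stdcall_arg_count(sample_stdcall_two_args, sizeof sample_stdcall_two_args));
    printf("cdecl sample:   %d args\n",
           stdcall_arg_count(sample_cdecl, sizeof sample_cdecl));
    printf("ret 6 sample:   %d (ARGCOUNT_ODD_IMM)\n",
           stdcall_arg_count(sample_ret_six, sizeof sample_ret_six));
    return 0;
}
```

Feeding it the bytes of a function whose only exit is "ret 8" gives 2, which is the "number of bytes to remove divided by 4" rule from the wiki page. A zero result does not distinguish cdecl from a stdcall function with no arguments, so for a function such as the zero-argument CurrentIP() mentioned above the calling convention still has to come from another source.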