Closed scmanjarrez closed 6 years ago
Hello there!
That return is returning a 3-byte NOP sequence (as requested in the function's size parameter). To do this, it creates a jmp+3 and inserts a random 1-byte instruction that will never be executed (because of the jmp).
For example, let's consider that the random 1-byte instruction is 'pop eax'. The sequence would be as follows:
As we can see, when the code reaches the jmp, it will go directly to the nops, without executing the pop, giving us a 3-byte NOP sequence (jmp + pop) because it doesn't affect any value in our execution context (registers, flags, ...).
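As an added illustration (not code from this project or its author), the 3-byte sequence described above, assuming "jmp+3" means a short `jmp $+3` (x86 encoding `EB 01`) followed by one junk byte; the instruction table is a constructed sample and the helper names are hypothetical:

```python
import random

JMP_SHORT = 0xEB  # x86 "jmp rel8": 2-byte encoding, signed displacement from the next instruction

# Constructed sample of 1-byte x86 instructions usable as the skipped junk byte.
ONE_BYTE_INSTRS = {0x58: "pop eax", 0x50: "push eax", 0x90: "nop", 0xF8: "clc"}


def jmp_over_junk(size, rng=random):
    """Build a `size`-byte NOP-equivalent: jmp $+size followed by size-2 junk bytes.

    For size=3 this is EB 01 <junk>, i.e. the "jmp+3 + pop eax" case above.
    The general form (any size up to the rel8 limit) goes beyond the 3-byte case.
    """
    if size < 3 or size > 129:  # at least one junk byte; disp8 must fit in 127
        raise ValueError("size must be between 3 and 129")
    disp = size - 2  # bytes to skip after the 2-byte jmp itself
    junk = [rng.choice(list(ONE_BYTE_INSTRS)) for _ in range(disp)]
    return bytes([JMP_SHORT, disp] + junk)


def jmp_target(seq):
    """Decode a leading short jmp (EB disp8) and return the offset it lands on."""
    if len(seq) < 2 or seq[0] != JMP_SHORT:
        raise ValueError("sequence does not start with jmp rel8")
    disp = seq[1] - 256 if seq[1] >= 0x80 else seq[1]  # disp8 is signed
    return 2 + disp  # relative to the byte after the 2-byte jmp


def skipped_instrs(seq):
    """Names of the junk instructions the jmp steps over.

    Returns None if the jmp does not land exactly at the end of the sequence,
    i.e. if some byte of the sequence (or beyond it) would actually execute.
    """
    if jmp_target(seq) != len(seq):
        return None
    return [ONE_BYTE_INSTRS.get(b, "unknown") for b in seq[2:]]
```

The `pop eax` is only ever decoded, never executed, which is why the stack is untouched.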
I got it, thank you so much!
Hi, I'm trying to understand the substitutions but I don't understand what "jmp 3" (get_nops, size=3, bits=32) means in assembly, or why it's considered a nop. Also, why do you pop from the stack? Wouldn't it destroy the stack? (For example, if the executable tries to access some already pop'd variable.)
Thanks in advance.