Alumna
March 2010
Each layer decryptor begins with PUSH EBP/MOV EBP,ESP to build a fake stack frame. The frame is fake because the stack pointer is not moved forward to allocate space and there is no LEAVE or POP EBP; there is a RET, but whether it is reached depends on whether the encrypted data can be moved. There are instructions that access the stack through the base pointer to read values, but none that write to it as a memory access, for example: mov [ebp], randval/reg32.
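A static triage check for the frame traits described above, as an added example that is not part of the original analysis. It assumes Intel-syntax disassembly text as input; the function names and both sample listings are constructed for illustration.

```python
import re

READ_ONLY_DEST = {"cmp", "test", "push"}   # first operand is read, not written
EBP_MEM = re.compile(r"\[\s*ebp\b")        # memory operand based on EBP

def parse(listing):
    """Split 'mnemonic op1, op2' lines into (mnemonic, [operands])."""
    out = []
    for line in listing.strip().splitlines():
        line = line.split(";")[0].strip().lower()
        if line:
            mnem, _, rest = line.partition(" ")
            out.append((mnem, [o.strip() for o in rest.split(",") if o.strip()]))
    return out

def frame_traits(listing):
    """Collect the stack-frame traits named in the paragraph for one routine."""
    ins = parse(listing)
    t = {"prologue": ins[:2] == [("push", ["ebp"]), ("mov", ["ebp", "esp"])],
         "allocates": False, "epilogue": False, "ret": False,
         "ebp_reads": 0, "ebp_writes": 0}
    for mnem, ops in ins[2:]:
        if mnem == "sub" and ops[:1] == ["esp"]:
            t["allocates"] = True            # space reserved for locals
        elif mnem == "leave" or (mnem, ops) == ("pop", ["ebp"]):
            t["epilogue"] = True             # frame torn down properly
        elif mnem in ("ret", "retn"):
            t["ret"] = True
        if mnem == "lea":
            continue                         # address arithmetic, no memory access
        for i, op in enumerate(ops):
            if EBP_MEM.search(op):
                write = i == 0 and mnem not in READ_ONLY_DEST
                t["ebp_writes" if write else "ebp_reads"] += 1
    return t

def looks_fake(listing):
    """True when every trait matches the fake frame described above."""
    t = frame_traits(listing)
    return (t["prologue"] and t["ret"] and not t["allocates"]
            and not t["epilogue"] and t["ebp_reads"] > 0 and t["ebp_writes"] == 0)

# Constructed listings (not taken from a sample): one fake frame, one ordinary frame.
FAKE = "push ebp\nmov ebp, esp\nmov eax, [ebp+8]\nxor eax, [ebp+0Ch]\nret"
NORMAL = ("push ebp\nmov ebp, esp\nsub esp, 10h\nmov eax, [ebp+8]\n"
          "mov [ebp-4], eax\nleave\nret")
```

The check is a heuristic over a linear listing: it does not follow branches, so it reports that a RET is present, not whether it is reached.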