APIs in Olly

[jump]

Hi,

I am looking for such things in Olly. Is it possible to do that?

1)
I have many calls on api but not on the first istruction MOV EDI, EDI but on the second instruction. So Olly dont show me CALL API but just CALL kerrnel32.xxxxxxxx for example. Ok, i know that i can change call to the first instruction but isnt available any plugin for that which will do it automatically? Or some settings in Olly that it will check also one instruction up

2)
Second question is:
I have some CALLs on API which doesnt show me in Olly on the stack its parameters. Even if I wrote them in the code. For example CALL VirtualAllocEx and many more which have more important parameters than this API. How to fix this? I guess it has something to do with missing lib? Is this fixable?

Thanks

--
Jump

[DMichael]

1.first you can try ctrl+scroll and than olly analyzes diffrent bytes or you can just breakpoint on that api(from kernel or user what ever it comes from)and just trace

2.its on the stuck but not analyzed by olly that it recives parameters you can go into dissebmly and how much PUSH there upper the call or you can try olly v2.01 alpha 4 that analyzes such things better

[deepzero]

1) you can just set a label at <push ebp>.

2) there is a way you can add your own definitions, but i wasnt able to find detais right away...there is a thread on t4u somewhere...maybe someone else has a link.

[RedBlkJck]

Sorry I may not be 'seeing' what you mean by the first question but is it possible that you just have an outdated udd and pdb for the system dlls? The call destination is correct just the labels are off? After one these last set of MS patch updates I had to clear the udd and do a refresh off the ms symbol files because the labeled analyzed addresses were off by a few bytes. I had several addresses that were NOP, PUSH EBP but they were labeled as API calls. May not be the same thing you are referring to... - jack