Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page Finding base address in a remote process
Register Forum Rules FAQ Calendar Mark Forums Read

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 11-02-2007, 17:46
ricnar456 ricnar456 is offline
Friend
  
Join Date: May 2002
Posts: 290
Rept. Given: 1
Rept. Rcvd 28 Times in 10 Posts
Thanks Given: 0
Thanks Rcvd at 52 Times in 40 Posts
ricnar456 Reputation: 28
GetModuleHandleA i think will be useful, look when is called and see in EAX the value when return from api.

ricnar
Reply With Quote
  #2  
Old 11-03-2007, 21:24
yaa
 
Posts: n/a
ricnar456, your post made me wonder, how can you discover if a routine is a function (thus returns a value) or is a procedure (returns nothing)? Is there any to understand it?

yaa
Reply With Quote
  #3  
Old 11-04-2007, 01:38
taos's Avatar
taos taos is offline
The Art Of Silence
  
Join Date: Aug 2004
Location: In front of my screen
Posts: 580
Rept. Given: 65
Rept. Rcvd 54 Times in 19 Posts
Thanks Given: 69
Thanks Rcvd at 137 Times in 36 Posts
taos Reputation: 54
Simple, look at API prototypes. GetmodulehandleA is an API function.
__________________
omnino lo qui quae que quod somos es pulvis en el ventus.
TAOS

-The opposite of courage in our society is not cowardice, but conformity-
Reply With Quote
  #4  
Old 11-05-2007, 02:05
yaa
 
Posts: n/a
taos

the meaning of my question was, if there is a way, at runtime, to discover if a routine is a function or a procedure. My knowledge of assembly is really lousy but I can't find any clue to answer my question based on registers or flags. I mean, EAX could have changed value during a routine's execution without it meaning that it is a return value.

Am I right or am I missing something?


yaa
Last edited by yaa; 11-05-2007 at 02:12.
Reply With Quote
  #5  
Old 11-05-2007, 04:23
taos's Avatar
taos taos is offline
The Art Of Silence
  
Join Date: Aug 2004
Location: In front of my screen
Posts: 580
Rept. Given: 65
Rept. Rcvd 54 Times in 19 Posts
Thanks Given: 69
Thanks Rcvd at 137 Times in 36 Posts
taos Reputation: 54
Quote:
Originally Posted by yaa
I mean, EAX could have changed value during a routine's execution without it meaning that it is a return value.

Am I right or am I missing something?
Not exactly, any procedure must push all generic registers and before to return pop it so if they are procedures, you must have the same values in generic registers (EAX,EDX,etc...) but not in stack register and others.

It's more easy to test it, use sleep procedure api (Declare Sub Sleep Lib "kernel32.dll" (ByVal dwMilliseconds As Long) ) and messagebeep api function (Declare Function MessageBeep Lib "user32.dll" (ByVal wType As Long) As Long), in a simple asm program.Debug with olly and follow generic registers before and after sleep and messagebeep APIs.
__________________
omnino lo qui quae que quod somos es pulvis en el ventus.
TAOS

-The opposite of courage in our society is not cowardice, but conformity-
Reply With Quote
  #6  
Old 11-05-2007, 06:12
yaa
 
Posts: n/a
I tested this in a small C app, with a function that returns a value and one that returns void. I can't in any way distinguish the two cases. btw, EAX is not among the registers whose values a C programs expects each routine will maintain so ...

yaa
Reply With Quote
  #7  
Old 11-05-2007, 07:17
Nacho_dj's Avatar
Nacho_dj Nacho_dj is offline
Lo*eXeTools*rd
  
Join Date: Mar 2005
Posts: 211
Rept. Given: 16
Rept. Rcvd 179 Times in 34 Posts
Thanks Given: 44
Thanks Rcvd at 137 Times in 41 Posts
Nacho_dj Reputation: 100-199 Nacho_dj Reputation: 100-199
In fact, in assembler instructions it is quite difficult to decide if you are facing a procedure or a function.

But you could follow this approach: if the EAX value after the return of the CALL is used immediately in the code, it should be a function, and if the EAX value is ignored after that return, you could think of it as a procedure...

Normally, this should work if you are reversing code to a higher level of programming.

Cheers

Nacho_dj
__________________
http://arteam.accessroot.com
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Hybrid Mode Hybrid Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Finding API Address britedream General Discussion 5 10-05-2006 21:28
Can we hook some func in another process then change return address? Teerayoot General Discussion 5 09-21-2004 11:12


All times are GMT +8. The time now is 03:47.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )