Exetools  

#1  ArC (VIP), 08-02-2003, 16:50
Problem with Return Address

I got an application which calls an MFC function. That MFC function calls another MFC function. Now my problem: as you know, when a CALL is executed, the return address is pushed on the stack. But not in this case: when that MFC function calls the other MFC function, 0 is pushed on the stack as the return address instead of the real return address. The result of this is that when that call returns, the app crashes.

So how can this happen?

Notice: that application is protected. In the protected version of the app that problem does not seem to occur. However, I've unpacked that app by hand and now I get this problem.

Thx
#2  Squidge (Drunken Squirrel), 08-02-2003, 18:39
Which protection was it? As any app that uses CALL to jump into MFC is guaranteed to have a valid return address as it's pushed onto the stack by the hardware. What you are most likely seeing is that the app itself is doing the PUSH and then JMPing into MFC. Maybe it pushes the address of some protection function onto the stack, and once the protection is removed, the result is zero, hence the crash?
#3  ArC (VIP), 08-03-2003, 16:13
Sorry, everything is ok: inside that call there's a pointer pointing to the return address. However, there's an AND [pointer],0 executed, which causes the return address to be "removed".

However, it's still a bit strange, because the return address is duplicated on the stack. You can say that it is stored twice. But when we come to the RET of the call, the stack points to the old return address which was removed with the AND I mentioned above....

However, thx for your reply
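A small model of the stack mechanics the two replies above describe (CALL versus PUSH/JMP into the callee, and an AND [ptr],0 against the slot that RET will pop), added here as an example and not code from the thread; the addresses used are constructed placeholders.

```c
#include <stdint.h>

/* Minimal model of the x86 stack mechanics discussed in the thread (added example,
   not from the posts). 32-bit words, stack grows down; addresses are constructed. */
#define STACK_WORDS 8
typedef struct { uint32_t eip; int sp; uint32_t stack[STACK_WORDS]; } cpu_t; /* eip: next insn, sp: top-of-stack index */

static void     cpu_init(cpu_t *c, uint32_t eip) { c->eip = eip; c->sp = STACK_WORDS; }
static void     push(cpu_t *c, uint32_t v)       { c->stack[--c->sp] = v; }
static uint32_t pop(cpu_t *c)                    { return c->stack[c->sp++]; }

/* CALL target: the CPU pushes the address of the following instruction, then jumps. */
static void do_call(cpu_t *c, uint32_t insn_len, uint32_t target) { push(c, c->eip + insn_len); c->eip = target; }
/* PUSH imm32 / JMP target, the hand-made "call" Squidge suspects: whatever was pushed
   is what the callee's RET will later pop, so it need not be a real return address. */
static void do_push_jmp(cpu_t *c, uint32_t pushed, uint32_t target) { push(c, pushed); c->eip = target; }
/* AND [ptr],0 with ptr aimed at a stack slot (ArC's finding): the saved address becomes 0. */
static void and_slot_zero(cpu_t *c, int slot) { c->stack[slot] &= 0u; }
/* RET: pop into eip. Returns 1 if control went somewhere non-zero, 0 for the crash to 0. */
static int do_ret(cpu_t *c) { c->eip = pop(c); return c->eip != 0; }

/* CALL and PUSH/JMP leave identical state when the pushed value is the real return address. */
int call_and_push_jmp_are_equivalent(void) {
    cpu_t a, b;
    cpu_init(&a, 0x00401000); do_call(&a, 5, 0x5F400000);               /* E8 rel32 is 5 bytes */
    cpu_init(&b, 0x00401000); do_push_jmp(&b, 0x00401005, 0x5F400000);
    return a.eip == b.eip && a.sp == b.sp && a.stack[a.sp] == b.stack[b.sp];
}

/* Clearing the slot that RET will pop reproduces the crash: the callee returns to 0. */
int ret_after_and_zero_goes_to_zero(void) {
    cpu_t c; cpu_init(&c, 0x00401000);
    do_call(&c, 5, 0x5F400000);
    and_slot_zero(&c, c.sp);         /* "a pointer pointing to the return address" */
    return do_ret(&c) == 0 && c.eip == 0;
}

/* ArC sees the address stored twice; RET only uses the copy at ESP, so a surviving
   duplicate elsewhere does not help once the slot actually popped has been cleared. */
int duplicate_copy_does_not_rescue_ret(void) {
    cpu_t c; cpu_init(&c, 0x00401000);
    do_call(&c, 5, 0x5F400000);      /* copy 1: pushed by CALL */
    push(&c, c.stack[c.sp]);         /* copy 2: callee saves it again below */
    and_slot_zero(&c, c.sp + 1);     /* copy 1 is cleared through the pointer */
    pop(&c);                         /* callee drops copy 2 before RET */
    return do_ret(&c) == 0;          /* RET pops the cleared copy 1: eip == 0 */
}
```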