Page 1 of 2 12 LastLast
Results 1 to 15 of 27

Thread: Is there a generic method to determine generic type and number of parameters passed?

  1. #1
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4

    Is there a generic method to determine generic type and number of parameters passed?

    Ie how could I determine the number of parameters a function uses at runtime(I know I have to load as data file or a mapped file and directly read the functions bytes is there another way?),any thoughts on this in a programming sense?
    Last edited by BanMe; July 15th, 2010 at 22:45.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  2. #2
    Hmm, as far as parameter lists go, i would imagine one would need to understand how to stack is setup for a particular function, as you know when a function returns, depending on its calling convention the stack will be cleaned using a combination of push's and ADD's. I would write a alittle test case if i were you, write a few functions taking and returning diferent data types, then pop it in IDA then a debugger, and try and make sense of the logic IDA uses, I'm alittle rusty so i don't want to say too much out of fear of providing false information

    Edit:
    Yes, just as arc said, it's alot more difficult to determine these things because of the few calling conventions and different programming techniques, You'd need a very mature disassembling engine for such a task. I wrote a small test case and then all the questions arose

    Code:
    #include <iostream>
    
    using namespace std;
    
    int myfunc( int a, int b, int c )
    {
        return ( a+b+c );
    }
    double myfunc2( double a, double b )
    {
        if( b != 0 )
        {
            return ( a/b );
        }
        else
        return ( 0.0f );
    }
    int main()
    {
        //Call func 1
        int i = myfunc( 3,4,6 );
        double j = ( 24.5, 5.5 );
        return 0;
    }
    cl file.cpp /EHsc /MT
    Last edited by _genuine; July 16th, 2010 at 02:54.

  3. #3
    The number of parameters of a compiled function is quite hard to determine. For example, is it cdecl, stdcall, or thiscall (extra parameter in ecx)? Or even fastcall (arguments in registers instead of on the stack)? Even a highly advanced disassembler like IDA can still sometimes get it wrong.

    As for the type of parameters, well, that's even harder and may in fact be impossible to do automatically. Imagine a function that just passes its 32-bit parameters on to another function, maybe even a virtual function. Are those parameters ints? floats? pointers? Who knows...

  4. #4
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4
    Yes, just as arc said, it's alot more difficult to determine these things because of the few calling conventions and different programming techniques, You'd need a very mature disassembling engine for such a task.
    That is true, I do have to know alot of about various calling methods and be able to check and double check if a functions meats the criteria of 'known' calling types, if these know types fail to recognize something then it should be noted and xref'd back to calle to see if that has a recognizable 'conventional behavior' about it...

    That being said..genuine took a step without me, and looked at wikipedia..

    So I guess I'll use it to with a small update.. to use both functions..

    Code:
        int i = myfunc( 3,4,6 );
        double j = myfunc2( 24.5, 5.5 );
        return 0;
    So this is a somewhat good example, it needs a bit more but this is a starting point

    After compiling this with VC++ 2k5 on xp sp3(x86)..

    code for myfunc...

    Code:
    004111E0 > 55               PUSH EBP
    004111E1   8BEC             MOV EBP,ESP
    004111E3   81EC C0000000    SUB ESP,0C0
    004111E9   53               PUSH EBX
    004111EA   56               PUSH ESI
    004111EB   57               PUSH EDI
    004111EC   8DBD 40FFFFFF    LEA EDI,DWORD PTR SS:[EBP-C0]
    004111F2   B9 30000000      MOV ECX,30
    004111F7   B8 CCCCCCCC      MOV EAX,CCCCCCCC
    004111FC   F3:AB            REP STOS DWORD PTR ES:[EDI]
    004111FE   8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]//param 1 to eax
    00411201   0345 0C          ADD EAX,DWORD PTR SS:[EBP+C]//add param 2 to eax
    00411204   0345 10          ADD EAX,DWORD PTR SS:[EBP+10]//add param 3 to eax...
    00411207   5F               POP EDI
    00411208   5E               POP ESI
    00411209   5B               POP EBX
    0041120A   8BE5             MOV ESP,EBP
    0041120C   5D               POP EBP
    0041120D   C3               RETN
    This one is relatively easy to analyze visually to see 3 params, so that recognition falls under recognizable EBP code patters and the code would need to know those patters..this one has 3.... The Next Fuction is not so easily decipherable visually unless you know asm..

    code for myfunc2
    Code:
    00411220 > 55               PUSH EBP
    00411221   8BEC             MOV EBP,ESP
    00411223   81EC C0000000    SUB ESP,0C0
    00411229   53               PUSH EBX
    0041122A   56               PUSH ESI
    0041122B   57               PUSH EDI
    0041122C   8DBD 40FFFFFF    LEA EDI,DWORD PTR SS:[EBP-C0]
    00411232   B9 30000000      MOV ECX,30
    00411237   B8 CCCCCCCC      MOV EAX,CCCCCCCC
    0041123C   F3:AB            REP STOS DWORD PTR ES:[EDI]
    0041123E   D9EE             FLDZ
    00411240   DC5D 10          FCOMP QWORD PTR SS:[EBP+10]//compare b 0
    00411243   DFE0             FSTSW AX
    00411245   F6C4 44          TEST AH,44
    00411248   7B 0A            JPO SHORT Test01.00411254//jmp to return 0
    0041124A   DD45 08          FLD QWORD PTR SS:[EBP+8]//parameter 1
    0041124D   DC75 10          FDIV QWORD PTR SS:[EBP+10]//div par1 by par2..
    00411250   EB 04            JMP SHORT Test01.00411256
    00411252   EB 02            JMP SHORT Test01.00411256
    00411254   D9EE             FLDZ
    00411256   5F               POP EDI
    00411257   5E               POP ESI
    00411258   5B               POP EBX
    00411259   8BE5             MOV ESP,EBP
    0041125B   5D               POP EBP
    0041125C   C3               RETN
    a funny double jmp appears ? minus the 'else'...

    So this is still based on EBP patters, this also includes the FLD and FDIV EBP instructions.. the more patters I see the more I think to look at the callee, maybe this could make it easier, then checking various conditions all at once if double positives occur those cases need further handling....

    I ended up with compiled code that looked like this for main..
    I added visual analysis comments of what patters I see and would look for..
    Code:
    00411270 > 55               PUSH EBP
    00411271   8BEC             MOV EBP,ESP
    00411273   81EC DC000000    SUB ESP,0DC
    00411279   53               PUSH EBX
    0041127A   56               PUSH ESI
    0041127B   57               PUSH EDI
    0041127C   8DBD 24FFFFFF    LEA EDI,DWORD PTR SS:[EBP-DC]
    00411282   B9 37000000      MOV ECX,37
    00411287   B8 CCCCCCCC      MOV EAX,CCCCCCCC
    0041128C   F3:AB            REP STOS DWORD PTR ES:[EDI]
    0041128E   6A 06            PUSH 6
    00411290   6A 04            PUSH 4
    00411292   6A 03            PUSH 3//3numeric pushes o0
    00411294   E8 07FEFFFF      CALL Test01.004110A0// then call myfunc
    00411299   83C4 0C          ADD ESP,0C//oh a verifier 0xc/0x4 = 0x3 
    0041129C   8945 F8          MOV DWORD PTR SS:[EBP-8],EAX
    0041129F   83EC 08          SUB ESP,8//sub esp qword
    004112A2   DD05 00414100FLD QWORD PTR DS:[__real@401600000000000>
    004112A8   DD1C24           FSTP QWORD PTR SS:[ESP]//fill esp
    004112AB   83EC 08          SUB ESP,8//sub another qword
    004112AE   DD05 F0404100 FLD QWORD PTR DS:[__real@403880000000000>
    004112B4   DD1C24           FSTP QWORD PTR SS:[ESP]//fill esp
    004112B7   E8 ADFDFFFF    CALL Test01.00411069//myfunc2
    004112BC   83C4 10          ADD ESP,10//a verifier 10/8 = 2 
    004112BF   DD5D E8          FSTP QWORD PTR SS:[EBP-18]
    004112C2   33C0             XOR EAX,EAX
    004112C4   5F               POP EDI
    004112C5   5E               POP ESI
    004112C6   5B               POP EBX
    004112C7   81C4 DC000000    ADD ESP,0DC
    004112CD   3BEC             CMP EBP,ESP
    004112CF   E8 D6FDFFFF      CALL Test01.004110AA
    004112D4   8BE5             MOV ESP,EBP
    004112D6   5D               POP EBP
    004112D7   C3               RETN
    So to check function for cdecl you check the callee after call for cleanup of stack then you 'might' be able to 'guess at' the size and number based on basic mathmatic computations....

    stdcall..is next
    Last edited by BanMe; July 16th, 2010 at 17:42.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  5. #5
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4

    STDCALL... :)

    so with slight modification of code we end up with stdcall

    Code:
    int __stdcall myfunc( int a, int b, int c )
    double __stdcall myfunc2( double a, double b )
    so stdcall myfunc
    Code:
    004111E0 > 55               PUSH EBP
    004111E1   8BEC             MOV EBP,ESP
    004111E3   81EC C0000000    SUB ESP,0C0
    004111E9   53               PUSH EBX
    004111EA   56               PUSH ESI
    004111EB   57               PUSH EDI
    004111EC   8DBD 40FFFFFF    LEA EDI,DWORD PTR SS:[EBP-C0]
    004111F2   B9 30000000      MOV ECX,30
    004111F7   B8 CCCCCCCC      MOV EAX,CCCCCCCC
    004111FC   F3:AB            REP STOS DWORD PTR ES:[EDI]
    004111FE   8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]//same as before
    00411201   0345 0C          ADD EAX,DWORD PTR SS:[EBP+C]
    00411204   0345 10          ADD EAX,DWORD PTR SS:[EBP+10]
    00411207   5F               POP EDI
    00411208   5E               POP ESI
    00411209   5B               POP EBX
    0041120A   8BE5             MOV ESP,EBP
    0041120C   5D               POP EBP
    0041120D   C2 0C00          RETN 0C//this is different
    stdcall code for myfunc2
    Code:
    00411220 > 55               PUSH EBP
    00411221   8BEC             MOV EBP,ESP
    00411223   81EC C0000000    SUB ESP,0C0
    00411229   53               PUSH EBX
    0041122A   56               PUSH ESI
    0041122B   57               PUSH EDI
    0041122C   8DBD 40FFFFFF    LEA EDI,DWORD PTR SS:[EBP-C0]
    00411232   B9 30000000      MOV ECX,30
    00411237   B8 CCCCCCCC      MOV EAX,CCCCCCCC
    0041123C   F3:AB            REP STOS DWORD PTR ES:[EDI]
    0041123E   D9EE             FLDZ
    00411240   DC5D 10          FCOMP QWORD PTR SS:[EBP+10]
    00411243   DFE0             FSTSW AX
    00411245   F6C4 44          TEST AH,44
    00411248   7B 08            JPO SHORT Test01.00411252
    0041124A   DD45 08          FLD QWORD PTR SS:[EBP+8]
    0041124D   DC75 10          FDIV QWORD PTR SS:[EBP+10]
    00411250   EB 02            JMP SHORT Test01.00411254
    00411252   D9EE             FLDZ
    00411254   5F               POP EDI
    00411255   5E               POP ESI
    00411256   5B               POP EBX
    00411257   8BE5             MOV ESP,EBP
    00411259   5D               POP EBP
    0041125A   C2 1000          RETN 10
    This is the same as before and the same difference as noted above(including noted fix from prev.).. So will the callee hold any thing useful for us lets check

    Code:
    00411270 > 55               PUSH EBP
    00411271   8BEC             MOV EBP,ESP
    00411273   81EC DC000000    SUB ESP,0DC
    00411279   53               PUSH EBX
    0041127A   56               PUSH ESI
    0041127B   57               PUSH EDI
    0041127C   8DBD 24FFFFFF    LEA EDI,DWORD PTR SS:[EBP-DC]
    00411282   B9 37000000      MOV ECX,37
    00411287   B8 CCCCCCCC      MOV EAX,CCCCCCCC
    0041128C   F3:AB            REP STOS DWORD PTR ES:[EDI]
    0041128E   6A 06            PUSH 6//same pushes as before
    00411290   6A 04            PUSH 4
    00411292   6A 03            PUSH 3
    00411294   E8 07FEFFFF      CALL Test01.004110A0
    //no cleaning of stack this is not (cdecl) check for stdcall next.. 
    00411299   8945 F8          MOV DWORD PTR SS:[EBP-8],EAX
    0041129C   83EC 08          SUB ESP,8//same
    0041129F   DD05 00414100    FLD QWORD PTR DS:[__real@401600000000000>
    004112A5   DD1C24           FSTP QWORD PTR SS:[ESP]
    004112A8   83EC 08          SUB ESP,8//same
    004112AB   DD05 F0404100    FLD QWORD PTR DS:[__real@403880000000000>
    004112B1   DD1C24           FSTP QWORD PTR SS:[ESP]
    004112B4   E8 B0FDFFFF      CALL Test01.00411069
    //no cleaning, check stdcall next
    004112B9   DD5D E8          FSTP QWORD PTR SS:[EBP-18]
    004112BC   33C0             XOR EAX,EAX
    004112BE   5F               POP EDI
    004112BF   5E               POP ESI
    004112C0   5B               POP EBX
    004112C1   81C4 DC000000    ADD ESP,0DC
    004112C7   3BEC             CMP EBP,ESP
    004112C9   E8 DCFDFFFF      CALL Test01.004110AA
    004112CE   8BE5             MOV ESP,EBP
    004112D0   5D               POP EBP
    004112D1   C3               RETN
    So analyzing stdcall relies on checking for stack cleanup after call for both (cdecl and stdcall)if it there it might be cdecl if not it might be stdcall. to do verification you keep track of params while at callee and then div param size by retn 0xn to get num of params.

    fastcall

    another slight mod and we get 'fastcall'..

    myfunc fast call...
    Code:
    004111E0 > 55               PUSH EBP
    004111E1   8BEC             MOV EBP,ESP
    004111E3   81EC D8000000    SUB ESP,0D8
    004111E9   53               PUSH EBX
    004111EA   56               PUSH ESI
    004111EB   57               PUSH EDI
    004111EC   51               PUSH ECX
    004111ED   8DBD 28FFFFFF    LEA EDI,DWORD PTR SS:[EBP-D8]
    004111F3   B9 36000000      MOV ECX,36
    004111F8   B8 CCCCCCCC      MOV EAX,CCCCCCCC
    004111FD   F3:AB            REP STOS DWORD PTR ES:[EDI]
    004111FF   59               POP ECX
    00411200   8955 EC          MOV DWORD PTR SS:[EBP-14],EDX
    00411203   894D F8          MOV DWORD PTR SS:[EBP-8],ECX
    00411206   8B45 F8          MOV EAX,DWORD PTR SS:[EBP-8]
    00411209   0345 EC          ADD EAX,DWORD PTR SS:[EBP-14]
    0041120C   0345 08          ADD EAX,DWORD PTR SS:[EBP+8]
    0041120F   5F               POP EDI
    00411210   5E               POP ESI
    00411211   5B               POP EBX
    00411212   8BE5             MOV ESP,EBP
    00411214   5D               POP EBP
    00411215   C2 0400          RETN 4
    I'm not to sure what to do in this case.. :/

    the funny part is that myfunc2 doesnt really change from the stdcall convention..
    Code:
    00411230 > 55               PUSH EBP
    00411231   8BEC             MOV EBP,ESP
    00411233   81EC C0000000    SUB ESP,0C0
    00411239   53               PUSH EBX
    0041123A   56               PUSH ESI
    0041123B   57               PUSH EDI
    0041123C   51               PUSH ECX
    0041123D   8DBD 40FFFFFF    LEA EDI,DWORD PTR SS:[EBP-C0]
    00411243   B9 30000000      MOV ECX,30
    00411248   B8 CCCCCCCC      MOV EAX,CCCCCCCC
    0041124D   F3:AB            REP STOS DWORD PTR ES:[EDI]
    0041124F   59               POP ECX
    00411250   D9EE             FLDZ
    00411252   DC5D 10          FCOMP QWORD PTR SS:[EBP+10]
    00411255   DFE0             FSTSW AX
    00411257   F6C4 44          TEST AH,44
    0041125A   7B 08            JPO SHORT Test01.00411264
    0041125C   DD45 08          FLD QWORD PTR SS:[EBP+8]
    0041125F   DC75 10          FDIV QWORD PTR SS:[EBP+10]
    00411262   EB 02            JMP SHORT Test01.00411266
    00411264   D9EE             FLDZ
    00411266   5F               POP EDI
    00411267   5E               POP ESI
    00411268   5B               POP EBX
    00411269   8BE5             MOV ESP,EBP
    0041126B   5D               POP EBP
    0041126C   C2 1000          RETN 10
    But Main does change.. a little..and provides a little insight..
    Code:
    00411280 > 55               PUSH EBP
    00411281   8BEC             MOV EBP,ESP
    00411283   81EC DC000000    SUB ESP,0DC
    00411289   53               PUSH EBX
    0041128A   56               PUSH ESI
    0041128B   57               PUSH EDI
    0041128C   51               PUSH ECX
    0041128D   8DBD 24FFFFFF    LEA EDI,DWORD PTR SS:[EBP-DC]
    00411293   B9 37000000      MOV ECX,37
    00411298   B8 CCCCCCCC      MOV EAX,CCCCCCCC
    0041129D   F3:AB            REP STOS DWORD PTR ES:[EDI]
    0041129F   59               POP ECX
    004112A0   6A 06            PUSH 6//1 stack push
    004112A2   BA 04000000      MOV EDX,4//1 in edx
    004112A7   B9 03000000      MOV ECX,3//1 in ecx
    004112AC   E8 DBFDFFFF      CALL Test01.0041108C
    004112B1   8945 F8          MOV DWORD PTR SS:[EBP-8],EAX//return in eax...
    004112B4   83EC 08          SUB ESP,8
    004112B7   DD05 00414100    FLD QWORD PTR DS:[__real@401600000000000>
    004112BD   DD1C24           FSTP QWORD PTR SS:[ESP]
    004112C0   83EC 08          SUB ESP,8
    004112C3   DD05 F0404100    FLD QWORD PTR DS:[__real@403880000000000>
    004112C9   DD1C24           FSTP QWORD PTR SS:[ESP]
    004112CC   E8 A7FDFFFF      CALL Test01.00411078
    004112D1   DD5D E8          FSTP QWORD PTR SS:[EBP-18]
    004112D4   33C0             XOR EAX,EAX
    004112D6   5F               POP EDI
    004112D7   5E               POP ESI
    004112D8   5B               POP EBX
    004112D9   81C4 DC000000    ADD ESP,0DC
    004112DF   3BEC             CMP EBP,ESP
    004112E1   E8 C9FDFFFF      CALL Test01.004110AF
    004112E6   8BE5             MOV ESP,EBP
    004112E8   5D               POP EBP
    004112E9   C3               RETN
    not a very reliable method for identifing __fastcall but its a start I guess...:[
    Last edited by BanMe; July 16th, 2010 at 17:38.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  6. #6
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4

    I continue none the less.. ;}

    As for the type of parameters, well, that's even harder and may in fact be impossible to do automatically. Imagine a function that just passes its 32-bit parameters on to another function, maybe even a virtual function. Are those parameters ints? floats? pointers? Who knows...
    well the key isnt to know the exact type, just the type shown through thorough analysis.

    But this does bring up a valid point..If a pointer is passed to a function as a output mechanism how would one determine its 'general size' staticly. we can discuss various methods but definitly, im going to try the simple ones first

    regards BanMe
    Last edited by BanMe; July 19th, 2010 at 00:27.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  7. #7
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4

    No ESP opcode tables for me yet...

    Im still open to other ideas,I mean I know I have to do as thorough of a disassembly job as possible(staticly),did oleh self code known dll functions into olly, I dont think that applies to 'unknown' dll's... Starts looking at olly with olly..Also is there 'any' other code out there that does enumerate parameters in assembled code and attempts to determine size?

    regards BanMe
    Last edited by BanMe; July 21st, 2010 at 10:44. Reason: The wording was off ...apologies.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  8. #8
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    Quote Originally Posted by BanMe View Post
    did oleh self code known dll functions into olly
    Yes, he did. There's a precompiled list of all known DLL functions in OllyDbg's resource section.

  9. #9
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4
    Thank you clarifying that for 'known' dll's, but how is it done with unknown dll's is what I meant. Thats the section of olly I am looking for, hopefully it will shed some light on this.. :d

    regards BanMe
    Last edited by BanMe; July 19th, 2010 at 10:05.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  10. #10
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4

    update found a open source decompiler that decompiles code into almost compilable C++

    Boomerang, is its name and its got some damn interesting source code.. sadly it all uses classes but the techniques are clearly defined and easy to understand.

    http://boomerang.sourceforge.net/

    regards BanMe
    Last edited by BanMe; July 22nd, 2010 at 12:40.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  11. #11
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,154
    Blog Entries
    5
    Maybe have a look at the algo here

    http://burrowscode.wordpress.com/2010/02/22/exporting-non-exported-functions-in-windows-pes-part-3-of-3/

    ...an algorithm to determine exactly the number of variables that a function expects to be passed to it...
    Kayaker

  12. #12
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4
    Great... Hit me with that small and simple python function after almost getting done.. no matter I still like the micro length disassembler in boomerang..although I'm not to great at classes, I guess I get a crash course at removing QT4 support from the code..any pointers on this regard?
    Last edited by BanMe; July 23rd, 2010 at 22:12.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  13. #13
    Blagodarenko
    Guest

    Binary file prototype extraction

    I've been solved this problem not so far. All I found is:
    1. There is no meens to recover origianal prototype, becouse __usercall convention exitsts etc.
    2. We can build usefull prototype that can be used to call common module function.

    I have wrote in my blog(http://artem.ufoctf.ru/?p=247&lang=en) about it.After that I have developed tool that:

    1. Generate functions prototypes.
    2. Make module SDK ( prototypes and addresses )
    3. Load test that using SDK into analyzed process.

    The tool is availiable here: http://ufoctf.ru/ufoblog/en/maiway-2/.

    I still have some trubles with trackimg parameters in stack.
    Last edited by Blagodarenko; August 19th, 2010 at 01:24. Reason: links don't work
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  14. #14
    Blagodarenko
    Guest

    Some ideas about __fastcall paremeters determination

    __fastcall and __usercall is the most difficalt to determinate. Some ideas about parameters that passed throuth registers: http://artem.ufoctf.ru/?p=236&lang=en.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  15. #15
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4

    ty for the replies.. :]

    Wonderful to see a nice tool like that and thanks for the pointers to fast call..
    kayakers posting is going to be indeed influential in dynamicly analyzing things and combined with bit more time this is going to work. And I mean seriously if I cant do it the 'nice' analytical way',can't I just cause a 'segment fault' like memalyze and gather information accordingly ..I bet I could emulate the driver to, but I dont have all the KD knowledge for that yet.There are still other ways and I will find them..
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

Similar Threads

  1. [ARTeam] generic unpacker source
    By deroko in forum Advanced Reversing and Programming
    Replies: 6
    Last Post: August 1st, 2007, 12:02
  2. .NET generic unpacker
    By pnluck in forum Tools of Our Trade (TOT) Messageboard
    Replies: 17
    Last Post: September 30th, 2006, 09:01
  3. My First Script: Stack based generic a s p r u n p
    By orion in forum OllyScript Plugin
    Replies: 10
    Last Post: July 5th, 2004, 16:49
  4. A new generic multipurpose patcher tool
    By druvo in forum Tools of Our Trade (TOT) Messageboard
    Replies: 2
    Last Post: March 28th, 2003, 16:14
  5. parameters passed to a call
    By The Keeper in forum Advanced Reversing and Programming
    Replies: 4
    Last Post: March 7th, 2002, 12:22

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •