Hey I hope you can help me with some of the following =)
I'm trying to learn how stuff is stored in memory and how objects are passed...
Say you have:
struct somestruct
{
float f;
dword dw;
int i;
char *sz;
} test;
void SomeFunc( somestruct whatever )
{
}
Now in asm that will be push whatever; call SomeFunc...
Now how would I go about finding out how the structure is defined by looking at it in memory? How can I find out how many members and what kind those members are? Say via either a disassembler or SICE/OllyDbg...
Another thing is generally structs and arrays defined... They are stored in memory but how the memoryboundaries for such an "object"? If you know there is an array of say 10 DWORDs such as a jumptable, could you scan for that? Sure you can scan for 10 DWORDs but how can you be sure it is an array of 10 DWORDs (jumptable like for a switchstatement) etc?
Finding out how stuff is stored is really annoying :PPP
If someone could tell me I'd be really appreciative =)
Regards SFP.
I'm trying to learn how stuff is stored in memory and how objects are passed...
Say you have:
struct somestruct
{
float f;
dword dw;
int i;
char *sz;
} test;
void SomeFunc( somestruct whatever )
{
}
Now in asm that will be push whatever; call SomeFunc...
Now how would I go about finding out how the structure is defined by looking at it in memory? How can I find out how many members and what kind those members are? Say via either a disassembler or SICE/OllyDbg...
Another thing is generally structs and arrays defined... They are stored in memory but how the memoryboundaries for such an "object"? If you know there is an array of say 10 DWORDs such as a jumptable, could you scan for that? Sure you can scan for 10 DWORDs but how can you be sure it is an array of 10 DWORDs (jumptable like for a switchstatement) etc?
Finding out how stuff is stored is really annoying :PPP
If someone could tell me I'd be really appreciative =)
Regards SFP.
You can't. The most you can do is by guessing, by looking at how the codes access that part of the memory (the struct). This is the fuzzy part of disassembly..
Ah ok :((
Btw do you know of any plugin or simular to IDA Pro or any tool that will dump disassemble via branching?
Meaning that if you disassemble a func you can spesify that it will disassemble calls branching out say 5 levels? Because doing it by hand is really tiresome =)
But what about the memorysearching etc, that is finding arrays... ?
Btw do you know of any plugin or simular to IDA Pro or any tool that will dump disassemble via branching?
Meaning that if you disassemble a func you can spesify that it will disassemble calls branching out say 5 levels? Because doing it by hand is really tiresome =)
But what about the memorysearching etc, that is finding arrays... ?
Bump up, bump down and move it all around =)
Now how would I go about finding out how the structure is defined by looking at it in memory? How can I find out how many members and what kind those members are? Say via either a disassembler or SICE/OllyDbg...
for example FillRectint FillRect(
HDC hDC, // handle to DC
CONST RECT *lprc, // rectangle
HBRUSH hbr // handle to brush
);
it is assumed that the second parameter of the FillRect function is a pointer to a RECT structure, if you have a disassembler/debugger, it is pretty easy to distinguish the second parameter being pushed as a pointer to a RECT structure. You have to have some kind of mechanism that will distiniguish this and a reference data to check whether that function requires a structure.... size of the structure... what kind of structure... What you do then is get the size of the structure and retrieve the same amount of data on the memory address being pushed on the stack...
HDC hDC, // handle to DC
CONST RECT *lprc, // rectangle
HBRUSH hbr // handle to brush
);
try OllyDbg, you'll see what I mean. Though it's not what you desribed in the "High Level Fashion" but it helps you a little bit.
The image with a mouse over below is a just suggestion, not a feature of ollydbg but would be great. I believe this is what you are looking for? Try suggesting this feature at the OllyDbg forum - http://ollydbg.win32asmcommunity.net/ :)
you can also suggest to be able to use, user defined datas, I mean the user is able to supply it's own structure definitions, constants at runtime. I may be wrong but I don't think OllyDbg is capable of doing this yet but would be nice, if it's possible in the future...
names of functions may be difficult since you can't assume everything to be in a DLL but I think a feature of placing a specific ID(sequence of numbers) before the function would be nice... or maybe a specific memory address where the function resides - bad idea... or you can mark specific functions at runtime to distinguish what kind of function it is, depending on the data(structure definitions, constants) you specified...
the idea here is kinda foggy but I'll elaborate more later... :)
Ye something like that would be great =))