Heya,
what I wonder is: what is the best way to identify 'procedures' after compiling, and therefore in the disassembly decoding?
A procedure should have some sort of byte signature.

call 00401234

00401234:
XXX..
XXX..
...
..
RET

The XXX part should be the signature to identify a procedure, since each procedure should follow the same rule: push stack pointer, ..., return.
Any specific data I might follow?
Posted on 2003-07-27 16:18:46 by wizzra
Well, the best bet I guess is "push ebp, mov ebp,esp" ... combined with the "leave, ret" it's almost a sure bet.

Fake
Posted on 2003-07-27 16:22:31 by Fake51
Heya,
for a procedure with parameters I guess that would be fine, yeah.
Naked procs would be found just by examining a RET.



2038:000A E80100 CALL 000E
17:
18: RET ;<end of program>
2038:000D CB RETF
19: START ENDP
20:
21: TESTP PROC NEAR C A:BYTE
2038:000E 55 PUSH BP
2038:000F 8BEC MOV BP,SP
22:
23: RET
2038:0011 5D POP BP
24: TESTP ENDP


558BEC signature followed by 5DC3 signature
Posted on 2003-07-27 16:42:40 by wizzra
> 558BEC signature followed by 5DC3 signature

That is not sufficient. Some procedures can have no prologue.
You must consider the references.
Posted on 2003-07-29 23:31:38 by n u M I T_o r

> Heya,
> what I wonder is: what is the best way to identify 'procedures' after compiling, and therefore in the disassembly decoding...


Hey,
I found the only way that can catch every possibility: after reaching a RETN, go backwards through the code and find the instruction that PUSHes a value on the stack. First, of course, the disassembly has to be finished, with information about every instruction. It's difficult, but reliable ;)
Posted on 2003-07-30 12:15:27 by MazeGen
Consider one more thing: a procedure can have multiple exits.
But in my opinion, the best way is to collect all CALL references, filter out all external function calls, and you have found all procs.
Posted on 2003-07-30 17:29:12 by iwabee

> But in my opinion, the best way is to collect all CALL references, filter out all external function calls, and you have found all procs.

Maybe I'm picking too many holes in it, but not all CALLs need to be real calls to procedures. CALL is just
PUSH label
JMP target
label:

It also depends on how important it is to identify procedures with absolute certainty. If it is not so important, I agree with iwabee.
Posted on 2003-07-30 17:50:08 by MazeGen
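As an added illustration of the points raised in this thread (it is not code from any of the posters), the script below runs iwabee's "collect all CALL references" approach over a small constructed x86-32 byte blob and checks each target against the 558BEC / 5DC3 signatures from the earlier posts. The sample is built inline and is not taken from the thread: it contains one procedure with a prologue and two RET exits, one naked procedure that only a call reference reveals (n u M I T_o r's case), one indirect CALL [imm32] through an assumed import-table slot at 0x00402000 that gets filtered as external, and one CALL to the very next instruction, the get-EIP trick that MazeGen's "CALL is just PUSH label / JMP target" remark warns about. The load address 0x00401000 is an assumption for the example. The call scan is a byte scan, not a real disassembler, so a 0xE8 inside an immediate could give a false hit; MazeGen's point that the disassembly has to be finished first still stands.

```python
"""Recover procedure starts from CALL references and check prologue/epilogue signatures.
Constructed example for the thread above, not code from any poster."""
import struct

BASE = 0x00401000            # assumed load address of the constructed sample
PROLOGUE = b"\x55\x8B\xEC"   # push ebp / mov ebp,esp  (the 558BEC signature)
EPILOGUE = b"\x5D\xC3"       # pop ebp / ret           (the 5DC3 signature)
RET_OPCODES = {0xC3, 0xC2}   # ret / ret imm16


def rel32(src: int, dst: int) -> bytes:
    """rel32 displacement for a 5-byte CALL/JMP located at offset src."""
    return struct.pack("<i", dst - (src + 5))


def build_sample() -> bytes:
    """Constructed x86-32 code blob (offsets relative to BASE)."""
    code = bytearray()
    code += b"\xE8" + rel32(0x00, 0x20)                   # 0x00: call proc_a (has a prologue)
    code += b"\xE8" + rel32(0x05, 0x30)                   # 0x05: call proc_b (naked, no prologue)
    code += b"\xFF\x15" + struct.pack("<I", 0x00402000)   # 0x0A: call [0x402000]  (assumed import slot)
    code += b"\xE8" + rel32(0x10, 0x15)                   # 0x10: call $+5  get-EIP trick, not a proc
    code += b"\x5B"                                        # 0x15: pop ebx
    code += b"\xC3"                                        # 0x16: ret
    code += b"\xCC" * (0x20 - len(code))                   # int3 padding
    code += b"\x55\x8B\xEC"                                # 0x20: proc_a: push ebp / mov ebp,esp
    code += b"\x85\xC0"                                    # 0x23: test eax,eax
    code += b"\x74\x02"                                    # 0x25: jz +2  -> 0x29
    code += b"\x5D\xC3"                                    # 0x27: pop ebp / ret      (exit 1)
    code += b"\x33\xC0"                                    # 0x29: xor eax,eax
    code += b"\x5D\xC3"                                    # 0x2B: pop ebp / ret      (exit 2)
    code += b"\xCC" * (0x30 - len(code))
    code += b"\x8B\xC1\xC3"                                # 0x30: proc_b: mov eax,ecx / ret
    code += b"\xCC" * (0x34 - len(code))
    return bytes(code)


def collect_calls(code: bytes, base: int):
    """Byte-scan for E8 rel32 (direct) and FF 15 disp32 (indirect, import-style) calls.
    Returns (direct, external, fake): direct = [(site, target)], external = [(site, slot)],
    fake = [site] for calls whose target is the next instruction (get-EIP trick)."""
    direct, external, fake = [], [], []
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0xE8 and i + 5 <= len(code):
            disp = struct.unpack_from("<i", code, i + 1)[0]
            target = i + 5 + disp
            if target == i + 5:
                fake.append(base + i)
                i += 5
                continue
            if 0 <= target < len(code):      # only targets inside the blob count as references
                direct.append((base + i, base + target))
                i += 5
                continue
        elif op == 0xFF and i + 6 <= len(code) and code[i + 1] == 0x15:
            external.append((base + i, struct.unpack_from("<I", code, i + 2)[0]))
            i += 6
            continue
        i += 1
    return direct, external, fake


def describe_procs(code: bytes, base: int, targets):
    """For each distinct call target, report whether it starts with 558BEC, how many
    5DC3 epilogues it contains, and how many RET exits lie before the next candidate."""
    starts = sorted(set(targets))
    procs = {}
    for n, start in enumerate(starts):
        off = start - base
        end = starts[n + 1] - base if n + 1 < len(starts) else len(code)
        body = code[off:end]
        procs[start] = {
            "prologue": body.startswith(PROLOGUE),
            "epilogues": body.count(EPILOGUE),
            "exits": sum(1 for b in body if b in RET_OPCODES),
        }
    return procs


def analyze(code=None, base: int = BASE):
    code = build_sample() if code is None else code
    direct, external, fake = collect_calls(code, base)
    procs = describe_procs(code, base, [t for _, t in direct])
    return {"procs": procs, "external": external, "fake_calls": fake}


if __name__ == "__main__":
    result = analyze()
    for addr, info in sorted(result["procs"].items()):
        print(f"proc {addr:08X}: prologue={info['prologue']} exits={info['exits']}")
    for site, slot in result["external"]:
        print(f"external call at {site:08X} via [{slot:08X}] (filtered)")
    for site in result["fake_calls"]:
        print(f"call at {site:08X} targets the next instruction: not a procedure")
```

Running it reports proc 00401020 with a prologue and two exits, proc 00401030 with no prologue (found only because something CALLs it), the import call at 0040100A filtered out as external, and the CALL at 00401010 flagged as a get-EIP trick rather than a procedure.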