Some Question about "ParseFunction"

delphi package - full disassembler

Postby cde » Wed Oct 13, 2004 6:34 pm

Dear Madshi,

When we trace the address of the "WriteProcessMemory" API,
we finally get the following full "disAsm" message.


77e7adb9 public WriteProcessMemory: ; function entry point
77e7adb9 jmp -$17f55c3e ($5ff25180)


Can "ParseFunction" still work in the high memory where kernel32.dll
is really loaded?

Best Regards,
cch
cde
 
Posts: 8
Joined: Sat Oct 09, 2004 10:48 am

Postby nildo » Wed Oct 13, 2004 7:26 pm

Try to ParseFunction with the pointer:
Pointer( $5ff25180 )
nildo
 
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am
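
The entry-point line from the first post, worked through as an added example (not code from the thread or from madDisAsm): it decodes the relative JMP, reproduces the `$5ff25180` target that nildo suggests passing to ParseFunction, and checks whether that target lies outside a module's image range. The instruction bytes are reconstructed from the displacement shown in the listing; `ASSUMED_BASE`, `ASSUMED_SIZE` and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Result of decoding the first instruction at a function entry point. */
typedef struct {
    int      is_jmp;   /* 1 if the entry starts with a direct relative JMP */
    int      length;   /* encoded instruction length in bytes */
    uint32_t target;   /* absolute 32-bit destination of the jump */
} entry_jmp;

/* Decode E9 rel32 (near) or EB rel8 (short) at virtual address va.
 * The displacement is relative to the address of the NEXT instruction. */
entry_jmp decode_entry_jmp(const uint8_t *code, size_t len, uint32_t va)
{
    entry_jmp r = {0, 0, 0};
    if (len >= 5 && code[0] == 0xE9) {
        uint32_t rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                       (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
        r.is_jmp = 1; r.length = 5;
        r.target = va + 5u + rel;            /* wraps mod 2^32, as on x86-32 */
    } else if (len >= 2 && code[0] == 0xEB) {
        r.is_jmp = 1; r.length = 2;
        r.target = va + 2u + (uint32_t)(int32_t)(int8_t)code[1];
    }
    return r;
}

/* 1 if the jump leaves the image range [base, base+size) of the module. */
int leaves_module(entry_jmp j, uint32_t base, uint32_t size)
{
    return j.is_jmp && (uint32_t)(j.target - base) >= size;
}

/* Bytes rebuilt from the displacement -$17f55c3e shown in the thread. */
const uint8_t WPM_ENTRY[5] = {0xE9, 0xC2, 0xA3, 0x0A, 0xE8};
/* Hypothetical module range for illustration only; not from the thread. */
#define ASSUMED_BASE 0x77E60000u
#define ASSUMED_SIZE 0x00100000u

int main(void)
{
    entry_jmp j = decode_entry_jmp(WPM_ENTRY, sizeof WPM_ENTRY, 0x77E7ADB9u);
    printf("jmp target $%08x, leaves module: %d\n",
           (unsigned)j.target, leaves_module(j, ASSUMED_BASE, ASSUMED_SIZE));
    return 0;
}
```

An entry point whose first instruction jumps out of its own module is redirected elsewhere, so the code to disassemble next is at the jump target rather than after the JMP.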

Postby cde » Wed Oct 13, 2004 7:52 pm

Dear Nildo,
    I have traced several functions in my application. In some cases
    "ParseFunction" can parse the full code, but most stop at "jmp".
    It seems not to be the "full code" of the function. How can we know
    when, and under what condition or rule, "ParseFunction" will stop? :wink:

Thanks.
Best regards,
cch.
cde
 
Posts: 8
Joined: Sat Oct 09, 2004 10:48 am

Postby nildo » Wed Oct 13, 2004 8:04 pm

cde wrote: Dear Nildo,
    I have traced several functions in my application. In some cases
    "ParseFunction" can parse the full code, but most stop at "jmp".
    It seems not to be the "full code" of the function. How can we know
    when, and under what condition or rule, "ParseFunction" will stop? :wink:
Thanks.
Best regards,
cch.


Hello!
A JMP is an unconditional jump, so the code which is below this JMP will not be executed. This is different from CALL, which calls that address and then goes back to where it was called. But it really should be disassembled... What if you want to see what is below that JMP? hehe
The ParseFunction will stop when it sees a $C3 (which is a RET).
nildo
 
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Postby cde » Wed Oct 13, 2004 8:25 pm

Dear Nildo,
    Sometimes, when we trace a function or API, it would be very useful if
    we could get a full "tree" of that function or API. :D



Thanks.
Best regards,
cch.
cde
 
Posts: 8
Joined: Sat Oct 09, 2004 10:48 am

Postby nildo » Wed Oct 13, 2004 8:27 pm

cde wrote: Dear Nildo,
    Sometimes, when we trace a function or API, it would be very useful if
    we could get a full "tree" of that function or API. :D



Thanks.
Best regards,
cch.


Yes, it will be very useful! But we need to tell that to Madshi, I'm just a single user! :D
nildo
 
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

