Some Question about "ParseFunction"

delphi package - full disassembler
cde
Posts: 8
Joined: Sat Oct 09, 2004 10:48 am

Post by cde »

Dear Madshi,

When we trace the address of the "WriteProcessMemory" API,
we finally get the full "disAsm" message as follows:


77e7adb9 public WriteProcessMemory: ; function entry point
77e7adb9 jmp -$17f55c3e ($5ff25180)


Can "ParseFunction" still work in the high memory where kernel32.dll
is really loaded?

Best Regards,
cch
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

Try to ParseFunction with the pointer:
Pointer( $5ff25180 )
cde
Posts: 8
Joined: Sat Oct 09, 2004 10:48 am

Post by cde »

Dear Nildo,
  1. I have traced several functions in my application. In some cases
    "ParseFunction" can parse the full code, but most stop at "jmp".
    It does not seem to be the "full code" of the function. How can we know
    when, and under what condition or rule, "ParseFunction" will stop? :wink:
Thanks.
Best regards,
cch.
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

cde wrote:
Dear Nildo,
  1. I have traced several functions in my application. In some cases
    "ParseFunction" can parse the full code, but most stop at "jmp".
    It does not seem to be the "full code" of the function. How can we know
    when, and under what condition or rule, "ParseFunction" will stop? :wink:
Thanks.
Best regards,
cch.

Hello!
A JMP is an unconditional jump, so the code which is below this JMP will not be executed. This is different from CALL, which calls that address and then goes back to where it was called. But it really should be disassembled... What if you want to see what is below that JMP? hehe
The ParseFunction will stop when it sees a $C3 (which is a RET).
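
Added example, not part of the thread and not madDisAsm code: a small C routine that resolves the direct JMP found at a function entry, so the disassembler can be pointed at the destination as suggested above with Pointer( $5ff25180 ). The names resolve_entry_jmp and follow_jmps are hypothetical, and the ENTRY bytes are constructed by encoding the disassembly line from the first post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the 5 bytes that encode the page's
 * "jmp -$17f55c3e" at 77e7adb9 (E9 + little-endian rel32). */
static const uint8_t ENTRY[] = { 0xE9, 0xC2, 0xA3, 0x0A, 0xE8 };

/* Decode a direct 32-bit x86 JMP at `code` (mapped at address `va`).
 * Returns its length and sets *target, or returns 0 if not E9/EB. */
size_t resolve_entry_jmp(const uint8_t *code, size_t len, uint32_t va,
                         uint32_t *target)
{
    if (len >= 5 && code[0] == 0xE9) {          /* jmp rel32 */
        uint32_t rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                       (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
        *target = va + 5 + rel;   /* relative to the next instruction; */
        return 5;                 /* unsigned wrap gives the signed sum */
    }
    if (len >= 2 && code[0] == 0xEB) {          /* jmp rel8 */
        *target = va + 2 + (uint32_t)(int32_t)(int8_t)code[1];
        return 2;
    }
    return 0;
}

/* Follow up to max_hops direct jumps through `img` (bytes mapped at `base`).
 * Returns the first address that is not a direct JMP or is outside `img`. */
uint32_t follow_jmps(const uint8_t *img, size_t img_len, uint32_t base,
                     uint32_t va, int max_hops)
{
    while (max_hops-- > 0) {
        uint32_t off = va - base, next;
        if (va < base || off >= img_len)
            break;                /* target is outside the bytes we hold */
        if (!resolve_entry_jmp(img + off, img_len - off, va, &next))
            break;                /* real code starts here */
        va = next;
    }
    return va;
}

int main(void)
{
    uint32_t va = 0x77e7adb9u;    /* entry point shown in the first post */
    printf("disassemble next at $%08x\n",
           (unsigned)follow_jmps(ENTRY, sizeof ENTRY, va, va, 8));
    return 0;
}
```

The hop limit keeps a jump that targets itself (EB FE) from looping forever.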
cde
Posts: 8
Joined: Sat Oct 09, 2004 10:48 am

Post by cde »

Dear Nildo,
  1. Sometimes, when we trace a function or API, it would be very useful if
    we could get a full "tree" of that function or API. :D


Thanks.
Best regards,
cch.
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

cde wrote:
Dear Nildo,
  1. Sometimes, when we trace a function or API, it would be very useful if
    we could get a full "tree" of that function or API. :D

Thanks.
Best regards,
cch.

Yes, it will be very useful! But we need to tell that to Madshi, I'm just a single user! :D