
Some Question about "ParseFunction"

PostPosted: Wed Oct 13, 2004 6:34 pm
by cde
Dear Madshi,

When we trace the address of the "WriteProcessMemory" API,
we finally get the full "disAsm" message that follows.


77e7adb9 public WriteProcessMemory: ; function entry point
77e7adb9 jmp -$17f55c3e ($5ff25180)


Can "ParseFunction" still work in the high memory where kernel32.dll
is really loaded?

Best Regards,
cch

PostPosted: Wed Oct 13, 2004 7:26 pm
by nildo
Try to ParseFunction with the pointer:
Pointer( $5ff25180 )
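As an added example (not code from the thread or from madshi's libraries), the following Python decodes the relative jump shown above and follows it to the address nildo suggests passing to ParseFunction. The memory image is constructed: it assumes the instruction at 77e7adb9 is a 5-byte E9 rel32 jmp, which is consistent with the displayed target $5ff25180.

```python
import struct

# Constructed memory image (assumption, not taken from the post): the five
# bytes at 0x77e7adb9 encode "jmp -$17f55c3e" as opcode E9 followed by a
# little-endian signed 32-bit displacement.
JMP_ADDR = 0x77E7ADB9
REL32 = -0x17F55C3E
MEMORY = {JMP_ADDR: b"\xE9" + struct.pack("<i", REL32)}


def read(addr, n):
    """Return n bytes starting at addr from the constructed memory image."""
    for base, blob in MEMORY.items():
        if base <= addr and addr + n <= base + len(blob):
            off = addr - base
            return blob[off:off + n]
    raise ValueError(f"no bytes mapped at {addr:#x}")


def decode_jmp_rel32(addr):
    """Decode an E9 rel32 jump at addr; return (rel32, target) or None."""
    code = read(addr, 5)
    if code[0] != 0xE9:
        return None
    rel = struct.unpack("<i", code[1:5])[0]
    # The displacement is relative to the next instruction, i.e. the jmp's
    # own address plus its 5-byte length, wrapped to the 32-bit address space.
    target = (addr + 5 + rel) & 0xFFFFFFFF
    return rel, target


def follow_jmps(addr, max_hops=8):
    """Follow a chain of unconditional rel32 jumps from addr and return the
    first address that is not such a jump, i.e. where to re-run the parser."""
    for _ in range(max_hops):
        try:
            decoded = decode_jmp_rel32(addr)
        except ValueError:
            return addr  # bytes not mapped in our image: stop here
        if decoded is None:
            return addr  # not a jmp: the real code starts here
        addr = decoded[1]
    raise RuntimeError("jump chain too long (possible loop)")


if __name__ == "__main__":
    rel, target = decode_jmp_rel32(JMP_ADDR)
    print(f"{JMP_ADDR:08x} jmp {rel:+#x} -> {target:08x}")
    print(f"pointer to hand to ParseFunction: {follow_jmps(JMP_ADDR):#x}")
```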

PostPosted: Wed Oct 13, 2004 7:52 pm
by cde
Dear Nildo,
    I have traced several functions in my application. In some cases
    "ParseFunction" can parse the full code, but most stop at a "jmp".
    It seems not to be the "full code" of the function. How can we know
    when, and under what condition or rule, "ParseFunction" will stop? :wink:

Thanks.
Best regards,
cch.

PostPosted: Wed Oct 13, 2004 8:04 pm
by nildo
cde wrote: Dear Nildo,
    I have traced several functions in my application. In some cases
    "ParseFunction" can parse the full code, but most stop at a "jmp".
    It seems not to be the "full code" of the function. How can we know
    when, and under what condition or rule, "ParseFunction" will stop? :wink:
Thanks.
Best regards,
cch.


Hello!
A JMP is an unconditional jump. So the code which is below this JMP will not be executed. Different from CALL, which calls that address and then goes back to where it was called from. But it really should be disassembled.... What if you want to see what is below that JMP? hehe
The ParseFunction will stop when it sees a $C3 (which is a RET).

PostPosted: Wed Oct 13, 2004 8:25 pm
by cde
Dear Nildo,
    Sometimes, when we trace a function or API, it would be very useful if
    we could get a full "tree" of that function or API. :D



Thanks.
Best regards,
cch.

PostPosted: Wed Oct 13, 2004 8:27 pm
by nildo
cde wrote: Dear Nildo,
    Sometimes, when we trace a function or API, it would be very useful if
    we could get a full "tree" of that function or API. :D



Thanks.
Best regards,
cch.


Yes, it would be very useful! But we need to tell that to Madshi, I'm just a single user! :D