I have an executable from which I want to acquire some variable value. I have disassembled the executable file and it looks like this:
debug386:078AEBA5 loc_78AEBA5: ; CODE XREF: debug386:078AEB9Ej
debug386:078AEBA5 mov eax, [ebp+5050h]
debug386:078AEBAB neg eax
debug386:078AEBAD mov [ebp+5050h], eax
debug386:078AEBB3 mov ecx, [ebp+5050h]
debug386:078AEBB9 mov eax, [ebp+5028h]
debug386:078AEBBF add eax, ecx
debug386:078AEBC1 mov [ebp+5028h], eax
debug386:078AEBC7 mov eax, [ebp+5028h]
debug386:078AEBCD mov ecx, [ebp+2A7Dh]
debug386:078AEBD3 cmp eax, ecx
debug386:078AEBD5 mov eax, 1
debug386:078AEBDA jl loc_78AEBE5
debug386:078AEBE0 mov eax, 0
debug386:078AEBE5
Now I have two problems. The first is that the segment which contains the code, debug386, is visible in IDA only when I debug the application. I can't see it in the disassembly view if the application is not running with the debugger attached. I have the impression that this segment is unpacked from somewhere at runtime, but I think this is not a problem, assuming that I can sequentially scan process memory and find the correct address by matching the bytes of this code. My main problem is that I don't know how to hook loc_78AEBA5. If I acquire the correct memory address of loc_78AEBA5, then what? What signatures should the callback and next-function pointers have?
Any help would be greatly appreciated.