Tech19
February 26th, 2002, 16:16
I have a program that checks the previous registration info at startup. I can find this check easily enough; however, I can't find the call or jump that leads to this check. The check starts at 0042B770, but when I disassemble the exe and go to this address, it does not have any referenced jumps or calls. Also, the few lines of code above it are all NOPs and then a RET... Could anyone tell me how I could find the address that jumps/calls 0042B770? Thanks.
DakienDX
February 26th, 2002, 16:46
Hello Tech19 !
Since I don't think there is much encryption in it, I can only think of two ways:
Code:
Proc1:
...
Mov EAX, [????????]
Cmp EAX, ????????
Ja BadFunction
Jmp DWord Ptr [4*EAX+????????]
Code:
Proc2:
...
Mov E?X, [????????]
Call DWord Ptr [E?X+??]
Here we have a jump-table. It is at address ????????. The 4*EAX denotes the function called, since every address has 4 bytes. The Cmp checks that the jump does not go through a memory address where no pointer to a valid procedure is stored. So you should go to the jump-table start, find the procedure with the keycheck, find the value of EAX which needs to be passed to Proc1, and set a breakpoint with the condition EAX==????????. Then you can see where the call came from.
This one is a bit more complicated, since you don't know the address of the jump-table, so you have to use a debugger and check it at runtime.
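The Proc1 pattern above can be found without a debugger: `jmp dword ptr [reg*4+disp32]` has a fixed encoding (opcode FF /4, ModRM 24h, an SIB byte with scale 4 and no base register, then the table address as a 32-bit displacement), and the `cmp reg, imm ; ja BadFunction` guard in front of it gives the number of table entries. The script below is an added example, not code from this thread or from any disassembler: it scans a raw image for such dispatchers, reads each table, and reports the index the register must hold to reach a given target (0042B770 here). The image it works on is constructed inline (a 0x200-byte buffer mapped at 0x400000 with one dispatcher and a four-entry table); the image base, the table contents and the entry addresses are assumptions made for the demonstration.

```python
# Added example, not from the thread: statically locate `jmp dword ptr [reg*4+table]`
# dispatchers, recover the table size from the bounds check, and find the index
# (the value the register must hold) that reaches a target address.
import struct

# SIB byte for [index*4 + disp32] with no base register (scale=10b, base=101b),
# keyed by index register: value is (register code, register name).
SCALE4_NOBASE_SIB = {0x85: (0, "eax"), 0x8D: (1, "ecx"), 0x95: (2, "edx"), 0x9D: (3, "ebx"),
                     0xAD: (5, "ebp"), 0xB5: (6, "esi"), 0xBD: (7, "edi")}

def find_jump_tables(image, base):
    """Return (insn_va, reg_code, reg_name, table_va) for every
    FF 24 <sib> disp32 = jmp dword ptr [reg*4+disp32] found in the image."""
    hits = []
    i = 0
    while i + 7 <= len(image):
        if image[i] == 0xFF and image[i + 1] == 0x24 and image[i + 2] in SCALE4_NOBASE_SIB:
            code, name = SCALE4_NOBASE_SIB[image[i + 2]]
            table_va = struct.unpack_from("<I", image, i + 3)[0]
            hits.append((base + i, code, name, table_va))
            i += 7
        else:
            i += 1
    return hits

def entry_count(image, insn_off, reg_code):
    """Recover the table size from the guard `cmp reg, imm8 ; ja BadFunction`
    (83 F8+reg ib ; 77 rel8) that precedes the jmp. None if the guard is not there."""
    if insn_off >= 5 and image[insn_off - 2] == 0x77 \
            and image[insn_off - 5] == 0x83 and image[insn_off - 4] == 0xF8 + reg_code:
        return image[insn_off - 3] + 1      # indexes 0..imm8 pass the `ja`
    return None

def table_entries(image, base, table_va, count):
    """Read `count` little-endian 32-bit pointers starting at table_va."""
    off = table_va - base
    return [struct.unpack_from("<I", image, off + 4 * k)[0] for k in range(count)]

def locate_dispatch(image, base, target_va):
    """All (insn_va, reg_name, table_va, count, index) through which target_va is reachable."""
    results = []
    for insn_va, code, name, table_va in find_jump_tables(image, base):
        count = entry_count(image, insn_va - base, code)
        if count is None:
            continue
        entries = table_entries(image, base, table_va, count)
        if target_va in entries:
            results.append((insn_va, name, table_va, count, entries.index(target_va)))
    return results

def build_sample():
    """Constructed image (assumption for the demo): 0x200 bytes mapped at 0x400000, a
    Proc1-style dispatcher at 0x400010 and a four-entry table at 0x400100 whose
    slot 2 points at the keycheck address 0x42B770."""
    img = bytearray(0x200)
    img[0x10:0x1D] = (bytes([0x83, 0xF8, 0x03,          # cmp eax, 3
                             0x77, 0x07,                # ja BadFunction (-> 0x40001C)
                             0xFF, 0x24, 0x85])         # jmp dword ptr [eax*4+0x400100]
                      + struct.pack("<I", 0x400100)
                      + b"\xC3")                        # BadFunction: ret
    img[0x100:0x110] = struct.pack("<4I", 0x401000, 0x401050, 0x42B770, 0x401200)
    return bytes(img)

if __name__ == "__main__":
    for insn_va, reg, table_va, count, idx in locate_dispatch(build_sample(), 0x400000, 0x42B770):
        print(f"jmp at {insn_va:08X}: table {table_va:08X} ({count} entries); "
              f"break at the jmp when {reg} == {idx}")
```

The reported index is what the conditional breakpoint in the post should test for (`eax == 2` in the constructed sample); hitting it and looking at the return address on the stack shows who set the register. Real binaries also use `ja rel32` (0F 87) and `cmp r32, imm32` (3D / 81 /7) guards, which this guard decoder does not handle, and the Proc2 form (`call dword ptr [reg+disp]`) carries no table address in the instruction at all, so that one still has to be resolved at runtime as the post says.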