Hi,

I am writing an OllyDBG plugin to parse arguments to a given function, essentially by locating calls to the function then disassembling back, looking for PUSH instructions. I can handle simple instances of PUSH contant or PUSH register but I am not sure how to decode instructions such as: PUSH DWORD PTR SS:[EBP+8]. What fields of t_disasm will indicate this is happening? I can't find any that indicate EBP is the register involved.

Cheers

J

I was about to recommend the OllyDbg forum for better luck getting an answer to this, but I just saw you posted there too.

For anyone else interested:

hxxp://ollydbg.win32asmcommunity.net/


dELTA

As far as I can tell OllyDBG tries to calculate the memory address from the reg + offset which is obviously ok at a breakpoint but is meaningless when the program isn't actually running and the reg values are unknown. I just want to check where arguments are coming from (specifically if its from the stack, e.g. is it a PUSH DWORD PTR SS:[EBP +/- offset]).

JH