I want to find a static pointer to my value in a game, but when I BP on the value I get the line:



So I say to myself that this pointer is dynamic because it involves ESI, and ESI will change, and therefore be unreliable.

What I need help with is finding out how ESI gets populated, so I followed ESI back in the code until this line:



Yes this is where ESI gets populated, but still there is no sight of a static pointer, so now I must trace ECX back and find how ECX got populated with the value. Here the problem arises because if you look in the code that I posted below, the line MOV ESI,ECX is at the start of the routine, so ECX cannot be traced any further back.

So what now? How do I continue to trace ECX back on my quest for the static pointer?

Thanks


*Code removed*

Hi

To backtrace into the calling proc you can either check out a static disassembly, or use the live approach of setting a BPM x on the first instruction in the current proc.

005A64A0 83EC 08 SUB ESP,8


I haven't done that in quite a while, but when Softice breaks it should tell you the LastEIP or EIPFrom or whatever the term is (have forgotten exactly). This calling EIP value should be from some *other* proc, then you can set a BP on that address and continue to trace back within that proc, and repeat as necessary...

Kayaker

This is also done by Olly, it shows you something like 'Call from <address>' directly inside the 'information' window (the one below the 'code' window)

Zai

When I Bp on SUB ESP,8 it says

0012FC4C 005FA0AE RETURN to game.005FA0AE

It doesn't say where from

In Olly

Another resource is:
Type on SoftIce: WS or Window Stack

It displays the call stack.
The first line is the current instruction, the second line contains the address where the current code was called from. by double clicking on it you can quickly go to the area that called the SUB ESP, 8 and see who or what was loaded into ECX. if it is not waht you are looking for you can look into the third line, which is the caller of the caller, and so on.

It only works for CALL. if the calling code was something like JMP EBX, you need some other strategy to trace back.

I'm using Olly, but olly also has a stack window.

No luck.

If you are able to debug with olly, maybe you can run a "run trace" until it hits the breakpoint at the MOV ESI, ECX instruction. This will show in the trace log, the instructions that ran before it got to here.

-nt20

Sounds good.

How can I do this?

I'm not good enough to explain it, here's some links I found googling

http://home.t-online.de/home/OllyDbg/Tut_rtr.htm

http://216.239.37.104/search?q=cache:P6xZSYsM3RcJ:www.immunitysec.com/papers/msrpcheap2.pdf+run+trace+ollydbg&hl=en&ie=UTF-8

http://ollydbg.win32asmcommunity.net/?action=vthread&forum=1&topic=435

And you can search "run trace" in the ollydbg forum mentioned above and get lots of links that may help you.

-nt20

load the target with olly

right click -> run trace -> set condition
eip is in range 005A64A5 to 005A64A7

hit trace into

when it breaks:
view -> run trace

you should find a "mov ecx, something" right before the call to that routine....

some compilers (vc with fastcall convention?) use ecx and edx to pass the first two arguments to a function

cheers
koyaan

Hmm,

Maybe there is a step missing, because I do all that, but nothing comes up in the run trace window, and the game doesn't break.

Maybe because I'm attatching the debugger after the game loads?

if its only executed at startup

try broadening the eip range