Olly replaces addresses of known functions by their names, so you'll see "<&ADVAPI32.RegSetValueExW>" instead of it's address. I'm writing a plugin for Olly and retrieve a t_disasm struct. Now I'd like to extract the address info for strings like the above. However, I can't figure out how to do this reliably. Sometimes the address is stored in addrconst, sometimes in opdata[0], sometimes in immconst.
Question: how can I retrieve the correct function address from a t_disasm struct, if, and only if, the symbol actually is a function name?

regards,

Sören

you mean olly already has done the work and you simply want to leech its output

have Your Tried playing with

FindName(),
FindDecode()
DecodeName(),
FindSymbolicName(),
FindLabelByName(),
FindImportByName(),
FindDecode(),
DecodeAddress()
DecodeKnownArguments()
DecodeFullVarName()

does none of them provide you the results

why should you parse t_disasm when you have easier and faster methods ?

Thank you, but as far as I can tell none of those functions does what I want. I essentially need the inverse of "Decodeaddress" or alternatively a way of reliably getting the address from t_disasm.

Any other suggestions?

regards,

Sören

are you saying you want to know how to emulate the behaviour

when you do option-> debugging options -->disasm--> show local module names

and show symbolic address ?



like you want to retrieve the 0x4AF072 ?

Yes, that's pretty much what I want. Or rather - I want both infos, the name and the address. Not only for call instructions but for others as well, i.e. mov eax, <&somefunction>.

Any tips?

thanks,

Sören

Are you looking for Decodename and/or Findname? Using those on adrconst, immconst, jmpaddr/jmpconst and opaddr[0..2] should give you the info you want.

Thank you. But how do I tell when to look in which of those variables? I tried switching on optype but did not get correct results as the DEC_* optype constants only seem to encode size info, not actual type.

regards,

Sören