Finding ECX origin

Need Help With an Existing Feature in Memory Hacking Software? Ask Here

Postby slointe » Sun Nov 04, 2007 3:16 pm

This one has been bugging me

1EF845DE   CC               INT3
1EF845DF   CC               INT3
1EF845E0   51               PUSH ECX ; Where do I originate?
1EF845E1   D981 D80A0000    FLD DWORD PTR DS:[ECX+AD8]  ; ECX is what I want but it's dynamic         
1EF845E7   51               PUSH ECX
1EF845E8   D889 D40A0000    FMUL DWORD PTR DS:[ECX+AD4]
1EF845EE   D95C24 04        FSTP DWORD PTR SS:[ESP+4]
1EF845F2   D94424 04        FLD DWORD PTR SS:[ESP+4]
1EF845F6   D91C24           FSTP DWORD PTR SS:[ESP]
1EF845F9   E8 F285FDFF      CALL gamex86.1EF5CBF0
1EF845FE   83C4 08          ADD ESP,8
1EF84601   C3               RETN
1EF84602   CC               INT3


How do I go about finding what populates the PUSH ECX?
slointe
Hackleberry Fin
Posts: 28
Joined: Tue Jul 10, 2007 11:25 am

Postby mezzo » Sun Nov 04, 2007 9:12 pm

Dunno if this will work, but how about injecting code at 1EF845E1 and doing a pop, then writing the value somewhere in a 'temp' RAM location and pushing it again?
- No thanks, I already have a penguin -
mezzo
El Mariachi
Posts: 739
Joined: Mon Apr 30, 2007 10:27 pm
Location: Antwerp

Postby L. Spiro » Mon Nov 05, 2007 9:35 am

How do I go about finding what populates the PUSH ECX?

I assume you mean what set ECX.

Go to the function that called this function and look for the code that set ECX.


L. Spiro
L. Spiro
L. Spiro
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby slointe » Fri Nov 30, 2007 9:48 am

L. Spiro wrote:
How do I go about finding what populates the PUSH ECX?

I assume you mean what set ECX.

Go to the function that called this function and look for the code that set ECX.


L. Spiro


So the function that is setting this ECX would be calling this function something like "call 1EF845E0"? The address of the PUSH command?
slointe
Hackleberry Fin
Posts: 28
Joined: Tue Jul 10, 2007 11:25 am

Postby L. Spiro » Fri Nov 30, 2007 10:37 am

The address of the PUSH command?

I have no idea what this is doing in your sentence.



Go to the function that called this function by stepping to the RET at the end of this function.
You go to an instruction after CALL 1EF845E0.

Above that there is MOV ECX, <something>.


Follow the code to figure out what set ECX.


L. Spiro
L. Spiro
L. Spiro
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan
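To make the reasoning above concrete, here is an added example (not from the thread and not part of Memory Hacking Software) that runs a simple def-use pass over the posted listing: any register the function reads before it writes is an input the caller must have set, and for this function that is only ECX (most likely the object pointer of a thiscall method, given the [ECX+AD8] field access; that is an assumption). It also decodes the CALL at 1EF845F9 from its E8 rel32 bytes, which shows why a CALL 1EF845E0 is encoded differently at every call site and a byte search for the literal address 1EF845E0 will not locate the callers.

```python
import re
# Sample input: the function posted in the thread, with the comments removed.
LISTING = """
1EF845E0   51               PUSH ECX
1EF845E1   D981 D80A0000    FLD DWORD PTR DS:[ECX+AD8]
1EF845E7   51               PUSH ECX
1EF845E8   D889 D40A0000    FMUL DWORD PTR DS:[ECX+AD4]
1EF845EE   D95C24 04        FSTP DWORD PTR SS:[ESP+4]
1EF845F2   D94424 04        FLD DWORD PTR SS:[ESP+4]
1EF845F6   D91C24           FSTP DWORD PTR SS:[ESP]
1EF845F9   E8 F285FDFF      CALL gamex86.1EF5CBF0
1EF845FE   83C4 08          ADD ESP,8
1EF84601   C3               RETN
"""
GPRS = ("EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP")  # ESP is always an implicit input; not tracked

def regs_in(text):
    return {r for r in GPRS if re.search(rf"\b{r}\b", text)}

def reg_effects(mnemonic, operands):
    """(reads, writes) register sets for the small x86 subset this listing uses."""
    ops = [o.strip() for o in operands.split(",") if o.strip()]
    if mnemonic == "CALL":  # the callee may clobber the caller-saved registers
        return set(), {"EAX", "ECX", "EDX"}
    dst = set() if not ops or "[" in ops[0] else regs_in(ops[0])  # register destination, if any
    src = regs_in(" ".join(ops[1:]))  # source registers, including those inside [..]
    if mnemonic in ("MOV", "LEA"):  # destination overwritten, so not read
        return src | (regs_in(ops[0]) - dst), dst
    if mnemonic in ("ADD", "SUB", "AND", "OR"):  # destination read and then written
        return dst | src | regs_in(ops[0]), dst
    return regs_in(" ".join(ops)), set()  # PUSH, x87 loads/stores: operands only read

def live_in_registers(listing):
    """Registers read before any write: values the function receives from its caller."""
    defined, live_in = set(), set()
    for line in listing.strip().splitlines():
        _addr, _raw, text = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        mnem, _, operands = text.partition(" ")
        reads, writes = reg_effects(mnem, operands)
        live_in |= reads - defined
        defined |= writes
        if mnem in ("RET", "RETN"):
            break
    return live_in

def decode_call_target(addr, raw):
    """Target of a near relative CALL (opcode E8 rel32): next instruction address + signed rel32."""
    code = bytes.fromhex(raw.replace(" ", ""))
    assert code[0] == 0xE8 and len(code) == 5, "not an E8 rel32 CALL"
    return (addr + 5 + int.from_bytes(code[1:], "little", signed=True)) & 0xFFFFFFFF
```

Running live_in_registers(LISTING) returns {'ECX'}, and decode_call_target(0x1EF845F9, "E8 F285FDFF") recovers 0x1EF5CBF0, the target the disassembler printed.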

Postby slointe » Fri Nov 30, 2007 10:40 am

Does whoever calls this function:
1EF845DE   CC               INT3
1EF845DF   CC               INT3
1EF845E0   51               PUSH ECX ; Where do I originate?
1EF845E1   D981 D80A0000    FLD DWORD PTR DS:[ECX+AD8]  ; ECX is what I want but it's dynamic         
1EF845E7   51               PUSH ECX
1EF845E8   D889 D40A0000    FMUL DWORD PTR DS:[ECX+AD4]
1EF845EE   D95C24 04        FSTP DWORD PTR SS:[ESP+4]
1EF845F2   D94424 04        FLD DWORD PTR SS:[ESP+4]
1EF845F6   D91C24           FSTP DWORD PTR SS:[ESP]
1EF845F9   E8 F285FDFF      CALL gamex86.1EF5CBF0
1EF845FE   83C4 08          ADD ESP,8
1EF84601   C3               RETN
1EF84602   CC               INT3


Call it by this address?:
1EF845E0

slointe
Hackleberry Fin
Posts: 28
Joined: Tue Jul 10, 2007 11:25 am

Postby L. Spiro » Fri Nov 30, 2007 10:41 am

Probably.


L. Spiro
L. Spiro
L. Spiro
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby slointe » Fri Nov 30, 2007 10:47 am

That's what I thought. I set a BP on it and all I see is the ECX value and not who calls it.

Got it now. Thanks!
slointe
Hackleberry Fin
Posts: 28
Joined: Tue Jul 10, 2007 11:25 am

