Did you know you can do `ub foo L1` (Unassemble Backwards)? That way you don't need to guess the length of the call instruction...
yeah, but it is slower and an e8 call is always 5 bytes :)
Since it's automated, I try to avoid having to parse errors: `.if (by(«ra»-5) == 0xe8) { .if ($vvalid(«ra»-4,4)) { u «ra»-5 L1 } }`
I've found the return address can be 0x41414141 in some cases, and `ub 0x41414141 L1` tends to throw an error. :D
sanity checks are possible bc. a valid call should point *exactly* to a symbol, making false positives in a corrupted state highly unlikely
You mean you discard it if it doesn't point to a debug symbol?
code in small branches can be stored away from the main func and may not get marked with a symbol. WinDbg returns whatever symbol is close.
so the symbol may be wrong. This is a way to get a better alternative in some cases (direct call), but not all (all other types of call).
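The check the thread converges on (byte before the return address is 0xE8, the bytes are readable, and the decoded call target lands exactly on a symbol rather than merely near one) can be expressed outside WinDbg as well. The following is an added Python example, not code from any participant in the thread; it assumes a flat memory image mapped at a known base and a plain dict as the symbol table, both constructed here for illustration. It decodes the rel32 of a direct `E8` call, reports whether the target is an exact symbol match or only "close" (the situation described above for code stored away from its main function), returns a status instead of raising on an unreadable address such as 0x41414141, and flags indirect calls (`FF 15`) as not handled, matching the caveat that the trick works for direct calls only.

```python
"""Validate a candidate return address as the tail of a direct E8 call.

Added example; memory image and symbols are constructed, not real process data.
"""
from typing import Dict, Optional, Tuple

SAMPLE_BASE = 0x140001000  # constructed load address of the image
SAMPLE_SYMBOLS: Dict[int, str] = {  # constructed symbol table: address -> name
    0x140001000: "main",
    0x140001100: "helper",
    0x140001200: "other",
}


def build_sample_image() -> bytes:
    """Constructed code image: int3 filler with three call sites placed in it."""
    img = bytearray(b"\xcc" * 0x300)

    def put(addr: int, data: bytes) -> None:
        off = addr - SAMPLE_BASE
        img[off:off + len(data)] = data

    def direct_call(site: int, target: int) -> bytes:
        # E8 rel32: displacement is relative to the address *after* the 5-byte call
        return b"\xe8" + (target - (site + 5)).to_bytes(4, "little", signed=True)

    put(0x140001010, direct_call(0x140001010, 0x140001100))  # call helper (exact symbol)
    put(0x140001020, direct_call(0x140001020, 0x140001230))  # call into other+0x30 (no symbol)
    put(0x140001030, b"\xff\x15\x10\x00\x00\x00")            # call qword ptr [rip+0x10], indirect
    return bytes(img)


def nearest_symbol(addr: int, symbols: Dict[int, str]) -> Optional[Tuple[str, int]]:
    """What a debugger shows when no exact symbol exists: closest symbol at or below addr."""
    below = [a for a in symbols if a <= addr]
    if not below:
        return None
    best = max(below)
    return symbols[best], addr - best


def classify_return_address(mem: bytes, base: int, ra: int, symbols: Dict[int, str]) -> dict:
    """Apply the thread's checks to one candidate return address `ra`.

    status: "unreadable"      - the 5 bytes before ra are not inside the image ($vvalid fails)
            "not_direct_call" - byte at ra-5 is not E8 (indirect call, or not a call site at all)
            "direct_call"     - decoded target; `trusted` is True only on an exact symbol hit
    """
    lo, hi = ra - 5, ra
    if lo < base or hi > base + len(mem):
        return {"status": "unreadable", "ra": ra}
    insn = mem[lo - base:hi - base]
    if insn[0] != 0xE8:
        return {"status": "not_direct_call", "ra": ra, "opcode": insn[0]}
    rel32 = int.from_bytes(insn[1:5], "little", signed=True)
    target = (ra + rel32) & 0xFFFFFFFFFFFFFFFF  # call target = next-instruction address + rel32
    exact = symbols.get(target)
    return {
        "status": "direct_call",
        "ra": ra,
        "target": target,
        "exact_symbol": exact,
        "nearest": nearest_symbol(target, symbols),
        "trusted": exact is not None,  # a valid call lands *exactly* on a symbol
    }


if __name__ == "__main__":
    image = build_sample_image()
    for candidate in (0x140001015, 0x140001025, 0x140001036, 0x41414141):
        print(hex(candidate), classify_return_address(image, SAMPLE_BASE, candidate, SAMPLE_SYMBOLS))
```

The `trusted` flag is the sanity check from the thread: a stray 0xE8 byte before a bogus return address is possible, but that byte decoding to a rel32 that lands exactly on a known symbol is very unlikely by chance, so the combination is what makes the result usable from a corrupted stack. Return addresses after `FF 15` (or any other indirect call) come back as `not_direct_call` and still need the ordinary, less reliable nearest-symbol lookup.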