I've looked at trying to do this for indirect calls with hardcoded addresses, but found many were to wrapper code that did "JMP register"...https://twitter.com/berendjanwever/status/855379369832964096 …
Replying to @berendjanwever
Did you know you can do `ub foo L1` (Unassemble Backwards)? That way you don't need to guess the length of the call instruction...
Replying to @taviso
yeah, but it is slower and an e8 call is always 5 bytes :)
Replying to @berendjanwever @taviso
Since it's automated, I try to avoid having to parse errors: .if (by(«ra»-5) == 0xe8) { .if ($vvalid(«ra»-4,4)) { u «ra»-5 L1 } }
Replying to @berendjanwever @taviso
I've found the return address can be 0x41414141 in some cases, and `ub 0x41414141 L1` tends to throw an error. :D
Replying to @berendjanwever @taviso
sanity checks are possible bc. a valid call should point *exactly* to a symbol, making false positives in a corrupted state highly unlikely
Replying to @berendjanwever
You mean you discard it if it doesn't point to a debug symbol?
Replying to @taviso
code in small branches can be stored away from the main func and may not get marked with a symbol. Windbg returns whatever symbol is close.
so the symbol may be wrong. This is a way to get a better alternative in some cases (direct call), but not all (all other types of call).
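The E8 check discussed above, modelled as an added example (my code, not any poster's WinDbg script): a constructed flat memory image and symbol table stand in for the debuggee, the mapped-range test plays the role of `$vvalid`, and an exact-vs-nearest symbol comparison shows why an exact match is the sanity check.

```python
import struct

# Constructed, not a real process: one mapped code region plus a symbol table
# of the kind WinDbg resolves addresses against. Offsets relative to CODE_BASE.
CODE_BASE = 0x401000
CODE = (
    b"\x90\x90"                                          # 0x401000: nop; nop
    + b"\xe8" + struct.pack("<i", 0x401200 - 0x401007)   # 0x401002: call 0x401200
    + b"\x90"                                            # 0x401007: nop (a return address)
    + b"\xe8" + struct.pack("<i", 0x401230 - 0x40100D)   # 0x401008: call 0x401230
    + b"\x90"                                            # 0x40100D: nop (a return address)
    + b"\xff\xd0"                                        # 0x40100E: call eax (indirect)
    + b"\x90"                                            # 0x401010: nop (a return address)
)
MEMORY = {CODE_BASE: CODE}
SYMBOLS = {0x401000: "main", 0x401200: "foo"}  # 0x401230 is code with no symbol

def read(addr, size):
    """Return `size` bytes at addr, or None if the range is not fully mapped
    (the role $vvalid plays in the thread: never fault on 0x41414141)."""
    for base, data in MEMORY.items():
        if base <= addr and addr + size <= base + len(data):
            off = addr - base
            return data[off:off + size]
    return None

def direct_call_target(ra):
    """If the 5 bytes before return address ra decode as E8 rel32, return the
    callee; rel32 is relative to the next instruction, which is ra itself."""
    insn = read(ra - 5, 5)
    if insn is None or insn[0] != 0xE8:
        return None                      # unmapped, or not a direct call
    rel = struct.unpack("<i", insn[1:5])[0]
    return (ra + rel) & 0xFFFFFFFF

def nearest_symbol(addr):
    """What a closest-symbol lookup gives: highest symbol at or below addr,
    plus the displacement from it."""
    below = [s for s in SYMBOLS if s <= addr]
    if not below:
        return None, None
    best = max(below)
    return SYMBOLS[best], addr - best

def resolve_return_address(ra):
    """(target, symbol, exact) for a direct call, else None. exact=False means
    the nearest symbol is a guess that the thread's sanity check would reject."""
    target = direct_call_target(ra)
    if target is None:
        return None
    name, disp = nearest_symbol(target)
    return target, name, disp == 0
```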