I've looked at trying to do this for indirect calls with hardcoded addresses, but found many were to wrapper code that did "JMP register"... https://twitter.com/berendjanwever/status/855379369832964096
Replying to @berendjanwever
Did you know you can do `ub foo L1` (Unassemble Backwards)? That way you don't need to guess the length of the call instruction...
Replying to @taviso
yeah, but it is slower and an e8 call is always 5 bytes :)
Replying to @berendjanwever @taviso
Since it's automated, I try to avoid having to parse errors: .if (by(«ra»-5) == 0xe8) { .if ($vvalid(«ra»-4,4)) { u «ra»-5 L1 } }
Replying to @berendjanwever @taviso
I've found the return address can be 0x41414141 in some cases, and `ub 0x41414141 L1` tends to throw an error. :D
Replying to @berendjanwever @taviso
sanity checks are possible bc. a valid call should point *exactly* to a symbol, making false positives in a corrupted state highly unlikely
Replying to @berendjanwever
You mean you discard it if it doesn't point to a debug symbol?
Replying to @taviso
code in small branches can be stored away from the main func and may not get marked with a symbol. Windbg returns whatever symbol is close.
Replying to @berendjanwever
Yeah, that's my point: if it returns Foo+99999 then that's probably not helpful, but if you only accept Foo, then you miss valid calls.
Replying to @taviso
I've been mulling this over, but I can't think of any code that would compile into direct call symbol + offset. Have you ever seen this IRL?
Uh, we're talking about debugging code with just public or export symbols, right?
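The heuristic debated in the thread, written out as an added example (this is not code from any of the participants, and the WinDbg one-liner above is not reproduced here): a candidate return address `ra` is accepted only if the 5 bytes before it decode as an `E8 rel32` direct call, the read never raises on garbage like 0x41414141, and the decoded call target is then compared against a symbol table. The image layout, symbol names (`main`, `foo`, `bar`), addresses and the stack words are all constructed for the example. It also shows both sides of the Foo vs Foo+offset argument: a strict mode that only accepts calls landing exactly on a symbol, and a lenient mode that reports the nearest symbol plus offset so calls into cold, unsymbolised blocks still surface.

```python
import struct

# Constructed toy memory image: 256 bytes of "code" at IMAGE_BASE, 32-bit addresses.
IMAGE_BASE = 0x00401000
# Constructed public-symbol table (address -> name), as if from a PDB with public symbols only.
SYMBOLS = {0x00401000: "main", 0x00401040: "foo", 0x00401080: "bar"}


def build_image():
    """Emit three E8 rel32 call sites into an otherwise zero-filled image."""
    img = bytearray(0x100)

    def emit_call(at, target):
        rel = target - (at + 5)            # rel32 is relative to the end of the 5-byte call
        off = at - IMAGE_BASE
        img[off:off + 5] = b"\xE8" + struct.pack("<i", rel)

    emit_call(0x00401010, 0x00401040)      # main: call foo           (ra = 0x401015)
    emit_call(0x00401050, 0x00401080)      # foo:  call bar           (ra = 0x401055)
    emit_call(0x00401090, 0x004010A5)      # bar:  call a cold block with no symbol (ra = 0x401095)
    return bytes(img)


IMAGE = build_image()

# Constructed stack contents: a mix of real return addresses and junk.
STACK = [0x41414141, 0x00401055, 0x00401013, 0x00401095, 0x00401015, 0x00401004]


def read_bytes(image, addr, n):
    """Return n bytes at virtual address addr, or None if any byte lies outside the
    image. This is the equivalent of the $vvalid check: garbage addresses must not raise."""
    off = addr - IMAGE_BASE
    if off < 0 or off + n > len(image):
        return None
    return image[off:off + n]


def direct_call_target(image, ra):
    """If the 5 bytes before ra are an E8 rel32 call, return its target, else None."""
    raw = read_bytes(image, ra - 5, 5)
    if raw is None or raw[0] != 0xE8:
        return None
    rel = struct.unpack("<i", raw[1:5])[0]
    return (ra + rel) & 0xFFFFFFFF


def nearest_symbol(addr, symbols):
    """WinDbg-style lookup: closest symbol at or below addr, as (name, offset)."""
    below = [s for s in symbols if s <= addr]
    if not below:
        return None, None
    base = max(below)
    return symbols[base], addr - base


def classify(image, ra, symbols):
    """Describe what the bytes before ra look like: no call, or a call to name+offset."""
    target = direct_call_target(image, ra)
    if target is None:
        return {"kind": "no-call"}
    name, offset = nearest_symbol(target, symbols)
    if name is None:
        return {"kind": "call", "target": target, "name": None, "offset": None}
    return {"kind": "call", "target": target, "name": name, "offset": offset}


def scan_stack(image, words, symbols, strict=True):
    """Return (ra, label) for each stack word that looks like a return address.

    strict=True  : only accept calls that land exactly on a symbol (no false positives
                   from stray 0xE8 bytes, but misses calls into cold code).
    strict=False : also accept name+offset targets, as WinDbg would report them.
    """
    frames = []
    for w in words:
        info = classify(image, w, symbols)
        if info["kind"] != "call" or info["name"] is None:
            continue
        if strict and info["offset"] != 0:
            continue
        label = info["name"] if info["offset"] == 0 else f"{info['name']}+0x{info['offset']:x}"
        frames.append((w, label))
    return frames


if __name__ == "__main__":
    for ra, label in scan_stack(IMAGE, STACK, SYMBOLS, strict=False):
        print(f"{ra:08x}  {label}")
```

Run stand-alone it lists the three plausible frames; in strict mode the `bar+0x25` frame drops out, which is exactly the trade-off the thread is arguing about.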