There's a "mystery" DLL that I'm interested in. No documentation or source has ever been released by the creator, and no one has released their own research on the dll to the public. Getting the function names (exports) is easy enough, but how can I find out: how many, type, and order of parameters to be passed to these functions?
All I have right now is an entry point, an ordinal, and a non-decorated function name.
Disassemble it and figure it out.
As UserLoser says, disassemble the DLL and find the routine entry points and take a look at the function prelude.
-Matt
Quote
take a look at the function prelude.
Since when did the C++ generated assembly to setup the stack and what not (seh error handling, etc) give you any idea of what the function does. It'll give you an idea of how many variables its using perhaps, lol.
If you want to know what a function DOES, you must examine it wholey. You must examine it step by step from start to finish. You must understand every instructions purpose/role. From entry point to ret.
If you don't know all about reverse-engineering there is one thing you can do. You can figure out the declarations and call them. See what happens, maybe it'll produce a predictable outcome/etc.
All he wants to know is what parameters the function takes. Diden't mention anything about what it actually does.
-Matt
Quote from: Win32 on September 01, 2006, 08:37 AM
All he wants to know is what parameters the function takes. Diden't mention anything about what it actually does.
-Matt
Right, that will tell him (possibly) what the number of parameters are, but it won't tell him the type of use of the parameters. For that you'd need to follow the execution path of the function. For example, if one of the parameters on the stack is used in GetPrivateProfileStringA, then you could probably infer that the parameter is a char* (unless it's passed in parameter 4 (0-based)), and you could also deduce the actual use of the parameter based on where it is in the GetPrivateProfileString call.
Plus, the function prelude doesn't tell you if there are any __fastcall parameters, or if the function was naked.
Out of curiousity, what DLL are you speaking of?
Steam.dll. I wanted to leave it unnamed at first though, because this is something I want to learn to do.
I'm unfamiliar with Steam but if you're looking into hacking a game I'd look into the HL/Source SDKs.
Quote from: Warrior on September 02, 2006, 10:14 AM
I'm unfamiliar with Steam but if you're looking into hacking a game I'd look into the HL/Source SDKs.
This is why I didn't post which DLL I was interested in.
No shame in that, I think it's fine to discuss the development but not the distribution. Of course you could of been looking into something related to logons and accessing all games or something.
I'm not interested in game hacking. I just ment I didn't want to be pointed into the direction of "look at ____ source." I just want to learn how to take a DLL I have no knowledge of, and find how to use each of it's functions (or a select few).
I found a section of asm that calls (SteamGetCurrentEmailAddress) a function, which I thought would be simple and wouldn't accept many arguments, but it doesn't look that way. If anyone could help me understand this, I'd be grateful.
200899C0 55 push ebp
200899C1 8BEC mov ebp,esp
200899C3 51 push ecx
200899C4 894DFC mov [ebp-04h],ecx
200899C7 8B4514 mov eax,[ebp+14h]
200899CA 50 push eax
200899CB 8B4D10 mov ecx,[ebp+10h]
200899CE 51 push ecx
200899CF 8B550C mov edx,[ebp+0Ch]
200899D2 52 push edx
200899D3 8B4508 mov eax,[ebp+08h]
200899D6 50 push eax
200899D7 E871C70E00 call SteamGetCurrentEmailAddress
200899DC 83C410 add esp,00000010h
200899DF 8BE5 mov esp,ebp
200899E1 5D pop ebp
200899E2 C21000 retn 0010h
Does this mean it takes 4 arguments, all of which are 4 bytes?
Quote from: NicoQwertyu on September 03, 2006, 12:38 PM
Does this mean it takes 4 arguments, all of which are 4 bytes?
For the most part, yes. It's possible that some of those arguments are smaller than 4 bytes, but the compiler must promote them up to a multiple of 32bits to pass them easily.