Posted: Tue May 30, 2017 7:13 am Post subject: How to find where a function was called from (assembly)?
I can see the beginning of a function, it starts from
Code:
push ebp
I can't figure out where it ends so I could breakpoint ret and see where it was called from. At the push, does ebp contain the address where to return from the call or a pointer to it? Is there a way to breakpoint the code at push ebp and figure out the return address through register values?
Quote:
At the push, does ebp contain the address where to return from the call or a pointer to it?
NO
You can look in the call stack (stack trace) or the stack for any return address. You can also use x64dbg/olly find references function to see where the function is being called from (if it's not a dynamic call like call [eax+blah] etc.)
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
Posted: Tue May 30, 2017 1:03 pm Post subject:
Another tool you could get is IDA to disassemble the target. Its references feature is very helpful and it will also determine the end of the function with ease as long as the file is not obfuscated or tampered with in a way to deter disassemblers etc.
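The point from the first reply, that the return address sits on the stack and not in ebp, shown as an added example that is not part of the original thread. It assumes GCC or Clang on x86/x86-64 (it relies on their `__builtin_frame_address` and `__builtin_return_address` intrinsics); the names `frame_view`, `inspect_frame` and `call_sites_differ` are made up for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

struct frame_view {
    uintptr_t saved_bp;      /* what `push ebp` stored: the caller's EBP      */
    uintptr_t ret_from_slot; /* word just above it: [ebp+4] (or [rbp+8])      */
    uintptr_t ret_builtin;   /* the compiler's own answer, for cross-checking */
};

static volatile int sink;    /* side effect so the calls are never merged */

/* When the breakpoint at `push ebp` hits, nothing has been pushed yet, so
 * the return address written by CALL is simply [esp]. After
 * `push ebp; mov ebp, esp` the frame pointer addresses the saved caller EBP
 * and that same return address is one machine word higher. */
__attribute__((noinline)) struct frame_view inspect_frame(void)
{
    uintptr_t *fp = (uintptr_t *)__builtin_frame_address(0);
    struct frame_view v;
    v.saved_bp = fp[0];
    v.ret_from_slot = fp[1];
    v.ret_builtin = (uintptr_t)__builtin_return_address(0);
    sink++;
    return v;
}

/* Two call sites in one caller: each leaves a different return address,
 * which is what identifies "where the function was called from". */
__attribute__((noinline)) int call_sites_differ(void)
{
    struct frame_view a = inspect_frame();
    struct frame_view b = inspect_frame();
    return a.ret_from_slot == a.ret_builtin &&
           b.ret_from_slot == b.ret_builtin &&
           a.ret_from_slot != b.ret_from_slot;
}

int main(void)
{
    struct frame_view v = inspect_frame();
    printf("saved ebp/rbp   : %#" PRIxPTR "\n", v.saved_bp);
    printf("return (slot)   : %#" PRIxPTR "\n", v.ret_from_slot);
    printf("return (builtin): %#" PRIxPTR "\n", v.ret_builtin);
    printf("call sites differ: %d\n", call_sites_differ());
    return 0;
}
```

In a debugger the equivalent is to read the dword at esp when the breakpoint on `push ebp` hits, then look at the instruction just before that address to find the call.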