| View previous topic :: View next topic |
| Author |
Message |
xeratal
Advanced Cheater
![]() Reputation: 1
Joined: 05 Nov 2005
Posts: 93
|
 Posted: Tue Dec 27, 2011 8:17 pm Post subject: When do API's get called? |
 |
|
Seems like an obvious answer,
but I've tried e.g. go SendInput API in a program which I know uses it, then get that address, and search call <address#>.
Can't find it in the normal programs memory region.
Even in CheatEngine, I tried searching for a call to WriteProcessMemory - only one came up, at API CloseProfileUserMapping. Is CE simply calling something which eventually calls CloseProfileUserMapping and then WriteProcessMemory or am I doing something wrong?
|
|
| Back to top |
|
 |
atom0s
Moderator
 Reputation: 205
Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1
|
| Posted: Tue Dec 27, 2011 8:22 pm Post subject: |
|
|
APIs are called when the application invokes them. They are just calls. If you want to log API information just set a breakpoint on the API itself rather then looking for all the calls to it.
1. Attach to the process.
2. Open memory viewer.
3. Hit Ctrl+G and enter the API name, ex. 'WriteProcessMemory' without the quotes.
Set a break at the start and you can look at the call stack to see where it was called and the params passed to it. I recommend using OllyDbg for debugging though since it has a bit more in depth stuff with breakpoints and known API calls that can make your life easier.
_________________
- Retired. |
|
| Back to top |
|
|
xeratal
Advanced Cheater
![]() Reputation: 1
Joined: 05 Nov 2005
Posts: 93
|
| Posted: Tue Dec 27, 2011 8:30 pm Post subject: |
|
|
I thought of that but since I couldn't even find a single call to it (well besides that one example for CE) I assumed that I wouldn't get anything by doing that.
I'll try now - will update if any results...
-Edit add
It worked! I found that it was one of the things I thought might be happening, that is one API was calling another API so it was in the 7xxxxxxx area of memory...
But I cheated to find the return address because my computer was crashing if I traced anything more than 10 lines of code in that area...
Just for knowledge - if I wanted to find the return address, where would that be in? I thought it would be in one of the registers, probably EBP or ESP, but when I looked it up it wasn't. Or is it that a "ret" statement would do something like "return to whatever comes out of the stack next" or something like that? If so, could you explain how to view the stack in CE if possible? That's another thing I could never figure out 
P.S. I've used Olly a little but I'm trying to extend my knowledge of CE for now.
|
|
| Back to top |
|
|
Geri
Moderator
![]() Reputation: 111
Joined: 05 Feb 2010
Posts: 5627
|
| Posted: Tue Dec 27, 2011 9:22 pm Post subject: |
|
|
Return addresses are in the stack. You can see the stack in the lower right corner when you are debugging.
_________________
|
|
| Back to top |
|
|
atom0s
Moderator
Reputation: 205
Joined: 25 Jan 2006
Posts: 8587
Location: 127.0.0.1
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
- 0x7E428D8B - etc.