12-14-2005, 22:49
JuneMouse
Quote:
Originally Posted by hosiminh
About those addresses where aspr reads user name (if/when regged) ... is there any generic way to find this particular asm instruction:
mov e??,dword ptr ds:[someaddress] ?

You mean in OllyDbg? If yes, then you can try this out:
right click --> Search for --> All commands
type in there: mov r32,dword ptr ds:[const]
and hit Find

OllyDbg will pop up another window with all those calls that match the pattern

Code:
Found commands
Address    Disassembly                               Comment
00401000   JMP SHORT OLLYDBG.00401012                (Initial CPU selection)
00401012   MOV EAX,DWORD PTR DS:[4B011B]             [004B011B]=00000000
00401066   MOV EAX,DWORD PTR DS:[4B0123]             [004B0123]=00000000
00401140   MOV EAX,DWORD PTR DS:[4B011B]             [004B011B]=00000000
004014EF   MOV ESI,DWORD PTR DS:[4CD280]             DS:[004CD280]=00000000

If you prefer only those that are moved to eax, change the command to
mov eax,dword ptr ds:[const]

Code:
Found commands
Address    Disassembly                               Comment
00401000   JMP SHORT OLLYDBG.00401012                (Initial CPU selection)
00401012   MOV EAX,DWORD PTR DS:[4B011B]             [004B011B]=00000000
00401066   MOV EAX,DWORD PTR DS:[4B0123]             [004B0123]=00000000
00401140   MOV EAX,DWORD PTR DS:[4B011B]             [004B011B]=00000000
0040196F   MOV EAX,DWORD PTR DS:[4CD280]             [004CD280]=0000000

and so on, viz. I searched for register ebp below

Code:
Found commands
Address    Disassembly                               Comment
00401000   JMP SHORT OLLYDBG.00401012                (Initial CPU selection)
00414B60   MOV EBP,DWORD PTR DS:[4CD420]             DS:[004CD420]=00000000
00418E7A   MOV EBP,DWORD PTR DS:[4D8144]             DS:[004D8144]=00000000
0049CE40   MOV EBP,DWORD PTR DS:[4E3030]             DS:[004E3030]=00000000

Hope that's what you were looking for.

Last edited by JuneMouse; 12-14-2005 at 22:58.
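What the search pattern in the post above matches at the byte level, as an added example that is not part of the original post: a Python scan of a raw 32-bit code buffer for the two encodings of MOV r32,DWORD PTR DS:[const]. The function name, the sample buffer and its base address are constructed for illustration; the three constants are taken from the listings in the post.

```python
import struct

# Register numbering of the ModRM "reg" field in 32-bit x86 code.
REGS = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

def find_mov_r32_abs(code, base, reg=None):
    """Return (address, register, constant) for every offset in `code` that
    decodes as MOV r32,DWORD PTR DS:[const].

    Two encodings exist:
      A1 <disp32>          MOV EAX,[const]  (short form, EAX only)
      8B <modrm> <disp32>  MOV r32,[const]  (ModRM mod=00, r/m=101)
    Unlike a debugger search, this is a raw byte scan that does not follow
    instruction boundaries, so a hit may lie inside another instruction or
    in data and should be confirmed in a disassembler.
    """
    hits = []
    for i in range(len(code)):
        op = code[i]
        if op == 0xA1 and i + 5 <= len(code):
            dest, disp_at = "EAX", i + 1
        elif op == 0x8B and i + 6 <= len(code) and code[i + 1] & 0xC7 == 0x05:
            dest, disp_at = REGS[(code[i + 1] >> 3) & 7], i + 2
        else:
            continue
        (const,) = struct.unpack_from("<I", code, disp_at)
        if reg is None or reg.upper() == dest:
            hits.append((base + i, dest, const))
    return hits

# Constructed sample buffer (not a dump of any real module).
SAMPLE_BASE = 0x401012
SAMPLE = bytes.fromhex(
    "A11B014B00"    # MOV EAX,DWORD PTR DS:[4B011B]
    "9090"          # NOP, NOP
    "8B3580D24C00"  # MOV ESI,DWORD PTR DS:[4CD280]
    "90"            # NOP
    "8B2D20D44C00"  # MOV EBP,DWORD PTR DS:[4CD420]
    "8B4508"        # MOV EAX,[EBP+8]: same opcode, not an absolute address
    "C3"            # RET
)

if __name__ == "__main__":
    for addr, dest, const in find_mov_r32_abs(SAMPLE, SAMPLE_BASE):
        print(f"{addr:08X}   MOV {dest},DWORD PTR DS:[{const:X}]")
```

Passing reg="ebp" narrows the result to one destination register, the same way replacing r32 with a register name does in the search dialog.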