Tilosag (Cheater)
Reputation: 0
Joined: 21 Dec 2006, Posts: 25
Posted: Fri Apr 16, 2010 9:33 am    Post subject: WSA Send - packet data
I am trying to find out where the parameters of WSASend are kept.
When I step over the following call:
i30*photobucket*com/albums/c316/Tilosag/debug_PP*jpg
(remove asterisks and place dots instead)
2 packets are sent.
But I really don't know how to figure out the position of the sent data.
Any suggestions? What do you see there?
Regards
Tilo
Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71
Joined: 24 Jan 2007, Posts: 1857
Posted: Fri Apr 16, 2010 11:56 am
after you set up the stack frame:
[ebp] holds old ebp
[ebp+4] holds return address
[ebp+8] holds socket descriptor
[ebp+c] holds a pointer to an array of wsabuf structures
assuming you're coding in C or something, dereference [ebp+c]. each dword at that point is a pointer to a wsabuf structure. in each wsabuf structure, at offset 4 is a pointer to the buffer. so you could typecast it to wsabuf and access buf directly, or you could just do it all via hardcoded offsets (inadvisable).
if you're doing this in olly, look at [ebp+c], look that up in the hex dump. you can then follow each of the pointers and look at the wsabuf structures.
before setting up the stack frame, what i now describe as [ebp+8] is [esp], [ebp+c] is [esp+4], etc. etc.
Tilosag (Cheater)
Reputation: 0
Joined: 21 Dec 2006, Posts: 25
Posted: Fri Apr 16, 2010 12:37 pm
It's Java in C++.
Code:
[ebp] holds old ebp
[ebp+4] holds return address
[ebp+8] holds socket descriptor
[ebp+c] holds a pointer to an array of wsabuf structures
How do you know this?
This is what is sent:
Code:
0000 00 17 9a db f4 20 00 18 f3 5f cf ee 08 00 45 00
0010 00 30 48 e5 40 00 80 06 d7 ce c0 a8 01 0e 45 50
0020 d3 0d c1 e3 ba 08 77 28 69 e6 00 00 00 00 70 02
0030 20 00 2c 10 00 00 02 04 05 b4 01 01 04 02
I found this on the stack after looking at [ebp+c] and then following the 1st DWORD on the stack:
i30*photobucket*com/albums/c316/Tilosag/debug_PP2*jpg
It doesn't seem to match. Where should I look?
Regards
Tilo
Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71
Joined: 24 Jan 2007, Posts: 1857
Posted: Fri Apr 16, 2010 1:03 pm
umm in olly press ctrl-g, and write WSASend. when you get there press f2 to breakpoint. when it is hit, the parameters are on the stack as i wrote them.
what i describe with [ebp+x] is simply stdcall convention. when a call is done, parameters are pushed on first, then the return address is pushed on the stack when the call instruction is executed.
the parameters are pushed on the stack in reverse order, which is how i know where they are.
http://msdn.microsoft.com/en-us/library/ms742203(VS.85).aspx
they would be pushed on after the call. at the moment your eip seems to be pointing to the call itself. actually doing some static analysis, assuming [<&WS_32.#4> is WSASend, then we can say that eax holds the socket descriptor. i can see ESP is 0879F8FC so actually you are looking at completely the wrong area of the stack. if you are gonna do it like how you're doing it now, make sure you're looking at the top of the stack, which is pointed to by esp.
keep up with the pictures, they're very helpful
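The stack layout described in Slugsnack's two replies above, as an added C example that is not from the thread: it reads the WSASend arguments from a constructed 32-bit memory image and walks the WSABUF array the way a debugger script or a logging hook on your own process would. Assumptions: the addresses (ebp=0x300, WSABUFs at 0x100, data at 0x200/0x210), the socket value and the payload are made up; per the MSDN page linked above, lpBuffers points at the WSABUF structures themselves (len at +0, buf at +4, 8 bytes each on 32-bit) and dwBufferCount at [ebp+10] says how many there are.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed 32-bit "debuggee memory": addresses index this array. */
#define MEM_SIZE 0x400
static uint8_t mem[MEM_SIZE];

static uint32_t rd32(uint32_t a) { /* little-endian dword, as Olly's dump shows it */
    return mem[a] | mem[a + 1] << 8 | mem[a + 2] << 16 | (uint32_t)mem[a + 3] << 24;
}
static void wr32(uint32_t a, uint32_t v) {
    for (int i = 0; i < 4; i++) mem[a + i] = (uint8_t)(v >> (8 * i));
}
struct wsasend_args { uint32_t socket, lp_buffers, buffer_count; };

/* arg_base = address of the first stdcall argument: ebp+8 once
 * "push ebp; mov ebp,esp" has run, esp+4 at WSASend's first instruction. */
static struct wsasend_args read_wsasend_args(uint32_t arg_base) {
    struct wsasend_args a;
    a.socket       = rd32(arg_base);      /* SOCKET s            */
    a.lp_buffers   = rd32(arg_base + 4);  /* LPWSABUF lpBuffers  */
    a.buffer_count = rd32(arg_base + 8);  /* DWORD dwBufferCount */
    return a;
}

/* lpBuffers points at contiguous WSABUF structs (len at +0, buf at +4, 8 bytes
 * each on 32-bit). Concatenate every buffer into out; returns bytes copied. */
static size_t collect_send_data(uint32_t arg_base, uint8_t *out, size_t cap) {
    struct wsasend_args a = read_wsasend_args(arg_base);
    size_t total = 0;
    for (uint32_t i = 0; i < a.buffer_count; i++) {
        uint32_t len = rd32(a.lp_buffers + 8 * i), buf = rd32(a.lp_buffers + 8 * i + 4);
        for (uint32_t j = 0; j < len && total < cap && buf + j < MEM_SIZE; j++)
            out[total++] = mem[buf + j];
    }
    return total;
}

/* Constructed frame at ebp=0x300 with two WSABUFs at 0x100 (4-byte header, "hello"). */
static uint32_t setup_constructed_frame(void) {
    memcpy(mem + 0x200, "\x01\x00\x00\x05", 4); wr32(0x100, 4); wr32(0x104, 0x200);
    memcpy(mem + 0x210, "hello", 5);            wr32(0x108, 5); wr32(0x10c, 0x210);
    wr32(0x300, 0x320);      /* [ebp]    old ebp           */
    wr32(0x304, 0x00401234); /* [ebp+4]  return address    */
    wr32(0x308, 0x1a4);      /* [ebp+8]  socket descriptor */
    wr32(0x30c, 0x100);      /* [ebp+c]  lpBuffers         */
    wr32(0x310, 2);          /* [ebp+10] dwBufferCount     */
    return 0x308;            /* arg_base = ebp + 8         */
}
```

collect_send_data on the constructed frame yields the 9 bytes 01 00 00 05 68 65 6c 6c 6f, i.e. the header followed by "hello"; on a real process the same walk would start from the esp or ebp Olly shows at the WSASend breakpoint.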
Tilosag (Cheater)
Reputation: 0
Joined: 21 Dec 2006, Posts: 25
Posted: Fri Apr 16, 2010 2:36 pm
Great, I found it! Thank you! Perfect advice.
I had to migrate to Olly version 1.10 because the latest does not have something like Ctrl+G (when I enter WSASend it says "unknow identifier") or even plugins.
Edit:
Hmm... now it's quite awkward for Olly. When it attaches to a process then everything freezes and I can't even start the program.
I noticed that Olly v.2 does not recognize any functions. Is it possible to fix it?
Slugsnack (Grandmaster Cheater Supreme)
Reputation: 71
Joined: 24 Jan 2007, Posts: 1857
Posted: Fri Apr 16, 2010 4:58 pm
Make sure the breakpoint you set before is not still there. I haven't used the new olly though so can't help you there. If it's still not working then delete the corresponding udd file olly made to store your debugging configurations for that particular process.