Linked Code in external File

[Andyhhp]

dll have some part where the names of functions listed

This is known as the export list.

after that you have to get the address of that functions and base address

What do you mean by this? In a process, you have a linear virtual memory model into which the library is loaded.

all functions' declarations have to be written in alphabetic way

Why? Function names are arbitrary lengths. If you are not using a sparse method for storing names then alphabetic naming doesnt help serching at all. If you are using a sparse method then you are most likely wasting a lot of space.

end of function is declared via 0xC3

No. 0xC3 is the binary for the ret instruction. There is no gurentee that there will be a single ret instruction per function.

For example

Code: Select all

void myFunction(int arg)
{
  if(arg == 0)
    return;

  //Some really really long function

  return;
}

This example will most likely have two ret instructions in it.

On the other hand, there is no gurantee that a function will have any ret instruction.

for example

Code: Select all

pop ebp
mov eax,[esp]
jmp eax

That results in a function returning properly (albeit trashing the return value, but that doesnt matter for void functions)


Sorry to pick and point but it is a good habbit to be accurate

~Andrew

[djsilence]

No. 0xC3 is the binary for the ret instruction. There is no gurentee that there will be a single ret instruction per function.

try on read it hex redactor... anyway, have your function one or more ret instructions.

this will looks like that:

B8 A0 C3 D9 E4 11 23 4F 3D 6A BB 7D 1A 2D 3E 49
8D E2 FE FA A0 20 3E 1C 5E 6A C3 CC CC CC CC CC

See, after C3 meets just one time if you write in C(C++) and after that go CC's.

Daniel.

[djsilence]

So, there is one way more:

look for binary 0xCC... but if function length is exactly 0x20 (or 0x40, 0x60, etc.) so there will no any 0xCC, but 0xC3 will be anyway.

[Andyhhp]

So, there is one way more:

look for binary 0xCC... but if function length is exactly 0x20 (or 0x40, 0x60, etc.) so there will no any 0xCC, but 0xC3 will be anyway.

This is only if the methods are aligned on paragraph boundaries. The layout of them is highly compiler dependent which means using it as a defintive test is a poor idea.

Either way, none of this explains why you want to find the end of the function.

All you need is the entry address and then you call it. why does it matter where the function ends?

~Andrew

[atc]

erazzzor, ich kann ein bißchen Deutsch. Wenn du ein Problem mit Englisch haben, sendest mir ein PM. Mein Deutsch ist vermutlich nicht genug für komplizierte programmierung Themen, jedoch glaube ich wir können die Sprachbarriere überwunden. Es tut mir leid wenn mein Grammatik ist schlecht!

[Boazdexter]

hey what kind of linked code in external file
please tell me about it
i just faced so many problems for it



___________________________________
"Want to get-on Google's first page and loads of traffic to your website? Hire a SEO Specialist from Ocean Groups seo pecialist
"