Finding The Static BasePointer
alien56
22nd February 2007, 22:26
Hello,
I'm trying as best I can to learn to find the static DMA for an address. I've spent much time trying to look for them for some addresses I've found, but there is one thing I don't understand.
I took the TeamAddy and decided to trace it back to try to understand how it was found.
((9D903C + 60) + D8)
I understand where the D8 comes from: it is the value the original address holds. I was able to trace the breakpoints to find where 9D903C came from. I understand everything up to this point except for where the +60 came from. I have no clue how the +60 comes into play and would very much appreciate an explanation if someone would be so kind. I have a couple of addresses that I've found that I would love to get the static base pointer for, but that part confuses me.
Thanks
firebat
22nd February 2007, 23:13
After the part where you see the 9D903C being stored, there will be a call (like CALL [EAX+122]), and in that call it will have the +60.
alien56
22nd February 2007, 23:26
OK... I think I got it... Thanks for your reply. You go to the address of the call, and the value that it holds is the value you need.
005820B3 8B11 MOV EDX,DWORD PTR DS:[ECX]
005820B5 FF92 80000000 CALL DWORD PTR DS:[EDX+80]
005820BB 84C0 TEST AL,AL
005820BD 0F94C0 SETE AL
005820C0 8BCE MOV ECX,ESI
005820C2 50 PUSH EAX
005820C3 E8 58E4FFFF CALL BF2.00580520
005820C8 8B0D 3C909D00 MOV ECX,DWORD PTR DS:[9D903C]
005820CE 8B11 MOV EDX,DWORD PTR DS:[ECX]
005820D0 FF52 30 CALL DWORD PTR DS:[EDX+30] <--The Call you mentioned
005820D3 85C0 TEST EAX,EAX
005820D5 74 3F JE SHORT BF2.00582116
005820D7 8B0D 3C909D00 MOV ECX,DWORD PTR DS:[9D903C] <--- BaseAddress
005820DD 8B01 MOV EAX,DWORD PTR DS:[ECX] <---- ECX
005820DF FF50 30 CALL DWORD PTR DS:[EAX+30]
005820E2 8B10 MOV EDX,DWORD PTR DS:[EAX]
005820E4 8BC8 MOV ECX,EAX <--- EAX
005820E6 FF92 E4000000 CALL DWORD PTR DS:[EDX+E4] <---- The Breakpoint
I'm sorry, I'm just having a little trouble understanding this. So there's what it looks like. Like you said, there is a call above it. +30? So how do you get +60 from that?
firebat
23rd February 2007, 00:20
Breakpoint each call, then trace into it with F7. In one of them it will be something like MOV EAX,[ECX+60].
005820B3 8B11 MOV EDX,DWORD PTR DS:[ECX]
005820B5 FF92 80000000 CALL DWORD PTR DS:[EDX+80]
005820BB 84C0 TEST AL,AL
005820BD 0F94C0 SETE AL
005820C0 8BCE MOV ECX,ESI
005820C2 50 PUSH EAX
005820C3 E8 58E4FFFF CALL BF2.00580520
005820C8 8B0D 3C909D00 MOV ECX,DWORD PTR DS:[9D903C]
005820CE 8B11 MOV EDX,DWORD PTR DS:[ECX]
005820D0 FF52 30 CALL DWORD PTR DS:[EDX+30]
005820D3 85C0 TEST EAX,EAX
005820D5 74 3F JE SHORT BF2.00582116
005820D7 8B0D 3C909D00 MOV ECX,DWORD PTR DS:[9D903C]
005820DD 8B01 MOV EAX,DWORD PTR DS:[ECX]
005820DF FF50 30 CALL DWORD PTR DS:[EAX+30] <-- check this call
005820E2 8B10 MOV EDX,DWORD PTR DS:[EAX]
005820E4 8BC8 MOV ECX,EAX
005820E6 FF92 E4000000 CALL DWORD PTR DS:[EDX+E4]
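The pointer path the thread arrives at, [[9D903C] + 60] + D8, can be modelled in a few lines of C. The example below is added here and is not code from the thread or from the game: the structure names (GameManager, PlayerBlock), the global g_manager standing in for the static address 9D903C, and the vtable slot number are assumptions chosen so that the offsets line up with the listing. It shows both sides of firebat's explanation: the game reaches the team field through a virtual call (CALL [EDX+30]) whose body does MOV EAX,[ECX+60], which is why the +60 never appears in the caller, and a trainer reaches the same field by following the chain from the static address with a dereference at every level, checking each intermediate pointer because the objects are allocated dynamically and may not exist yet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout reproducing the thread's path [[9D903C] + 60] + D8.
 * All names here are illustrative assumptions, not identifiers from the game. */

typedef struct GameManager GameManager;
typedef void *(*vslot_t)(GameManager *self);

/* Object whose address is stored at the static location (9D903C in the
 * listing). The vtable pointer sits at +0, which is what MOV EDX,[ECX] loads. */
struct GameManager {
    const vslot_t *vtable;
    uint8_t pad[0x60 - sizeof(const vslot_t *)];
    struct PlayerBlock *player;   /* +0x60: the field MOV EAX,[ECX+60] reads */
};

/* Block reached through +0x60; the team value lives at +0xD8. */
struct PlayerBlock {
    uint8_t pad[0xD8];
    uint32_t team;
};

_Static_assert(offsetof(struct GameManager, player) == 0x60, "+60 offset");
_Static_assert(offsetof(struct PlayerBlock, team) == 0xD8, "+D8 offset");

/* Body of the function behind CALL [EDX+30]: MOV EAX,[ECX+60] / RETN. */
static void *get_player(GameManager *self) { return self->player; }

/* On 32-bit x86 a 4-byte slot at +0x30 is vtable index 0x30 / 4 = 12. */
#define PLAYER_SLOT 12
static const vslot_t g_vtable[PLAYER_SLOT + 1] = { [PLAYER_SLOT] = get_player };

static struct PlayerBlock g_player;
static GameManager g_manager_obj = { .vtable = g_vtable, .player = &g_player };
static GameManager *g_manager = &g_manager_obj;   /* plays the role of 9D903C */

/* Test helpers: set the team value, or simulate the player block not existing. */
static void set_team(uint32_t t) { g_player.team = t; }
static void set_player_present(int present) { g_manager_obj.player = present ? &g_player : NULL; }

/* What the game does: the virtual call hides the +60 from the caller. */
static uint32_t team_via_vcall(void)
{
    GameManager *mgr = g_manager;                              /* MOV ECX,[9D903C] */
    struct PlayerBlock *pb = mgr->vtable[PLAYER_SLOT](mgr);    /* CALL [EDX+30] -> MOV EAX,[ECX+60] */
    return pb->team;                                           /* read at +D8 */
}

/* What a trainer does: follow the chain from the static address, dereferencing
 * at every level. The last offset is the field itself and is not dereferenced.
 * Returns 0 on success, -1 if any intermediate pointer is NULL. */
static int read_chain(const void *static_addr, const size_t *offs, size_t n, uint32_t *out)
{
    uintptr_t cur;
    memcpy(&cur, static_addr, sizeof cur);                     /* [9D903C] */
    for (size_t i = 0; i + 1 < n; i++) {
        if (cur == 0) return -1;
        memcpy(&cur, (const void *)(cur + offs[i]), sizeof cur); /* [cur + offset] */
    }
    if (cur == 0) return -1;
    memcpy(out, (const void *)(cur + offs[n - 1]), sizeof *out); /* final field */
    return 0;
}

static int team_via_chain(uint32_t *out)
{
    const size_t offs[] = { 0x60, 0xD8 };                      /* [[base]+60]+D8 */
    return read_chain(&g_manager, offs, 2, out);
}

int main(void)
{
    uint32_t t = 0;
    set_player_present(1);
    set_team(2);
    printf("via virtual call: %u\n", team_via_vcall());
    if (team_via_chain(&t) == 0) printf("via pointer chain: %u\n", t);
    set_player_present(0);
    printf("chain with missing object: %d\n", team_via_chain(&t));
    return 0;
}
```

The loop in read_chain is the general form of what the thread traces by hand: one dereference for the static address, one more for every offset except the last, and a plain read at the last. Tracing into the call with F7 is how you discover that an offset belongs in the middle of the chain rather than at the end.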