mOnSoOn (Expert Cheater)
Posted: Fri Nov 23, 2007 8:10 pm
Post subject: DumpRegs

I have an address that is stored in the ECX register.
I got an address that contains an opcode using the ECX register (with my address..), and I want to know how I can dump the ECX register.
DumpRegs should help? (RPM\WPM to this address)

appalsap (Moderator)
Posted: Fri Nov 23, 2007 8:19 pm

CONTEXT context;
context.ContextFlags = CONTEXT_FULL;   // tell GetThreadContext which register sets to fill in
if (GetThreadContext(TheProcessThread, &context)) {
    // do something with context.Ecx (the thread must be suspended or stopped at a debug event)
}

mOnSoOn (Expert Cheater)
Posted: Fri Nov 23, 2007 8:34 pm

appalsap wrote:
    CONTEXT context;
    context.ContextFlags = CONTEXT_FULL;
    GetThreadContext(TheProcessThread, &context);
    // do something with context.Ecx

Thanks.
Do you know how to declare the context structure in Delphi? (TCONTEXT doesn't work.)

appalsap (Moderator)
Posted: Fri Nov 23, 2007 8:41 pm

TContext (an alias for _CONTEXT) works; are you sure you put Windows in your uses?

mOnSoOn (Expert Cheater)
Posted: Fri Nov 23, 2007 8:43 pm

appalsap wrote:
    TContext (an alias for _CONTEXT) works; are you sure you put Windows in your uses?

Stupid of me >.>
Forgot to write VAR :\
Thanks appalsap.
Edit:
I have to read\dump ECX from a specific address. Are you sure that this is the way?

Flyte (Peanuts!!!!)
Posted: Fri Nov 23, 2007 8:52 pm

You have 2 options:
1) Use the TF to step through the code and use GetThreadContext each time to make sure it is at the proper EIP. This method is time-consuming (CPU-wise).
2) Place an interrupt on the address, then catch it as a debugger. When you catch the interrupt, use GetThreadContext and replace the overwritten bytes. This method will be detected by a CRC check.
Both will probably be detected, since you have to attach as a debugger for both.

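A worked version of Flyte's second option (plant an INT3 at the address, catch it as a debugger, read the context, restore the byte), written in Delphi because that is the language the original poster is using. This is an added example, not code from anyone in the thread; it assumes a 32-bit x86 target (TContext with Ecx/Eip), a process you hold debug rights on, and an older Windows unit that does not already declare OpenThread/DebugActiveProcessStop (both are imported here by hand).

```delphi
program DumpEcx; {$APPTYPE CONSOLE}
uses Windows, SysUtils;
// Older Delphi Windows units lack these two kernel32 imports, so they are declared here.
function OpenThread(Access: DWORD; Inherit: BOOL; Tid: DWORD): THandle; stdcall; external kernel32;
function DebugActiveProcessStop(Pid: DWORD): BOOL; stdcall; external kernel32;
// Attach to Pid, plant INT3 (0xCC) at Target, return ECX when that breakpoint fires,
// then restore the original opcode byte, rewind EIP to Target and detach.
function DumpEcxAt(Pid: DWORD; Target: Pointer): DWORD;
const Int3: Byte = $CC;
var
  hProc, hThr: THandle; Saved: Byte; N, Cont: DWORD;
  Ev: TDebugEvent; Ctx: TContext; Hit: Boolean;
begin
  Result := 0; Hit := False;
  hProc := OpenProcess(PROCESS_VM_READ or PROCESS_VM_WRITE or PROCESS_VM_OPERATION, False, Pid);
  Win32Check(hProc <> 0);
  Win32Check(DebugActiveProcess(Pid));
  Win32Check(ReadProcessMemory(hProc, Target, @Saved, 1, N));   // keep the byte we overwrite
  Win32Check(WriteProcessMemory(hProc, Target, @Int3, 1, N));
  FlushInstructionCache(hProc, Target, 1);
  while not Hit do
  begin
    Win32Check(WaitForDebugEvent(Ev, INFINITE));
    Cont := DBG_CONTINUE;   // default: swallow breakpoints (incl. the attach breakpoint)
    if Ev.dwDebugEventCode = EXCEPTION_DEBUG_EVENT then
      with Ev.Exception.ExceptionRecord do
        if ExceptionCode <> EXCEPTION_BREAKPOINT then
          Cont := DBG_EXCEPTION_NOT_HANDLED   // not ours: let the target's handlers see it
        else if ExceptionAddress = Target then
        begin
          hThr := OpenThread(THREAD_GET_CONTEXT or THREAD_SET_CONTEXT, False, Ev.dwThreadId);
          Win32Check(hThr <> 0);
          Ctx.ContextFlags := CONTEXT_FULL;   // must be set before GetThreadContext
          Win32Check(GetThreadContext(hThr, Ctx));
          Result := Ctx.Ecx;                  // the register value at this instruction
          Win32Check(WriteProcessMemory(hProc, Target, @Saved, 1, N));
          FlushInstructionCache(hProc, Target, 1);
          Ctx.Eip := DWORD(Target);           // re-execute the original instruction
          Win32Check(SetThreadContext(hThr, Ctx));
          CloseHandle(hThr);
          Hit := True;
        end;
    ContinueDebugEvent(Ev.dwProcessId, Ev.dwThreadId, Cont);
  end;
  DebugActiveProcessStop(Pid);
  CloseHandle(hProc);
end;
begin // usage: DumpEcx <pid> <hex address>
  Writeln(Format('ECX = %.8x', [DumpEcxAt(StrToInt(ParamStr(1)), Pointer(StrToInt('$' + ParamStr(2))))]));
end.
```

Flyte's first option (trap-flag single-stepping) is not shown; it replaces the INT3 with EFlags.TF and a GetThreadContext/Eip comparison on every single-step event.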
mOnSoOn (Expert Cheater)
Posted: Fri Nov 23, 2007 8:55 pm

I thought exactly of the 2nd option, but the 1st option.. I have no idea how it works.
(Running in GGless mode)

sphere90 (Grandmaster Cheater)
Posted: Fri Nov 23, 2007 9:10 pm

mOnSoOn wrote:
    I thought exactly of the 2nd option, but the 1st option.. I have no idea how it works.
    (Running in GGless mode)

Since you are running in GGless mode, why not use OllyDbg?