Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


Find all assembly "call" instructions in memory

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming
View previous topic :: View next topic  
Author Message
DaviFN
Cheater
Reputation: 0

Joined: 23 Oct 2016
Posts: 32

PostPosted: Fri Jun 08, 2018 7:18 pm    Post subject: Find all assembly "call" instructions in memory Reply with quote

Hello!

I'm going to develop a dll that, once injected in a process, exhibits all the assembly "call" instructions (E9XXXXXX, if I'm not wrong) of the executable memory of that process, and also allow (via a window created by a thread) the removal of such instructions (noping). It will be written in C.

I know how to scan the memory already, but I can't just assume every E9 byte is referring to a "call" instruction, because that's simply not right. So I had the idea of asking here if any of you guys know a way of tell E9's apart. I presume I'd have to find the entry point and, from there, verify every opcode of the memory, listing the calls. Is that the way? And, if so, any tips of how that could be accomplished?

TL;DR: How to differentiate between E9 bytes that refer to the opcode "call" and E9 bytes that are in the middle of an opcode, or refer to data (or anything else)?

Thanks!
Back to top
View user's profile Send private message
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

PostPosted: Fri Jun 08, 2018 7:40 pm    Post subject: Reply with quote

Code:
E8 cw    CALL rel16    Call near, relative, displacement relative to next instruction
E8 cd    CALL rel32    Call near, relative, displacement relative to next instruction
FF /2    CALL r/m16    Call near, absolute indirect, address given in r/m16
FF /2    CALL r/m32    Call near, absolute indirect, address given in r/m32
9A cd    CALL ptr16:16    Call far, absolute, address given in operand
9A cp    CALL ptr16:32    Call far, absolute, address given in operand
FF /3    CALL m16:16    Call far, absolute indirect, address given in m16:16
FF /3    CALL m16:32    Call far, absolute indirect, address given in m16:32

_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
i am a sweetheart.
Back to top
View user's profile Send private message Visit poster's website
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Fri Jun 08, 2018 7:48 pm    Post subject: Reply with quote

E9 is the operand of a jmp instruction. You're looking for E8 and/or FF.

Starting at the entry point and analyzing everything might be a little overkill. Use heuristics to make a good guess as to whether or not a byte is actually the start of an instruction. Try disassembling them and see if the operand makes sense (e.g. valid register or address). The callee shouldn't modify the return address, so continue disassembling instructions after the call to see if they make sense. You could also look at instructions before the call (could be useful for dynamic calls or >2GB displacements in x64), but that could give false negatives.

I would highly recommend you read documentation about x86 / x86-64 (e.g. Intel documentation).

Look at CE's source for examples.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
DaviFN
Cheater
Reputation: 0

Joined: 23 Oct 2016
Posts: 32

PostPosted: Fri Jun 08, 2018 7:57 pm    Post subject: Reply with quote

I don't mind thar kind of overkill... It'll perform the search only once.

Would it work if I did it that way? Start from the entry point and then verify every opcode until a memory region that is not executable anymore?
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Fri Jun 08, 2018 9:43 pm    Post subject: Reply with quote

No. If you did it correctly, you should never reach a memory region that isn't executable. You start disassembling at the entry point, recursively disassemble every call and branch destination you can, and stop when you get to certain instructions or API calls (e.g. ExitProcess). I think you're severely underestimating how much work that entails. You won't even get everything in many circumstances, as there are plenty of paradigms that will screw this up (e.g. dynamic binding; JIT compilation).

If you want to get every call, searching for the opcode would be the most straightforward option.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
DaviFN
Cheater
Reputation: 0

Joined: 23 Oct 2016
Posts: 32

PostPosted: Sat Jun 09, 2018 10:03 am    Post subject: Reply with quote

Would it be enough verifying if the address to which the (possible) "call" instruction jumps is valid, and then verifying the starting bytes of that region (i.e. the starting bytes of the function) correspond to "push ebp , mov ebp,esp"?

If not, what would be enough? In what Cheat Engine source file can I find heuristic examples (could be another program, too)?
Back to top
View user's profile Send private message
ParkourPenguin
I post too much
Reputation: 138

Joined: 06 Jul 2014
Posts: 4275

PostPosted: Sat Jun 09, 2018 4:47 pm    Post subject: Reply with quote

No. Callees don't have to establish a stack frame. If it does start with those instructions, it's almost certainly a valid call instruction, but the inverse isn't necessarily true.

The file disassembler.pas has some examples. There are plenty of other open source disassemblers you can find.

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

PostPosted: Sun Jun 10, 2018 1:46 pm    Post subject: Reply with quote

There are a lot of various disassembler engines available for C/C++ that you can use to walk the assembly of the program and find the call instructions as you go.

There are things such as:
- ADE32/64
- HDE32/64
- OllyDbg's engine is open source : http://www.ollydbg.de/disasm.zip
- x64dbg is open source, you can see what they use (I think it was Capstone last I looked.)

and so on. These will help you walk the instructions to properly find the 'call' opcodes.

Is there a reason you are trying to kill every call though? That seems a bit strange.

Also keep in mind, nop'ing a call does not account for what it pushes on the stack as arguments. You will need to properly clean those as well.

_________________
- Retired.
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites