Return Styles: Pseud0ch, Terminal, Valhalla, NES, Geocities, Blue Moon.

Pages: 1-

address of strcmp

Name: Anonymous 2010-11-05 0:08

Having a running instance of, say, notepad
how do I find the address of the strcmp function?
I want to hook the function using this other tool I made and watch the calls

Name: Anonymous 2010-11-05 1:06

>>1
Jokes on you when compiler will decide to inline such simple function. bcc551 inlines strcmp:


 _TEXT    segment dword public use32 'CODE'
    align    4
_foo    proc    near
?live1@0:
   ;   
   ;    int foo(const char* a, const char* b)
   ;   
@1:
    push      ebp
    mov       ebp,esp
   ;   
   ;    {
   ;        return strcmp(a,b)+1;
   ;   
    mov       eax,dword ptr [ebp+8]
    mov       edx,dword ptr [ebp+12]
@2:
    mov       cl,byte ptr [eax]
    cmp       cl,byte ptr [edx]
    jne       short @3
    test      cl,cl
    je        short @3
    mov       cl,byte ptr [eax+1]
    cmp       cl,byte ptr [edx+1]
    jne       short @3
    add       eax,2
    add       edx,2
    test      cl,cl
    jne       short @2
@3:
    setne     dl
    sbb       eax,eax
    or        al,dl
    inc       eax
   ;   
   ;    }
   ;   
@5:
@4:
    pop       ebp
    ret
So does msvc according to google.
gcc and clang are not such faggots.

Name: Anonymous 2010-11-05 2:08

Fuck, I forgot about that possibility  Thanks

Name: Anonymous 2010-11-05 2:29

strcmp can sometimes be inlined by some compilers, especially if the length parameter is constant.

There are however plenty of ways of locating it, but all of them are implementation spcific:
1) if libc is dynamically linked, look at the exports
2) if it's statically linked, search for patterns (known code patterns).

IDA Pro can perform 2 for you for a large variety of libraries such as MSVC libc from earliest to latest version's, and if it somehow couldn't you could always make your own FLIRT signatures for it to identify. Of course, if you could make your own FLIRT signatures, it would be just as easy to write your own code to do the indentification automatically.

In general, I would suggest you try to find what exactly you want to hook by properly reverse engineering the binary, instead of hoping you could somehow magically hook something which you don't know exactly about (there can be a lot of ways strcmp can be implemented, different per implementation (both library and compiler), and sometimes even the user may use a different version for some reason(rare)).

Name: Anonymous 2010-11-05 7:35

>>4
And don't forget about OllyDbg! Damn, I wish IDA had nice debugger too. For some reason, its debugger segfaulted in xp and wine, while ollydbg works in both

Name: Anonymous 2010-11-14 16:46

Don't change these.
Name: Email:
Entire Thread Thread List
All trademarks and copyrights on this site are owned by their respective parties. All comments and posts are the responsibility of their own posters.
- Tinychan + 2ch Mode -