flat assembler
Message board for the users of flat assembler.

Find procedure start address in a dll
kasake36
Joined: 28 Mar 2006
Posts: 68
I'm trying to disassemble the sqlite3.dll file because I want to know how the sqlite3_column_double procedure really works, as it doesn't behave as I thought. So I loaded the sqlite3.dll into OllyDBG and there I still am ;)

How can I find out where the wanted procedure starts?
Post 23 Jun 2006, 10:01
kasake36
Joined: 28 Mar 2006
Posts: 68
I've downloaded the PE Explorer and there's a special export-viewer-dialog. But how is it possible to view the exports via OllyDBG?
Post 23 Jun 2006, 10:24
vid
Verbosity in development
Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
IDA would be better, but it's commercial ;)
Post 23 Jun 2006, 12:07
Feryno
Joined: 23 Mar 2005
Posts: 457
Location: Czech republic, Slovak republic
kasake36, please check your PM as soon as possible (links are lost quickly)...
There is a free demo version of the excellent IDA:
http://www.datarescue.com/idabase/idadown.htm

My way of debugging DLLs (when I don't have their source...):
Find the entry point with another program, or by hand by calculating it from the DLL header, or find some interesting part of the DLL with a disassembler.
Replace the first byte of the first instruction of this part with the byte CC using a hex editor.
Under the debugger, load the exe which uses the DLL.
The debugger stops at the breakpoint in the DLL.
Replace the breakpoint byte with the original byte.
Simply trace or step over...
Post 23 Jun 2006, 12:55
kasake36
Joined: 28 Mar 2006
Posts: 68
Oh gosh! IDA is GREAT!!! I've never heard of this program before.

Feryno, thanks for all! The description of your way of debugging DLLs is very helpful!
Post 23 Jun 2006, 22:43
white_wight
Joined: 03 Feb 2006
Posts: 24
Post 26 Jun 2006, 01:17
okasvi
Joined: 18 Aug 2005
Posts: 382
Location: Finland
I think warez is not allowed here.
Post 26 Jun 2006, 01:46
Feryno
Joined: 23 Mar 2005
Posts: 457
Location: Czech republic, Slovak republic
Like okasvi said, use private messages instead of posting links in the forum for hot software.
My opinion is that everybody must be good at disassembling/debugging, because it is a great way to improve coding skills. Sometimes you have an executable without source and you want to learn how it does something that you want to learn how to do.
Now I have more time to explain my method of DLL debugging:
The method of editing the entry point byte to an int 03 instruction is necessary only when the DLL is compressed/encrypted.
When the DLL isn't compressed/encrypted, you can load the exe which uses the DLL, tell the debugger to show you the address range where the DLL is loaded, and you can simply place a breakpoint where you want (using IDA before this is a good way to find an interesting position in the code, except when the DLL is compressed/encrypted, in which case IDA doesn't help you much).
Post 26 Jun 2006, 08:30
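The "calculating from dll header" step from the thread, as an added example that is not part of the original posts: it walks the PE headers to the export directory and returns the RVA of a named export. The names `export_rva` and `build_sample` are hypothetical, and the image returned by `build_sample` is a constructed minimal PE32 file used only as sample input.

```python
import struct

def _u(fmt, buf, off):
    return struct.unpack_from("<" + fmt, buf, off)

def export_rva(pe, name):
    """Return (rva, is_forwarder) for export `name` in raw PE file bytes, or None."""
    nt = _u("I", pe, 0x3C)[0]                          # e_lfanew -> "PE\0\0"
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, optsz = _u("H", pe, nt + 6)[0], _u("H", pe, nt + 20)[0]
    opt = nt + 24                                      # optional header start
    ddir = opt + (96 if _u("H", pe, opt)[0] == 0x10B else 112)  # PE32 / PE32+
    exp_rva, exp_size = _u("II", pe, ddir)             # data directory 0 = exports
    # Section table rows: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    secs = [_u("4I", pe, opt + optsz + 40 * i + 8) for i in range(nsec)]

    def off(rva):                                      # RVA -> file offset
        for vsize, va, rawsize, rawptr in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA outside all sections")

    if exp_rva == 0:
        return None                                    # module exports nothing
    _nfuncs, nnames, funcs, names, ords = _u("5I", pe, off(exp_rva) + 20)
    for i in range(nnames):
        p = off(_u("I", pe, off(names) + 4 * i)[0])    # i-th name string
        if pe[p:pe.index(b"\0", p)] == name.encode():
            idx = _u("H", pe, off(ords) + 2 * i)[0]    # index into function table
            rva = _u("I", pe, off(funcs) + 4 * idx)[0]
            # An RVA inside the export directory is a forwarder string, not code
            return rva, exp_rva <= rva < exp_rva + exp_size
    return None

def build_sample():
    """Constructed minimal PE32 image exporting 'demo_func' at RVA 0x1234."""
    rva, raw = 0x2000, 0x200
    exp = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, rva + 0x40, 1, 1, 1,
                      rva + 0x28, rva + 0x2C, rva + 0x30)      # export directory
    exp += struct.pack("<IIH", 0x1234, rva + 0x4B, 0)          # function, name, ordinal
    exp = exp.ljust(0x40, b"\0") + b"sample.dll\0demo_func\0"
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)
    opt += struct.pack("<II", rva, len(exp)).ljust(128, b"\0")  # 16 directories
    sec = b".edata\0\0" + struct.pack("<4I", len(exp), rva, raw, raw).ljust(32, b"\0")
    return (hdr + opt + sec).ljust(raw, b"\0") + exp.ljust(raw, b"\0")
```

For the DLL discussed in the thread the call would be `export_rva(open("sqlite3.dll", "rb").read(), "sqlite3_column_double")`. Adding the returned RVA to the base address the debugger shows for the loaded DLL gives the address at which to place the breakpoint.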
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.
