Valhalla Legends Forums Archive | General Programming | DLL Function Parameters

Author | Message | Time
NicoQwertyu
There's a "mystery" DLL that I'm interested in.  No documentation or source has ever been released by the creator, and no one has released their own research on the dll to the public.  Getting the function names (exports) is easy enough, but how can I find out: how many, type, and order of parameters to be passed to these functions?

All I have right now is an entry point, an ordinal, and a non-decorated function name.
August 31, 2006, 3:54 PM
UserLoser
Disassemble it and figure it out.
August 31, 2006, 5:14 PM
Win32
As UserLoser says, disassemble the DLL and find the routine entry points and take a look at the function prelude.


-Matt
September 1, 2006, 5:39 AM
TheMinistered
[quote]
take a look at the function prelude.
[/quote]

Since when did the C++ generated assembly to set up the stack and whatnot (SEH error handling, etc.) give you any idea of what the function does?  It'll give you an idea of how many variables it's using perhaps, lol.

If you want to know what a function DOES, you must examine it wholly.  You must examine it step by step from start to finish.  You must understand every instruction's purpose/role.  From entry point to ret.

If you don't know all about reverse-engineering there is one thing you can do.  You can figure out the declarations and call them.  See what happens, maybe it'll produce a predictable outcome/etc.
September 1, 2006, 1:06 PM
Win32
All he wants to know is what parameters the function takes. Didn't mention anything about what it actually does.


-Matt
September 1, 2006, 1:37 PM
Myndfyr
[quote author=Win32 link=topic=15608.msg157386#msg157386 date=1157117864]
All he wants to know is what parameters the function takes. Didn't mention anything about what it actually does.


-Matt
[/quote]
Right, that will tell him (possibly) what the number of parameters are, but it won't tell him the type of use of the parameters.  For that you'd need to follow the execution path of the function.  For example, if one of the parameters on the stack is used in GetPrivateProfileStringA, then you could probably infer that the parameter is a char* (unless it's passed in parameter 4 (0-based)), and you could also deduce the actual use of the parameter based on where it is in the GetPrivateProfileString call.

Plus, the function prelude doesn't tell you if there are any __fastcall parameters, or if the function was naked.
September 1, 2006, 5:52 PM
UserLoser
Out of curiosity, what DLL are you speaking of?
September 2, 2006, 6:34 AM
NicoQwertyu
Steam.dll.  I wanted to leave it unnamed at first though, because this is something I want to learn to do.
September 2, 2006, 2:28 PM
Quarantine
I'm unfamiliar with Steam but if you're looking into hacking a game I'd look into the HL/Source SDKs.
September 2, 2006, 3:14 PM
NicoQwertyu
[quote author=Warrior link=topic=15608.msg157411#msg157411 date=1157210059]
I'm unfamiliar with Steam but if you're looking into hacking a game I'd look into the HL/Source SDKs.
[/quote]

This is why I didn't post which DLL I was interested in.
September 3, 2006, 3:23 PM
Quarantine
No shame in that, I think it's fine to discuss the development but not the distribution. Of course you could have been looking into something related to logons and accessing all games or something.
September 3, 2006, 4:46 PM
NicoQwertyu
I'm not interested in game hacking.  I just meant I didn't want to be pointed into the direction of "look at ____ source."  I just want to learn how to take a DLL I have no knowledge of, and find how to use each of its functions (or a select few).

I found a section of asm that calls (SteamGetCurrentEmailAddress) a function, which I thought would be simple and wouldn't accept many arguments, but it doesn't look that way.  If anyone could help me understand this, I'd be grateful. 

[code]
200899C0  55                        push ebp
200899C1  8BEC                      mov ebp,esp
200899C3  51                        push ecx
200899C4  894DFC                    mov [ebp-04h],ecx
200899C7  8B4514                    mov eax,[ebp+14h]
200899CA  50                        push eax
200899CB  8B4D10                    mov ecx,[ebp+10h]
200899CE  51                        push ecx
200899CF  8B550C                    mov edx,[ebp+0Ch]
200899D2  52                        push edx
200899D3  8B4508                    mov eax,[ebp+08h]
200899D6  50                        push eax
200899D7  E871C70E00                call SteamGetCurrentEmailAddress
200899DC  83C410                    add esp,00000010h
200899DF  8BE5                      mov esp,ebp
200899E1  5D                        pop ebp
200899E2  C21000                    retn 0010h
[/code]

Does this mean it takes 4 arguments, all of which are 4 bytes?
September 3, 2006, 5:38 PM
Kp
[quote author=NicoQwertyu link=topic=15608.msg157446#msg157446 date=1157305130]
Does this mean it takes 4 arguments, all of which are 4 bytes?[/quote]

For the most part, yes.  It's possible that some of those arguments are smaller than 4 bytes, but the compiler must promote them up to a multiple of 32 bits to pass them easily.
September 3, 2006, 6:24 PM
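
Added example, not part of any post in the thread: a small Python pass over the listing NicoQwertyu posted that collects the evidence discussed above (bytes popped by `retn`, the highest `[ebp+N]` slot referenced, the `add esp` cleanup after the inner call, and whether `ecx` is read before it is written). The function and key names are made up for this sketch, and it assumes a standard `ebp` frame and MASM-style hex operands.

```python
import re

# Listing from the post above; addresses and opcode bytes dropped.
LISTING = """push ebp
mov ebp,esp
push ecx
mov [ebp-04h],ecx
mov eax,[ebp+14h]
push eax
mov ecx,[ebp+10h]
push ecx
mov edx,[ebp+0Ch]
push edx
mov eax,[ebp+08h]
push eax
call SteamGetCurrentEmailAddress
add esp,00000010h
mov esp,ebp
pop ebp
retn 0010h"""

def hexnum(tok):
    return int(tok.rstrip("hH"), 16)  # MASM-style hex literal, e.g. '0010h'

def analyze(listing, slot=4):
    """Collect calling-convention evidence from a 32-bit x86 listing."""
    ins = [l.strip().partition(" ") for l in listing.splitlines() if l.strip()]
    ins = [(m.lower(), o.replace(" ", "")) for m, _, o in ins]
    ev = {"ret_pops": 0, "ebp_slots": 0, "ecx_live_in": False, "calls": []}
    ecx_written = False
    for i, (mnem, ops) in enumerate(ins):
        # Stack arguments sit at [ebp+8] and up once the frame is built.
        for off in re.findall(r"\[ebp\+([0-9a-f]+)h?\]", ops, re.I):
            ev["ebp_slots"] = max(ev["ebp_slots"], (hexnum(off) - 8) // slot + 1)
        if mnem == "mov":
            dst, _, src = ops.partition(",")
            # ecx read before any write: it arrived from the caller
            # (thiscall 'this' or a __fastcall register argument).
            if src.lower() == "ecx" and not ecx_written:
                ev["ecx_live_in"] = True
            ecx_written = ecx_written or dst.lower() == "ecx"
        elif mnem == "call":
            # 'add esp,N' right after the call: caller cleans N bytes (cdecl).
            nxt = ins[i + 1] if i + 1 < len(ins) else ("", "")
            m = re.fullmatch(r"esp,([0-9a-f]+)h?", nxt[1], re.I) if nxt[0] == "add" else None
            ev["calls"].append((ops, hexnum(m.group(1)) if m else 0))
        elif mnem in ("ret", "retn") and ops:
            ev["ret_pops"] = hexnum(ops)  # callee pops N bytes of its own args
    return ev
```

On this listing `analyze(LISTING)` reports 16 bytes popped by `retn`, 4 stack slots, and `ecx` live on entry, with the inner call cleaned up by its caller for 16 bytes. These are heuristics: the slot count says nothing about parameter types, which still require following how each value is used.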
