Editing TPM Function Calls

Latest revision Your text
Line 156: Line 156:
 
</pre>
 
</pre>
 
The disassembly shows that the real function is located at <code>*(eax + index)</code> where <code>index</code> correspond to the function to be called. We also notice that eax is actually <code>*(esp + 0)</code>.<br>
 
The disassembly shows that the real function is located at <code>*(eax + index)</code> where <code>index</code> correspond to the function to be called. We also notice that eax is actually <code>*(esp + 0)</code>.<br>
The thing would be to find out what does <code>esp</code> holds. Well it is simple to find out since the function <code>sub_1008C()</code> doesn't have a stackframe. Which means that at <code>mov    eax, [esp+0]</code>, <code>esp</code> is actually the return address of the calling function. For instance, in <code>_IOServiceOpen_stub</code> the return address is <code>0x0000FE36</code>, which means that the real code is actually at <code>0x0000FE36 + 0x000485A = 0x00014690, *(0x00014690)</code>.<br>
+
The thing would be to find out what does <code>esp</code> holds. Well it is simple to find out since the function <code>sub_1008C()</code> doesn't have a stackframe. Which means that at <code>mov    eax, [esp+0]</code>, <code>esp</code> is actually the return address of the calling function. For instance, in <code>_IOServiceOpen_stub</code> the return address is <code>0x0000FE36</code>, which means that the real code is actually at <code>0x0000FE36 + 0x00085A = 0x00014690, *(0x00014690)</code>.<br>
 
And what do we found at <code>0x00014690</code> ?
 
And what do we found at <code>0x00014690</code> ?
 
<pre>
 
<pre>
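Review bot: the "Your text" side of this hunk (the line marked with +) changes the offset in the worked example from 0x000485A to 0x00085A, but leaves the stated result 0x00014690 in place, so the arithmetic no longer holds: 0x0000FE36 + 0x00085A = 0x00010690, whereas 0x0000FE36 + 0x000485A = 0x00014690 as the latest revision has it. Keep 0x000485A so the sum matches the address that the following paragraph ("And what do we found at 0x00014690 ?") dereferences.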
