How to find a function parameters ?

10/31/2015 23:29 xelipe#1
Hello,

I have not had trouble finding functions by Olly but do not know how to find the parameters , they could guide me please .

Example:
Code:
004FA860   55               PUSH EBP
004FA861   8BEC             MOV EBP,ESP
004FA863   83EC 14          SUB ESP,14
004FA866   68 66924000      PUSH <JMP.&MSVBVM60.__vbaExceptHandler>
004FA86B   64:A1 00000000   MOV EAX,DWORD PTR FS:[0]
004FA871   50               PUSH EAX
004FA872   64:8925 00000000 MOV DWORD PTR FS:[0],ESP
004FA879   83EC 58          SUB ESP,58
004FA87C   53               PUSH EBX
004FA87D   56               PUSH ESI
004FA87E   57               PUSH EDI
004FA87F   8965 EC          MOV DWORD PTR SS:[EBP-14],ESP
004FA882   C745 F0 F0594000 MOV DWORD PTR SS:[EBP-10],Imperium.00405>
004FA889   33F6             XOR ESI,ESI
004FA88B   8975 F4          MOV DWORD PTR SS:[EBP-C],ESI
004FA88E   8975 F8          MOV DWORD PTR SS:[EBP-8],ESI
004FA891   8975 C4          MOV DWORD PTR SS:[EBP-3C],ESI
004FA894   8975 B4          MOV DWORD PTR SS:[EBP-4C],ESI
004FA897   8975 A4          MOV DWORD PTR SS:[EBP-5C],ESI
004FA89A   8975 A0          MOV DWORD PTR SS:[EBP-60],ESI
004FA89D   6A 11            PUSH 11
004FA89F   68 045F4300      PUSH Imperium.00435F04
004FA8A4   8D45 CC          LEA EAX,DWORD PTR SS:[EBP-34]
004FA8A7   50               PUSH EAX
004FA8A8   FF15 98114000    CALL DWORD PTR DS:[<&MSVBVM60.__vbaAryCo>; MSVBVM60.__vbaAryConstruct2
004FA8AE   6A 01            PUSH 1
004FA8B0   FF15 F8104000    CALL DWORD PTR DS:[<&MSVBVM60.__vbaOnErr>; MSVBVM60.__vbaOnError
004FA8B6   6A 02            PUSH 2
004FA8B8   8D4D 08          LEA ECX,DWORD PTR SS:[EBP+8]
004FA8BB   51               PUSH ECX
004FA8BC   8B55 D8          MOV EDX,DWORD PTR SS:[EBP-28]
004FA8BF   52               PUSH EDX
004FA8C0   E8 5F04F3FF      CALL Imperium.0042AD24
004FA8C5   FF15 A8104000    CALL DWORD PTR DS:[<&MSVBVM60.__vbaSetSy>; MSVBVM60.__vbaSetSystemError
004FA8CB   8D45 CC          LEA EAX,DWORD PTR SS:[EBP-34]
004FA8CE   8945 A0          MOV DWORD PTR SS:[EBP-60],EAX
004FA8D1   8D4D A0          LEA ECX,DWORD PTR SS:[EBP-60]
004FA8D4   894D AC          MOV DWORD PTR SS:[EBP-54],ECX
004FA8D7   C745 A4 11600000 MOV DWORD PTR SS:[EBP-5C],6011
004FA8DE   56               PUSH ESI
004FA8DF   6A 40            PUSH 40
004FA8E1   8D55 A4          LEA EDX,DWORD PTR SS:[EBP-5C]
004FA8E4   52               PUSH EDX
004FA8E5   8D45 B4          LEA EAX,DWORD PTR SS:[EBP-4C]
004FA8E8   50               PUSH EAX
004FA8E9   FF15 68124000    CALL DWORD PTR DS:[<&MSVBVM60.#717>]     ; MSVBVM60.rtcStrConvVar2
004FA8EF   8D4D B4          LEA ECX,DWORD PTR SS:[EBP-4C]
004FA8F2   51               PUSH ECX
004FA8F3   FF15 4C104000    CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove
004FA8F9   8BD0             MOV EDX,EAX
004FA8FB   8D4D C4          LEA ECX,DWORD PTR SS:[EBP-3C]
004FA8FE   FF15 84134000    CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove
004FA904   8D4D B4          LEA ECX,DWORD PTR SS:[EBP-4C]
004FA907   FF15 40104000    CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
004FA90D   FF15 E0104000    CALL DWORD PTR DS:[<&MSVBVM60.__vbaExitP>; MSVBVM60.__vbaExitProc
004FA913   68 53A94F00      PUSH Imperium.004FA953
004FA918   EB 26            JMP SHORT Imperium.004FA940
004FA91A   FF15 E0104000    CALL DWORD PTR DS:[<&MSVBVM60.__vbaExitP>; MSVBVM60.__vbaExitProc
004FA920   68 53A94F00      PUSH Imperium.004FA953
004FA925   EB 19            JMP SHORT Imperium.004FA940
004FA927   F645 F4 04       TEST BYTE PTR SS:[EBP-C],4
004FA92B   74 09            JE SHORT Imperium.004FA936
004FA92D   8D4D C4          LEA ECX,DWORD PTR SS:[EBP-3C]
004FA930   FF15 CC134000    CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
004FA936   8D4D B4          LEA ECX,DWORD PTR SS:[EBP-4C]
004FA939   FF15 40104000    CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
004FA93F   C3               RETN
004FA940   8D55 CC          LEA EDX,DWORD PTR SS:[EBP-34]
004FA943   8955 A0          MOV DWORD PTR SS:[EBP-60],EDX
004FA946   8D45 A0          LEA EAX,DWORD PTR SS:[EBP-60]
004FA949   50               PUSH EAX
004FA94A   6A 00            PUSH 0
004FA94C   FF15 C8104000    CALL DWORD PTR DS:[<&MSVBVM60.__vbaAryDe>; MSVBVM60.__vbaAryDestruct
004FA952   C3               RETN
and also the type

Thank you
11/01/2015 21:48 _asm#2
Load your program in [Only registered and activated users can see links. Click Here To Register...] and go to the address where the function begins (0x004FA860).

It will show you something like that: [Only registered and activated users can see links. Click Here To Register...]

You can see the Data-Types, Parameters and you can even decompile the function using the hexrays plugin (not free).