Let's try to parse a little code:
Quote:
0000000140325BB6 | FF15 A4149F00 | call qword ptr ds:[<&TextOutW>] |
0000000140325BBC | 8B9424 60010000 | mov edx,dword ptr ss:[rsp+160] |
0000000140325BC3 | 8B8424 68010000 | mov eax,dword ptr ss:[rsp+168] |
0000000140325BCA | 03C2 | add eax,edx |
0000000140325BCC | 898424 68010000 | mov dword ptr ss:[rsp+168],eax |
0000000140325BD3 | 48:8B8424 D00E0000 | mov rax,qword ptr ss:[rsp+ED0] |
0000000140325BDB | 48:8B80 48080000 | mov rax,qword ptr ds:[rax+848] |
0000000140325BE2 | C74424 20 70170000 | mov dword ptr ss:[rsp+20],1770 |
0000000140325BEA | 44:8B88 A4381D00 | mov r9d,dword ptr ds:[rax+1D38A4] |
0000000140325BF1 | 4C:8D05 507FCF00 | lea r8,qword ptr ds:[14101DB48] | r8:L"ItemNum/Max: %4d/%4d", 000000014101DB48:L"ItemNum/Max: %4d/%4d" |
Line 0000000140325BEA <- Data (2 bytes) from memory is loaded into register R9.
The memory address is specified as the contents of the register RAX [rax+1D38A4], 0x00000000484C2040.
If it is a stack or array, the memory address will be different each time it is loaded.
These 2 bytes contain information about the current number of items.
Line 0000000140325BF1 <- A string is loaded into the R8 register: "ItemNum/Max: %4d/%4d"
Next comes the calculation of the length of the characters, the conversion of data types and the output of the line to the window.
Line 000000014101DB48:L"ItemNum/Max: %4d/%4d" <- The address from which the character string was loaded.
I tried to set a breakpoint on these addresses with data on the current number of items, but code execution does not stop.
Although this action even looks funny, because there is no executable code there and nothing can stop there.
PS: The value [rax+1D38A4] is a constant, so the memory address with the data is not dynamic. Next it is necessary to trace this memory and look for the function that writes this data there.
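
The following is an added example, not part of the original post: Python code that decodes the REX/ModRM/SIB bytes of the load instructions in the listing above and resolves the RIP-relative `lea` to the string address 14101DB48 shown in the comment column. The names `decode_load` and `LISTING` are chosen for this example, and only opcodes 8B and 8D without a scaled index are handled.

```python
import struct

REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
        "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]

# Address and instruction bytes copied from the listing in the post.
LISTING = [
    (0x140325BBC, "8B9424 60010000"),
    (0x140325BDB, "488B80 48080000"),
    (0x140325BEA, "448B88 A4381D00"),
    (0x140325BF1, "4C8D05 507FCF00"),
]

def decode_load(addr, code):
    """Decode `mov reg,[mem]` (8B) or `lea reg,[mem]` (8D) in 64-bit mode.
    Returns (mnemonic, dest, operand_bits, base, disp, target); dest is the
    64-bit register name, target is set only for RIP-relative operands.
    """
    i, rex = 0, 0
    if code[0] & 0xF0 == 0x40:              # REX prefix, bits 0100WRXB
        rex, i = code[0], 1
    opcode, modrm = code[i], code[i + 1]
    i += 2
    if opcode not in (0x8B, 0x8D):
        raise ValueError("only opcodes 8B and 8D are handled here")
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:
        raise ValueError("register operand, no memory access")
    rip_relative = mod == 0 and rm == 5     # [rip+disp32] in 64-bit mode
    if rm == 4:                             # SIB byte follows ModRM
        sib, i = code[i], i + 1
        rm = sib & 7
        if (sib >> 3) & 7 != 4 or rex & 2 or (mod == 0 and rm == 5):
            raise ValueError("indexed or base-less SIB forms not handled")
    base = "rip" if rip_relative else REGS[rm | ((rex & 1) << 3)]
    disp = 0
    if rip_relative or mod == 2:            # 32-bit signed displacement
        disp, i = struct.unpack_from("<i", code, i)[0], i + 4
    elif mod == 1:                          # 8-bit signed displacement
        disp, i = struct.unpack_from("<b", code, i)[0], i + 1
    # i is now the instruction length; RIP-relative is based on the next insn.
    target = addr + i + disp if rip_relative else None
    mnemonic = "mov" if opcode == 0x8B else "lea"
    dest = REGS[reg | ((rex & 4) << 1)]     # REX.R extends the reg field
    return mnemonic, dest, 64 if rex & 8 else 32, base, disp, target

if __name__ == "__main__":
    for addr, hexbytes in LISTING:
        print(hex(addr), decode_load(addr, bytes.fromhex(hexbytes)))
```

The operand width and the base-plus-displacement pair returned for the `[rax+1D38A4]` load are the values a hardware (memory-access) breakpoint on that location would be configured with.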