I have not had trouble finding functions by Olly but do not know how to find the parameters , they could guide me please .
Example:
Code:
004FA860 55 PUSH EBP 004FA861 8BEC MOV EBP,ESP 004FA863 83EC 14 SUB ESP,14 004FA866 68 66924000 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> 004FA86B 64:A1 00000000 MOV EAX,DWORD PTR FS:[0] 004FA871 50 PUSH EAX 004FA872 64:8925 00000000 MOV DWORD PTR FS:[0],ESP 004FA879 83EC 58 SUB ESP,58 004FA87C 53 PUSH EBX 004FA87D 56 PUSH ESI 004FA87E 57 PUSH EDI 004FA87F 8965 EC MOV DWORD PTR SS:[EBP-14],ESP 004FA882 C745 F0 F0594000 MOV DWORD PTR SS:[EBP-10],Imperium.00405> 004FA889 33F6 XOR ESI,ESI 004FA88B 8975 F4 MOV DWORD PTR SS:[EBP-C],ESI 004FA88E 8975 F8 MOV DWORD PTR SS:[EBP-8],ESI 004FA891 8975 C4 MOV DWORD PTR SS:[EBP-3C],ESI 004FA894 8975 B4 MOV DWORD PTR SS:[EBP-4C],ESI 004FA897 8975 A4 MOV DWORD PTR SS:[EBP-5C],ESI 004FA89A 8975 A0 MOV DWORD PTR SS:[EBP-60],ESI 004FA89D 6A 11 PUSH 11 004FA89F 68 045F4300 PUSH Imperium.00435F04 004FA8A4 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34] 004FA8A7 50 PUSH EAX 004FA8A8 FF15 98114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaAryCo>; MSVBVM60.__vbaAryConstruct2 004FA8AE 6A 01 PUSH 1 004FA8B0 FF15 F8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaOnErr>; MSVBVM60.__vbaOnError 004FA8B6 6A 02 PUSH 2 004FA8B8 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8] 004FA8BB 51 PUSH ECX 004FA8BC 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28] 004FA8BF 52 PUSH EDX 004FA8C0 E8 5F04F3FF CALL Imperium.0042AD24 004FA8C5 FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaSetSy>; MSVBVM60.__vbaSetSystemError 004FA8CB 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34] 004FA8CE 8945 A0 MOV DWORD PTR SS:[EBP-60],EAX 004FA8D1 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] 004FA8D4 894D AC MOV DWORD PTR SS:[EBP-54],ECX 004FA8D7 C745 A4 11600000 MOV DWORD PTR SS:[EBP-5C],6011 004FA8DE 56 PUSH ESI 004FA8DF 6A 40 PUSH 40 004FA8E1 8D55 A4 LEA EDX,DWORD PTR SS:[EBP-5C] 004FA8E4 52 PUSH EDX 004FA8E5 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C] 004FA8E8 50 PUSH EAX 004FA8E9 FF15 68124000 CALL DWORD PTR DS:[<&MSVBVM60.#717>] ; MSVBVM60.rtcStrConvVar2 004FA8EF 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C] 004FA8F2 51 PUSH ECX 004FA8F3 FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove 004FA8F9 8BD0 MOV EDX,EAX 004FA8FB 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C] 004FA8FE FF15 84134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>; MSVBVM60.__vbaStrMove 004FA904 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C] 004FA907 FF15 40104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar 004FA90D FF15 E0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaExitP>; MSVBVM60.__vbaExitProc 004FA913 68 53A94F00 PUSH Imperium.004FA953 004FA918 EB 26 JMP SHORT Imperium.004FA940 004FA91A FF15 E0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaExitP>; MSVBVM60.__vbaExitProc 004FA920 68 53A94F00 PUSH Imperium.004FA953 004FA925 EB 19 JMP SHORT Imperium.004FA940 004FA927 F645 F4 04 TEST BYTE PTR SS:[EBP-C],4 004FA92B 74 09 JE SHORT Imperium.004FA936 004FA92D 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C] 004FA930 FF15 CC134000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr 004FA936 8D4D B4 LEA ECX,DWORD PTR SS:[EBP-4C] 004FA939 FF15 40104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar 004FA93F C3 RETN 004FA940 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34] 004FA943 8955 A0 MOV DWORD PTR SS:[EBP-60],EDX 004FA946 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60] 004FA949 50 PUSH EAX 004FA94A 6A 00 PUSH 0 004FA94C FF15 C8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaAryDe>; MSVBVM60.__vbaAryDestruct 004FA952 C3 RETN
Thank you
and go to the address where the function begins (0x004FA860).
