How do you get to the Caller?

 
Old   #1
 

>.> I'm currently live debugging an unpacked cabal and, as Nova, dlntq etc. suggested, I'm using Olly Socket Trace. I used non DC bracelets and then I used DC bracelets and saved the logs for them separately and I'm comparing them... I was being retarded and trying to take the caller and put them as the address but then I realized that's not it >.> So my question is: I know what callers they are but dunno how to get to them :S Is there any search function for it in Olly? I've googled it etc. but no luck, so am I either doing something completely wrong or is there a way to get to that caller? Example below...

Caller | Thread | Function Call | Return Value
cabalmai.004973 | 0x0454 | recv( 546, 0x5, 54, 0x0 ) | 84

Those are NOT my logs, purely for demo purposes, but how would I interpret something like this?
howcow95 is offline  
Old 10/05/2009, 22:57   #2
 
Here's a helping hand...
EBP+0x004973: Old EBP
EBP+0x0546: Return Address of Calling Function
EBP+0x5: Parameter 1 -- socket
EBP+0x54: Parameter 2 -- packet buffer
EBP+0x0: Parameter 3 -- length
EBP+0x84: Parameter 4 -- flags

Obviously, as they're not your actual values, the example is incorrect. It's just to show you what each parameter is. You'll be wanting to learn more about the stack to start being able to play around here, though you're only a step away from DH.
Only one more step for you, and you'll be able to do what you want.
NovaCygni is offline  
Old 10/06/2009, 00:42   #3
 
K well now what I do is go to the ret address via right click and dump of buffer (in Olly SocketTrace logs) and I search around and try to NOP some things but no success... Thing is that with us CabalNA'ers, if we have an unpacked cabalmain.exe it DC's every 2 or so minutes... SOOO I was trying to find what DC's us and NOP it or do something to it but no success yet. I see the two particular lines that occur before an invalid socket comes up and the .exe begins the shutdown routine, BUT I noticed the flag and address change every time :S

It's a 2 minute DC from being LOGGED IN; if I'm at char screen or anywhere else then there's no DC... Also I tried comparing what is normal and when the shutdown routine starts and tried to make it so that if I hit the shutdown routine I JMP over to the normal thing >.> but that failed cuz I crashed lol. Also I think me not being able to fix this has something to do with the fact that the address is changing every time :S
howcow95 is offline  
Old 10/06/2009, 18:12   #4
 

Quote:
Originally Posted by NovaCygni View Post
Here's a helping hand...
EBP+0x004973: Old EBP
EBP+0x0546: Return Address of Calling Function
EBP+0x5: Parameter 1 -- socket
EBP+0x54: Parameter 2 -- packet buffer
EBP+0x0: Parameter 3 -- length
EBP+0x84: Parameter 4 -- flags

Obviously, as they're not your actual values, the example is incorrect. It's just to show you what each parameter is. You'll be wanting to learn more about the stack to start being able to play around here, though you're only a step away from DH.
Only one more step for you, and you'll be able to do what you want.


So you mean to say we just have to edit the Parameter 4 / flags to a valid entry? Because I'm able to see the valid send/receive and invalid receive. So parameter 4 will be the DC flag??? Or it's really just 1 address to NOP / edit at??
pssye is offline  