Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)

All times are UTC [ DST ]





 Post subject: Completion Routine
Posted: 17 Jan 2010 01:25

Joined: 17 Jan 2010 01:13
Posts: 6
Hello,

I think that I am in the right forum. I need a little help to tackle the following problem.

I know that the program uses WSARecv(). As I have already read, it would be good to put a breakpoint on the first bytes of the first buffer. How do I know which is the first buffer?

I use OllyDbg and IDA. In OllyDbg I used the command "bp WSARecv()". Unfortunately, I can only stay in the login area. Once I'm logged in, I get many stops.

I'd really appreciate an answer.

Sincerely,
xUsername


 
 
 Post subject: Re: Completion Routine
Posted: 17 Jan 2010 01:55

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
WSARecv works a bit differently than the classical recv but it's not hard.
after you set the breakpoint and the debugger breaks you should see all the parameters of the function in the stack window (bottom right), something like:
Code:
0023FF1C   004013E2  ....  /CALL to WSARecv from 004013DD
0023FF20   0000000C  ....  |Socket = C
0023FF24   00401234  ....  |pBuffers = 00401234
0023FF28   00000001  ....  |nBuffers = 1
0023FF2C   00402222  ....  |pReceivedCount = 00402222
0023FF30   00403333  ....  |pFlags = 00403333
0023FF34   00000000  ....  |pOverlapped = NULL
0023FF38   00000000  ....  \Callback = NULL
now select pBuffers and select "Follow in Dump"

so go to the Dump window (bottom left)
here you will find the array of pointers to the buffers and their sizes used for receiving the data (nBuffers buffers and sizes).

the first 4 bytes are the size of the buffer, so select the next 4 bytes and select "Follow DWORD in Dump".
this is the buffer where the data will be received when WSARecv finishes (CTRL-F9)

for thoroughness I need to add that the overlapped stuff creates confusion because if it's used then the data will be received in other moments... anyway it's almost never used.

more info about WSARecv:
http://msdn.microsoft.com/en-us/library ... 85%29.aspx
http://msdn.microsoft.com/en-us/library ... 85%29.aspx
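
The array layout described in the reply above, decoded in code. This is an added example, not part of the original post: it walks the bytes shown in the Dump window at pBuffers and prints each receive buffer's address and size. It assumes a 32-bit process (4-byte length, then 4-byte pointer, little-endian); the names `wsabuf32`, `decode_wsabufs` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One entry of the 32-bit WSABUF array that pBuffers points to:
   a 4-byte length followed by a 4-byte pointer to the receive buffer. */
typedef struct {
    uint32_t len;  /* size of the receive buffer in bytes */
    uint32_t buf;  /* address of the receive buffer in the debuggee */
} wsabuf32;

/* Read a little-endian DWORD, as shown byte by byte in the Dump window. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode up to n_buffers entries from the bytes dumped at pBuffers.
   Returns the number decoded; stops early if the dump is too short. */
size_t decode_wsabufs(const uint8_t *dump, size_t dump_len,
                      uint32_t n_buffers, wsabuf32 *out, size_t out_cap)
{
    size_t n = 0;
    while (n < n_buffers && n < out_cap && (n + 1) * 8 <= dump_len) {
        out[n].len = le32(dump + n * 8);      /* first 4 bytes: size */
        out[n].buf = le32(dump + n * 8 + 4);  /* next 4 bytes: buffer address */
        n++;
    }
    return n;
}

/* Constructed sample: 16 bytes as they might appear at pBuffers when
   nBuffers = 2 (addresses and sizes are made up for illustration). */
static const uint8_t sample_dump[16] = {
    0x00, 0x10, 0x00, 0x00,  0x40, 0x5A, 0x40, 0x00,  /* len 0x1000, buf 0x00405A40 */
    0x00, 0x02, 0x00, 0x00,  0x40, 0x6A, 0x40, 0x00   /* len 0x200,  buf 0x00406A40 */
};

int main(void)
{
    wsabuf32 bufs[4];
    size_t n = decode_wsabufs(sample_dump, sizeof sample_dump, 2, bufs, 4);
    for (size_t i = 0; i < n; i++)
        printf("buffer %zu: address %08X, size %u bytes\n",
               i, (unsigned)bufs[i].buf, (unsigned)bufs[i].len);
    return 0;
}
```

The first decoded entry is the "first buffer" asked about in the question; its address is the one to follow in the dump after WSARecv returns.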


 
 Post subject: Re: Completion Routine
Posted: 17 Jan 2010 02:02

Joined: 17 Jan 2010 01:13
Posts: 6
It went really fast.

I thank you for your help and will try that. I have incorrectly set the BP.

As it is written: Thanks for the super fast response. I had added you to MSN. But it seems like you are rarely online there. Also do not worry. I have just received 1000 questions and there is only one way to answer them. Ask someone! Tutorials and similar matters are too superficial.

Sincerely,
xUsername

