
DeDe SDK v1.

I. Description of DeDe functions


function GetByte(dwVirtOffset : DWORD) : Byte;

Description:
Returns the byte at virtual offset dwVirtOffset of the target file.
------------------------------------------------------------------------

function GetWord(dwVirtOffset : DWORD) : Word;

Description:
Returns the word at virtual offset dwVirtOffset of the target file.
------------------------------------------------------------------------

function GetDWORD(dwVirtOffset : DWORD) : DWORD;

Description:
Returns the dword at virtual offset dwVirtOffset of the target file.
------------------------------------------------------------------------

function GetPascalString(dwVirtOffset : DWORD) : String;

Description:
Returns the pascal string at virtual offset dwVirtOffset of the target file.
------------------------------------------------------------------------

procedure GetBinaryData(var buffer : Array of Byte;
                        size : Integer;
                        dwVirtOffset : DWORD);

Description:
Reads size bytes starting at dwVirtOffset of the target file into buffer.
The buffer must be sized before calling this procedure.
------------------------------------------------------------------------

function Disassemble(dwVirtOffset : DWORD) : TDasmData;

Description:
Disassembles the instruction at dwVirtOffset of the target file. The result is
returned in a TDasmData record:

Type TDasmData = record
  btSize : Byte;
  sInstruction : String;
end;

sInstruction is the instruction text and btSize is the number of bytes (opcodes)
it occupies. The next instruction starts at VirtOffset+Size, where VirtOffset is
the passed address and Size is the returned number of bytes.

Remarks:
If ptFixRelativeOffsets has been specified in the flags of the plugin that
Disassemble() is called from, the relative offsets in the resulting instruction
are converted to absolute ones. They are returned in the same format as DeDe's
disassembler listing. All numbers are in hex and start with '$':

mov eax, [ebp-$04]
mov eax, dword ptr [$4417C8]

The targets of jump and call instructions are resolved and given in hex without
a '$' before the value:

call 00402E20
jz 0043A8B9

When this flag is not specified, call and jump instructions are returned as:

call -$0003BBCD
jmp +$0000001D

Instructions can be parsed by taking the first 8 characters as the instruction
itself and the rest as the operands (if any).
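As an added example (not part of the DeDe SDK, and written in Python rather than Delphi so it runs outside DeDe), the following parses instruction strings of the form shown above: it splits the 8-character mnemonic from the operands, collects the '$'-prefixed numbers, and resolves both the relative ('-$0003BBCD') and the fixed ('00402E20') call/jump forms. The sample triples are constructed, and the assumption that a relative displacement counts from the end of the instruction is marked in the code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (virt_offset, btSize, sInstruction), shaped like
# Disassemble() results; the addresses and sizes are made up for illustration.
SAMPLE_LISTING = [
    (0x0043A800, 5, "call    -$0003BBCD"),   # relative form, flag not set
    (0x0043A805, 2, "jmp     +$0000001D"),
    (0x0043A807, 5, "call    00402E20"),      # fixed form, ptFixRelativeOffsets set
    (0x0043A80C, 3, "mov     eax, [ebp-$04]"),
    (0x0043A80F, 5, "mov     eax, dword ptr [$4417C8]"),
]

_REL = re.compile(r"^([+-])\$([0-9A-Fa-f]{8})$")   # e.g. -$0003BBCD
_ABS = re.compile(r"^([0-9A-Fa-f]{8})$")           # e.g. 00402E20
_IMM = re.compile(r"\$([0-9A-Fa-f]+)")             # any '$'-prefixed hex number

@dataclass
class Instr:
    mnemonic: str
    operands: str
    immediates: List[int]   # every $-number found in the operand field
    target: Optional[int]   # resolved call/jump destination, else None
    next_offset: int        # VirtOffset + Size, start of the next instruction

def parse_instruction(virt_offset: int, bt_size: int, s_instruction: str) -> Instr:
    # The mnemonic occupies the first 8 characters; the rest is the operand field.
    mnemonic = s_instruction[:8].strip()
    operands = s_instruction[8:].strip()
    next_offset = virt_offset + bt_size
    target = None
    if mnemonic == "call" or mnemonic.startswith("j"):
        m = _REL.match(operands)
        if m:
            # Assumption: the displacement is relative to the end of the
            # instruction, as the CPU encodes it. Check against DeDe's listing.
            disp = int(m.group(2), 16)
            if m.group(1) == "-":
                disp = -disp
            target = (next_offset + disp) & 0xFFFFFFFF
        elif _ABS.match(operands):
            target = int(operands, 16)
    immediates = [int(h, 16) for h in _IMM.findall(operands)]
    return Instr(mnemonic, operands, immediates, target, next_offset)

def parse_listing(listing) -> List[Instr]:
    return [parse_instruction(*entry) for entry in listing]
```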
------------------------------------------------------------------------

The following functions are not implemented yet:

-------------------------------------------------

function GetCallReference(dwVirtOffset : DWORD;
                          var sReference : String;
                          var btRefType : Byte;
                          btMode : Byte = 0) : Boolean;

Description:
This function examines the procedure starting at dwVirtOffset of the target
file. If the procedure is recognized, sReference receives its name(s) and
btRefType receives the type of the returned reference: REF_TYPE_DSF,
REF_TYPE_PUBLISHED or REF_TYPE_IDATA. The first value is set when the pattern of
the tested procedure has been found in any of the dsf files loaded in DeDe at
the time the plugin calls the function. The second value is set when the tested
procedure appears to be a published method of one of the forms, and the third
value is set when the tested procedure is an imported function. The value
REF_TYPE_PROTECTED can never be set as a result of calling GetCallReference(). If
no reference has been found, the value of btRefType is undefined. The last
parameter, btMode (default 0), specifies how the name should be returned. Its
value can be any of the REF_MODE_ constants or their binary OR:

REF_MODE_INCLUDE_UNIT = $00000001;
REF_MODE_INCLUDE_PARENS = $00000002;
REF_MODE_INCLUDE_PARAMS = $00000004;
REF_MODE_ALL_REFS = $00000008;

When REF_MODE_INCLUDE_UNIT is specified DeDe prefixes the procedure name with the
unit/dll name and a dot ('.'), e.g. 'kernel32.GetProcAddress',
'SysUtils.MessageBox()'. When this value is not specified the unit/dll name is
omitted ('GetProcAddress', 'MessageBox()', etc.). If REF_MODE_INCLUDE_PARENS is
specified then '(' and ')' are returned without the parameters. If the flag is
not specified, neither '('/')' nor parameters are returned
(REF_MODE_INCLUDE_PARAMS is ignored if REF_MODE_INCLUDE_PARENS is not
specified). When both REF_MODE_INCLUDE_PARENS and REF_MODE_INCLUDE_PARAMS are
specified, the parameter names/types are returned as well. REF_MODE_ALL_REFS is
ignored if the reference is not a dsf reference. When this flag is specified,
all reference names are returned if there is more than one, separated by
carriage return (#13, ASCII 13). When this flag is not specified, a dsf
reference is returned only if exactly one has been found!
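A Python model of the result rules just described, added here as an example and not part of the SDK: it formats a recognized name under each REF_MODE_ combination and applies the dsf/ALL_REFS rule. The Ref record, the RefType enumeration values and the sample names are constructed, since the SDK text gives the REF_TYPE_ names but not their values.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import List, Optional, Tuple

# REF_MODE_ constants as given in the SDK text
REF_MODE_INCLUDE_UNIT   = 0x00000001
REF_MODE_INCLUDE_PARENS = 0x00000002
REF_MODE_INCLUDE_PARAMS = 0x00000004
REF_MODE_ALL_REFS       = 0x00000008

class RefType(Enum):
    # Names from the SDK text; the numeric values are not given there (assumed).
    REF_TYPE_DSF = auto()
    REF_TYPE_PUBLISHED = auto()
    REF_TYPE_IDATA = auto()

@dataclass
class Ref:
    unit: str          # unit or DLL name, e.g. 'kernel32' or 'SysUtils'
    name: str          # procedure name
    params: str = ""   # parameter names/types as text

def format_ref(ref: Ref, bt_mode: int) -> str:
    """Apply the REF_MODE_INCLUDE_* rules to one recognized name."""
    s = ref.name
    if bt_mode & REF_MODE_INCLUDE_UNIT:
        s = f"{ref.unit}.{s}"
    if bt_mode & REF_MODE_INCLUDE_PARENS:
        # INCLUDE_PARAMS only takes effect together with INCLUDE_PARENS
        inner = ref.params if bt_mode & REF_MODE_INCLUDE_PARAMS else ""
        s = f"{s}({inner})"
    return s

def get_call_reference(matches: List[Ref], ref_type: Optional[RefType],
                       bt_mode: int = 0) -> Tuple[bool, str, Optional[RefType]]:
    """Model of GetCallReference()'s result (found, sReference, btRefType),
    given the names DeDe has already recognized for the procedure."""
    if not matches:
        return False, "", None             # btRefType is undefined when not found
    if ref_type is RefType.REF_TYPE_DSF:
        if len(matches) > 1 and not (bt_mode & REF_MODE_ALL_REFS):
            return False, "", None         # several dsf matches, ALL_REFS not set
        names = [format_ref(r, bt_mode) for r in matches]
        return True, "\r".join(names), ref_type   # names separated by #13
    # ALL_REFS is ignored for published/imported references
    return True, format_ref(matches[0], bt_mode), ref_type

# Constructed sample import reference for trying the rules out
KERNEL32_GPA = Ref("kernel32", "GetProcAddress", "hModule: HMODULE; lpProcName: PChar")
```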

------------------------------------------------------------------------

function GetObjectName(dwVirtOffset : DWORD;
                       var sObjName : String) : Boolean;

Description:

------------------------------------------------------------------------

function GetFieldReference(dwVirtOffset : DWORD;
                           var sReference : String) : Boolean;

Description:

------------------------------------------------------------------------
