Home/ Questions/Q 6653525
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T01:16:49+00:00

I have this program I’m trying to reverse engineer. I don’t know whether or

  • 0

I have this program I’m trying to reverse engineer. I don’t know whether or not it was the compiler’s optimizer or obfuscation, but now some parts of the code that call other functions are calculated by math then called such as

CALL EAX

It works properly until it’s loaded as a DLL in another program. The base address offsets are changed so now all relative code works properly, but all the math calculated calls/jmps don’t go to the proper areas.

So I figured i’d fix this easily by making all absolute calls into relative calls.

While stepping the code and letting all the math get calculated I get the correct jmp/call offset.

I am not having problems like not enough space to allocate the patch. Since the absolute call is usually using the line before which I could use as well to fix things up

Absolute call, this is where the math ends:

seg000:0044F7D1                 add     eax, 3B882683h
seg000:0044F7D6                 call    eax

to be converted to like

seg000:0044F7D1                 call     3B882683h

Well the above of course will not work as eax was already something, but it’s just a pseudo code example

Well my question is not how to do this, but is there any plugin that automatically does this for me in OllyDbg or IDA Pro?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    you want to get the calculated adress of the variable calls, thats really hard to figure out because they are not equal, how you explained it in this part

    seg000:0044F7D1 add eax, 3B882683h
    seg000:0044F7D6 call eax

    would be realy easy to make such an plugin, but its never just like that. The EAX could change in that part of code thats why the call is an “variable”. Just imagine, a part of code controlls a door in a game or whatever, if you are not allowed to pass EAX or any other register would change to call the function to dont let you pass, otherwise you are allowed because you have a key or something like that and the code will change EAX to the adress that the call executes code to open the door. That was just an example because there are calls with variables. A Plugin that you think about, must listen all there possible calls that can be a really gigantic mass and would cause to bugs or no overview.

    So the easiest way for you is to break untill this call and read the register.
    I hope that can help you to understand or I did not answered the right, your question is a little bit misleading because you said things about JMPs and a dll inject that irritates me. You can tell it me more detailed in a private message or here.

    • 0