The Archive Base

Editorial Team
Asked: May 30, 2026

I’m trying to learn reverse engineering, and I’m stuck on this little thing. I


I’m trying to learn reverse engineering, and I’m stuck on this little thing. I have code like this:

.text:10003478                 mov     eax, HWHandle
.text:1000347D                 lea     ecx, [eax+1829B8h] <------
.text:10003483                 mov     dword_1000FA64, ecx
.text:10003489                 lea     esi, [eax+166A98h]<------
.text:1000348F                 lea     edx, [eax+11FE320h]
.text:10003495                 mov     dword_1000FCA0, esi

and I’m wondering, what does it look like in C or C++? Especially the two instructions marked by arrows. HWHandle is a variable which holds the value returned from the GetModuleHandle() function.
More interesting is that a couple of lines below these instructions, dword_1000FCA0 is used as a function:

.text:1000353C                 mov     eax, dword_1000FCA0
.text:10003541                 mov     ecx, [eax+0A0h]
.text:10003547                 push    offset asc_1000C9E4 ; "\r\n========================\r\n"
.text:1000354C                 call    ecx

This will draw this text in my game console. Have you got any ideas, guys?

1 Answer

  • Voted
  • Oldest
  • Recent
  • Random
  1. Editorial Team
    Added an answer on May 30, 2026 at 3:37 pm

    Since HWHandle is a module handle, which is just the base address of a DLL, it looks as if the constants that are being added to this are offsets for functions or static data inside the DLL. The code is computing the addresses of these functions or data items and storing them for later use.

    Since this is typically the job of a dynamic linker, I’m not sure that this assembly code corresponds to actual C++ code. It would be helpful to know what environment you’re working in exactly — since you refer to games consoles, is this Xbox code? Unfortunately, I don’t know how exactly dynamic linking works on Xbox, but it looks as if this may be what is going on here.

    In the specific case of dword_1000FCA0, it looks as if this is the location of a jump table (i.e. essentially a list of function pointers) inside the DLL. Your second code snippet is getting a function pointer from offset 0xA inside this table, then calling it — apparently, the function being called outputs strings to the screen. (The pointer to the string to be output is pushed to the stack, which is a usual x86 calling convention.) The C++ code corresponding to this would be something like

    my_print_function("\r\n========================\r\n");
    

    Edit:

    If you want to call functions in a DLL yourself, the canonical way of getting at the function pointer is to use GetProcAddress():

    FARPROC func=GetProcAddress(HWHandle, "MyFunction");
    

    However, the code you posted is calculating offsets itself, and if you really want to do the same, you could use something like this:

    DWORD func=(DWORD)HWHandle + myOffset;
    

    myOffset is the offset you want to use — of course, you’d need to have some way of determining this offset, and this can change every time the DLL is recompiled, so it’s not a technique I would recommend — but it is, after all, what you were asking about.

    Regardless of which of these two ways you use to get at the address of the function, you need to call it. To do this, you need to declare a function pointer — and to do that, you need to know the signature of your function (its parameters and return types). For example:

    typedef void (*print_func_type)(const char *);
    print_func_type my_func_pointer=(print_func_type)func;
    my_func_pointer("\r\n========================\r\n");
    

    Beware — if you get the address of the function or its signature wrong, your code will likely crash. All part of the fun of this kind of low-level work.


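One C shape that would compile to the pattern in the question's listing (base plus constant stored in a global, then a call through the slot read by `[eax+0A0h]`), as an added example that is not part of the original question or answer. The names `struct engine_funcs`, `resolve`, `console_print` and the heap buffer standing in for the loaded DLL are assumptions; only the offsets 166A98h, 0A0h and 11FE320h come from the listing.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define TABLE_OFFSET 0x166A98u  /* from: lea esi, [eax+166A98h] */
#define PRINT_SLOT   0xA0u      /* from: mov ecx, [eax+0A0h]    */

typedef void (*print_fn)(const char *);

/* Hypothetical layout: only the slot at +0A0h is known from the listing. */
struct engine_funcs {
    void    *unknown[PRINT_SLOT / sizeof(void *)];
    print_fn print;
};

static char g_console[128];            /* stands in for the game console */
static struct engine_funcs *g_engine;  /* plays the role of dword_1000FCA0 */

static void console_print(const char *s) {
    strncat(g_console, s, sizeof g_console - strlen(g_console) - 1);
}

/* base + offset, refused when the object would fall outside the mapped image. */
static void *resolve(void *base, size_t image_size, size_t offset, size_t need) {
    if (base == NULL || offset > image_size || need > image_size - offset)
        return NULL;
    return (unsigned char *)base + offset;
}

/* Builds a constructed stand-in for the DLL, then repeats what the listing does. */
int demo(void) {
    size_t image_size = TABLE_OFFSET + sizeof(struct engine_funcs);
    unsigned char *hw_handle = calloc(1, image_size);  /* fake module base */
    struct engine_funcs table;
    if (hw_handle == NULL) return -1;
    memset(&table, 0, sizeof table);
    table.print = console_print;
    memcpy(hw_handle + TABLE_OFFSET, &table, sizeof table);

    g_console[0] = '\0';
    g_engine = resolve(hw_handle, image_size, TABLE_OFFSET, sizeof *g_engine);
    if (g_engine == NULL || g_engine->print == NULL) { free(hw_handle); return -1; }
    g_engine->print("\r\n========================\r\n");  /* mov ecx,[eax+0A0h]; call ecx */

    /* 11FE320h lies far outside this small fake image, so it must be refused. */
    int refused = resolve(hw_handle, image_size, 0x11FE320u, sizeof *g_engine) == NULL;
    g_engine = NULL;
    free(hw_handle);
    return refused ? 0 : -2;
}

int main(void) { return demo(); }
```

On a real module the image size passed to `resolve` would have to come from the loaded image's PE headers; here it is simply the size of the constructed buffer.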