Often enough, I tend to come across a group of functions in this form:
int sub_448503(struc_9 *pObj, ...)
{
    if (pObj->some_ptr)
    {
        // do some heavy lifting
    }
    else
    {
        return some_error; // often E_FAIL...
    }
}
Now, on a good day, the offset for ptr will be something nice, i.e. large and not very round. For example, if ptr is at offset 668h, life is improved. If ptr is at 4, you're SOL for this technique.
So, let's say it is large and not very round. Now, one can go searching for immediate operands of the same value. Let's say you go off and do an immediate search in IDA Pro for 668h. You will quite likely find:
a) Some functions from the same group that have a similar if check at the beginning
b) The spot where ptr is set up (often quite handy)
c) A bunch of stuff you don't want
It is, of course, (c) that is painful. You would be amazed at how often 98h occurs as an immediate operand. So, the question becomes: how can I narrow down my search? So, for example, I might want to eliminate:
1) any place where 98 is used with ebp (I don't care about stack vars at that offset), e.g.
mov eax, [ebp+98h]
is not of interest. Well, depends if the compiler has gone mad and started using ebp as a general register, but not usual.
2) any place where 98 is used as a constant, e.g.
mov eax, 98h
is likely not of interest. Though I really hate it when compilers do:
mov eax, [ebp+arg_0]
add eax, 98h
cmp [eax], 0
jz woof
but still, that is relatively rare in my experience
3) where 98h is used with cmp or test. This helps me find (a) above well
4) where 98h is used only as an offset as a destination, so we want to find things like:
mov [ecx+98h], eax
Now I figure someone must have explored this avenue previously and might have some clever ideas. I am currently leaning towards writing some IDA script, but I have no experience so I have to get over the learning curve first, so thought I would throw it out here. As well, I was wondering if people had other refinements of this technique.
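One way to script the four filters above, added here as an example and not code from the poster: the rules are plain Python over (kind, value, text) operand tuples so they run outside IDA against a constructed instruction stream, and a small collector (assuming the IDAPython 7.x names idautils.Heads, idc.print_insn_mnem, idc.get_operand_type, idc.get_operand_value, idc.print_operand and the o_* constants) feeds them real instructions when run inside IDA. The ebp test is the same text heuristic the post describes, so a compiler using ebp as a general register will still fool it.

```python
# Added example, not the poster's code: the four filtering rules from the post as plain Python
# (runs anywhere), plus an IDAPython collector that feeds them real instructions inside IDA.
def classify(mnem, ops, value):
    """ops are (kind, value, text), kind in imm/displ/reg like IDA's o_* types. Returns stack
    (rule 1, drop), constant (rule 2, drop), check (rule 3), store (rule 4), load, or None."""
    for i, (kind, val, text) in enumerate(ops):
        if val != value or kind not in ("imm", "displ"):
            continue
        if kind == "displ" and "ebp" in text:
            return "stack"
        if mnem in ("cmp", "test"):
            return "check"
        if kind == "imm":
            return "constant"
        return "store" if i == 0 else "load"  # Intel syntax: operand 0 is the destination
    return None

def interesting(insns, value, keep=("check", "store", "load")):
    """Filter (ea, mnem, ops) triples down to the categories worth inspecting."""
    hits = []
    for ea, mnem, ops in insns:
        cat = classify(mnem, ops, value)
        if cat in keep:
            hits.append((ea, cat, mnem + " " + ", ".join(t for _, _, t in ops)))
    return hits

# Constructed instruction stream mirroring the post's examples (addresses are made up).
SAMPLE = [
    (0x401000, "mov", [("reg", 0, "eax"), ("displ", 0x98, "[ebp+98h]")]),  # stack var, rule 1
    (0x401006, "mov", [("reg", 0, "eax"), ("imm", 0x98, "98h")]),          # bare constant, rule 2
    (0x40100b, "add", [("reg", 0, "eax"), ("imm", 0x98, "98h")]),          # the add-then-cmp idiom: also dropped
    (0x401010, "cmp", [("displ", 0x98, "[ecx+98h]"), ("imm", 0, "0")]),    # the if-check, rule 3
    (0x401017, "mov", [("displ", 0x98, "[ecx+98h]"), ("reg", 0, "eax")]),  # field being set up, rule 4
    (0x40101d, "mov", [("reg", 0, "eax"), ("displ", 0x98, "[esi+98h]")]),  # plain read
    (0x401023, "mov", [("reg", 0, "eax"), ("displ", 0x10, "[esi+10h]")]),  # unrelated offset
]

def collect_in_ida(value):
    """Same rules over every instruction in the IDB (IDAPython 7.x API; only works inside IDA)."""
    import idautils, idc
    kinds = {idc.o_imm: "imm", idc.o_displ: "displ", idc.o_reg: "reg"}
    insns = []
    for ea in idautils.Heads():
        mnem = idc.print_insn_mnem(ea)
        ops = [(kinds.get(idc.get_operand_type(ea, n), "other"),
                idc.get_operand_value(ea, n), idc.print_operand(ea, n))
               for n in range(2) if idc.get_operand_type(ea, n) != idc.o_void]
        if mnem:  # skip data items
            insns.append((ea, mnem, ops))
    return interesting(insns, value)
```

Running interesting(SAMPLE, 0x98) keeps only the cmp, the store and the plain read; inside IDA, collect_in_ida(0x668) does the same over the whole database.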