
I am making a little program that works a bit like strace, except that I am making it catch all the calls and also the rets. As I can't find a way to get all the calls and rets because of indirect calls, I would like to find a way to get the function from which a ret opcode originates. Do you guys have any idea how to do that?

1 Answer


You can simulate what a ret does: it looks at the stack at address %esp and sets EIP to that value. The instruction before the address on the current stack top will be the call used to get here.

phihag
  • OK, but as the previous instruction's size is not fixed, isn't it difficult to go backward and get to the beginning of this instruction? – juan michelle May 01 '16 at 18:37
  • Yes, that is a general limitation of all variable-size opcode architectures: you cannot go backwards. But you do know the calling function. I'm not sure why you want to get the `call` in the first place, but the way to do that is then to disassemble the whole function from any valid point you do know, stopping at the address read by the `ret`. – phihag May 01 '16 at 18:44