
Entry-points Using
PEBrowse Professional

The Fourth Entry Point

From the Disassembly Window - The 4th Entry-point

Thus far you have not seen anything extraordinary from PEBrowse; what we have tried are basic operations available from any capable PE-file viewer.  Before I move on to some of the more unusual features, there is one more obvious place to find entry-points -- the disassembly listing itself.  I now have the disassembly listings for two functions from MSSCRIPT.OCX open -- CDispatchEx::InvokeEx and CAutomationObject::GetResourceHandle.  Find and open these yourself.  Looking first at CDispatchEx::InvokeEx, you should see a single call statement (highlighted in blue, the default colour for call statements):

0x6B983FED: CALL     DWORD PTR [ECX+0x18] 

A call through a register plus an offset is the signature of a C++ virtual call: the processor reads the 4-byte function pointer stored at ECX+0x18 and jumps to it.  In Microsoft compiler output ECX normally carries the "this" pointer, and the first dword of the object is the vtable pointer; for this instruction to be a virtual call, ECX must by now hold that vtable pointer (or a COM interface table, which has the same shape), and the offset 0x18 selects slot 6, the seventh 4-byte entry.  Because the table lives in the object rather than in the instruction, the listing alone cannot tell you which function will run.  Short of heroic measures and some luck, the reliable way to resolve the target is to run the program under a debugger, break on this statement, and read the dword at [ECX+0x18].  A static shortcut that often works is to find the constructor that stores the vtable address into the object's first dword, open that table in the disassembler and read its seventh entry; it breaks down when several classes share the call site, which is exactly the case an interface method like InvokeEx is designed for.

Turning our attention now to CAutomationObject::GetResourceHandle (Figure 6), we see a single call statement:

0x6B98DCD5: CALL     struct HINSTANCE__ * __stdcall GetResourceHandle(unsigned long); (0x6B98A8F2)

Figure 6

The call to GetResourceHandle(unsigned long) is an internal call -- its target, 0x6B98A8F2, lies inside MSSCRIPT.OCX itself, which is why PEBrowse could name it from the module's own symbols.  Double-clicking the line (or choosing Disassemble from the popup menu) does not open a new disassembly window; PEBrowse reuses the current one and pushes the listing you came from into a list box that now appears at the top of the disassembly display.  As you descend through nested internal calls, this list box behaves like a call stack, with the most recent listing at the top, so it records how you reached the code presently before you.  Pressing the Back key (or Edit/Back from the main menu, or Back from the popup) returns you to the previous listing, which in this case is our starting point.  Before pressing Back, scroll down a bit until you find the instruction:

0x6B98A95B: CALL     DWORD PTR [KERNEL32.DLL!GetLocaleInfoA]; (0x6B9810C0) 

The call to GetLocaleInfoA is an external call.  Note what the operand actually is: the address in brackets, 0x6B9810C0, is not GetLocaleInfoA itself but a slot in MSSCRIPT.OCX's import address table (IAT), which the Windows loader fills with the function's real address when the module is mapped; the KERNEL32.DLL!GetLocaleInfoA label comes from the module's import directory, which records which DLL and symbol each slot belongs to.  If you need to examine what this API does, it is a fairly simple matter to locate KERNEL32.DLL and disassemble the exported symbol.  (Try double-clicking this line.  You will be presented with a file open dialog box for KERNEL32.DLL; choosing it launches another instance of PEBrowse and, after you answer "Yes" to the initialization nodes dialog box, displays the API.  Pick the KERNEL32.DLL from the same Windows installation the OCX runs on, since export addresses differ between versions.)
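To make the external-call case concrete, here is an added Python example (it is not part of the original page and not PEBrowse's own code) that does the bookkeeping behind that label: it walks a PE import directory and maps an IAT slot address back to DLL!Symbol.  The module is pictured as a flat bytearray indexed by RVA, as if already mapped, with an assumed image base of 0x6B980000 and a constructed layout placed so that the slot 0x6B9810C0 from the listing above resolves to KERNEL32.DLL!GetLocaleInfoA; nothing in it is read from MSSCRIPT.OCX.  In a real file you would locate the descriptor array through DataDirectory[1] of the optional header and translate RVAs through the section table before indexing the file on disk.

```python
import struct

# Assumptions for this added example: the module is a flat bytearray indexed
# by RVA (as if mapped), with image base 0x6B980000 so that RVA 0x10C0 is the
# IAT slot 0x6B9810C0 seen in the listing.  The layout below is constructed
# for the demonstration, not taken from MSSCRIPT.OCX.
IMAGE_BASE = 0x6B980000
IMPORT_DIR_RVA = 0x1000   # IMAGE_IMPORT_DESCRIPTOR array (normally DataDirectory[1])
INT_RVA = 0x1040          # OriginalFirstThunk: import name table
IAT_RVA = 0x10C0          # FirstThunk: the slots that CALL DWORD PTR [...] reads
DLL_NAME_RVA = 0x1100
HINT_NAME_RVAS = [(0x1120, b"GetLocaleInfoA"), (0x1140, b"GetLastError")]
ORDINAL_FLAG = 0x80000000  # set in a 32-bit thunk that imports by ordinal


def build_image():
    """Construct a minimal import directory: one DLL, three imports."""
    img = bytearray(0x2000)
    # One descriptor; the all-zero terminator is already in the buffer.
    # Fields: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", img, IMPORT_DIR_RVA,
                     INT_RVA, 0, 0, DLL_NAME_RVA, IAT_RVA)
    img[DLL_NAME_RVA:DLL_NAME_RVA + 13] = b"KERNEL32.DLL\0"
    for rva, name in HINT_NAME_RVAS:
        struct.pack_into("<H", img, rva, 0)            # IMAGE_IMPORT_BY_NAME.Hint
        img[rva + 2:rva + 3 + len(name)] = name + b"\0"  # .Name, NUL-terminated
    # Before the loader binds it the IAT is a copy of the INT; the third entry
    # imports by ordinal 720 and the zero entry terminates the list.
    thunks = [HINT_NAME_RVAS[0][0], HINT_NAME_RVAS[1][0], ORDINAL_FLAG | 720, 0]
    for i, thunk in enumerate(thunks):
        struct.pack_into("<I", img, INT_RVA + 4 * i, thunk)
        struct.pack_into("<I", img, IAT_RVA + 4 * i, thunk)
    return bytes(img)


def cstr(img, rva):
    """Read a NUL-terminated ASCII string at an RVA."""
    return img[rva:img.index(b"\0", rva)].decode("ascii")


def iter_imports(img, import_dir_rva):
    """Yield (dll, iat_slot_rva, symbol) for every slot in the import directory."""
    off = import_dir_rva
    while True:
        oft, _stamp, _chain, name_rva, ft = struct.unpack_from("<IIIII", img, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                      # terminator descriptor
        dll = cstr(img, name_rva)
        lookup = oft or ft                             # some linkers omit the INT
        i = 0
        while True:
            entry, = struct.unpack_from("<I", img, lookup + 4 * i)
            if entry == 0:
                break
            if entry & ORDINAL_FLAG:
                symbol = "#%d" % (entry & 0xFFFF)      # import by ordinal
            else:
                symbol = cstr(img, entry + 2)          # skip the 2-byte hint
            yield dll, ft + 4 * i, symbol
            i += 1
        off += 20                                      # sizeof(IMAGE_IMPORT_DESCRIPTOR)


def resolve_iat_slot(img, image_base, import_dir_rva, slot_va):
    """Map the operand of CALL DWORD PTR [slot_va] to 'DLL!Symbol', or None."""
    slot_rva = slot_va - image_base
    for dll, rva, symbol in iter_imports(img, import_dir_rva):
        if rva == slot_rva:
            return "%s!%s" % (dll, symbol)
    return None


if __name__ == "__main__":
    image = build_image()
    for va in (0x6B9810C0, 0x6B9810C4, 0x6B9810C8, 0x6B9810CC):
        target = resolve_iat_slot(image, IMAGE_BASE, IMPORT_DIR_RVA, va)
        print("CALL DWORD PTR [0x%08X] -> %s" % (va, target))
```

The slot at 0x6B9810C0 resolves to the page's KERNEL32.DLL!GetLocaleInfoA, the next slot to a second named import, the third to an ordinal-only import, and an address past the terminator to nothing, which is what you would expect a disassembler to print for a stray indirect call that does not land on an import slot.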

Page best viewed at 1024x768.   Page last updated 2006-11-19.   This site is PIKT® powered.
Copyright © 1998-2006 Russell Osterlund.  All rights reserved.  SmidgeonSoft is a wholly-owned division of SmidgeonSoft, LLC.