Main Menu Item - View/Disassemble At
If you are given an address that is claimed to be inside MSSCRIPT.OCX, you can try using it as a disassembly starting point. Select View/Disassemble At and you will see Figure 7.
Figure 7
The address appearing in the edit field is a guess based on hints gathered from your activity while analyzing this module; if the guess is correct, respond "Ok"; otherwise, change the edit field to the desired value. The analyze check box controls whether the initial display is based on a recursive traversal or a linear sweep algorithm -- the former analyzes all jump statements and includes them in the listing, while the latter disassembles sequentially from the starting address for a user-configurable number of instructions. Sometimes the address you provide yields a display like Figure 8: a listing that is not a recognizable sequence of valid x86 instructions. In this case you can try pressing F7 or selecting Edit/Adjust/16 Bytes/Up, or pressing F8 or selecting Edit/Adjust/16 Bytes/Down, to adjust the starting address -- this turns off analyze mode, which can be enabled again after reaching something meaningful.
Figure 8
Another Main Menu Item - View/Subroutines
The entry-points accessible from the main menu using View/Subroutines sound like a throwback to the 1970s -- subroutines were something I wrote in Fortran! In any case, if you select this option, after responding "Yes" to a dialog box warning you that the operation might take "a few moments", you will eventually see the display presented in Figure 9 and a tree view of the 6th entry-point type.
Figure 9
The tree view has been populated by nearly all of the internal methods in MSSCRIPT.OCX, i.e., subroutines that are targets of call statements. Child nodes contain the addresses of these call statements, in effect providing you with a quick cross-reference of where a particular piece of code is being used internally. Of course, the listing is incomplete, since it will not contain call statements through a register, e.g. CALL EAX, or a memory reference, e.g. CALL [ECX+0x18]. The methods that are only called externally will also be missing from the cross-reference. If your starting address can be found within one of the items listed, you will quickly have a good idea of whether it is being used internally or externally.
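The cross-reference described above, as an added example that is not the tool's own code: it maps each direct CALL rel32 target to its call sites and lists the indirect calls that cannot be resolved statically. The load address, the byte sample, the function names and the toy decoder (which covers only the opcodes in the sample) are assumptions made for illustration.

```python
import struct
from collections import defaultdict

BASE = 0x10001000  # hypothetical load address for the constructed sample
# Constructed sample: four tiny routines, not bytes taken from MSSCRIPT.OCX.
CODE = bytes.fromhex(
    "55 E80D000000 FFD0 5D C3"   # sub_A: direct call to sub_C, then CALL EAX
    "E804000000 FF5118 C3"       # sub_B: direct call to sub_C, then CALL [ECX+0x18]
    "90 C3"                      # sub_C: NOP / RET
    "E8E6FFFFFF C3"              # sub_D: direct (backward) call to sub_A
)
ONE_BYTE = {0x55: "PUSH EBP", 0x5D: "POP EBP", 0x90: "NOP", 0xC3: "RET"}

def decode(code, off, base):
    """Toy decoder for the sample's opcodes only.
    Returns (length, text, direct_target or None, is_indirect_call)."""
    op = code[off]
    if op in ONE_BYTE:
        return 1, ONE_BYTE[op], None, False
    if op == 0xE8:  # CALL rel32: target = address of next instruction + signed rel32
        (rel,) = struct.unpack_from("<i", code, off + 1)
        target = (base + off + 5 + rel) & 0xFFFFFFFF
        return 5, f"CALL 0x{target:08X}", target, False
    if code[off:off + 2] == b"\xFF\xD0":  # FF /2, register operand
        return 2, "CALL EAX", None, True
    if code[off:off + 2] == b"\xFF\x51":  # FF /2, [ECX+disp8] operand
        return 3, f"CALL [ECX+0x{code[off + 2]:X}]", None, True
    raise ValueError(f"opcode 0x{op:02X} at offset {off} not covered by toy decoder")

def build_xref(code, base):
    """Sequential pass: map each direct call target to its call-site addresses
    and collect indirect calls, whose targets are unknown without running the code."""
    xref, unresolved, off = defaultdict(list), [], 0
    while off < len(code):
        length, text, target, indirect = decode(code, off, base)
        if target is not None:
            xref[target].append(base + off)
        elif indirect:
            unresolved.append((base + off, text))
        off += length
    return dict(xref), unresolved

if __name__ == "__main__":
    xref, unresolved = build_xref(CODE, BASE)
    for target, sites in sorted(xref.items()):
        print(f"sub_{target:08X} called from", ", ".join(f"{s:08X}" for s in sites))
    for addr, text in unresolved:
        print(f"{addr:08X}  {text}  (target unknown, absent from the tree)")
```

In this sample sub_B and sub_D have no direct callers, so they never appear as parent nodes even though they are real code, which is the incompleteness the paragraph above warns about.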