2

I'm reverse engineering an application and I identified a specific function call that has an output that I need to capture. For the actual capture, I'll do a memory dump, so that I can handle. However, I used rohitab's API Monitor to see the function call, but I'm having a hard time identifying it in a debugger. I'd like to use x64dbg since that's what I'm trying to learn, but IDA/Olly/Win all work. Any help is much appreciated!

I included an image that shows the function call and the call stack. The one highlighted in blue is the one I'm trying to step to. Once I can step to it and have the debugger pause the process, I can issue a memory dump.

API Monitor

Axel Munoz
  • 19
  • 1
  • 4
  • You want to find the function in the debugger? See https://reverseengineering.stackexchange.com/questions/17874/ – user202729 Oct 05 '18 at 12:40
  • @user202729, thanks for that reference! It looks like it mainly worked. The blue marked out portion in the higlighted field in my image is the name of the executable, call it foo.exe. When I find the same function in x64dbg it's referenced to an advapi32.dll. (As well as other functions from foo.exe all come from advapi32.dll), why is this? – Axel Munoz Oct 05 '18 at 13:44
  • For x64dbg you can press Ctrl+G and type “CryptDecrypt” which should bring you to the function. Then you can set a breakpoint there with F4. I think in this tool you are using it shows which module calls the function, not in which module the function is... – mrexodia Oct 07 '18 at 15:03

0 Answers0