Hello everyone!I am trying at the moment to code an unpacker for several different compressors and packers using the TitanEngine Community edition. One of the things which I am trying to do is to set a breakpoint on an API (GetProcAddress). However, my callback code seems to be called only in cases where the breakpoint is placed at the begining of the API :

 

SetAPIBreakPoint("KERNEL32.DLL","GetProcAddress",UE_BREAKPOINT,UE_APISTART,(void*)cbCallBack);

 

If I am change the UE_APISTART with APIEND, the callback never gets called. The thing is that I would need to be able to land somewhere near the end of the API call and return from there. Does anyone know how I can do this?

I apologize if this is not the correct thread to post this question.
 

Just because your api is called it doesn't mean that the end of the api is executed. Are you sure that, whatever you are trying to execute actually executes:

7C80AC86     C9                               LEAVE

7C80AC87     C2 0800                          RET 8

@AndreiN: UE_APIEND just searches for the first RET instruction and puts a breakpoint there. Just go for UE_APISTART and use StepOut from there (StepOut will trace to the return value).

Greetings

if you change the library from kernel32 to kernelbase it will work

cause after calling GetProcAddress in kernel32

you will find 2 jump ,lead you to GetProcAddress in kernelbase

Thats because there is no ret instruction in all cases inside kernel32. Its a forwarder, but not in all cases and its also different on windows xp. you should use kernel32, since this is the official dll, kernelbase is subject to changes.