flat assembler
Message board for the users of flat assembler.

Index > Windows > New to ASM

Author
Thread Post new topic Reply to topic
dw0rek



Joined: 05 Feb 2007
Posts: 7
dw0rek 05 Feb 2007, 06:21
Hi all, i just started with asm and found the fasm compiler which is great. I tried out the example programs provided in the %fasmdir%examples\

Well i started with the template (%fasmdir%examples\template\template.asm) to see if it would be possible to (by using ollydbg) replacing the function names with addresses so that way it wouldn't be needed to include api\kernel32.inc and api\user32.inc

This is the source code (the row that im having trouble with is marked with <--):
Code:
; Template for program using standard Win32 headers

format PE GUI 4.0
entry start

include 'win32w.inc'

section '.data' data readable writeable

  _class TCHAR 'asdf',0
  _title TCHAR 'test',0
  _error TCHAR 'Startup failed.',0

  wc WNDCLASS 0, WindowProc, 0, 0, NULL, NULL, NULL, COLOR_BTNFACE + 1, NULL, _class

  msg MSG

section '.code' code readable executable

  start:
        push    0
        call    0x7608427B
;GetModuleHandleA = 0x7608427B
        mov     [wc.hInstance], eax
        push    32512
;IDI_APPLICATION = 32512
;IDI_HAND        = 32513
;IDI_QUESTION    = 32514
;IDI_EXCLAMATION = 32515
;IDI_ASTERISK    = 32516
;IDI_WINLOGO     = 32517
        push    0
        call    0x762986D8
;LoadIcon = 0x762986D8
        mov     [wc.hIcon], eax
        push    32512
;IDC_ARROW       = 32512
;IDC_IBEAM       = 32513
;IDC_WAIT        = 32514
;IDC_CROSS       = 32515
;IDC_UPARROW     = 32516
;IDC_SIZE        = 32640
;IDC_ICON        = 32641
;IDC_SIZENWSE    = 32642
;IDC_SIZENESW    = 32643
;IDC_SIZEWE      = 32644
;IDC_SIZENS      = 32645
;IDC_NO          = 32648
;IDC_HAND        = 32649
;IDC_APPSTARTING = 32650
;IDC_HELP        = 32651
        push    0
        call    0x7629862C
;LoadCursor = 0x7629862C
        mov     [wc.hCursor], eax
        push    wc
        call    0x7628F923
;RegisterClass = 0x7628F923
        test    eax, eax
        jz      error
        push    0;NULL
        push    [wc.hInstance]
        push    0;NULL
        push    0;NULL
        push    192
        push    256
        push    128
        push    128
        push    010000000h + 000400000h + 000080000h
;WS_OVERLAPPED   = 000000000h
;WS_ICONICPOPUP  = 0C0000000h
;WS_POPUP        = 080000000h
;WS_CHILD        = 040000000h
;WS_MINIMIZE     = 020000000h
;WS_VISIBLE      = 010000000h
;WS_DISABLED     = 008000000h
;WS_CLIPSIBLINGS = 004000000h
;WS_CLIPCHILDREN = 002000000h
;WS_MAXIMIZE     = 001000000h
;WS_CAPTION      = 000C00000h
;WS_BORDER       = 000800000h
;WS_DLGFRAME     = 000400000h
;WS_VSCROLL      = 000200000h
;WS_HSCROLL      = 000100000h
;WS_SYSMENU      = 000080000h
;WS_THICKFRAME   = 000040000h
;WS_HREDRAW      = 000020000h
;WS_VREDRAW      = 000010000h
;WS_GROUP        = 000020000h
;WS_TABSTOP      = 000010000h
;WS_MINIMIZEBOX  = 000020000h
;WS_MAXIMIZEBOX  = 000010000h
        push    _title
        push    _class
        push    0
        call    0x762985F0
;CreateWindowEx = 0x762985F0
        test    eax, eax
        jz      error

  msg_loop:
        push    0
        push    0
        push    0;NULL
        push    msg
        call    0x762A19A2
;GetMessage = 0x762A19A2
        cmp     eax, 1
        jb      end_loop
        jne     msg_loop
        push    msg
        call    0x762A2AA1
;TranslateMessage = 0x762A2AA1
        push    msg
        call    0x762A2A89
;DispatchMessage = 0x762A2A89
        jmp     msg_loop

  error:
        push    000010h + 000000h
;MB_OK                   = 000000h
;MB_OKCANCEL             = 000001h
;MB_ABORTRETRYIGNORE     = 000002h
;MB_YESNOCANCEL          = 000003h
;MB_YESNO                = 000004h
;MB_RETRYCANCEL          = 000005h
;MB_ICONHAND             = 000010h
;MB_ICONQUESTION         = 000020h
;MB_ICONEXCLAMATION      = 000030h
;MB_ICONASTERISK         = 000040h
;MB_USERICON             = 000080h
;MB_ICONWARNING          = MB_ICONEXCLAMATION
;MB_ICONERROR            = MB_ICONHAND
;MB_ICONINFORMATION      = MB_ICONASTERISK
;MB_ICONSTOP             = MB_ICONHAND
;MB_DEFBUTTON1           = 000000h
;MB_DEFBUTTON2           = 000100h
;MB_DEFBUTTON3           = 000200h
;MB_DEFBUTTON4           = 000300h
;MB_APPLMODAL            = 000000h
;MB_SYSTEMMODAL          = 001000h
;MB_TASKMODAL            = 002000h
;MB_HELP                 = 004000h
;MB_NOFOCUS              = 008000h
;MB_SETFOREGROUND        = 010000h
;MB_DEFAULT_DESKTOP_ONLY = 020000h
;MB_TOPMOST              = 040000h
;MB_RIGHT                = 080000h
;MB_RTLREADING           = 100000h
;MB_SERVICE_NOTIFICATION = 200000h
        push    0;NULL
        push    _error
        push    NULL
        call    0x762DFBD5
;MessageBox = 0x762DFBD5

  end_loop:
        push    [msg.wParam]
        call    0x7607D85E
;ExitProcess = 0x7607D85E

proc WindowProc hwnd, wmsg, wparam, lparam
        push    ebx esi edi
        cmp     [wmsg], 0002h
;WM_STATE                  = 0000h
;WM_NULL                   = 0000h
;WM_CREATE                 = 0001h
;WM_DESTROY                = 0002h
;WM_MOVE                   = 0003h
;WM_SIZE                   = 0005h
;WM_ACTIVATE               = 0006h
;WM_SETFOCUS               = 0007h
;WM_KILLFOCUS              = 0008h
;WM_ENABLE                 = 000Ah
;WM_SETREDRAW              = 000Bh
;WM_SETTEXT                = 000Ch
;WM_GETTEXT                = 000Dh
;WM_GETTEXTLENGTH          = 000Eh
;WM_PAINT                  = 000Fh
;WM_CLOSE                  = 0010h
;WM_QUERYENDSESSION        = 0011h
;WM_QUIT                   = 0012h
;WM_QUERYOPEN              = 0013h
;WM_ERASEBKGND             = 0014h
;WM_SYSCOLORCHANGE         = 0015h
;WM_ENDSESSION             = 0016h
;WM_SYSTEMERROR            = 0017h
;WM_SHOWWINDOW             = 0018h
;WM_CTLCOLOR               = 0019h
;WM_WININICHANGE           = 001Ah
;WM_DEVMODECHANGE          = 001Bh
;WM_ACTIVATEAPP            = 001Ch
;WM_FONTCHANGE             = 001Dh
;WM_TIMECHANGE             = 001Eh
;WM_CANCELMODE             = 001Fh
;WM_SETCURSOR              = 0020h
;WM_MOUSEACTIVATE          = 0021h
;WM_CHILDACTIVATE          = 0022h
;WM_QUEUESYNC              = 0023h
;WM_GETMINMAXINFO          = 0024h
;WM_PAINTICON              = 0026h
;WM_ICONERASEBKGND         = 0027h
;WM_NEXTDLGCTL             = 0028h
;WM_SPOOLERSTATUS          = 002Ah
;WM_DRAWITEM               = 002Bh
;WM_MEASUREITEM            = 002Ch
;WM_DELETEITEM             = 002Dh
;WM_VKEYTOITEM             = 002Eh
;WM_CHARTOITEM             = 002Fh
;WM_SETFONT                = 0030h
;WM_GETFONT                = 0031h
;WM_SETHOTKEY              = 0032h
;WM_QUERYDRAGICON          = 0037h
;WM_COMPAREITEM            = 0039h
;WM_COMPACTING             = 0041h
;WM_COMMNOTIFY             = 0044h
;WM_WINDOWPOSCHANGING      = 0046h
;WM_WINDOWPOSCHANGED       = 0047h
;WM_POWER                  = 0048h
;WM_COPYDATA               = 004Ah
;WM_CANCELJOURNAL          = 004Bh
;WM_NOTIFY                 = 004Eh
;WM_INPUTLANGCHANGEREQUEST = 0050h
;WM_INPUTLANGCHANGE        = 0051h
;WM_TCARD                  = 0052h
;WM_HELP                   = 0053h
;WM_USERCHANGED            = 0054h
;WM_NOTIFYFORMAT           = 0055h
;WM_CONTEXTMENU            = 007Bh
;WM_STYLECHANGING          = 007Ch
;WM_STYLECHANGED           = 007Dh
;WM_DISPLAYCHANGE          = 007Eh
;WM_GETICON                = 007Fh
;WM_SETICON                = 0080h
;WM_NCCREATE               = 0081h
;WM_NCDESTROY              = 0082h
;WM_NCCALCSIZE             = 0083h
;WM_NCHITTEST              = 0084h
;WM_NCPAINT                = 0085h
;WM_NCACTIVATE             = 0086h
;WM_GETDLGCODE             = 0087h
;WM_NCMOUSEMOVE            = 00A0h
;WM_NCLBUTTONDOWN          = 00A1h
;WM_NCLBUTTONUP            = 00A2h
;WM_NCLBUTTONDBLCLK        = 00A3h
;WM_NCRBUTTONDOWN          = 00A4h
;WM_NCRBUTTONUP            = 00A5h
;WM_NCRBUTTONDBLCLK        = 00A6h
;WM_NCMBUTTONDOWN          = 00A7h
;WM_NCMBUTTONUP            = 00A8h
;WM_NCMBUTTONDBLCLK        = 00A9h
;WM_KEYFIRST               = 0100h
;WM_KEYDOWN                = 0100h
;WM_KEYUP                  = 0101h
;WM_CHAR                   = 0102h
;WM_DEADCHAR               = 0103h
;WM_SYSKEYDOWN             = 0104h
;WM_SYSKEYUP               = 0105h
;WM_SYSCHAR                = 0106h
;WM_SYSDEADCHAR            = 0107h
;WM_KEYLAST                = 0108h
;WM_INITDIALOG             = 0110h
;WM_COMMAND                = 0111h
;WM_SYSCOMMAND             = 0112h
;WM_TIMER                  = 0113h
;WM_HSCROLL                = 0114h
;WM_VSCROLL                = 0115h
;WM_INITMENU               = 0116h
;WM_INITMENUPOPUP          = 0117h
;WM_MENUSELECT             = 011Fh
;WM_MENUCHAR               = 0120h
;WM_ENTERIDLE              = 0121h
;WM_MENURBUTTONUP          = 0122h
;WM_MENUDRAG               = 0123h
;WM_MENUGETOBJECT          = 0124h
;WM_UNINITMENUPOPUP        = 0125h
;WM_MENUCOMMAND            = 0126h
;WM_CTLCOLORMSGBOX         = 0132h
;WM_CTLCOLOREDIT           = 0133h
;WM_CTLCOLORLISTBOX        = 0134h
;WM_CTLCOLORBTN            = 0135h
;WM_CTLCOLORDLG            = 0136h
;WM_CTLCOLORSCROLLBAR      = 0137h
;WM_CTLCOLORSTATIC         = 0138h
;WM_MOUSEFIRST             = 0200h
;WM_MOUSEMOVE              = 0200h
;WM_LBUTTONDOWN            = 0201h
;WM_LBUTTONUP              = 0202h
;WM_LBUTTONDBLCLK          = 0203h
;WM_RBUTTONDOWN            = 0204h
;WM_RBUTTONUP              = 0205h
;WM_RBUTTONDBLCLK          = 0206h
;WM_MBUTTONDOWN            = 0207h
;WM_MBUTTONUP              = 0208h
;WM_MBUTTONDBLCLK          = 0209h
;WM_MOUSEWHEEL             = 020Ah
;WM_MOUSELAST              = 020Ah
;WM_PARENTNOTIFY           = 0210h
;WM_ENTERMENULOOP          = 0211h
;WM_EXITMENULOOP           = 0212h
;WM_NEXTMENU               = 0213h
;WM_SIZING                 = 0214h
;WM_CAPTURECHANGED         = 0215h
;WM_MOVING                 = 0216h
;WM_POWERBROADCAST         = 0218h
;WM_DEVICECHANGE           = 0219h
;WM_MDICREATE              = 0220h
;WM_MDIDESTROY             = 0221h
;WM_MDIACTIVATE            = 0222h
;WM_MDIRESTORE             = 0223h
;WM_MDINEXT                = 0224h
;WM_MDIMAXIMIZE            = 0225h
;WM_MDITILE                = 0226h
;WM_MDICASCADE             = 0227h
;WM_MDIICONARRANGE         = 0228h
;WM_MDIGETACTIVE           = 0229h
;WM_MDISETMENU             = 0230h
;WM_ENTERSIZEMOVE          = 0231h
;WM_EXITSIZEMOVE           = 0232h
;WM_DROPFILES              = 0233h
;WM_MDIREFRESHMENU         = 0234h
;WM_IME_SETCONTEXT         = 0281h
;WM_IME_NOTIFY             = 0282h
;WM_IME_CONTROL            = 0283h
;WM_IME_COMPOSITIONFULL    = 0284h
;WM_IME_SELECT             = 0285h
;WM_IME_CHAR               = 0286h
;WM_IME_KEYDOWN            = 0290h
;WM_IME_KEYUP              = 0291h
;WM_MOUSEHOVER             = 02A1h
;WM_MOUSELEAVE             = 02A3h
;WM_CUT                    = 0300h
;WM_COPY                   = 0301h
;WM_PASTE                  = 0302h
;WM_CLEAR                  = 0303h
;WM_UNDO                   = 0304h
;WM_RENDERFORMAT           = 0305h
;WM_RENDERALLFORMATS       = 0306h
;WM_DESTROYCLIPBOARD       = 0307h
;WM_DRAWCLIPBOARD          = 0308h
;WM_PAINTCLIPBOARD         = 0309h
;WM_VSCROLLCLIPBOARD       = 030Ah
;WM_SIZECLIPBOARD          = 030Bh
;WM_ASKCBFORMATNAME        = 030Ch
;WM_CHANGECBCHAIN          = 030Dh
;WM_HSCROLLCLIPBOARD       = 030Eh
;WM_QUERYNEWPALETTE        = 030Fh
;WM_PALETTEISCHANGING      = 0310h
;WM_PALETTECHANGED         = 0311h
;WM_HOTKEY                 = 0312h
;WM_PRINT                  = 0317h
;WM_PRINTCLIENT            = 0318h
;WM_HANDHELDFIRST          = 0358h
;WM_HANDHELDLAST           = 035Fh
;WM_AFXFIRST               = 0360h
;WM_AFXLAST                = 037Fh
;WM_PENWINFIRST            = 0380h
;WM_PENWINLAST             = 038Fh
;WM_COALESCE_FIRST         = 0390h
;WM_COALESCE_LAST          = 039Fh
;WM_USER                   = 0400h
        je      .wmdestroy
  .defwndproc:
        push    [lparam]
        push    [wparam]
        push    [wmsg]
        push    [hwnd]
        call    [DefWindowProcW];0x762A1D90 <-- The program works fine with [DefWindowProcW]
        ;but if it is changed to the address 0x762A1D90 the program will crash. any ideas
        ;to why this might happen, and how can it be fixed?
;DefWindowProc = 0x762A1D90
        jmp     .finish
  .wmdestroy:
        push    0
        call    0x762921DF
;PostQuitMessage = 0x762921DF
        xor     eax, eax
  .finish:
        pop     edi esi ebx
        ret
endp

section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL'

  include 'api\user32.inc'

;  dd 0, 0, 0, RVA user_name, RVA user_table

;  user_table:
;    DefWindowProcW dd RVA _DefWindowProcW
;    dd 0

;  user_name db 'USER32.DLL', 0

;  _DefWindowProcW dw 0
;    db 'DefWindowProcW', 0

;section '.reloc' fixups data readable discardable    


This row is the i cant get to work:
Code:
        call    [DefWindowProcW];0x762A1D90 <-- The program works fine with [DefWindowProcW]
        ;but if it is changed to the address 0x762A1D90 the program will crash. any ideas
        ;to why this might happen, and how can it be fixed?    


Here is a screenshot from ollydbg which will show the address of the [DefWindowProcW] function.

Code:
http://hem.bredband.net/dworek/tempdir/01.png    


Hope you guys know what ive done wrong, and also is there a way to define TCHAR somehow and the others needed so by doing that not having to include any libraries?

Thx for the help

cheers /dw0rek

_________________
Image
Post 05 Feb 2007, 06:21
View user's profile Send private message MSN Messenger Reply with quote
shoorick



Joined: 25 Feb 2005
Posts: 1614
Location: Ukraine
shoorick 05 Feb 2007, 07:38
seems you've been using call [0x762A1D90] - if yes - remove brackets
Post 05 Feb 2007, 07:38
View user's profile Send private message Visit poster's website Reply with quote
dw0rek



Joined: 05 Feb 2007
Posts: 7
dw0rek 05 Feb 2007, 08:21
thank you for your reply.

no i did not use call [0x762A1D90]

i first try with
Code:
call    [DefWindowProcW]    

then everything works just fine like it should. but when i replace it to this:
Code:
call    0x762A1D90    

it doesnt work anymore. this is a bit strange to me since ive used the same way of replacing all the other function calls with their address.

Im sure there is something that im missing but like i said i just started out with asm and would appreciate if you guys could help out.

This is the problem signature:
Code:
  Problem Event Name:   APPCRASH
  Application Name:     TEMPLATE.exe
  Application Version:  0.0.0.0
  Application Timestamp:        45c6e7a5
  Fault Module Name:    StackHash_1ce9
  Fault Module Version: 0.0.0.0
  Fault Module Timestamp:       00000000
  Exception Code:       c0000005
  Exception Offset:     762986d8
  OS Version:   6.0.6000.2.0.0.256.1
  Locale ID:    1033
  Additional Information 1:     1ce9
  Additional Information 2:     36da68bdbac70af0c8325c2c9239f49e
  Additional Information 3:     bcdc
  Additional Information 4:     954b3c412b38dd2f446ab2854d4b5865    


not sure if it tells you guys much, i cant really see what is wrong may-b you can?

Anyways, thx for the help.

cheers /dw0rek

_________________
Image
Post 05 Feb 2007, 08:21
View user's profile Send private message MSN Messenger Reply with quote
shoorick



Joined: 25 Feb 2005
Posts: 1614
Location: Ukraine
shoorick 05 Feb 2007, 09:04
it's not easy to help you as i need to update all adresses to reproduce your case, as all mine are different
Post 05 Feb 2007, 09:04
View user's profile Send private message Visit poster's website Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 05 Feb 2007, 09:59
about TCHAR: no, there is no way to define typed char. you must have either ANSI string (1 byte per character) or Widechar string (2 bytes per character), end choose *A() or *W() functions yourself.
Post 05 Feb 2007, 09:59
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
okasvi



Joined: 18 Aug 2005
Posts: 382
Location: Finland
okasvi 05 Feb 2007, 10:41
oh and there's alot easier ways than yours to get rid of includes...
Post 05 Feb 2007, 10:41
View user's profile Send private message MSN Messenger Reply with quote
dw0rek



Joined: 05 Feb 2007
Posts: 7
dw0rek 05 Feb 2007, 11:04
im sure there are, like i said im very new to asm.

would be awesome if you could show me some ways that you know of.

thx

/dw0rek

_________________
Image
Post 05 Feb 2007, 11:04
View user's profile Send private message MSN Messenger Reply with quote
okasvi



Joined: 18 Aug 2005
Posts: 382
Location: Finland
okasvi 05 Feb 2007, 11:47
I guess you mean with getting rid of includes is related to imports:
http://board.flatassembler.net/topic.php?t=5808 for tips how to manually build smaller but working IAT.

http://board.flatassembler.net/topic.php?t=5436 for two different procs to manage imports w/GetProcAddress and few tips how to get address of GetProcAddress w/o importing it.

and here is the code/method I use in some of my projects:
Code:
;hashimp-test
; - okasvi
;apihash-macro is taken from fasm-board, iirc...
format PE gui
;____________________________________________________________________
        ;macros and equs
        ;____________________________________________________________
macro apihash destination, [args]
{
        common local ..result, ..char, ..temp
        virtual at 0
                db args
                db 0
                ..result = 0
                ..temp = 0
                repeat $
                        load ..char byte from % - 1
                        if ..char = 0
                                break
                        end if
                        ..temp   = (..temp and 0xffffff00) or ..char
                        ..temp   = ..temp shl 25 or ..temp shr 7
                        ..result = ..result xor ..temp
                end repeat
        end virtual
        destination dd ..result and 0xffffffff
}

pad_size equ 32
pad_eax  equ 28
pad_ecx  equ 24
pad_edx  equ 20
pad_ebx  equ 16
pad_esp  equ 12
pad_ebp  equ 8
pad_esi  equ 4
pad_edi  equ 0
;____________________________________________________________________
        ;EP
        ;____________________________________________________________
entry $
init:
                call    krnl32base
                test    eax, eax
                jz      error

                push    [LoadLibrary]
                push    eax
                call    gpaddr
                mov     [LoadLibrary], eax

                mov     esi, ApiTable
        .l1:    push    esi
                call    [LoadLibrary]
                mov     ebp, eax
                call    iez

        .l2:    push    dword [esi]
                push    ebp
                call    gpaddr
                mov     [esi], eax

                add     esi, 4
                mov     eax, [esi]
                test    eax, eax
                jnz     .l2
                                        ;I'm lazy&dealing w/hangover.
                                        ;The part of my brain which
                                        ;is supposed to think
                                        ;logically refuses to work.
                add     esi, 4
                mov     eax, [esi]
                test    eax, eax
                jz      .l3
                jmp     .l1
        .l3:
                push    0
                push    capt
                push    msg
                push    0
                call    [MessageBox]

                xor     eax, eax
                jmp     done
error:          mov     eax, 1
done:           push    eax
                call    [ExitProcess]
;____________________________________________________________________
        ;procs
        ;____________________________________________________________
        ;krnl32base
        ;--
        ;get kernel32.dll baseaddress
krnl32base:
                pushad
                xor     eax, eax
                mov     eax, [fs:eax+30h]
                test    eax,eax
                js      .err
                mov     eax, [eax+0ch]
                mov     esi, [eax+1ch]
                lodsd
                mov     eax, [eax+08h]
                mov     [esp+pad_eax], eax
                jmp     .ret
        .err:   xor     eax, eax
                mov     [esp+pad_eax], eax
        .ret:   popad
                retn
        ;____________________________________________________________
        ;gpaddr
        ;counter                [esp-4]
        ;baddr                  [esp+4]
        ;hash                   [esp+8]
        ;--
        ;getprocaddr
gpaddr:
                pushad
                mov     edi, [esp+pad_size+4]
                mov     ebp, [esp+pad_size+8]
                sub     esp, 4
                mov     edi, [esp+pad_size+4+4]
                add     edi, [edi+03ch]
                mov     edi, [edi+078h]
                add     edi, [esp+pad_size+4+4]
                mov     ebx, edi
                mov     eax, [edi+018h]
                mov     esi, [edi+020h]
                mov     ecx, eax
                mov     [esp], eax
                add     esi, [esp+pad_size+4+4]
                inc     ecx
                sub     esi, 4
        .l1:    add     esi, 4
                dec     ecx
                jz      .err
                mov     edi, [esi]
                add     edi, [esp+pad_size+4+4]
                push    edi
                call    hashz
                cmp     eax, ebp
                jnz     .l1
                mov     esi, [ebx+024h]
                neg     ecx
                add     ecx, [esp]
                shl     ecx, 1
                add     esi, ecx
                add     esi, [esp+pad_size+4+4]
                movzx   eax, word [esi]
                mov     esi, [ebx+01ch]
                shl     eax, 2
                add     esi, [esp+pad_size+4+4]
                add     esi, eax
                mov     edi, [esi]
                add     edi, [esp+pad_size+4+4]
                jmp     .ret
        .err:   xor     eax, eax
        .ret:   add     esp, 4
                mov     [esp+pad_eax], edi
                popad
                retn    8
        ;____________________________________________________________
        ;iez
        ;--
        ;inc esi until 0byte. esi=0byte+1
iez:
                push    eax
        .l1:    mov     al, byte [esi]
                inc     esi
                test    al, al
                jnz     .l1
                pop     eax
                retn
        ;____________________________________________________________
        ;hashz
        ;str    [esp+4]
        ;--
        ;hash asciiZ-string
hashz:
                pushad
                mov     esi, dword [esp+pad_size+4]
                xor     edx, edx
                xor     eax, eax
      .l1:      ror     eax, 7
                xor     edx, eax
                lodsb
                test    al, al
                jnz     .l1
                mov     [esp+pad_eax], edx
                popad
                retn    4
;____________________________________________________________________
;____________________________________________________________________
        ;data
        ;____________________________________________________________
        msg     db      'humm',0
        capt    db      'bleh',0
;____________________________________________________________________
        apihash LoadLibrary,            'LoadLibraryA'
        ;____________________________________________________________
        ApiTable:
        kernel32        db      'kernel32',0
        apihash Sleep,                  'Sleep'
                                dd      0
        ;____________________________________________________________
        user32          db      'user32',0
        apihash MessageBox,             'MessageBoxA'
                                dd      0
        ;____________________________________________________________
                                dd      0;marks the end of the hashes
;____________________________________________________________________
;____________________________________________________________________
        ;IAT
        ;____________________________________________________________
        krnl32:
                ExitProcess     dd      RVA _ExitProcess
                                dw      0
                _ExitProcess    db      0,0,'ExitProcess',0
        _krnl32                 db      'kernel32'
data import
        dd      0,0,0, RVA _krnl32, RVA krnl32
        dd      0,0,0,0,0
end data
;____________________________________________________________________
;____________________________________________________________________
        ;reserved data
        ;____________________________________________________________
        EOF     rd      1    


edit: code above is just an example how to not rely on GetProcAddressA@kernel32.dll, how to keep your executables IAT clean and how to hide your imports as there is no string pointing to APIs you use.

btw. my gpaddr doesnt support forwarded-exports so incase it fails to get addr of some APIs like HeapAlloc@kernel32.dll you need to see where it's really located and there should be string which you see while it crashes under debugger(something like NTDLL.RtlAllocateHeap = make it import it directly from there...)

_________________
When We Ride On Our Enemies
support reverse smileys |:


Last edited by okasvi on 05 Feb 2007, 11:55; edited 1 time in total
Post 05 Feb 2007, 11:47
View user's profile Send private message MSN Messenger Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 05 Feb 2007, 11:50
dw0rek: you want to get rid of includes or of imports? First one is okay, just little harder. Second one is completely bad way for real world
Post 05 Feb 2007, 11:50
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
dw0rek



Joined: 05 Feb 2007
Posts: 7
dw0rek 05 Feb 2007, 23:19
imports is to import the dlls used in the file right? if that is the case then the imports are ofcause to stay, but i mean the includes that defines the function names. I.E. MessageBoxA.

Oh and okasvi thanks for an awesome post man!

cheers /dw0rek

_________________
Image
Post 05 Feb 2007, 23:19
View user's profile Send private message MSN Messenger Reply with quote
okasvi



Joined: 18 Aug 2005
Posts: 382
Location: Finland
okasvi 07 Feb 2007, 15:43
dw0rek wrote:
i mean the includes that defines the function names. I.E. MessageBoxA.


well, you could do it this way:
Code:
data import
        library kernel32,       'kernel32'  ,\
                user32,         'user32'

        import  kernel32,       \
                ExitProcess,    'ExitProcess'   ,\
                ReadFile,       'ReadFile'      ,\
                WriteFile,      'WriteFile'     ,\
                Sleep,          'Sleep'

        import  user32,\
                MessageBox,     'MessageBoxA'
end data     


instead of including INCLUDE\API\KERNEL32.INC & USER32.inc which do define the name of APIs you use...

I hope I didnt miss the point of 'getting rid of includes' again Smile

_________________
When We Ride On Our Enemies
support reverse smileys |:
Post 07 Feb 2007, 15:43
View user's profile Send private message MSN Messenger Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 07 Feb 2007, 16:09
okasvi: he still neds to include "INCLUDE\MACRO\import32.inc"
Post 07 Feb 2007, 16:09
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
okasvi



Joined: 18 Aug 2005
Posts: 382
Location: Finland
okasvi 07 Feb 2007, 22:30
sure, but the code in first post includes win32w.inc and doesnt it include the macros? I thought he wanted to get rid of includes which define the API names etc.
Post 07 Feb 2007, 22:30
View user's profile Send private message MSN Messenger Reply with quote
shoorick



Joined: 25 Feb 2005
Posts: 1614
Location: Ukraine
shoorick 08 Feb 2007, 05:38
i do use scan.exe by Vortex and do not care about API includes at all
Post 08 Feb 2007, 05:38
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.