flat assembler
Message board for the users of flat assembler.
Windows > New to ASM
shoorick 05 Feb 2007, 07:38
seems you've been using call [0x762A1D90] - if yes - remove brackets
dw0rek 05 Feb 2007, 08:21
thank you for your reply.
No, I did not use call [0x762A1D90]. I first tried with

Code:
call [DefWindowProcW]

and then everything works just fine like it should. But when I replace it with this:

Code:
call 0x762A1D90

it doesn't work anymore. This is a bit strange to me since I've used the same way of replacing all the other function calls with their address. I'm sure there is something that I'm missing, but like I said I just started out with asm and would appreciate it if you guys could help out.

This is the problem signature:

Code:
Problem Event Name: APPCRASH
Application Name: TEMPLATE.exe
Application Version: 0.0.0.0
Application Timestamp: 45c6e7a5
Fault Module Name: StackHash_1ce9
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Code: c0000005
Exception Offset: 762986d8
OS Version: 6.0.6000.2.0.0.256.1
Locale ID: 1033
Additional Information 1: 1ce9
Additional Information 2: 36da68bdbac70af0c8325c2c9239f49e
Additional Information 3: bcdc
Additional Information 4: 954b3c412b38dd2f446ab2854d4b5865

Not sure if it tells you guys much; I can't really see what is wrong, maybe you can?

Anyways, thx for the help. cheers /dw0rek
shoorick 05 Feb 2007, 09:04
It's not easy to help you, as I need to update all addresses to reproduce your case, as all mine are different.
vid 05 Feb 2007, 09:59
About TCHAR: no, there is no way to define a typed char. You must have either an ANSI string (1 byte per character) or a Widechar string (2 bytes per character), and choose the *A() or *W() functions yourself.
okasvi 05 Feb 2007, 10:41
Oh, and there are a lot easier ways than yours to get rid of includes...
dw0rek 05 Feb 2007, 11:04
I'm sure there are; like I said, I'm very new to asm.
It would be awesome if you could show me some ways that you know of. thx /dw0rek
okasvi 05 Feb 2007, 11:47
I guess what you mean with getting rid of includes is related to imports:

http://board.flatassembler.net/topic.php?t=5808 for tips on how to manually build a smaller but working IAT.

http://board.flatassembler.net/topic.php?t=5436 for two different procs to manage imports w/GetProcAddress and a few tips on how to get the address of GetProcAddress w/o importing it.

And here is the code/method I use in some of my projects:

Code:
;hashimp-test
; - okasvi
;apihash-macro is taken from fasm-board, iirc...

format PE gui

;____________________________________________________________________
;macros and equs
;____________________________________________________________
macro apihash destination, [args]
{
 common
  local ..result, ..char, ..temp
  virtual at 0
   db args
   db 0
   ..result = 0
   ..temp = 0
   repeat $
    load ..char byte from % - 1
    if ..char = 0
     break
    end if
    ..temp = (..temp and 0xffffff00) or ..char
    ..temp = ..temp shl 25 or ..temp shr 7
    ..result = ..result xor ..temp
   end repeat
  end virtual
  destination dd ..result and 0xffffffff
}

;offsets of the saved registers after pushad
pad_size equ 32
pad_eax  equ 28
pad_ecx  equ 24
pad_edx  equ 20
pad_ebx  equ 16
pad_esp  equ 12
pad_ebp  equ 8
pad_esi  equ 4
pad_edi  equ 0

;____________________________________________________________________
;EP
;____________________________________________________________
entry $
init:
  call krnl32base
  test eax, eax
  jz error
  push [LoadLibrary]        ;hash of 'LoadLibraryA'
  push eax                  ;kernel32 base
  call gpaddr
  mov [LoadLibrary], eax    ;hash slot now holds the real address
  mov esi, ApiTable
.l1:
  push esi                  ;dll name
  call [LoadLibrary]
  mov ebp, eax              ;dll base
  call iez                  ;skip past the dll name
.l2:
  push dword [esi]          ;hash
  push ebp                  ;dll base
  call gpaddr
  mov [esi], eax            ;overwrite hash with address
  add esi, 4
  mov eax, [esi]
  test eax, eax
  jnz .l2
  ;I'm lazy&dealing w/hangover.
  ;The part of my brain which
  ;is supposed to think
  ;logically refuses to work.
  add esi, 4
  mov eax, [esi]
  test eax, eax
  jz .l3
  jmp .l1
.l3:
  push 0
  push capt
  push msg
  push 0
  call [MessageBox]
  xor eax, eax
  jmp done
error:
  mov eax, 1
done:
  push eax
  call [ExitProcess]

;____________________________________________________________________
;procs
;____________________________________________________________
;krnl32base
;--
;get kernel32.dll baseaddress
krnl32base:
  pushad
  xor eax, eax
  mov eax, [fs:eax+30h]     ;PEB
  test eax,eax
  js .err
  mov eax, [eax+0ch]        ;PEB.Ldr
  mov esi, [eax+1ch]        ;InInitializationOrderModuleList
  lodsd
  mov eax, [eax+08h]        ;DllBase
  mov [esp+pad_eax], eax
  jmp .ret
.err:
  xor eax, eax
  mov [esp+pad_eax], eax
.ret:
  popad
  retn
;____________________________________________________________
;gpaddr
;counter [esp-4]
;baddr [esp+4]
;hash [esp+8]
;--
;getprocaddr
gpaddr:
  pushad
  mov edi, [esp+pad_size+4]
  mov ebp, [esp+pad_size+8]
  sub esp, 4
  mov edi, [esp+pad_size+4+4]
  add edi, [edi+03ch]       ;e_lfanew -> PE header
  mov edi, [edi+078h]       ;export directory RVA
  add edi, [esp+pad_size+4+4]
  mov ebx, edi
  mov eax, [edi+018h]       ;NumberOfNames
  mov esi, [edi+020h]       ;AddressOfNames
  mov ecx, eax
  mov [esp], eax
  add esi, [esp+pad_size+4+4]
  inc ecx
  sub esi, 4
.l1:
  add esi, 4
  dec ecx
  jz .err
  mov edi, [esi]
  add edi, [esp+pad_size+4+4]
  push edi
  call hashz
  cmp eax, ebp
  jnz .l1
  mov esi, [ebx+024h]       ;AddressOfNameOrdinals
  neg ecx
  add ecx, [esp]            ;index of the matching name
  shl ecx, 1
  add esi, ecx
  add esi, [esp+pad_size+4+4]
  movzx eax, word [esi]
  mov esi, [ebx+01ch]       ;AddressOfFunctions
  shl eax, 2
  add esi, [esp+pad_size+4+4]
  add esi, eax
  mov edi, [esi]
  add edi, [esp+pad_size+4+4]
  jmp .ret
.err:
  xor edi, edi              ;return 0: the eax slot is filled from edi at .ret
.ret:
  add esp, 4
  mov [esp+pad_eax], edi
  popad
  retn 8
;____________________________________________________________
;iez
;--
;inc esi until 0byte.
;esi=0byte+1
iez:
  push eax
.l1:
  mov al, byte [esi]
  inc esi
  test al, al
  jnz .l1
  pop eax
  retn
;____________________________________________________________
;hashz
;str [esp+4]
;--
;hash asciiZ-string
hashz:
  pushad
  mov esi, dword [esp+pad_size+4]
  xor edx, edx
  xor eax, eax
.l1:
  ror eax, 7
  xor edx, eax
  lodsb
  test al, al
  jnz .l1
  mov [esp+pad_eax], edx
  popad
  retn 4
;____________________________________________________________________
;____________________________________________________________________
;data
;____________________________________________________________
msg  db 'humm',0
capt db 'bleh',0
;____________________________________________________________________
apihash LoadLibrary, 'LoadLibraryA'
;____________________________________________________________
ApiTable:
kernel32 db 'kernel32',0
apihash Sleep, 'Sleep'
dd 0
;____________________________________________________________
user32 db 'user32',0
apihash MessageBox, 'MessageBoxA'
dd 0
;____________________________________________________________
dd 0                        ;marks the end of the hashes
;____________________________________________________________________
;____________________________________________________________________
;IAT
;____________________________________________________________
krnl32:
ExitProcess  dd RVA _ExitProcess
             dw 0
_ExitProcess db 0,0,'ExitProcess',0
_krnl32      db 'kernel32'
data import
  dd 0,0,0, RVA _krnl32, RVA krnl32
  dd 0,0,0,0,0
end data
;____________________________________________________________________
;____________________________________________________________________
;reserved data
;____________________________________________________________
EOF rd 1

edit: the code above is just an example of how not to rely on GetProcAddressA@kernel32.dll, how to keep your executable's IAT clean and how to hide your imports, as there is no string pointing to the APIs you use.

btw. my gpaddr doesn't support forwarded exports, so in case it fails to get the addr of some APIs like HeapAlloc@kernel32.dll you need to see where it's really located; there should be a string which you see while it crashes under a debugger (something like NTDLL.RtlAllocateHeap = make it import it directly from there...)
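As an added example (not code from okasvi's post or from fasm), here is the ror-7/xor hash that the apihash macro computes at assembly time and hashz computes at run time, re-implemented in Python with a reverse lookup, which is what an analyst needs to turn the hash constants stored in such an ApiTable back into readable import names. KNOWN_EXPORTS and the "recovered" dwords are constructed sample values.

```python
# Added example (not okasvi's code): Python re-implementation of the
# ror-7/xor API-name hash used by 'apihash' and 'hashz' above, plus a
# reverse lookup mapping a recovered constant back to an export name.
from typing import Dict, Iterable, List, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits (x86 'ror')."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: bytes) -> int:
    """Hash an ASCII export name exactly as hashz does at run time:
    for each byte, replace the low byte of the accumulator, rotate
    right by 7, and xor the rotated accumulator into the result."""
    acc = 0
    result = 0
    for c in name:
        acc = (acc & 0xFFFFFF00) | c
        acc = ror32(acc, 7)
        result ^= acc
    return result


def build_table(names: Iterable[bytes]) -> Dict[int, bytes]:
    """Precompute hash -> name for a list of known export names."""
    return {api_hash(n): n for n in names}


def resolve(hashes: Iterable[int],
            table: Dict[int, bytes]) -> List[Tuple[int, bytes]]:
    """Map recovered hash constants back to names; unknown hashes are
    reported as b'?' so gaps in the name list stay visible."""
    return [(h, table.get(h, b"?")) for h in hashes]


# Constructed sample: the names the listing above hashes, plus a few
# more kernel32 exports a reversed sample might reference.
KNOWN_EXPORTS = [b"LoadLibraryA", b"Sleep", b"MessageBoxA", b"ExitProcess",
                 b"GetProcAddress", b"VirtualAlloc", b"WriteFile"]

if __name__ == "__main__":
    table = build_table(KNOWN_EXPORTS)
    # Constructed input: dwords read out of an ApiTable-style list.
    recovered = [api_hash(b"Sleep"), api_hash(b"MessageBoxA"), 0xDEADBEEF]
    for h, name in resolve(recovered, table):
        print(f"{h:08x} -> {name.decode()}")
```

Feeding the table every export name of the DLLs a sample loads lets the same lookup label the hashes without running the binary.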
vid 05 Feb 2007, 11:50
dw0rek: do you want to get rid of includes or of imports? The first one is okay, just a little harder. The second one is a completely bad way for the real world.
dw0rek 05 Feb 2007, 23:19
Imports are to import the DLLs used in the file, right? If that is the case then the imports are of course to stay, but I mean the includes that define the function names, i.e. MessageBoxA.
Oh, and okasvi, thanks for an awesome post man! cheers /dw0rek
okasvi 07 Feb 2007, 15:43
dw0rek wrote: i mean the includes that defines the function names. I.E. MessageBoxA.

Well, you could do it this way:

Code:
data import
  library kernel32, 'kernel32' ,\
          user32, 'user32'

  import kernel32, \
         ExitProcess, 'ExitProcess' ,\
         ReadFile, 'ReadFile' ,\
         WriteFile, 'WriteFile' ,\
         Sleep, 'Sleep'

  import user32,\
         MessageBox, 'MessageBoxA'
end data

instead of including INCLUDE\API\KERNEL32.INC & USER32.inc, which do define the names of the APIs you use... I hope I didn't miss the point of 'getting rid of includes' again.
vid 07 Feb 2007, 16:09
okasvi: he still needs to include "INCLUDE\MACRO\import32.inc"
okasvi 07 Feb 2007, 22:30
Sure, but the code in the first post includes win32w.inc, and doesn't it include the macros? I thought he wanted to get rid of the includes which define the API names etc.
shoorick 08 Feb 2007, 05:38
I do use scan.exe by Vortex and do not care about API includes at all.
Copyright © 1999-2024, Tomasz Grysztar.