Converting binary values to decimal and hex

Index > Windows > Converting binary values to decimal and hex

Goto page 1, 2 Next

Author

Thread

Overflowz

Joined: 03 Sep 2010
Posts: 1044

Overflowz 17 Oct 2010, 18:31

Hello. I have question about GetProcAddress function. When I call that function I get not address of function, just some blablabla text.. here's code and tell me if I'm wrong.. Thanks.

Code:

format PE GUI 4.0
include 'WIN32AX.INC'
entry main
section '.data' data readable writeable
buffer rb 100
kerneldll db 'kernel32.dll',0
szSleep db 'Sleep',0
section '.text' code readable executable
proc main
invoke LoadLibraryA,kerneldll
invoke GetProcAddress,eax,szSleep
invoke MessageBox,0,eax,eax,MB_OK
invoke ExitProcess,0
endp
section '.idata' import data readable
library kernel32,'kernel32.dll',user32,'user32.dll'
import kernel32,LoadLibraryA,'LoadLibraryA',GetProcAddress,'GetProcAddress',ExitProcess,'ExitProcess'
import user32,MessageBox,'MessageBoxA'
section '.reloc' fixups data discardable

17 Oct 2010, 18:31

LocoDelAssembly
Your code has a bug

Joined: 06 May 2005
Posts: 4623
Location: Argentina

LocoDelAssembly 17 Oct 2010, 19:39

You are passing a pointer to function to MessageBox twice when you actually need pointers to null terminated strings. Convert the pointer to string first, then pass it to MessageBox.

17 Oct 2010, 19:39

pearlz

Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam

pearlz 17 Oct 2010, 19:52

Code:

format PE GUI 4.0
include 'win32ax.inc'
.data
szAddr  rb  20
hExit   dd  ?
.code
proc main 
    invoke LoadLibrary,'kernel32.dll'
    invoke GetProcAddress,eax,'ExitProcess'
    mov    [hExit],eax
    invoke wsprintf,szAddr,'Address= %d',eax
    invoke MessageBox,0,szAddr,szAddr,MB_OK
    push   0
    call   [hExit]
endp 
.end main  

;Function wsprintf in user32 named is wsprintfA

have fun

17 Oct 2010, 19:52

Overflowz

Joined: 03 Sep 2010
Posts: 1044

Overflowz 18 Oct 2010, 10:25

Mate, I need to show the address of function not to call it.. I tried that code but it shows not valid address. on my OS ExitProcess address is 0x77e32aef and msgbox shows me 1983326959.. fix please ))

18 Oct 2010, 10:25

MHajduk

Joined: 30 Mar 2006
Posts: 6113
Location: Poland

MHajduk 18 Oct 2010, 11:00

You need to format the procedure address as a hex number, right? So, this should be exactly what you want:

Code:

format PE GUI 4.0  
include 'win32ax.inc'  

.data  
    szAddr  rb  20  

.code  
     main:
           invoke  LoadLibrary, "kernel32.dll"  
             invoke  GetProcAddress, eax, "Sleep"  
            invoke  wsprintf, szAddr, "Address = 0x%8.8x", eax  
              invoke  MessageBox, 0, szAddr, "Proc address", MB_OK  
            invoke  ExitProcess, 0  

.end main

18 Oct 2010, 11:00

Overflowz

Joined: 03 Sep 2010
Posts: 1044

Overflowz 18 Oct 2010, 11:05

Thanks for reply but can u tell me why "0x%8.8x" for hex ? thanks.

18 Oct 2010, 11:05

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20685
Location: In your JS exploiting you and your system

revolution 18 Oct 2010, 11:17

Overflowz: Rather than waiting here for answers you can also help yourself by searching for simple answers. wsprintf is documented very well by MS (and is also the very first result returned by Google).

http://msdn.microsoft.com/en-us/library/ms647550%28VS.85%29.aspx

18 Oct 2010, 11:17

MHajduk

Joined: 30 Mar 2006
Posts: 6113
Location: Poland

MHajduk 18 Oct 2010, 11:17

Overflowz wrote:

Thanks for reply but can u tell me why "0x%8.8x" for hex ? thanks.

'0x' for the two-byte prefix, which tells you that your number is denoted in a hexadecimal numbering system,
'%x' says that wsprintf should convert 32-bit number in eax to the hex representation (but without spare leading zeros),
'8.8' between '%' and 'x' says that whole string representation will have 8 chars with leading zeros (if needed)

One more thing: you can use '%#8.8x' instead '0x%8.8x' - gives the same effect. Wink

18 Oct 2010, 11:17

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20685
Location: In your JS exploiting you and your system

revolution 18 Oct 2010, 11:18

MHajduk: cinvoke for wsprintf.

18 Oct 2010, 11:18

MHajduk

Joined: 30 Mar 2006
Posts: 6113
Location: Poland

MHajduk 18 Oct 2010, 11:25

revolution wrote:

MHajduk: cinvoke for wsprintf.

Yeah, right. Smile

18 Oct 2010, 11:25

Overflowz

Joined: 03 Sep 2010
Posts: 1044

Overflowz 18 Oct 2010, 11:37

Ahh got it.. Thank you! Smile

18 Oct 2010, 11:37

Picnic

Joined: 05 May 2007
Posts: 1434
Location: Piraeus, Greece

Picnic 18 Oct 2010, 20:31

Hi,

You can place MessageBox and wsprintf calls inside a small show macro which might be useful to view values.

Code:

macro show [fmt,arg] {
            pushad
            pushfd
            sub esp, MAX_PATH
            mov ebx, esp
            cinvoke wsprintf, ebx, fmt, arg
            invoke MessageBox, HWND_DESKTOP, ebx, "", MB_OK
            add esp, MAX_PATH
            popfd
            popad
            }

Now you can view the function address simply insert line in MHajduk sample,

Code:

    
            invoke  LoadLibrary, "kernel32.dll" 
            invoke  GetProcAddress, eax, "Sleep"
       show "Address = 0x%8.8x", eax
            invoke  ExitProcess, 0

Few more examples, macro param like this fmt,arg,fmt,arg,...

Code:

.data
            Temp1 dd 0x12345678
            Temp2 dd 0x87654321


.code
main:
            mov eax, 0FFFFh
            mov edi, Temp1

            show "Constant: %d", MAX_PATH
            show "Memory: 0x%X", dword [edi], "Memory: 0x%X", dword [edi+4]
            show "Register: 0x%X", eax, "Text: %s", "The End"

Have Fun.

18 Oct 2010, 20:31

baldr

Joined: 19 Mar 2008
Posts: 1651

baldr 18 Oct 2010, 23:44

Picnic,

Small modification will make it more like printf:

Code:

        include "Win32AX.Inc"
macro showf fmt,[arg] {
common; process all args at once
            pushad
            pushfd
            sub esp, MAX_PATH
            mov ebx, esp; beware: ebx can't be used in args
            cinvoke wsprintf, ebx, <fmt>, arg; angle brackets for compound strings
            invoke MessageBox, HWND_DESKTOP, ebx, "", MB_OK
            add esp, MAX_PATH
            popfd
            popad
            }

        .code
here:   invoke  LoadLibrary, "kernel32.dll"
        mov     esi, eax
        invoke  GetProcAddress, eax, "Sleep"
        showf <"Handle = %#10x", 10, "Address = 0x%8.8x">, esi, eax; format string contains LF, hence <>
        invoke  ExitProcess, 0

        .end    here

18 Oct 2010, 23:44

Picnic

Joined: 05 May 2007
Posts: 1434
Location: Piraeus, Greece

Picnic 19 Oct 2010, 16:37

Ah, how nice Smile

19 Oct 2010, 16:37

vid
Verbosity in development

Joined: 05 Sep 2003
Posts: 7103
Location: Slovakia

vid 19 Oct 2010, 18:08

baldr: why MAX_PATH and wsprintf? Does wsprintf have hardcoded limit of MAX_PATH or just a random pick?

Also, on a very unrelated topic: if you decrease SP by more than page size, aren't you risking that you will skip stack guard page and page fault?

19 Oct 2010, 18:08

baldr

Joined: 19 Mar 2008
Posts: 1651

baldr 19 Oct 2010, 18:20

vid,

MSDN says wsprintf() has limit of 1024 bytes for lpOutput; my post was about modification of Picnic's show macro (so I've changed only essentials).

Yes, unaware sub esp, something can miss guard page and cause fatal exception on subsequent access. Moreover, Windows won't display anything and just kills the offending process.

Last edited by baldr on 19 Oct 2010, 18:31; edited 1 time in total

19 Oct 2010, 18:20

vid
Verbosity in development

Joined: 05 Sep 2003
Posts: 7103
Location: Slovakia

vid 19 Oct 2010, 18:28

In that case, I suggest following for max convenience:

Code:

macro showf fmt,[arg] { 
common; process all args at once 
            pushad 
            pushfd 
            sub esp, 1024
            mov ebx, esp; beware: ebx can't be used in args 
            cinvoke wsprintf, ebx, <fmt>, arg; angle brackets for compound strings 
            invoke MessageBox, HWND_DESKTOP, ebx, "", MB_OK 
            add esp, 1024
            popfd 
            popad 
            }

19 Oct 2010, 18:28

Picnic

Joined: 05 May 2007
Posts: 1434
Location: Piraeus, Greece

Picnic 19 Oct 2010, 18:46

Quote:

Yes, unaware sub esp, something can miss guard page and cause fatal exception on subsequent access.

No argue about that, even though MAX_PATH is a common Windows API constant.

19 Oct 2010, 18:46

pearlz

Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam

pearlz 22 Oct 2010, 03:21

Code:

mov [hExit],eax
;Store values in eax to hExit
invoke wsprintf,szAddr,'Address= %d',eax 
;eax [register] for speed up
;it's can be
invoke wsprintf,szAddr,'Address= %d',DWORD[hExit]
invoke MessageBox,0,szAddr,szAddr,MB_OK
;replace it with
invoke MessageBox,0,szAddr,'Address of ExitProcess',0
;it's show 2 U address of ExitProcess
call [hExit] ;it's show 2 U it's really containt address of ExitProcess
; if it work with no error, it's really containt address of ExitProcess

fun!

22 Oct 2010, 03:21

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20685
Location: In your JS exploiting you and your system

revolution 22 Oct 2010, 04:17

pearlz: cinvoke wsprintf,...

22 Oct 2010, 04:17

Goto page 1, 2 Next

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum