flat assembler
Message board for the users of flat assembler.

Index > Windows > Converting binary values to decimal and hex

Goto page 1, 2  Next
Author
Thread Post new topic Reply to topic
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
Hello. I have question about GetProcAddress function. When I call that function I get not address of function, just some blablabla text.. here's code and tell me if I'm wrong.. Thanks.
Code:
format PE GUI 4.0
include 'WIN32AX.INC'
entry main
section '.data' data readable writeable
buffer rb 100
kerneldll db 'kernel32.dll',0
szSleep db 'Sleep',0
section '.text' code readable executable
proc main
invoke LoadLibraryA,kerneldll
invoke GetProcAddress,eax,szSleep
invoke MessageBox,0,eax,eax,MB_OK
invoke ExitProcess,0
endp
section '.idata' import data readable
library kernel32,'kernel32.dll',user32,'user32.dll'
import kernel32,LoadLibraryA,'LoadLibraryA',GetProcAddress,'GetProcAddress',ExitProcess,'ExitProcess'
import user32,MessageBox,'MessageBoxA'
section '.reloc' fixups data discardable    
Post 17 Oct 2010, 18:31
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
You are passing a pointer to function to MessageBox twice when you actually need pointers to null terminated strings. Convert the pointer to string first, then pass it to MessageBox.
Post 17 Oct 2010, 19:39
View user's profile Send private message Reply with quote
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz
Code:
format PE GUI 4.0
include 'win32ax.inc'
.data
szAddr  rb  20
hExit   dd  ?
.code
proc main 
    invoke LoadLibrary,'kernel32.dll'
    invoke GetProcAddress,eax,'ExitProcess'
    mov    [hExit],eax
    invoke wsprintf,szAddr,'Address= %d',eax
    invoke MessageBox,0,szAddr,szAddr,MB_OK
    push   0
    call   [hExit]
endp 
.end main  

;Function wsprintf in user32 named is wsprintfA
    

have fun
Post 17 Oct 2010, 19:52
View user's profile Send private message Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
Mate, I need to show the address of function not to call it.. I tried that code but it shows not valid address. on my OS ExitProcess address is 0x77e32aef and msgbox shows me 1983326959.. fix please ))
Post 18 Oct 2010, 10:25
View user's profile Send private message Reply with quote
MHajduk



Joined: 30 Mar 2006
Posts: 6034
Location: Poland
MHajduk
You need to format the procedure address as a hex number, right? So, this should be exactly what you want:
Code:
format PE GUI 4.0  
include 'win32ax.inc'  

.data  
    szAddr  rb  20  

.code  
     main:
           invoke  LoadLibrary, "kernel32.dll"  
             invoke  GetProcAddress, eax, "Sleep"  
            invoke  wsprintf, szAddr, "Address = 0x%8.8x", eax  
              invoke  MessageBox, 0, szAddr, "Proc address", MB_OK  
            invoke  ExitProcess, 0  

.end main    
Post 18 Oct 2010, 11:00
View user's profile Send private message Visit poster's website Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
Thanks for reply but can u tell me why "0x%8.8x" for hex ? thanks.
Post 18 Oct 2010, 11:05
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17271
Location: In your JS exploiting you and your system
revolution
Overflowz: Rather than waiting here for answers you can also help yourself by searching for simple answers. wsprintf is documented very well by MS (and is also the very first result returned by Google).

http://msdn.microsoft.com/en-us/library/ms647550%28VS.85%29.aspx
Post 18 Oct 2010, 11:17
View user's profile Send private message Visit poster's website Reply with quote
MHajduk



Joined: 30 Mar 2006
Posts: 6034
Location: Poland
MHajduk
Overflowz wrote:
Thanks for reply but can u tell me why "0x%8.8x" for hex ? thanks.
  • '0x' for the two-byte prefix, which tells you that your number is denoted in a hexadecimal numbering system,

  • '%x' says that wsprintf should convert 32-bit number in eax to the hex representation (but without spare leading zeros),

  • '8.8' between '%' and 'x' says that whole string representation will have 8 chars with leading zeros (if needed)
One more thing: you can use '%#8.8x' instead '0x%8.8x' - gives the same effect. Wink
Post 18 Oct 2010, 11:17
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17271
Location: In your JS exploiting you and your system
revolution
MHajduk: cinvoke for wsprintf.
Post 18 Oct 2010, 11:18
View user's profile Send private message Visit poster's website Reply with quote
MHajduk



Joined: 30 Mar 2006
Posts: 6034
Location: Poland
MHajduk
revolution wrote:
MHajduk: cinvoke for wsprintf.
Yeah, right. Smile
Post 18 Oct 2010, 11:25
View user's profile Send private message Visit poster's website Reply with quote
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
Ahh got it.. Thank you! Smile
Post 18 Oct 2010, 11:37
View user's profile Send private message Reply with quote
Picnic



Joined: 05 May 2007
Posts: 1288
Location: behind the arc
Picnic
Hi,

You can place MessageBox and wsprintf calls inside a small show macro which might be useful to view values.

Code:
macro show [fmt,arg] {
            pushad
            pushfd
            sub esp, MAX_PATH
            mov ebx, esp
            cinvoke wsprintf, ebx, fmt, arg
            invoke MessageBox, HWND_DESKTOP, ebx, "", MB_OK
            add esp, MAX_PATH
            popfd
            popad
            }
    



Now you can view the function address simply insert line in MHajduk sample,
Code:
    
            invoke  LoadLibrary, "kernel32.dll" 
            invoke  GetProcAddress, eax, "Sleep"
       show "Address = 0x%8.8x", eax
            invoke  ExitProcess, 0
    



Few more examples, macro param like this fmt,arg,fmt,arg,...
Code:
.data
            Temp1 dd 0x12345678
            Temp2 dd 0x87654321


.code
main:
            mov eax, 0FFFFh
            mov edi, Temp1

            show "Constant: %d", MAX_PATH
            show "Memory: 0x%X", dword [edi], "Memory: 0x%X", dword [edi+4]
            show "Register: 0x%X", eax, "Text: %s", "The End"
    


Have Fun.
Post 18 Oct 2010, 20:31
View user's profile Send private message Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr
Picnic,

Small modification will make it more like printf:
Code:
        include "Win32AX.Inc"
macro showf fmt,[arg] {
common; process all args at once
            pushad
            pushfd
            sub esp, MAX_PATH
            mov ebx, esp; beware: ebx can't be used in args
            cinvoke wsprintf, ebx, <fmt>, arg; angle brackets for compound strings
            invoke MessageBox, HWND_DESKTOP, ebx, "", MB_OK
            add esp, MAX_PATH
            popfd
            popad
            }

        .code
here:   invoke  LoadLibrary, "kernel32.dll"
        mov     esi, eax
        invoke  GetProcAddress, eax, "Sleep"
        showf <"Handle = %#10x", 10, "Address = 0x%8.8x">, esi, eax; format string contains LF, hence <>
        invoke  ExitProcess, 0

        .end    here    
Post 18 Oct 2010, 23:44
View user's profile Send private message Reply with quote
Picnic



Joined: 05 May 2007
Posts: 1288
Location: behind the arc
Picnic
Ah, how nice Smile
Post 19 Oct 2010, 16:37
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
baldr: why MAX_PATH and wsprintf? Does wsprintf have hardcoded limit of MAX_PATH or just a random pick?

Also, on a very unrelated topic: if you decrease SP by more than page size, aren't you risking that you will skip stack guard page and page fault?
Post 19 Oct 2010, 18:08
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr
vid,

MSDN says wsprintf() has limit of 1024 bytes for lpOutput; my post was about modification of Picnic's show macro (so I've changed only essentials).

Yes, unaware sub esp, something can miss guard page and cause fatal exception on subsequent access. Moreover, Windows won't display anything and just kills the offending process.


Last edited by baldr on 19 Oct 2010, 18:31; edited 1 time in total
Post 19 Oct 2010, 18:20
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
In that case, I suggest following for max convenience:
Code:
macro showf fmt,[arg] { 
common; process all args at once 
            pushad 
            pushfd 
            sub esp, 1024
            mov ebx, esp; beware: ebx can't be used in args 
            cinvoke wsprintf, ebx, <fmt>, arg; angle brackets for compound strings 
            invoke MessageBox, HWND_DESKTOP, ebx, "", MB_OK 
            add esp, 1024
            popfd 
            popad 
            }    
Post 19 Oct 2010, 18:28
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
Picnic



Joined: 05 May 2007
Posts: 1288
Location: behind the arc
Picnic
Quote:
Yes, unaware sub esp, something can miss guard page and cause fatal exception on subsequent access.


No argue about that, even though MAX_PATH is a common Windows API constant.
Post 19 Oct 2010, 18:46
View user's profile Send private message Reply with quote
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz
Code:
mov [hExit],eax
;Store values in eax to hExit
invoke wsprintf,szAddr,'Address= %d',eax 
;eax [register] for speed up
;it's can be
invoke wsprintf,szAddr,'Address= %d',DWORD[hExit]
invoke MessageBox,0,szAddr,szAddr,MB_OK
;replace it with
invoke MessageBox,0,szAddr,'Address of ExitProcess',0
;it's show 2 U address of ExitProcess
call [hExit] ;it's show 2 U it's really containt address of ExitProcess
; if it work with no error, it's really containt address of ExitProcess
    

fun!
Post 22 Oct 2010, 03:21
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17271
Location: In your JS exploiting you and your system
revolution
pearlz: cinvoke wsprintf,...
Post 22 Oct 2010, 04:17
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.