flat assembler
Message board for the users of flat assembler.

[SOLVED] Problem with RegQueryValueEx

upsurt



Joined: 14 Jan 2014
Posts: 51
upsurt 03 Dec 2014, 23:25
I am trying to read an installation directory as REG_SZ from the registry with RegQueryValueEx.

Code:
include "win32ax.inc"

.data
  lpSubKey             db 'SOFTWARE\VMware, Inc.\Installer\VMware Workstation',0
  lpValueName          db 'uninstaller',0
  phkResult            dd ?
  lpType               dd REG_SZ
  lpData               db ?
  lpcbData             dd $ - lpData

  lpFmt                db '[%hs]',0
  lpOut                db ?

  NULL                 equ 0
  KEY_WOW64_64KEY      equ 0x0100
  KEY_WOW64_32KEY      equ 0x0200

  ;winerror.h
  ERROR_SUCCESS        equ 0
  ERROR_FILE_NOT_FOUND equ 2
  ERROR_ACCESS_DENIED  equ 5
  ERROR_INVALID_HANDLE equ 6
  ERROR_MORE_DATA      equ 234

.code 
start:

  invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,lpSubKey,0,KEY_QUERY_VALUE+KEY_WOW64_32KEY,phkResult
  cmp eax,ERROR_SUCCESS
  jne finish

  invoke RegQueryValueEx,[phkResult],lpValueName,0,NULL,lpType,lpData,lpcbData
  cmp eax,ERROR_SUCCESS
  jne close_key

  ;Wrong result
  invoke wsprintf,lpOut,lpFmt,lpData
  invoke MessageBox,0,lpOut,lpSubKey,MB_OK

  ;Even worse
  invoke MessageBox,0,lpData,lpSubKey,MB_OK

close_key:
  invoke RegCloseKey,[phkResult]

finish:
  invoke ExitProcess,0
.end start   
    


When I run my code, I get a weird result.
The correct result would be: C:\ProgramData\VMware\VMware Workstation\Uninstaller\\uninstall.exe

Can anyone point me in the right direction?


[attached screenshot: reg.PNG]



upsurt 03 Dec 2014, 23:42
Another test gives a better result, but still wrong. And I think it is NOT the way to do it.

>> lpFmt db lpcbData dup ('[%hs]',0,0)

Code:
include "win32ax.inc"

.data
  lpSubKey             db 'SOFTWARE\VMware, Inc.\Installer\VMware Workstation',0
  lpValueName          db 'uninstaller',0
  phkResult            dd ?
  lpType               dd REG_SZ
  lpData               db ?
  lpcbData             dd $ - lpData

  lpFmt                db lpcbData dup ('[%hs]',0,0)
  lpOut                db ? ;MAX_PATH dup(0)

  NULL                 equ 0
  KEY_WOW64_64KEY      equ 0x0100
  KEY_WOW64_32KEY      equ 0x0200

  ;winerror.h
  ERROR_SUCCESS        equ 0
  ERROR_FILE_NOT_FOUND equ 2
  ERROR_ACCESS_DENIED  equ 5
  ERROR_INVALID_HANDLE equ 6
  ERROR_MORE_DATA      equ 234

.code 
start:

  invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,lpSubKey,0,KEY_QUERY_VALUE+KEY_WOW64_32KEY,phkResult
  cmp eax,ERROR_SUCCESS
  jne finish

  invoke RegQueryValueEx,[phkResult],lpValueName,0,NULL,lpType,lpData,lpcbData
  cmp eax,ERROR_SUCCESS
  jne close_key

  invoke wsprintf,lpOut,lpFmt,lpData
  invoke MessageBox,0,lpOut,lpSubKey,MB_OK

close_key:
  invoke RegCloseKey,[phkResult]

finish:
  invoke ExitProcess,0
.end start
    


[attached screenshot: reg.PNG]


revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 04 Dec 2014, 00:42
Your buffers are only one byte in length. You will need to make them longer.
Code:
lpData               rb 1024 ;make enough space to store the result
;...
lpOut                rb 1024 ;reserve space for the formatted output    
upsurt 04 Dec 2014, 08:36
Thank you.

But now I get only a '-' back. (And with a different lpValueName I may get a different char.)

In OllyDbg it shows me 'C:\P- am Files (x86)\VMware\VMware Player\'


[attached screenshot: dbg.png]




revolution 04 Dec 2014, 08:41
Yup, looks like you are overwriting the output buffer with the DWORD 0x0000002d (45 decimal). So I expect your pointer to the result_length is within the result_string buffer.
revolution 04 Dec 2014, 08:44
My guess is that your buffer is only 4 bytes in length and your length pointer comes immediately after that. But you have placed a larger value in the length than 4 so you tried to cheat the system by faking the buffer length. Amirite?
upsurt 04 Dec 2014, 09:44
It looks like you're right, 0040103D points to '-'. But I don't get why.
revolution 04 Dec 2014, 12:27
Show your code.
upsurt 04 Dec 2014, 12:44
Thank you very much, revolution!

Code:
LONG WINAPI RegQueryValueEx(
  _In_         HKEY hKey,
  _In_opt_     LPCTSTR lpValueName,
  _Reserved_   LPDWORD lpReserved,
  _Out_opt_    LPDWORD lpType,
  _Out_opt_    LPBYTE lpData,
  _Inout_opt_  LPDWORD lpcbData
);
    


WRONG
invoke RegQueryValueEx,[phkResult],lpValueName,0,NULL,lpType,lpData,lpcbData

CORRECT
invoke RegQueryValueEx,[phkResult],lpValueName,0,lpType,lpData,lpcbData

Somehow I added 'lpReserved' twice (once as 0 and a second time as NULL) and didn't notice.
upsurt 04 Dec 2014, 12:56
Here is the working sample:

Code:
include "win32ax.inc"

.data
  lpSubKey             db 'SOFTWARE\VMware, Inc.\VMware Workstation',0
  lpValueName          db 'InstallPath',0
  phkResult            dd ?
  lpType               dd REG_SZ      ; output: receives the value type
  lpData               rb 1024        ; output: receives the string bytes
  lpcbData             dd $ - lpData  ; in: buffer size (1024); out: bytes stored

  KEY_WOW64_64KEY      equ 0x0100
  KEY_WOW64_32KEY      equ 0x0200     ; query the 32-bit registry view

  ;winerror.h
  ERROR_SUCCESS        equ 0
  ERROR_FILE_NOT_FOUND equ 2
  ERROR_ACCESS_DENIED  equ 5
  ERROR_INVALID_HANDLE equ 6
  ERROR_MORE_DATA      equ 234

.code
start:

  invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,lpSubKey,0,KEY_QUERY_VALUE+KEY_WOW64_32KEY,phkResult
  cmp eax,ERROR_SUCCESS
  jne finish

  ; six arguments: hKey, lpValueName, lpReserved, lpType, lpData, lpcbData
  invoke RegQueryValueEx,[phkResult],lpValueName,0,lpType,lpData,lpcbData
  cmp eax,ERROR_SUCCESS
  jne close_key

  invoke MessageBox,0,lpData,lpSubKey,MB_OK

close_key:
  invoke RegCloseKey,[phkResult]

finish:
  invoke ExitProcess,0
.end start


revolution, I really appreciate your patience and your support.
revolution 04 Dec 2014, 14:33
upsurt wrote:
Somehow I added 'lpReserved' twice (once as 0 and a second time as NULL) and didn't notice.
If you had used the parameter count checked include (win32axp) you would have caught a typo like that early on.
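The two fixes from this thread (drop the duplicated lpReserved, and assemble with win32axp so a wrong argument count fails at assembly time) pulled together in one added example; this is not code from the thread or from the fasm package. It also adds the two checks a practitioner wants around RegQueryValueEx and that the working sample leaves out: lpcbData is an in/out DWORD that has to live in its own variable and be re-armed with the buffer size before each call, and Windows does not promise that REG_SZ data comes back NUL-terminated, so a spare byte is reserved and the terminator is written explicitly. For the record, the seven-argument call misbehaved because RegQueryValueEx takes six stdcall parameters: the extra NULL shifts everything after lpReserved by one slot, so lpData receives the address of lpType and lpcbData receives the address of the data buffer (which is why a byte count ended up inside the string), and the callee's `ret 18h` leaves one pushed dword on the stack. The key and value name (ProductName under the Windows NT CurrentVersion key) are assumptions chosen because they exist on every Windows installation; any REG_SZ under HKLM can be substituted, and the thread's KEY_WOW64_32KEY can be added to the access mask to read the 32-bit view on 64-bit Windows.

```asm
; Added example, not code from the thread: robust REG_SZ read in fasm.
; Key and value name below are assumptions; any REG_SZ under HKLM will do.
include 'win32axp.inc'      ; the 'p' include checks the argument count of every
                            ; invoke, so the thread's 7-argument RegQueryValueEx
                            ; is rejected at assembly time instead of at run time

BUFSIZE              = 1024

ERROR_SUCCESS        equ 0
ERROR_MORE_DATA      equ 234

.data
  lpSubKey      db 'SOFTWARE\Microsoft\Windows NT\CurrentVersion',0   ; assumption
  lpValueName   db 'ProductName',0                                    ; assumption
  szOpenFailed  db 'RegOpenKeyEx failed',0
  szQueryFailed db 'RegQueryValueEx failed',0
  szTooBig      db 'Value is larger than the buffer (ERROR_MORE_DATA)',0
  szNotSz       db 'Value exists but is not REG_SZ',0
  hKey          dd ?
  dwType        dd ?
  cbData        dd ?            ; in/out byte count, in its own dword, NOT in szData
  szData        rb BUFSIZE+1    ; one spare byte for the terminator written below

.code
start:
  invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,lpSubKey,0,KEY_QUERY_VALUE,hKey
  cmp eax,ERROR_SUCCESS
  jne open_failed

  ; cbData: capacity on entry, bytes stored on return. Re-arm it before every
  ; call, because a previous call may have overwritten it.
  mov dword [cbData],BUFSIZE
  invoke RegQueryValueEx,[hKey],lpValueName,0,dwType,szData,cbData
  cmp eax,ERROR_MORE_DATA
  je too_big                    ; [cbData] now holds the size that would be needed
  cmp eax,ERROR_SUCCESS
  jne query_failed

  ; Check the type before treating the bytes as a string.
  cmp dword [dwType],REG_SZ
  jne not_sz

  ; RegQueryValueEx does not guarantee a terminating NUL for REG_SZ data.
  ; On success [cbData] <= BUFSIZE, so the spare byte keeps this store in bounds.
  mov eax,[cbData]
  mov byte [szData+eax],0

  invoke MessageBox,0,szData,lpSubKey,MB_OK
  jmp close_key

too_big:
  invoke MessageBox,0,szTooBig,lpSubKey,MB_OK
  jmp close_key
not_sz:
  invoke MessageBox,0,szNotSz,lpSubKey,MB_OK
  jmp close_key
query_failed:
  invoke MessageBox,0,szQueryFailed,lpSubKey,MB_OK

close_key:
  invoke RegCloseKey,[hKey]
  jmp finish

open_failed:
  invoke MessageBox,0,szOpenFailed,lpSubKey,MB_OK

finish:
  invoke ExitProcess,0
.end start
```

Assemble with `fasm reg_sz.asm` and run the resulting executable. To support values of arbitrary length, the ERROR_MORE_DATA branch would allocate [cbData]+1 bytes (HeapAlloc or VirtualAlloc) and repeat the query with the new buffer and size; the fixed-size buffer plus explicit failure is kept here to make the size protocol visible.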
upsurt 04 Dec 2014, 15:15
haha nice. I was wondering what win32axp is good for ... now I know.

I expected it had something to do with the args passed to a console application.

thanks again
Copyright © 1999-2025, Tomasz Grysztar.