flat assembler
Message board for the users of flat assembler.

[MASM] Unicode macro

nasaa_0528 30 Mar 2016, 02:44
Hello all,
I have a problem with reversing an exe file. I used IDA Pro and got assembler instructions, but I don't quite understand what the macro means.

The macro is the following:

Code:
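unicode        macro page,string,zero
                   irpc c,<string>      ; repeat for each character c of string
                   db '&c', page        ; character byte, then the page byte
                   endm
                   ifnb <zero>          ; only if a third argument was given
                   dw zero              ; emit it as a 16-bit terminator
                   endif
endm
                   .686p
                   .mmx
                   .model flat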


Also, the assembler code used msvbvm.dll, but I do not understand what it does to my code.


Thanks all,
BR., Nas

Edit by revolution: Added "code" tags and changed the title to show the MASM connection

_________________
=====================
Keep calm and Hack the planet
=====================
revolution 30 Mar 2016, 03:29
That is not fasm syntax. That is MASM syntax.

And you will have to provide more context. There is no way of knowing what is intended by just looking at the macro. I assume 'page' is placed in the UNICODE high order byte and 'string' provides the low order bytes.

How is the macro used in context?
nasaa_0528 30 Mar 2016, 04:59
revolution wrote:
That is not fasm syntax. That is MASM syntax.

And you will have to provide more context. There is no way of knowing what is intended by just looking at the macro. I assume 'page' is placed in the UNICODE high order byte and 'string' provides the low order bytes.

How is the macro used in context?


I attached a screenshot of the context with unicode.
I guess it might be doing keylogging. Is there any possibility that it keylogs?
It also uses MSVBVM60.dll. I searched for it on the web but unfortunately had no success.


[Attached image: Untitled.png]



revolution 30 Mar 2016, 05:26
In fasm you can use 'du' since all the "page" parameters are 0.
Code:
du 'Wait ',0
du 'Page Sayed',0
;...    
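The expansion discussed in this thread, modelled in Python as an added example (it is not part of any post and not code from the analysed binary): each character is emitted as a low byte followed by `page` as the high byte, with an optional 16-bit terminator, which for `page` = 0 matches fasm's `du`. The function names are hypothetical.

```python
from typing import Optional


def expand_unicode_macro(page: int, string: str, zero: Optional[int] = None) -> bytes:
    """Return the bytes MASM would emit for: unicode page,<string>,zero"""
    if not 0 <= page <= 0xFF:
        raise ValueError("page must fit in one byte (it is emitted with db)")
    out = bytearray()
    for c in string:                       # irpc c,<string>
        if ord(c) > 0xFF:
            raise ValueError("db '&c' can only hold a single-byte character")
        out += bytes([ord(c), page])       # db '&c', page
    if zero is not None:                   # ifnb <zero>
        out += (zero & 0xFFFF).to_bytes(2, "little")  # dw zero
    return bytes(out)


def fasm_du(string: str) -> bytes:
    """Bytes for fasm's  du 'string',0  with ASCII text (16-bit little-endian units)."""
    return string.encode("utf-16-le") + b"\x00\x00"


def decode_blob(data: bytes) -> str:
    """Read the emitted data back as a NUL-terminated UTF-16LE string."""
    text = data.decode("utf-16-le")
    return text.split("\x00", 1)[0]


if __name__ == "__main__":
    for s in ("Wait ", "Page Sayed"):      # strings quoted in the thread
        blob = expand_unicode_macro(0, s, 0)
        print(blob.hex(" "), "->", repr(decode_blob(blob)))
    # A non-zero page selects another Unicode block: 'A' (0x41) with page 4 is U+0441.
    print(repr(decode_blob(expand_unicode_macro(4, "A", 0))))
```

The macro only defines string data; what the program does with those strings has to be read from the code that references them.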
Copyright © 1999-2024, Tomasz Grysztar.