flat assembler
Message board for the users of flat assembler.
Windows > Understanding basic code
revolution 18 Sep 2008, 04:28
Why can't you use LoadLibrary and GetProcAddress like everyone else? What you are trying to do is not guaranteed to work in all situations and it looks like the sort of thing that virus code does to try and hide itself from AVs.
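As an added illustration of the route revolution recommends (and of the GetModuleHandle shortcut Alphonso mentions further down), here is a complete fasm program that resolves a kernel32 export at run time through the documented loader API and calls through the pointer. It is not code from this thread or from the fasm project; the label names, the chosen export (GetTickCount) and the message-box output are assumptions made for the example.

```asm
format PE GUI 4.0
entry start

include 'win32a.inc'

section '.text' code readable executable

start:
        ; Ask the loader for the kernel32 base instead of walking the PEB
        ; or the SEH chain: the loader already knows where it mapped the DLL.
        invoke  GetModuleHandle, _kernel32
        test    eax, eax
        jz      done
        mov     [hKernel32], eax

        ; Let the loader parse the export table: look the function up by name.
        ; (Example export; any kernel32 function name works here.)
        invoke  GetProcAddress, [hKernel32], _getTickCount
        test    eax, eax
        jz      done
        mov     [pGetTickCount], eax

        ; Call through the resolved pointer. GetTickCount is stdcall with
        ; no arguments, so nothing needs to be pushed or cleaned up.
        call    [pGetTickCount]

        ; Show the returned value in a message box so the result can be checked.
        cinvoke wsprintf, buffer, fmt, eax
        invoke  MessageBox, 0, buffer, _title, MB_OK
done:
        invoke  ExitProcess, 0

section '.data' data readable writeable
        _kernel32      db 'kernel32.dll', 0
        _getTickCount  db 'GetTickCount', 0
        fmt            db 'GetTickCount returned %u', 0
        _title         db 'Resolved at run time', 0
        hKernel32      dd 0
        pGetTickCount  dd 0
        buffer         rb 64

section '.idata' import data readable writeable
        library kernel32, 'KERNEL32.DLL',\
                user32,   'USER32.DLL'

        import  kernel32,\
                GetModuleHandle, 'GetModuleHandleA',\
                GetProcAddress,  'GetProcAddress',\
                ExitProcess,     'ExitProcess'

        import  user32,\
                MessageBox, 'MessageBoxA',\
                wsprintf,   'wsprintfA'
```

Assemble with `fasm example.asm` on a Windows machine with the fasm includes on the path. The point of the example is the contrast with the hand-rolled scans in the thread: the same two calls work on every NT release because the loader, not the program, owns the module list and the export table layout, and both calls return zero on failure so the program can bail out instead of dereferencing a bad address.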
iic2 18 Sep 2008, 04:42
Quote:
I'm attempting to have dynamically import every API by finding

I have not checked your code yet but can it match this little Rocket. Win95 --- Xp sp3
Code:
;---- Get
;---- Kernel Base M Z
        mov eax, [fs:30h]
        mov edx, 0B8h
        mov ecx, [eax+30h]
        test eax, eax
        jns KI_1
        mov ebx, [eax+34h]
        test ecx, ecx
        jnz KI_2
KI_1:
        mov eax, [eax+0Ch]
        sub edx, 0B0h
        mov eax, [eax+1Ch]
        mov ebx, [eax]
KI_2:
        mov eax, [ebx+edx]
        mov [BUFFER_0], eax
        xor eax, eax
        mov eax, [fs:00h]

revolution, ... It's fun. You beat me by seconds. I've been using this for years. Forget about the bad guys. We need to learn and to help ourselves also instead of getting a bag full of surprises. The bad guy will pay in the long run because I will seek, find and destroy. ... ...
iic2 18 Sep 2008, 05:15
revolution knows better than most of us anyway by law. But now that I read what you are trying to do, you do sound like our asmcoder, in whom some of us are beginning to have a little faith.
OK, simply find some code that works, like above. Use messagebox as your debugger to see what you get... surf the web for all of those 1000 questions in a row. Then ask a few that you did not read or understand while searching... Good luck and no homework please. It's all about what you find or come up with to make it efficient, better and faster so all can enjoy. .... ....
Alphonso 18 Sep 2008, 09:07
Your code is probably crashing because it is trying to access inaccessible memory. Try this
Code:
find_kernel32:
        push esi
        push ecx
        xor ecx, ecx
        mov eax, [fs:ecx]           ; exchanged for mov esi, [fs:ecx]
        not ecx
find_kernel32_seh_loop:
        mov esi, eax                ; instead of destroying pointer esi with mov esi, eax
        lodsd
        cmp eax, ecx                ; not [eax]
        jne find_kernel32_seh_loop
find_kernel32_seh_loop_done:
        mov eax, [esi]              ; esi has already been incremented by lodsd
find_kernel32_base_loop:
        dec eax
        xor ax, ax
        cmp word [eax], 0x5A4D
        jne find_kernel32_base_loop
find_kernel32_base_finished:
        pop ecx
        pop esi
        ret

But why don't you simply use...
Code:
        invoke GetModuleHandle, 'Kernel32'
JohnCal 19 Sep 2008, 01:06
Thanks iic2 and Alphonso for those code snippets and anyone else who helped. No this is not viral code, I'm just trying to understand how this works. Thanks again guys
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.