Inside invoke?

Started by Dromiceius, January 03, 2007, 04:33:02 AM


Dromiceius

Hello all,

I'm not sure how to ask this, but, how can I find out exactly what I'm Invoking when using Invoke? I understand that when I use

invoke CreateWindowEx [parameters]

that there'll be a lot of mov/push/pop going on, but where are the details?

Sorry in advance if this is a painfully stupid question. ;)

hutch--

Hi Dromiceius,

Welcome on board. The trick is to write the code with a number of NOPs before and after it, then disassemble the code and find it from the multiple nops.


nop
nop
nop

invoke MyFunc,arg,num,etc ,,,,

nop
nop
nop


Disassemble it and look for the three nops. Between the first three and the second three is exactly how invoke works as direct mnemonic code.

Jimg

Or you can just ask for a listing by including the  /Fl  option on your assembly.
For example, invoke messagebox comes out in the listing as something like-

invoke MessageBox,0,addr AboutMsg,addr ProgName,0
00001112  6A 00    *     push   +000000000h
00001114  68 00000008 R   *     push   OFFSET ProgName
00001119  68 00000020 R   *     push   OFFSET AboutMsg
0000111E  6A 00    *     push   +000000000h
00001120  E8 00000000 E   *     call   MessageBoxA


To cut down on the size of the listing, be sure to include a .nolist before your large library includes and a .listall afterward to turn the listing back on.  e.g.

.nolist
include Windows.inc

uselib MACRO libname:req
    include    libname.inc
    includelib libname.lib
ENDM

uselib user32
uselib kernel32
uselib shell32
uselib comctl32
uselib comdlg32
uselib gdi32
.listall

Tedd

Understanding your question in a slightly different manner..

It's down to the "calling convention" of the function you're invoking.
For almost all windows api functions, the convention is simply to push the arguments on the stack (in 'reverse' order) and then call the function. The function will clean up the arguments off the stack on returning, and provide the result in eax.
All invoke does (in this case) is push the arguments and call the function. For C-style functions, it additionally cleans the stack up afterwards, as C functions don't do that for you on returning.
No snowflake in an avalanche feels responsible.
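
The difference between the two conventions described above can be seen directly in a /Fl listing. The following is an added example, not code posted by anyone in this thread; the procedure names SumStd and SumC are made up for illustration, and the \masm32\lib path assumes a default MASM32 install.

```asm
; Added example. Assemble with a listing:  ml /c /coff /Fl demo.asm
; Then compare the lines marked * after each invoke in demo.lst.
.386
.model flat, stdcall
option casemap:none

includelib \masm32\lib\kernel32.lib     ; assumed default MASM32 install path

ExitProcess PROTO STDCALL :DWORD
SumStd      PROTO STDCALL :DWORD, :DWORD    ; hypothetical, API-style function
SumC        PROTO C       :DWORD, :DWORD    ; hypothetical, C-style function

.code

SumStd PROC STDCALL a:DWORD, b:DWORD
    mov eax, a
    add eax, b
    ret                 ; assembled as RET 8: the callee removes both arguments
SumStd ENDP

SumC PROC C a:DWORD, b:DWORD
    mov eax, a
    add eax, b
    ret                 ; assembled as plain RET: arguments stay on the stack
SumC ENDP

start:
    ; STDCALL: arguments pushed right to left, then the call, nothing after.
    ;   push 2
    ;   push 1
    ;   call SumStd
    invoke SumStd, 1, 2

    ; C: same pushes and call, plus the caller-side stack cleanup.
    ;   push 4
    ;   push 3
    ;   call SumC
    ;   add  esp, 8
    invoke SumC, 3, 4

    invoke ExitProcess, eax     ; result of the last call is in eax
end start
```

When reading a disassembly, the same two markers identify the convention without source: RET n in the callee means it cleans its own arguments, while add esp, n right after the call means the caller does.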

Dromiceius

Quote from: hutch--
Disassemble it and look for the three nops. Between the first three and the second three is exactly how invoke works as direct mnemonic code.

Aha. I was expecting a "look in filename.ext" kind of response. I guess I can stop looking for it if it doesn't exist. Thanks for the reply.

Quote from: Jimg
Or you can just ask for a listing by including the  /Fl  option on your assembly.
For example, invoke messagebox comes out in the listing as something like-

Success! :cheekygreen:

Quote from: Tedd
It's down to the "calling convention" of the function you're invoking.
For almost all windows api functions, the convention is simply to push the arguments on the stack (in 'reverse' order) and then call the function. The function will clean up the arguments off the stack on returning, and provide the result in eax.
All invoke does (in this case) is push the arguments and call the function. For C-style functions, it additionally cleans the stack up afterwards, as C functions don't do that for you on returning.

Right. That's pretty much what I wanted to know about. Still glad I figured out how to use ML in a command line, though.  :lol