Hello guys, I have some questions here. I was just testing the ASMLIB.DLL library from Genesys in a C program to see how it went and I noticed a few things.
My first question is about function name decoration. Almost all the functions in ASMLIB.DLL are STDCALL functions and yet I don't see any name decoration on them using Dependency Viewer. For instance, I figured that the Write function would appear as _Write@4 in Dependency Viewer because it's STDCALL but it's not decorated at all.
From what I understand, when I call the function InitConsole, I push the next instruction on the stack, I jump to a jump instruction that jumps inside my DLL. And when the function from this DLL returns, I come back to the next instruction in my code.
But I always thought that it was the function name that was decorated, but here I only see the IMPORT name decorated. It's all a bit confusing.
My other question is about this instruction:
00EF1000 E8 2B 00 00 00 call _InitConsole@0 (0EF1030h)
I figured that this was a relative CALL at +2B bytes from this instruction. But the actual jump to InitConsole is here
00EF1030
That's more than 2B!!!
However, 2B = 43. If I count every code byte from this instruction to the jump entry, I end up with 44, not 43.
Did I make a mistake in my count somewhere?
8: int main()
9: {
10: InitConsole();
00EF1000 E8 2B 00 00 00 call _InitConsole@0 (0EF1030h)
11: Write("coucou\nJesuisbeau");
00EF1005 68 F4 20 EF 00 push offset string "coucou\nJesuisbeau" (0EF20F4h)
00EF100A E8 1B 00 00 00 call _Write@4 (0EF102Ah)
12: Writelnf("%d %d %d %d %d", 1,2,3,4,5);
00EF100F 6A 05 push 5
00EF1011 6A 04 push 4
00EF1013 6A 03 push 3
00EF1015 6A 02 push 2
00EF1017 6A 01 push 1
00EF1019 68 08 21 EF 00 push offset string "%d %d %d %d %d" (0EF2108h)
00EF101E E8 13 00 00 00 call _Writelnf (0EF1036h)
00EF1023 83 C4 18 add esp,18h
13:
14:
15:
16: //Writexy(15,10,'c');
17:
18: return 0;
00EF1026 33 C0 xor eax,eax
19:
20: }
00EF1028 C3 ret
--- No source file -------------------------------------------------------------
00EF1029 CC int 3 ; Count = 38 up to here
_Write@4:
00EF102A FF 25 AC 20 EF 00 jmp dword ptr [__imp__Write@4 (0EF20ACh)]
_InitConsole@0:
00EF1030 FF 25 A8 20 EF 00 jmp dword ptr [__imp__InitConsole@0 (0EF20A8h)]
_Writelnf:
00EF1036 FF 25 A4 20 EF 00 jmp dword ptr [__imp__Writelnf (0EF20A4h)]
Normally, the decorated forms of external functions are visible in OMF \ MS COFF object modules, static libraries and import libraries. The final EXE \ DLL will import \ export the non-decorated version of the function name.
Thanks Vortex, I'm getting a clearer view now. It's really confusing because in object files it's decorated, in DLLs it's not, in GoAsm it's not, cdecl, stdcall, etc :D
2nd question:
00EF1000 E8 2B 00 00 00 call _InitConsole@0 (0EF1030h)
...
00EF1030 FF 25 A8 20 EF 00 jmp dword ptr [__imp__InitConsole@0 (0EF20A8h)]
Eip = 00EF1000, size of call instruction is 5 bytes, destination is 00EF1030
00EF1030 - (00EF1000+5) = 2B
or, destination minus return address (00EF1030 - 00EF1005 = 2B)
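As an added example (not code from anyone in this thread), the arithmetic drizz describes, applied to the two instruction forms in the listing: the E8 rel32 call into the stub and the FF 25 disp32 jump through the import address table slot. The byte values and addresses are copied from the listing above; the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result of decoding one 32-bit x86 control transfer. */
typedef struct {
    int      ok;        /* 1 if the opcode was one of the two forms we know */
    uint32_t next_eip;  /* address of the instruction that follows */
    uint32_t target;    /* E8: call destination; FF 25: address of the IAT slot read */
} xfer_t;

/* Read a little-endian 32-bit immediate or displacement. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* E8 rel32:      call   target = (eip + 5) + rel32, rel32 is signed
 * FF 25 disp32:  jmp dword ptr [disp32], absolute, through the IAT   */
xfer_t decode_xfer(uint32_t eip, const uint8_t *code, size_t len) {
    xfer_t r = {0, 0, 0};
    if (len >= 5 && code[0] == 0xE8) {
        int32_t rel = (int32_t)rd32(code + 1);
        r.next_eip = eip + 5;
        r.target   = r.next_eip + (uint32_t)rel;   /* wraps correctly for negative rel */
        r.ok = 1;
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        r.next_eip = eip + 6;
        r.target   = rd32(code + 2);
        r.ok = 1;
    }
    return r;
}

/* Inverse: the rel32 an assembler emits for a call at eip that must land on target. */
int32_t call_rel32(uint32_t eip, uint32_t target) {
    return (int32_t)(target - (eip + 5));
}

int main(void) {
    const uint8_t call_bytes[] = {0xE8, 0x2B, 0x00, 0x00, 0x00};        /* at 00EF1000 */
    const uint8_t stub_bytes[] = {0xFF, 0x25, 0xA8, 0x20, 0xEF, 0x00};  /* at 00EF1030 */
    xfer_t c = decode_xfer(0x00EF1000, call_bytes, sizeof call_bytes);
    xfer_t j = decode_xfer(c.target, stub_bytes, sizeof stub_bytes);
    printf("call at 00EF1000 -> stub %08X, stub reads IAT slot %08X\n", c.target, j.target);
    printf("rel32 for that call = %d (0x%X)\n", call_rel32(0x00EF1000, 0x00EF1030),
           (unsigned)call_rel32(0x00EF1000, 0x00EF1030));
    return 0;
}
```

The count starts at the return address, not at the call itself, which is why the 5 bytes of the call opcode are excluded and the displacement comes out as 2B.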
Ohh. I see. Thank you drizz, it's clear now :8)