Hello
When I am using the SendMessage API on XP, the returned value (the length of a string) is written in both the ECX and EAX registers.
But when I debugged the program on Win7 I saw that the same code gives different results: the SendMessage API didn't return the length of that string in ECX but only in the EAX register!
How can I know about these differences?
Quote from: silentenigma on November 05, 2010, 05:45:30 AM
EAX is the default register used for return values after calling an API.
As you can read on MSDN for SendMessage:
Return Value
LRESULT
The return value specifies the result of the message processing; it depends on the message sent.
This means the return value is in EAX, while the same value being present in the ECX register seems nothing more than a "coincidence", and you can of course check it by debugging SendMessage:
SendMessage API:
7E3AF3FC 6A 01 PUSH 1
7E3AF3FE FF75 14 PUSH DWORD PTR SS:[EBP+14]
7E3AF401 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7E3AF404 56 PUSH ESI
7E3AF405 50 PUSH EAX
7E3AF406 E8 A89DFFFF CALL USER32.7E3A91B3
Inside the Call that does the whole job:
7E3A9260 6A 01 PUSH 1
7E3A9262 53 PUSH EBX
7E3A9263 FF75 14 PUSH DWORD PTR SS:[EBP+14]
7E3A9266 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7E3A9269 57 PUSH EDI ; ntdll.7C920208
7E3A926A FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; kernel32.7C817070
7E3A926D FF76 60 PUSH DWORD PTR DS:[ESI+60]
7E3A9270 FFB6 9C000000 PUSH DWORD PTR DS:[ESI+9C]
7E3A9276 E8 E4F4FEFF CALL USER32.7E39875F
7E3A927B 8BC8 MOV ECX,EAX
7E3A927D A1 80103F7E MOV EAX,DWORD PTR DS:[7E3F1080]
7E3A9282 F640 02 04 TEST BYTE PTR DS:[EAX+2],4
7E3A9286 0F85 6C700000 JNZ USER32.7E3B02F8
7E3A928C 8BC1 MOV EAX,ECX
As you can see, MOV EAX, ECX tells you the whole deal in the end. Probably removed on Win7.
But you should really stick to EAX holding the return value; in case you want to know about any other "coincidence" like this, just open your debugger. :toothy
Of course I had opened IDA and searched through it and found out what happens :green2
Thanks a lot for the answer!
enigma,
The trick with Windows API functions across versions is to use the PUBLISHED return values, not what you can extract through a debugger in any particular version. What SendMessage() does is dependent on the message it is processing, and the only reliable way to use it is to check the reference material for each message. We all learnt this stuff the hard way after massive internal changes between Win9x and the NT4 and later family of Windows versions. The published techniques almost exclusively still worked where many of the tricks did not.
Current NT4-based executables work correctly under Vista/Win7 even though it has a different code base to the NT4-based Windows versions.
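As an added illustration of hutch's point (example code, not from any post in this thread), here is a MASM32-style routine that reads an edit control's text using only the documented SendMessage return value in EAX: WM_GETTEXTLENGTH returns the length, WM_GETTEXT returns the number of characters copied. The result of the first call is moved into EBX, a register stdcall requires callees to preserve, before the second call; ECX and EDX are never read after an API call because they are volatile and whatever they contain is an implementation detail that can change between Windows versions. The edit-control handle hEdit and the MASM32 include paths are assumptions.

```asm
; Added example, not code from the thread. Assumes the MASM32 SDK layout and that
; hEdit holds a valid edit-control handle created elsewhere (hypothetical).
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data?
    hEdit   dd ?            ; hypothetical: handle of an edit control created elsewhere
    buffer  db 256 dup(?)   ; receives the control text (255 characters + NUL)

.code
; GetEditText: returns in EAX the number of characters copied into pBuf,
; or -1 if the control's text (plus NUL) does not fit in cbBuf bytes.
; Only EAX is trusted after each SendMessage; EBX is used because stdcall
; guarantees the callee preserves it, unlike ECX and EDX.
GetEditText proc hWnd:DWORD, pBuf:DWORD, cbBuf:DWORD
    push ebx
    invoke SendMessage, hWnd, WM_GETTEXTLENGTH, 0, 0
    mov ebx, eax            ; documented result: text length, in EAX only
    inc ebx                 ; room for the terminating NUL
    cmp ebx, cbBuf
    ja  too_long            ; length + 1 exceeds the buffer: refuse rather than truncate silently
    invoke SendMessage, hWnd, WM_GETTEXT, cbBuf, pBuf
    ; EAX now holds the documented WM_GETTEXT result: characters copied (NUL excluded)
    jmp done
too_long:
    mov eax, -1
done:
    pop ebx
    ret
GetEditText endp

start:
    ; hEdit is assumed to have been filled in by the window-creation code
    invoke GetEditText, hEdit, addr buffer, sizeof buffer
    invoke ExitProcess, 0
end start
```

The length check before WM_GETTEXT is the part worth keeping in mind: the caller sizes the copy from a documented return value rather than from a register that happened to hold it on one Windows build, so the routine behaves the same on XP and Win7.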
Thanks hutch-- i have got the message ;)