Hello.
I was coding a tool that returns the offset address of a function of a specific library.
The problem is when I use GetProcAddress.
I save the return value:
mov resultado, eax
But when I show it:
invoke MessageBox, NULL, addr resultado, addr title, 0
The output is strange characters. I think I have to show it as hex. But how?
Other problem I have, is my StdOut doesn't run.
invoke StdOut, addr resultado
It doesn't throw errors, but it doesn't do anything u.u
Thanks!
uhex$ macro will convert it to hex for you
refer to masm32\help\hlhelp.chm
StdOut is a console function
presumably, this is a GUI app
The message box is expecting Ascii characters & you have missed out the window handle (First parameter)
Quote from: dedndave on February 05, 2011, 03:51:38 PM
StdOut is a console function
presumably, this is a GUI app
You say it is a GUI app because of the MessageBox? I want to replace the MessageBoxes with StdOuts :toothy
Quote from: Neil on February 05, 2011, 04:04:12 PM
The message box is expecting Ascii characters
If StdOut works, I'll be able to show you what the output is (I can't copy it from the MessageBox) :dazzled:
The message box will work with a console application. Why not use print ustr$ (eax)
Quote from: Neil on February 05, 2011, 04:15:31 PM
The message box will work with a console application. Why not use print ustr$ (eax)
C:\Users\Pablo\Desktop\BuscaOffsets.asm(33) : error A2008: syntax error : ustr$
_
Assembly Error
I do:
print ustr$(eax)
or
print ustr$(addr resultado)
Have you got these includes at the start of your program?
include \masm32\include\masm32rt.inc
include \masm32\macros\macros.asm
ok
first - if you want to make a console app, use the correct batch file or link command line switch
the batch file to use is buildc.bat - build.bat is for GUI apps
second - it is important to note that the print macro will destroy the EAX contents
so, if you want to use the value later on...
push eax
print uhex$(eax),13,10 ;use uhex$ for hex output - ustr will show decimal - addresses make more sense in hex
pop eax
also, Neil is right - you have to include the right stuff - masm32rt.inc is the easy way
i am fairly certain that it already takes care of macros.asm, though :bg
have a look inside that file to see what it does for you
give me a few minutes and i'll post an example...
here you go....
Yes Dave you're right, masm32rt.inc does include macros.asm. I was trying to get some response as to what exactly had been coded.
Well.. See my code:
.386
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\masm32.inc
include \masm32\include\masm32rt.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\masm32.lib
Main PROTO
.data
libreria db "msvcrt.dll",0
funcion db "system",0
error db "No se encontro el proceso.",0
.code
codigo:
invoke Main
Main PROC
LOCAL resultado:DWORD
invoke LoadLibrary, addr libreria
invoke GetProcAddress, eax, addr funcion
mov resultado, eax
cmp resultado, NULL
je Error
invoke MessageBox, NULL, addr resultado, addr funcion, 0
print ustr$(addr resultado) ;nothing :S
invoke ExitProcess, 0
Error:
invoke MessageBox, NULL, addr error, addr libreria, 0
invoke ExitProcess, 0
Main ENDP
end codigo
Also I tried uhex$ and it isn't the output I want.
Thanks!
invoke GetProcAddress, eax, addr funcion
eax should contain the handle of the module, I cannot see where you get that in your code.
the way you structured the program, you are asking for a memory leak
that is because Main creates a local variable which is not released
you want to RET from Main, back to where you invoked it
also, i am still not convinced that you do not want hex output - lol
include \masm32\include\masm32rt.inc
Main PROTO
.data
libreria db "msvcrt.dll",0
funcion db "system",0
error db "No se encontro el proceso.",0
.code
codigo:
invoke Main
invoke ExitProcess, 0
Main PROC
LOCAL resultado:DWORD
invoke LoadLibrary, addr libreria
invoke GetProcAddress, eax, addr funcion
mov resultado, eax
cmp eax, NULL
je Error
invoke MessageBox, NULL, uhex$(addr resultado), addr funcion, 0
print ustr$(addr resultado) ;nothing :S
jmp short Exit_Main
Error:
invoke MessageBox, NULL, addr error, addr libreria, 0
Exit_Main:
ret
Main ENDP
end codigo
also show us your linker call - sounds like you are building a GUI app instead of a console application.
EDIT: BTW: as long as using masm32rt.inc (or msvcrt.inc/lib), you can directly call all CRT functions by adding the prefix 'crt_' to the function name:
invoke crt_system,...
I downloaded MASM32, so I'm using qeditor. I save and click Build All in Project menu.
EDIT
Sorry, I've just seen "Console Build All", StdOut works now too.
Output:
C:\Users\Pablo\Desktop>BuscaOffsets
o▒3uö ↑
Those characters?
that will use build.bat, i believe
not sure how to do it from QE, but from the command line:
buildc codigo
in QE - Console Build All
Quote from: dedndave on February 05, 2011, 06:05:52 PM
that will use build.bat, i believe
not sure how to do it from QE, but from the command line:
buildc codigo
in QE - Console Build All
Yes thanks, I've just modified my last post :U
Now I only have to research what "o▒3uö ↑" is.
probably you are passing an invalid pointer.
Quote from: qWord on February 05, 2011, 06:24:45 PM
probably you are passing an invalid pointer.
invoke GetProcAddress, eax, addr funcion
mov resultado, eax
In eax should be the return value of GetProcAddress, no?
it is not an invalid pointer
it is the ASCII representation of the binary address - lol
you have to convert it to a decimal, hexadecimal or octal ASCII string prior to displaying it
i recommend hex :bg
DOH !
Okay, uhex$ then.
Firstly, the output doesn't display anything, so I do:
C:\Users\Pablo\Desktop>BuscaOffsets>output.txt
C:\Users\Pablo\Desktop>type output.txt
0018FF80
C:\Users\Pablo\Desktop>
But it isn't the output I want.
I coded the same in C and the output is correct:
#include <stdio.h>
#include <string.h>
#include <windows.h>

typedef VOID (*MYPROC)(LPTSTR);

int main (int argc, char **argv) {
    char dll[100];
    char funcion[100];
    HINSTANCE libreria;
    MYPROC procadd;

    if (argc != 3){
        printf ("Input 2 args\n");
        return 1;
    }
    /* reject arguments that would overflow the 100-byte buffers
       (the copies below were previously unchecked) */
    if (strlen(argv[1]) >= sizeof(dll) || strlen(argv[2]) >= sizeof(funcion)) {
        printf ("Argument too long\n");
        return 1;
    }
    memset(dll,0,sizeof(dll));
    memset(funcion,0,sizeof(funcion));
    memcpy (dll, argv[1], strlen(argv[1]));
    memcpy (funcion, argv[2], strlen(argv[2]));
    libreria = LoadLibrary(dll);
    if (libreria == NULL) {
        printf ("LoadLibrary failed for %s\n", dll);
        return 1;
    }
    procadd = (MYPROC)GetProcAddress (libreria,funcion);
    if (procadd == NULL) {
        printf ("%s not found in %s\n", funcion, dll);
        return 1;
    }
    /* print the pointer's value as hex; the cast matches %x instead of
       passing a raw pointer through varargs */
    printf ("Offset of %s in %s is %x", funcion, dll, (unsigned)(UINT_PTR)procadd);
    return 0;
}
C:\Users\Pablo\Desktop>offsets msvcrt.dll system
Offset of system in msvcrt.dll is 7533b16f
C:\Users\Pablo\Desktop>
7533b16f is the answer!
do not expect it to have the same offset as the compiled version
anyways, that is clearly a hexadecimal value
Quote from: dedndave on February 05, 2011, 07:14:05 PM
do not expect it to have the same offset as the compiled version
anyways, that is clearly a hexadecimal value
It cannot be correct; I tried changing the function, and with printf it returns the same offset.
you are printing the address of the DWORD holding the function pointer - it must be:
print uhex$(resultado),13,10
Quote from: qWord on February 05, 2011, 07:41:34 PM
you are printing the address of the DWORD holding the function pointer - it must be:
print uhex$(resultado),13,10
It works!! :clap: :dance: :cheekygreen:
Lots of thanks!!!
Last question, what are the differences between:
print uhex$(resultado),13,10
and
print uhex$(resultado)
?
The 13,10 prints a new line with a CR LF (carriage return & linefeed character - in hex these are 13h and 10h)
Quote from: fearless on February 05, 2011, 08:29:23 PM
The 13,10 prints a new line with a CR LF (carriage return & linefeed character - in hex these are 13h and 10h)
in decimal, they are 13,10
in hex, they are 0Dh,0Ah
Quote from: dedndave on February 05, 2011, 08:32:22 PM
Quote from: fearless on February 05, 2011, 08:29:23 PM
The 13,10 prints a new line with a CR LF (carriage return & linefeed character - in hex these are 13h and 10h)
in decimal, they are 13,10
in hex, they are 0Dh,0Ah
Okay, lots of thanks, topic solved! :U
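To make concrete what the thread worked out (the "o▒3u" garbage being the raw bytes of the address, resultado versus addr resultado, and the 13,10 line ending), here is an added C example that is not from the thread or the masm32 package: it reimplements a uhex$-style formatter in plain C and uses the 7533b16f value from the poster's C program as a constructed sample, so it runs anywhere without loading a DLL.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What MessageBox or StdOut "see" when handed the DWORD itself as a string:
 * its four little-endian bytes, read until a NUL. A terminator is appended
 * here so the read stops instead of running on into neighbouring stack data
 * (the source of the trailing garbage in the poster's output).
 * Returns the number of bytes before the first NUL. */
static size_t dword_as_raw_string(uint32_t value, unsigned char out[5]) {
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(value >> (8 * i));   /* little-endian order */
    out[4] = 0;
    return strlen((const char *)out);
}

/* Equivalent of the masm32 uhex$ macro: 8 upper-case hex digits, optional
 * CR LF (13,10 decimal = 0Dh,0Ah), NUL-terminated. out holds >= 11 bytes. */
static void dword_to_hex(uint32_t value, int crlf, char out[11]) {
    static const char digits[] = "0123456789ABCDEF";
    int n = 0;
    for (int shift = 28; shift >= 0; shift -= 4)
        out[n++] = digits[(value >> shift) & 0xFu];
    if (crlf) { out[n++] = 13; out[n++] = 10; }
    out[n] = 0;
}

int main(void) {
    /* Constructed sample: the address the thread's C program printed for
     * msvcrt!system, standing in for the eax value from GetProcAddress. */
    uint32_t resultado = 0x7533B16Fu;
    unsigned char raw[5];
    char hex[11];

    /* 'addr resultado' passed as MessageBox text: bytes 6F B1 33 75, which
     * the poster's console rendered as "o▒3u" */
    dword_as_raw_string(resultado, raw);
    printf("bytes shown as text: %02X %02X %02X %02X\n",
           raw[0], raw[1], raw[2], raw[3]);

    /* uhex$(resultado) formats the value: the output the poster wanted */
    dword_to_hex(resultado, 1, hex);
    printf("uhex$(resultado): %s", hex);

    /* uhex$(addr resultado) formats the variable's own stack address instead
     * (the 0018FF80 seen earlier); truncated to 32 bits on 64-bit hosts */
    dword_to_hex((uint32_t)(uintptr_t)&resultado, 0, hex);
    printf("uhex$(addr resultado): %s\n", hex);
    return 0;
}
```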
Hi xassiz:
This looks like you have clobbered a register that points to an ASCII string.
This data looks like code, i.e. not data.
Causes:
1. Unbalanced stack, i.e. more pushes than pops
2. Typo, i.e. bad code
3. Macro or other code is using this register
Regards herge