Hello Community,
I hope this is the right place.
OK, I have Flat Assembler (FASM) code syntax, but I need to convert it to MASM syntax (I don't have knowledge about MASM).
This code dynamically loads a DLL at runtime. When I use FASM I can compile it to a binary (*.bin) and afterwards copy/include the binary with a hex editor into an executable. But first I need the MASM syntax; then I can use a tool called Snippet Creator.
IMAGE_BASE = 0x00400000 ; image base of the target executable (the OllyDbg listing below shows EBX = 00400000)
_LoadLibrary = 0x5929C + IMAGE_BASE ; IAT slot holding the address of LoadLibraryA
_GetProcAddress = 0x592E4 + IMAGE_BASE ; IAT slot holding the address of GetProcAddress
_CopyFileA = 0x5936C ; unused in this snippet
IMPORT_ENTRY_NAME_PANDA = 0x5B308 ; RVA of the DLL name string passed to LoadLibraryA
IMPORT_ENTRY_PANDA_FIRST_THUNK = 0x5977C ; RVA of the thunk array (name RVAs in, function addresses out)
BACK_TO_EP = 0x55700 + IMAGE_BASE ; original entry point to return to when done
use32
mov ebx,IMAGE_BASE
mov edx,IMPORT_ENTRY_NAME_PANDA
add edx,ebx
push edx
call dword [_LoadLibrary]
mov edx,IMPORT_ENTRY_PANDA_FIRST_THUNK
mov edi,IMPORT_ENTRY_PANDA_FIRST_THUNK
add edx,ebx
add edi,ebx
.load_api_addresses:
cmp dword [edx],0
jz .finished_api_loading
mov ecx,[edx]
inc ecx
inc ecx
add ecx,ebx
push edx
push eax
push ecx
push eax
call dword [_GetProcAddress]
stosd
pop eax
pop edx
add edx,4
jmp .load_api_addresses
.finished_api_loading:
push BACK_TO_EP
ret
Here is the same code in OllyDbg:
004556E6 > $ BB 00004000 MOV EBX,patch.00400000 ; ASCII "MZP"
004556EB . BA 08B30500 MOV EDX,5B308
004556F0 . 01DA ADD EDX,EBX
004556F2 . 52 PUSH EDX ; /FileName => "wsock32.dll"
004556F3 . FF15 9C924500 CALL NEAR DWORD PTR DS:[<&kernel32.LoadL>; \LoadLibraryA
004556F9 . BA 7C970500 MOV EDX,5977C
004556FE . BF 7C970500 MOV EDI,5977C
00455703 . 01DA ADD EDX,EBX
00455705 . 01DF ADD EDI,EBX
00455707 > 833A 00 CMP DWORD PTR DS:[EDX],0
0045570A . 74 18 JE SHORT patch.00455724
0045570C . 8B0A MOV ECX,DWORD PTR DS:[EDX]
0045570E . 41 INC ECX
0045570F . 41 INC ECX
00455710 . 01D9 ADD ECX,EBX
00455712 . 52 PUSH EDX
00455713 . 50 PUSH EAX
00455714 . 51 PUSH ECX ; /ProcNameOrOrdinal
00455715 . 50 PUSH EAX ; |hModule
00455716 . FF15 E4924500 CALL NEAR DWORD PTR DS:[<&kernel32.GetPr>; \GetProcAddress
0045571C . AB STOS DWORD PTR ES:[EDI]
0045571D . 58 POP EAX
0045571E . 5A POP EDX
0045571F . 83C2 04 ADD EDX,4
00455722 .^EB E3 JMP SHORT patch.00455707
00455724 > 55 PUSH EBP
00455725 . 8BEC MOV EBP,ESP
00455727 . 83C4 F4 ADD ESP,-0C
0045572A . 53 PUSH EBX
0045572B . B8 D8544500 MOV EAX,patch.004554D8
00455730 . 68 84564500 PUSH patch.00455684
00455735 . C3 RETN ; RET used as a jump to 00455684
regards,
herman2k
This looks to me like using a delta trick/offset and loading a DLL by hand; all this is specific to Vx, RtPack and injection...
Questions:
The "snippet creator" I know of is not very honorable... besides, AFAIK FASM is capable of outputting PE directly... so why compile to a .BIN file?
What exactly do you want to do?
Is this your code?
What does this have to do with compiler technology?
BTW... read The Rules :D
We do not allow some kinds of requests in this forum.
Yes,
the tool was originally used to add sections to a PE file, that is, an existing binary file, and the rules of the forum specifically prohibit this type of code or posting.
This topic is closed.