Hey, I made a small program with asm code that sends out the F2 keystroke. The following code works and gives no errors at all:
__asm {
push ebp
mov ebp,esp
sub esp,0C0h          ; reserve 0C0h bytes of local stack space
mov esi,esp
push 0
push 0
push 0
push 71h              ; VK_F2
mov eax, 0x75c9d93c   ; hard-coded user32 address of keybd_event (key down)
call eax
mov esi,esp
push 0
push 2                ; KEYEVENTF_KEYUP
push 0
push 71h              ; VK_F2
mov eax, 0x75c9d93c   ; keybd_event again (key up)
call eax
mov esi,esp
push 1
mov eax, 0x772c3b54   ; hard-coded kernel32 address of ExitProcess
call eax
}
But when I try to remove the ExitProcess code at the bottom, the trouble starts. The lines I remove are:
mov eax, 0x772c3b54
call eax
When I run the program after removing those lines, it successfully presses the F2 button and right after that it says something like:
"The value of ESP was not properly saved across a function call"
As you can see, I have everything in inline __asm{}. I have C++ code with a timer, and in the timer's function is this asm code. Here is the full C++ code I have; maybe that helps.
I used this site to see what keypresses occurred:
http://www.quirksmode.org/js/keys.html
Anyone any idea how I can fix this error?
#ifndef POINTER_64
#define POINTER_64
#endif
#include <windows.h>
void CALLBACK TimerProc(HWND, UINT, UINT_PTR, DWORD);
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
MSG msg;
UINT nRet;
nRet = SetTimer(NULL, 1, 4000,(TIMERPROC)TimerProc);
while ( GetMessage ( &msg,0,0,0 ) > 0 )
DispatchMessage(&msg);
return 1;
}
void CALLBACK TimerProc(HWND, UINT, UINT_PTR, DWORD)
{
__asm {
push ebp
mov ebp,esp
sub esp,0C0h
mov esi,esp
push 0
push 0
push 0
push 71h
mov eax, 0x75c9d93c
call eax
mov esi,esp
push 0
push 2
push 0
push 71h
mov eax, 0x75c9d93c
call eax
mov esi,esp
push 1
mov eax, 0x772c3b54
call eax
//mov eax, 0x75c9d93c
//call eax
}
}
Sorry, but I think this is the worst asm code ever :'(
You're using static API addresses, you're executing useless commands, you're not correcting the stack before returning from the call, etc. etc.
I know it's not pretty, but that's not what's important in my case. I used static API addresses for a reason.
But any idea how I can fix my problem with the code I have?
Quote from: nofx on July 24, 2008, 09:18:44 PM
I know it's not pretty, but that's not what's important in my case. I used static API addresses for a reason.
But any idea how I can fix my problem with the code I have?
Align the stack at the end of the function (the esp register).
The function reserves 0C0h bytes for local stack, so you need to compensate for that, then pop ebp, then ret (unless the compiler puts it in automatically).
I think it should be something like this at the end :
add esp, 0C0h
pop ebp
(maybe ret)
Quote from: nofx on July 24, 2008, 09:18:44 PM
I know it's not pretty, but that's not what's important in my case. I used static API addresses for a reason.
But any idea how I can fix my problem with the code I have?
:dazzled: My GOD, can you tell me how you got the static address?
The nod seems to be that this type of code is used for code injection, something that, among others, the virus brigade practice. Let us know what you are doing or this topic will be closed.
Kinda off-topic, but which API is that?
I see VK_F2 as one of the parameters (71h)
I can't find which API it is; this is useful, I might as well learn about it now. I searched around for suitable APIs but I didn't find any that directly takes a keycode as a parameter.
EDIT: Maybe it's the RegisterHotKey API ...
The code's a mess - no wonder it doesn't work. You obviously don't understand it, so it's a copy-paste job?
The hard-coded indirect calls are so the code can be injected into the host exe and make use of its dll call jump table.
What reason do you have for simulating the pressing of F2 every 4 seconds?
What the code's meant to be doing:
keybd_event(VK_F2,0,0,0) //key down
keybd_event(VK_F2,0,KEYEVENTF_KEYUP,0) //key up
ExitProcess(1)
Aha! keybd_event, haven't seen it before.
Maybe this is for game botting or something. Give the poor guy a break, it's only a key ! :green :toothy :green
I'm just toying around with security applications. Perhaps this sounds kind of sinister, but my goal is to convert this into shellcode, aka bytecode, and see what happens. I have to use something like keybd_event because those are listed as blocked API calls. I'm just fooling around, which is the best way of learning new things if you ask me. So it's really not intended for any malicious reasons.
But this isn't really relevant to the topic. I'm absolutely no guru with ASM, so that's why I didn't really know what to do. I tried add esp, 16 at the end of the 4 push commands (4*4=16), but that didn't do the trick.
As for finding the addresses of the APIs: it differs with every OS and Service Pack you have installed, but I wrote a small app in C++ which reads out the address of the API in a specific DLL, in my case user32.dll. If you want this app, just PM me and I'll send it to you.
You don't have to compensate for the pushed variables because Windows APIs use the stdcall convention. You need to compensate for the sub esp, 0C0h at the start.
You can use GetProcAddress to find the API addresses.
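As an added example (not code from the thread), here is a small ESP bookkeeping model of the __asm block from the question that shows the arithmetic in the reply above: the stdcall callee pops the pushed arguments itself, so only the sub esp,0C0h and the push ebp are left to undo, which is why add esp,16 did not help and why ExitProcess hid the problem. It assumes 32-bit x86 and uses the API names from the earlier reply (keybd_event, ExitProcess) in place of the hard-coded addresses.

```python
# Added example, not code from the thread. Assumes 32-bit x86 (push/pop move
# ESP by 4) and that the Win32 APIs called are stdcall: the callee removes its
# own arguments with `ret N`, so the caller must not add esp after a call.

STDCALL_ARGS = {"keybd_event": 4, "ExitProcess": 1}  # from the Win32 prototypes
NORETURN = {"ExitProcess"}  # never returns, so a wrong ESP is never noticed

def masm_int(text):
    """Parse a MASM immediate: '0C0h' is hex, '16' decimal, '0x10' C-style."""
    text = text.strip()
    return int(text[:-1], 16) if text[-1] in "hH" else int(text, 0)

def esp_delta(lines):
    """Net ESP change after the block (0 = balanced); None if a no-return call is hit."""
    esp, ebp = 0, None
    for line in lines:
        mnemonic, _, operands = line.strip().partition(" ")
        ops = [o.strip() for o in operands.split(",")] if operands else []
        if mnemonic == "push":
            esp -= 4
        elif mnemonic == "pop":
            esp += 4
        elif mnemonic == "sub" and ops[0] == "esp":
            esp -= masm_int(ops[1])
        elif mnemonic == "add" and ops[0] == "esp":
            esp += masm_int(ops[1])
        elif mnemonic == "mov" and ops == ["ebp", "esp"]:
            ebp = esp
        elif mnemonic == "mov" and ops == ["esp", "ebp"]:
            esp = ebp
        elif mnemonic == "call":
            if ops[0] in NORETURN:
                return None
            esp += 4 * STDCALL_ARGS[ops[0]]  # callee's `ret N` pops the args
        # anything else (mov esi,esp; mov eax,imm) leaves ESP untouched
    return esp

# The block from the question, with API names in place of fixed addresses.
BODY = ["push ebp", "mov ebp,esp", "sub esp,0C0h", "mov esi,esp",
        "push 0", "push 0", "push 0", "push 71h", "call keybd_event",
        "mov esi,esp", "push 0", "push 2", "push 0", "push 71h", "call keybd_event"]

def as_posted():      # ExitProcess hides the imbalance -> None
    return esp_delta(BODY + ["push 1", "call ExitProcess"])

def add_esp_16():     # the attempted fix: still off by 0xB4 (-180)
    return esp_delta(BODY + ["add esp,16"])

def fixed():          # undo the sub esp and the push ebp -> 0
    return esp_delta(BODY + ["add esp,0C0h", "pop ebp"])
```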
Quote from: nofx on July 25, 2008, 01:27:58 PM
...
As for finding the addresses of the APIs: it differs with every OS and Service Pack you have installed, but I wrote a small app in C++ which reads out the address of the API in a specific DLL, in my case user32.dll. If you want this app, just PM me and I'll send it to you.
hahaha !
Are you saying that it's not true? ::)
I have closed the topic as I am not happy with the answer, we have rules that exclude content of this type.