Difference in SendMessage between XP and Win7

Started by silentenigma, November 05, 2010, 05:45:30 AM


silentenigma

Hello,
when I am using the SendMessage API in XP, the returned value of a string's length is written in both the ECX and EAX registers.
But when I debugged the program in Win7 I saw that the same code produced different results. The SendMessage API didn't return the length of that string in ECX but only in the EAX register!

How can I know about these differences?
My heart is ripped out,
Chained on my boots
Look deep inside my soul with pain,
Witness the fall of a hero

theunknownguy

Quote from: silentenigma on November 05, 2010, 05:45:30 AM
Hello,
when I am using the SendMessage API in XP, the returned value of a string's length is written in both the ECX and EAX registers.
But when I debugged the program in Win7 I saw that the same code produced different results. The SendMessage API didn't return the length of that string in ECX but only in the EAX register!

How can I know about these differences?

EAX is the default register used for return values after calling an API.

As you can read on MSDN for SendMessage:


Return Value

LRESULT

The return value specifies the result of the message processing; it depends on the message sent.


That means the return is in EAX, while the same value being present in the ECX register seems to be nothing more than a "coincidence", and you can of course check it by debugging SendMessage:

SendMessage API:

7E3AF3FC  6A 01          PUSH 1
7E3AF3FE  FF75 14        PUSH DWORD PTR SS:[EBP+14]
7E3AF401  FF75 10        PUSH DWORD PTR SS:[EBP+10]
7E3AF404  56             PUSH ESI
7E3AF405  50             PUSH EAX
7E3AF406  E8 A89DFFFF    CALL USER32.7E3A91B3


Inside the call that does the whole job:

7E3A9260  6A 01          PUSH 1
7E3A9262  53             PUSH EBX
7E3A9263  FF75 14        PUSH DWORD PTR SS:[EBP+14]
7E3A9266  FF75 10        PUSH DWORD PTR SS:[EBP+10]
7E3A9269  57             PUSH EDI                        ; ntdll.7C920208
7E3A926A  FF75 F8        PUSH DWORD PTR SS:[EBP-8]       ; kernel32.7C817070
7E3A926D  FF76 60        PUSH DWORD PTR DS:[ESI+60]
7E3A9270  FFB6 9C000000  PUSH DWORD PTR DS:[ESI+9C]
7E3A9276  E8 E4F4FEFF    CALL USER32.7E39875F
7E3A927B  8BC8           MOV ECX,EAX
7E3A927D  A1 80103F7E    MOV EAX,DWORD PTR DS:[7E3F1080]
7E3A9282  F640 02 04     TEST BYTE PTR DS:[EAX+2],4
7E3A9286  0F85 6C700000  JNZ USER32.7E3B02F8
7E3A928C  8BC1           MOV EAX,ECX


As you can see, the MOV EAX, ECX at the end tells you the whole deal. Probably removed on Win7.

But you should really stick to EAX holding the return value; if you want to know about any other "coincidence" like this, just open your debugger.  :toothy


silentenigma

Of course I had opened IDA and searched through it and found out what happens  :green2

Thanks a lot for the answer!

hutch--

enigma,

The trick with Windows API functions across versions is to use the PUBLISHED return values, not what you can extract through a debugger in any particular version. What SendMessage() does depends on the message it is processing, and the only reliable way to use it is to check the reference material for each message. We all learnt this stuff the hard way after massive internal changes between Win9x and the NT4-and-later family of Windows versions. The published techniques almost exclusively still worked where many of the tricks did not.

Current NT4-based executables work correctly under Vista/Win7 even though it has a different code base from the NT4-based Windows versions.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php
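The two replies above make the same point: read the result of SendMessage from EAX as the documentation for the specific message defines it, and treat ECX as scratch. The following MASM32 module is an added example written for this thread, not code posted by any of the participants. It assumes the standard MASM32 SDK include layout and that hEdit is a handle to an existing edit control; the marker value loaded into ECX is there only so a debugger run shows ECX is not a second copy of the result.

```asm
; Added example: use the published WM_GETTEXTLENGTH / WM_GETTEXT return values
; (EAX only) and never size a buffer from an undocumented register.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib

.code

; Return the text length of an edit control in EAX via WM_GETTEXTLENGTH.
; ECX is loaded with a marker before the call; under stdcall ECX/EDX are
; volatile, so whatever USER32 leaves there is an implementation detail.
GetEditLength proc hEdit:DWORD
    mov ecx, 0DEADBEEFh             ; marker (assumed value, for the debugger)
    invoke SendMessage, hEdit, WM_GETTEXTLENGTH, 0, 0
    ; EAX = character count excluding the terminating NUL (published value)
    ; ECX = unspecified on return; do not read the length from it
    ret
GetEditLength endp

; Copy the control's text into pBuf (cbBuf bytes).
; Returns EAX = characters copied (excluding NUL), or -1 if pBuf is too small.
; The size check is done against the EAX result so the buffer can never be
; overrun on the strength of a register that a newer Windows may not set.
CopyEditText proc hEdit:DWORD, pBuf:DWORD, cbBuf:DWORD
    invoke SendMessage, hEdit, WM_GETTEXTLENGTH, 0, 0
    inc eax                         ; +1 for the NUL terminator
    cmp eax, cbBuf
    ja  too_small                   ; unsigned: length+1 > buffer size
    ; wParam for WM_GETTEXT is the buffer size in characters including NUL
    invoke SendMessage, hEdit, WM_GETTEXT, cbBuf, pBuf
    ret                             ; EAX = characters copied, from EAX only
too_small:
    mov eax, -1
    ret
CopyEditText endp

end
```

The module assembles as an object file to be linked into a GUI program that supplies the edit control; single-stepping GetEditLength under XP and Win7 shows the EAX result is the same on both while the ECX value after the call is whatever the USER32 of that version happened to leave, which is exactly why only EAX may be relied on.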
