News:

MASM32 SDK Description, downloads and other helpful links
MASM32.com New Forum Link
masmforum WebSite

underscore usage

Started by joerbanno, June 06, 2007, 10:07:02 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

joerbanno

June 06, 2007, 10:07:02 AM
Well still learning assembly and more specifically Masm32, I came across some code that I don't quite comprehend.

It is code of the form:

Code Select

.data
Kernel32 db "kernel32.dll",0
Sleepfunc db "Sleep",0

.data?
KernelBase dd ?

.code
invoke GetModuleHandleA, addr Kernel32
mov KernelBase, eax
invoke GetProcAddress, KernelBase, addr Sleepfunc
mov [_Sleep], eax


I don't understand what happens with the statement mov [_Sleep],eax
Somehow the address of the function sleep gets written to where _Sleep points to, but _Sleep is never defined, so what is the semantics of this underscore?
And what does teh statement accomplish?

Thnx Joero

hutch--

#1
June 06, 2007, 11:15:25 AM
Joero,

The code appears to be incomplete, there is no variable declaraion for thew variable "_Sleep". All the code is doing is getting its start address in the DLL so it can be called directly.

Code Select

push 100
call _Sleep


You would normally put the _Sleep variable in either the .DATA? section or as a local in a procedure,

Code Select

LOCAL _Sleep  :DWORD


Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

joerbanno

#2
June 06, 2007, 02:40:58 PM
Yeah I looked further and there it was:
sleepy:
        push          INFINITE           
        db            0bbh             
        _Sleep        dd 0
        call          ebx   

but I don't understand how this works, is this Position independent Code?

Vortex

#3
June 06, 2007, 05:13:30 PM
It looks like that data and code are mixed on the same section.

joerbanno

#4
June 11, 2007, 08:24:30 AM
Hmmm,

A somehow related question is, why is the first move
Code Select

mov KernelBase, eax

as opposed to the second
Code Select

mov [_Sleep], eax

Aren't they both pointers?

zooba

#5
June 11, 2007, 09:21:31 AM
Actually, that snippet appears to be self-modifying code. The address of the actual Sleep function is inserted at run time and sleepy is called to call Sleep with -1 as the number of milliseconds.

If it is written in MASM, the extra brackets around _Sleep are ignored. Both KernelBase and _Sleep are pointer-sized variables (ie. 32-bit integers) and the two move commands shown are assigning pointers to these variables. To dereference one of them (as the brackets imply) you need to mov eax, KernelBase and use DWORD PTR [eax].

It looks as if it could be position-independent code, but I don't see any reason to bother. Windows will automatically "rebase" your code if required.

Cheers,

Zooba :U
Print
Go Up Pages1
User actions