Extract Value from CreateThreads Func proc

AgentSmithers · June 30, 2009, 07:55:11 AM


mov I, 4
mov  eax,OFFSET ThreadProcOne
invoke CreateThread, 0, NULL, EAX, ADDR i, NORMAL_PRIORITY_CLASS, ESI ;Invoke Uses EAX, ECX, EDX

Code Select

ThreadProcOne PROC Param:DWORD 

            local LocalI

            mov eax, Param
            mov LocalI, eax

            ret

How do I extract the Actual value 4 into EAX? Cant seem to figure this out...

Mov Byte Ptr is to a Address held in a Register, But what about the other way around?

BogdanOntanu · June 30, 2009, 02:44:54 PM

Please learn to ask questions the smart way

Those links may help:
http://catb.org/esr/faqs/smart-questions.html#explicit

And the general idea:
http://catb.org/esr/faqs/smart-questions.html

AgentSmithers · July 01, 2009, 12:15:34 AM

The Question is Simple, I sorry i cant see how I can be any more Specific for you, I have another thread and I want to Extract the Value 4 into eax as show being passed in the example in "ThreadProcOne". Right now eax is holding the Address to the value "4"

dedndave · July 01, 2009, 12:32:59 AM

i don't understand why you persist in using this forum
it really isn't where you want to be
there are probably 100 good reverse engineering/crack forums where you would be welcomed

answer:

mov eax,4

qWord · July 01, 2009, 12:35:25 AM

hi,
what about this:

Code Select


invoke CreateThread, 0, NULL, EAX, 1234567, NORMAL_PRIORITY_CLASS, ESI
....
ThreadProcOne PROC Param:DWORD 

            mov eax, Param 
            ; eax = 1234567
            ret
ThreadProcOne endp

AgentSmithers · July 01, 2009, 12:40:50 AM

Quote from: dedndave on July 01, 2009, 12:32:59 AM
i don't understand why you persist in using this forum
it really isn't where you want to be
there are probably 100 good reverse engineering/crack forums where you would be welcomed

answer:

mov eax,4

How the hell dose this even relate closely to reverse engineering?! It was a simple ASM question.

AgentSmithers · July 01, 2009, 12:42:13 AM

Quote from: qWord on July 01, 2009, 12:35:25 AM
hi,
what about this:
Code Select Expand
invoke CreateThread, 0, NULL, EAX, 1234567, NORMAL_PRIORITY_CLASS, ESI .... ThreadProcOne PROC Param:DWORD mov eax, Param ; eax = 1234567 ret ThreadProcOne endp

Thanks! Now the issue is with this is that i cant change that during runtime considering it is hardcoded, How would I get that into a variable?

AgentSmithers · July 01, 2009, 12:43:42 AM

I got it, Thanks Qword, I just need to pass "I" not "ADDR I", But just to learn if I passed "ADDR I" how would I extract the value 4 into eax when I pass the Address?

Edit:

I got it, The issue was I needed to extract from the extracted address twice

Code Select

mov eax, [Param]
mov eax, [eax]

Thanks QWORD!

qWord · July 01, 2009, 12:45:37 AM

Code Select

mov eax,Param
mov eax,DWORD ptr [eax]

Mark Jones · July 03, 2009, 02:22:32 AM

Dave, even if he went to Spook's forum, he would find himself in much friendler company. Many other high-profile names frequent that place too, so there is no lack of like-minded folk. They too must abide by legal red-tape, so will not answer blatent H/P/A/V/C questions, but are much more relaxed in what they term "legal." Here, where a topic can be flamed regularly just because the name of the poster appears questionable, it would not even cause a ripple over there... Plus, there are more posts and more concurrent users. He is doing things the hard way, here.

dedndave · July 03, 2009, 02:34:08 AM

he insults our intelligence - lol
"how do you make building block C ?"
"how do you make building block A ?"
"how do you make building block T ?"
like we can't tell he is trying to spell "cat" - lol

disintx · July 03, 2009, 07:59:21 AM

Quote from: dedndave on July 03, 2009, 02:34:08 AM
he insults our intelligence - lol
"how do you make building block C ?"
"how do you make building block A ?"
"how do you make building block T ?"
like we can't tell he is trying to spell "cat" - lol

See his website for more details on his new CAT

News:

Extract Value from CreateThreads Func proc

disintx