
Fasm to masm

Started by ragdog, April 11, 2010, 07:41:47 PM


ragdog

Hi

I have found a fasm source and have a problem adding this file to my project

_Lib            file    'test.dat'
_libproc1       =       _Lib + 9158h

Must I add this file as hex?

jj2007

Looks like the equivalent of GetProcAddress. Can you load it into memory, point a reg to the offset, and see through Olly what happens if you do a jmp eax?

ragdog

Hi

No. This crashes in my masm source after compiling.

Here is the disassembled code from this:

        push    185C8h                  ;---------- _size
        push    offset dword_40A270     ;---------- My_file
        push    GetProcAddress
        push    GetModuleHandleA
        call    sub_40A158              ;---------- _libproc1

I do not understand this source correctly.

Here is the fasm source:

        push    _size My_file [GetProcAddress][GetModuleHandle]
        call    _libproc1

donkey

Quote from: ragdog on April 11, 2010, 08:57:28 PM
Hi

No. This crashes in my masm source after compiling.

Here is the disassembled code from this:

        push    185C8h                  ;---------- _size
        push    offset dword_40A270     ;---------- My_file
        push    GetProcAddress
        push    GetModuleHandleA
        call    sub_40A158              ;---------- _libproc1

I do not understand this source correctly.

Here is the fasm source:

        push    _size My_file [GetProcAddress][GetModuleHandle]
        call    _libproc1

Is this for API hooking or code injection? It looks like it anyway, passing the addresses to those 2 particular functions and the base and size of a PE file (since it obviously has exports it must be a PE) is a bit suspect. Anyway it looks suspicious to me...

Edgar
"Ahhh, what an awful dream. Ones and zeroes everywhere...[shudder] and I thought I saw a two." -- Bender
"It was just a dream, Bender. There's no such thing as two". -- Fry
-- Futurama

Donkey's Stable

ragdog

Quote: Is this for API hooking or code injection?

No!!

'test.dat' is a memory dump of a dll




qWord

The snippets you are showing make no sense - give us more code
FPU in a trice: SmplMath
It's that simple!

dedndave

apparently, test.dat is a ".LIB" file ???
at offset 9158h in that file is a proc ?
does the proc have a name ?

ragdog

OK, I have solved it another way, with the dll2lib tool.
Thanks

Now I have another one, with this macro to encrypt:

macro encrypt dstart,dsize {
    local ..char,..key,..shift
    ..key = 0FFh
    repeat dsize
        load ..char from dstart+%-1
        ..char = ..char xor ..key
        store ..char at dstart+%-1
        ..shift = ..char and 03h
        ..key = ((..key shr ..shift) and 0FFh) + ((..key shl (08-..shift)) and 0FFh)
        ..key = ..key xor 0AAh
        ..shift = (..char shr 4) and 03h
        ..key = ((..key shr ..shift) and 0FFh) + ((..key shl (08-..shift)) and 0FFh)
        ..key = (..key + ..char) and 0FFh
    end repeat
}

Can anyone translate it to masm32, please?
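
Added example, not part of the thread or any poster's code: a Python decoder for data processed by the macro above, as an analyst examining such a blob would write it. The macro's key starts at the constant 0FFh and each key update uses only the stored byte, so the transform can be reversed without any secret. The function names and the sample bytes are constructed for illustration.

```python
# Added example: inverse of the fasm `encrypt` macro shown above.
# Names (ror8, next_key, decode) and SAMPLE are constructed here.

def ror8(value: int, count: int) -> int:
    """Rotate an 8-bit value right, as the macro's shr/shl pair does."""
    return ((value >> count) | (value << (8 - count))) & 0xFF


def next_key(key: int, stored: int) -> int:
    """Key schedule of the macro; `stored` is the byte after the XOR."""
    key = ror8(key, stored & 0x03)          # ..shift = ..char and 03h
    key ^= 0xAA                             # ..key xor 0AAh
    key = ror8(key, (stored >> 4) & 0x03)   # ..shift = (..char shr 4) and 03h
    return (key + stored) & 0xFF            # (..key + ..char) and 0FFh


def decode(blob: bytes, key: int = 0xFF) -> bytes:
    """Recover the original bytes from a blob the macro has processed."""
    out = bytearray()
    for stored in blob:
        out.append(stored ^ key)     # undo ..char xor ..key
        key = next_key(key, stored)  # same update the macro performed
    return bytes(out)


# Constructed sample: what the macro stores for the bytes 4D 5A 90 00.
SAMPLE = bytes.fromhex("b20653bc")

if __name__ == "__main__":
    print(decode(SAMPLE).hex())
```

Because the first key is fixed, the first stored byte is always the original byte XOR 0FFh, which makes blobs produced this way easy to recognise.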

Ghandi

Memory dll's, code encryption... Very dangerous questions on this board...

HR,
Ghandi

qWord

Quote from: ragdog on April 25, 2010, 11:57:14 AM
Can anyone translate it to masm32, please?
No, there is no equivalent to fasm's load and store directives in masm. You must use an external tool for encrypting your code/data.

ragdog

No Ghandi ::)

This is not for dll encryption or anything.

Use an external tool for encrypting your code/data?
No, this fasm source works without any external tool


BogdanOntanu

This looks suspicious indeed and the OP failed to answer two questions about the purpose of this code.
Locked.
Ambition is a lame excuse for the ones not brave enough to be lazy.
http://www.oby.ro