Started by PJOTR, October 02, 2010, 11:14:28 AM

Hello all,

I am making my first experiences on Win32Asm, so I assembled a simple MessageBox and an ExitProcess, then I used IDA Free to disassemble it to see the resulting code. MASM32 added a CreateThread after...

The source listing:

        push mb_ok             
        push lpCaption         
        push lpText             
        push hWnd               
        call MessageBoxA       
        push 12
        CALL    ExitProcess

The disassembler listing:

.text:00401000                 public start
.text:00401000 start           proc near
.text:00401000                 push    0               
.text:00401002                 push    offset Caption
.text:00401007                 push    offset Text     
.text:0040100C                 push    0               
.text:0040100E                 call    MessageBoxA
.text:00401013                 push    0Ch             
.text:00401015                 call    ExitProcess
.text:0040101A                 jmp     ds:CreateThread
.text:0040101A start           endp

I don't understand why it jumps to CreateThread after the ExitProcess; why is that?

Thanks in advance!


not sure why it is there
but, it doesn't appear that it will be executed
the ExitProcess call terminates all execution of the calling program


Yes, that's right. I stepped into it and all ends after ExitProcess. The jump to CreateThread could be an IDA misinterpretation.


What you are probably seeing are the stub functions.  When you link to a DLL from an import library, you insert a "stub function" at the end of your code, which performs a jump to the address stored in the import table (fixed up by the OS when you load).  These are usually inserted right after your code, and CALLs to those functions go there, which then jump into the DLL.  In fact, you should actually see several of them (one for MessageBox, one for ExitProcess, etc).  As to why you only see CreateThread, and not the other ones, perhaps that's IDA's doing.

You have the option with MASM of two different types of prototypes. The normal ones generate a lookup table at the end of the executable, and this is what the function call is jumping to. The alternative is to use a tool in the masm32 project called L2EXTIA (in the tools directory) which creates a different type of prototype.


LoadLibrary equ <LoadLibraryA>


externdef _imp__LoadLibraryA@4:PTR pr1
LoadLibrary equ <_imp__LoadLibraryA@4>

Note that the alternate form requires a macro to expand the arguments.

The alternate prototypes generate a direct address in MASM output like VC.
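Added example, not code from the thread: a small Python decoder that walks a hand-built byte image of the program above (same VAs as the IDA listing, made-up IAT slot addresses), recognises the FF 25 `jmp dword ptr [slot]` thunks the linker appends, names each one from its IAT slot the way IDA does, and resolves the E8 calls through them. It also includes one FF 15 `call dword ptr [slot]`, which is what the L2EXTIA-style `_imp__` prototype produces instead of a stub.

```python
import struct

# Constructed sample, not a real binary: code at 0x401000 (matching the IDA
# listing's VAs), IAT slots at 0x402000. Slot addresses are made up here.
CODE_BASE = 0x401000
IAT = {0x402000: "CreateThread", 0x402004: "MessageBoxA", 0x402008: "ExitProcess"}

def build_sample_code() -> bytes:
    """Hand-assemble the thread's program plus the stubs the linker appends."""
    def rel32(from_off, to_off):                       # E8 rel is from next insn
        return struct.pack("<i", to_off - (from_off + 5))
    stub_msgbox, stub_exit = 32, 38                    # offsets of the jmp thunks
    code  = b"\x6a\x00"                                # 00: push 0 (MB_OK)
    code += b"\x68" + struct.pack("<I", 0x403000)      # 02: push offset Caption
    code += b"\x68" + struct.pack("<I", 0x403010)      # 07: push offset Text
    code += b"\x6a\x00"                                # 0C: push 0 (hWnd)
    code += b"\xe8" + rel32(14, stub_msgbox)           # 0E: call MessageBoxA stub
    code += b"\x6a\x0c"                                # 13: push 0Ch
    code += b"\xe8" + rel32(21, stub_exit)             # 15: call ExitProcess stub
    code += b"\xff\x25" + struct.pack("<I", 0x402000)  # 1A: jmp ds:[CreateThread]
    code += b"\xff\x25" + struct.pack("<I", 0x402004)  # 20: jmp ds:[MessageBoxA]
    code += b"\xff\x25" + struct.pack("<I", 0x402008)  # 26: jmp ds:[ExitProcess]
    code += b"\xff\x15" + struct.pack("<I", 0x402008)  # 2C: call ds:[ExitProcess]
    return code

def decode(code: bytes, base: int) -> list:
    """Linear decoder for just the opcodes the sample uses: (va, op, operand)."""
    out, off = [], 0
    while off < len(code):
        va, b0, b1 = base + off, code[off], code[off + 1]
        if b0 == 0x6A:                                  # push imm8
            out.append((va, "push", b1)); off += 2
        elif b0 == 0x68:                                # push imm32
            out.append((va, "push", struct.unpack_from("<I", code, off + 1)[0])); off += 5
        elif b0 == 0xE8:                                # call rel32 -> absolute target
            out.append((va, "call", va + 5 + struct.unpack_from("<i", code, off + 1)[0])); off += 5
        elif b0 == 0xFF and b1 in (0x15, 0x25):         # call/jmp dword ptr [disp32]
            op = "call_ind" if b1 == 0x15 else "jmp_ind"
            out.append((va, op, struct.unpack_from("<I", code, off + 2)[0])); off += 6
        else:
            raise ValueError(f"unsupported opcode {b0:#x} at {va:#x}")
    return out

def analyze(code: bytes, base: int, iat: dict) -> list:
    """Name import stubs from their IAT slot, then resolve calls through them."""
    insns = decode(code, base)
    # A 'jmp dword ptr [slot]' whose slot is in the IAT is the stub for that import.
    stubs = {va: iat[slot] for va, op, slot in insns if op == "jmp_ind" and slot in iat}
    lines = []
    for va, op, x in insns:
        if op == "push":
            text = f"push {x:#x}"
        elif op == "call":
            text = f"call {stubs[x]}  ; via stub at {x:#x}" if x in stubs else f"call {x:#x}"
        elif op == "call_ind":
            text = f"call ds:{iat.get(x, hex(x))}  ; direct IAT call, no stub"
        else:
            text = f"jmp ds:{iat.get(x, hex(x))}  ; import stub"
        lines.append((va, text))
    return lines
```

Running `analyze(build_sample_code(), CODE_BASE, IAT)` shows the unused CreateThread thunk at 0x40101A right after the ExitProcess call, exactly where the listing above shows it, because the linker places the thunks after the last byte of user code.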
