Problem with a return value and StdOut

[dedndave]

that will use build.bat, i believe
not sure how to do it from QE, but from the command line:
buildc codigo

in QE - Console Build All

[xassiz]

that will use build.bat, i believe
not sure how to do it from QE, but from the command line:
buildc codigo

in QE - Console Build All

Yes thanks, I've just modified my last post :U

Now I only have to research what is "o▒3uö ↑".

[qWord]

probably you are passing an invalid pointer.

[xassiz]

probably you are passing an invalid pointer.

Code Select Expand

    invoke GetProcAddress, eax, addr funcion
    mov resultado, eax
In eax should be the return value of GetProcAddress, no?

[dedndave]

it is not an invalid pointer
it is the ASCII representation of the binary address - lol
you have to convert it to decimal or hexidecimal or octal ASCII string prior to displaying it
i recommend hex   :bg
DOH !

[xassiz]

Okey, uhex$ so.

Firstly, the output doesn't display nothing, so I do:

Code Select Expand


C:\Users\Pablo\Desktop>BuscaOffsets>output.txt

C:\Users\Pablo\Desktop>type output.txt
0018FF80
C:\Users\Pablo\Desktop>


But it isn't the output I want.

I coded the same in C and the output is correctly:

Code Select Expand


#include <stdio.h>
#include <windows.h>

typedef VOID (*MYPROC)(LPTSTR);

int main (int argc, char **argv) {
    char dll[100];
    char funcion[100];
   
    HINSTANCE libreria;   
    MYPROC procadd;

    if (argc != 3){
        printf ("Input 2 args\n");
        return 1;
    }
       
    memset(dll,0,sizeof(dll));
    memset(funcion,0,sizeof(funcion));
    memcpy (dll, argv[1], strlen(argv[1]));
    memcpy (funcion, argv[2], strlen(argv[2]));
   
    libreria = LoadLibrary(dll);
    procadd = (MYPROC)GetProcAddress (libreria,funcion);
   
    printf ("Offset of %s in %s is %x", funcion, dll, procadd);
    return 0;
}


Code Select Expand

C:\Users\Pablo\Desktop>offsets msvcrt.dll system
Offset of system in msvcrt.dll is 7533b16f
C:\Users\Pablo\Desktop>

7533b16f is the answer!

[dedndave]

do not expect it to have the same offset as the compiled version
anyways, that is clearly a hexidecimal value

[xassiz]

do not expect it to have the same offset as the compiled version
anyways, that is clearly a hexidecimal value

It cannot be correct, I try changing the function, and with printf returns the same offset

[qWord]

you are printing the the address of the DWORD holding the function pointer - it must be:

Code Select Expand

print uhex$(resultado),13,10

[xassiz]

you are printing the the address of the DWORD holding the function pointer - it must be:

Code Select Expand

print uhex$(resultado),13,10

It works!! :clap: :dance: :cheekygreen:

Lots of thanks!!!

Last question, what are the differences between:

Code Select Expand


print uhex$(resultado),13,10

and

Code Select Expand


print uhex$(resultado)

?

[fearless]

The 13,10 prints a new line with a CR LF (carriage return & linefeed character - in hex these are 13h and 10h)

[dedndave]

The 13,10 prints a new line with a CR LF (carriage return & linefeed character - in hex these are 13h and 10h)

in decimal, they are 13,10
in hex, they are 0Dh,0Ah

[xassiz]

The 13,10 prints a new line with a CR LF (carriage return & linefeed character - in hex these are 13h and 10h)

in decimal, they are 13,10
in hex, they are 0Dh,0Ah

Okey, lot of thanks, topic solved! :U

[herge]

Hi  xassiz:

This looks like you have clobbered a register that points to an Ascii String.
This data looks like code ie Not Data.

Causes 1. Un balanced stack ie more pushes than pops
           2. typo ie bad code
           3. Macro or other code is using this register

Regards herge