sending keystrokes, 'esp not properly saved' error

Started by nofx, July 24, 2008, 01:53:36 PM


nofx

Hey, I made a small program with asm code that sends out the F2 keystroke. The following code works and gives no errors at all:


__asm {

    push        ebp                     // opens a second frame inside the one the compiler already built
    mov         ebp, esp
    sub         esp, 0C0h               // 0C0h bytes of locals that nothing below ever uses

    mov         esi, esp                // left over from a debug-build disassembly (the compiler's ESP check); does nothing here
    push        0                       // dwExtraInfo
    push        0                       // dwFlags = 0 (key down)
    push        0                       // bScan
    push        71h                     // bVk = VK_F2

    mov         eax, 0x75c9d93c         // hard-coded address of keybd_event in user32.dll, valid only on this machine
    call        eax                     // stdcall: the callee pops the four arguments

    mov         esi, esp
    push        0                       // dwExtraInfo
    push        2                       // dwFlags = KEYEVENTF_KEYUP
    push        0                       // bScan
    push        71h                     // bVk = VK_F2

    mov         eax, 0x75c9d93c
    call        eax

    mov         esi, esp
    push        1                       // uExitCode

    mov         eax, 0x772c3b54         // hard-coded address of ExitProcess in kernel32.dll
    call        eax                     // never returns, so the frame opened above is never torn down or noticed
}


But when I try to remove the ExitProcess code at the bottom, the trouble starts. The lines that I remove are:
mov       eax, 0x772c3b54
call        eax

When I run the program after I removed those lines, it successfully presses the F2 button and right after that it says something like:
"The value of ESP was not properly saved across a function call"

As you can see, I have everything in inline __asm{}. I have C++ code with a timer, and in the function of the timer is this asm code. Here is the full C++ code I have; maybe that would help better.
I used this site to see what key presses occurred:
http://www.quirksmode.org/js/keys.html

Anyone any idea how I can fix this error?

#ifndef POINTER_64
#define POINTER_64
#endif

#include <windows.h>

void CALLBACK TimerProc(HWND, UINT, UINT_PTR, DWORD);

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    MSG msg;
    UINT nRet;

    // Thread timer with no window: DispatchMessage calls TimerProc every 4000 ms
    nRet = SetTimer(NULL, 1, 4000, (TIMERPROC)TimerProc);

    while (GetMessage(&msg, 0, 0, 0) > 0)
        DispatchMessage(&msg);

    return 1;
}


void CALLBACK TimerProc(HWND, UINT, UINT_PTR, DWORD)
{
    // The compiler has already emitted its own prologue for TimerProc before this block
    // and emits its epilogue (plus, in a debug build, an ESP check) after it.
    __asm {

        push        ebp                     // second frame on top of the compiler's own
        mov         ebp, esp
        sub         esp, 0C0h               // never undone before the compiler's epilogue runs

        mov         esi, esp                // leftover from a debug-build disassembly; does nothing useful here
        push        0                       // dwExtraInfo
        push        0                       // dwFlags = 0 (key down)
        push        0                       // bScan
        push        71h                     // bVk = VK_F2

        mov         eax, 0x75c9d93c         // hard-coded address of keybd_event in user32.dll (machine-specific)
        call        eax                     // stdcall: callee pops its four arguments

        mov         esi, esp
        push        0                       // dwExtraInfo
        push        2                       // dwFlags = KEYEVENTF_KEYUP
        push        0                       // bScan
        push        71h                     // bVk = VK_F2

        mov         eax, 0x75c9d93c
        call        eax

        mov         esi, esp
        push        1                       // uExitCode

        mov         eax, 0x772c3b54         // hard-coded address of ExitProcess in kernel32.dll: ends the process on the
        call        eax                     // first tick, so the unbalanced frame above is never observed

        //mov       eax, 0x75c9d93c
        //call      eax

    }
}


BlackVortex

Sorry, but I think this is the worst asm code ever   :'(

You're using static API addresses, you're executing useless commands, you're not correcting the stack before returning from the call, etc. etc.

nofx

I know it's not pretty, but that's not what's important in my case. I used static API addresses for a reason.
But any idea how I can fix my problem with the code I have?

BlackVortex

Quote from: nofx on July 24, 2008, 09:18:44 PM
I know it's not pretty, but that's not what's important in my case. I used static API addresses for a reason.
But any idea how I can fix my problem with the code I have?
Align the stack at the end of the function (the esp register).

The function reserves 0C0h bytes for local stack, so you need to compensate for that, then pop ebp, then ret (unless the compiler puts it in automatically).

I think it should be something like this at the end:
add esp, 0C0h
pop ebp
(maybe ret)

Farabi

Quote from: nofx on July 24, 2008, 09:18:44 PM
I know it's not pretty, but that's not what's important in my case. I used static API addresses for a reason.
But any idea how I can fix my problem with the code I have?
:dazzled: My GOD, can you tell me how you got the static address?
Those who had universe knowledges can control the world by a micro processor.
http://www.wix.com/farabio/firstpage

"Etos siperi elegi"

hutch--

The nod seems to be that this type of code is used for code injection, something that, among others, the virus brigade practice. Let us know what you are doing or this topic will be closed.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

BlackVortex

Kinda off-topic, but which API is that?

I see VK_F2 as one of the parameters (71h).

I can't find which API it is; this is useful, I might as well learn about it now. I searched around for suitable APIs but I didn't find any that directly takes a keycode as a parameter.

EDIT: Maybe it's the RegisterHotKey API...

Tedd

The code's a mess, no wonder it doesn't work. You obviously don't understand it, so it's a copy-paste job?

The hard-coded indirect calls are so the code can be injected into the host exe and make use of its dll call jump table.

What reason do you have for simulating pressing of F2 every 4 seconds?


What the code's meant to be doing:

keybd_event(VK_F2, 0, 0, 0)                  // key down   (VK_F2 = 71h)
keybd_event(VK_F2, 0, KEYEVENTF_KEYUP, 0)    // key up     (KEYEVENTF_KEYUP = 2)

ExitProcess(1)

No snowflake in an avalanche feels responsible.

BlackVortex

Aha! keybd_event, haven't seen it before.

Maybe this is for game botting or something. Give the poor guy a break, it's only a key!       :green :toothy :green

nofx

I'm just toying around with security applications. Perhaps this sounds kind of sinister, but my goal is to convert this into shellcode aka bytecode and see what happens. I have to use something like keybd_event because those are listed as blocked API calls. I'm just fooling around, which is the best way of learning new things if you ask me. So it's really not intended for any malicious reasons.
But this isn't really relevant to the topic. I'm absolutely no guru with ASM, so that's why I didn't really know what to do. I tried add esp, 16 at the end of the 4 push commands (4*4=16), but that didn't do the trick.

As for finding the addresses of the APIs: it differs with every OS and service pack you have installed, but I wrote a small app in C++ which reads out the address of the API in a specific DLL, in my case user32.dll. If you want this app, just PM me and I'll send it to you.

BlackVortex

You don't have to compensate for the pushed variables because Windows APIs use the stdcall convention. You need to compensate for the sub esp, 0C0h at the start.

You can use GetProcAddress to find the API addresses.

Quote from: nofx on July 25, 2008, 01:27:58 PM
...
As for finding the addresses of the APIs: it differs with every OS and service pack you have installed, but I wrote a small app in C++ which reads out the address of the API in a specific DLL, in my case user32.dll. If you want this app, just PM me and I'll send it to you.
hahaha!
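Where a tool like the one nofx describes gets those numbers, and why the GetProcAddress advice above is the safer route: the address a DLL exports under a name is ImageBase plus the export's RVA, both read out of the PE headers, and both change from one build of user32.dll to the next. The script below is an added example, my code rather than nofx's app or anything posted in this thread, that parses a PE export directory in Python. It never touches a real user32.dll: build_sample_dll constructs a minimal PE32 image in memory with made-up RVAs, a made-up image base of 0x75C80000 (chosen so that keybd_event comes out at the 0x75c9d93c from the first post) and one forwarded export to show that case; parse_exports and resolve_export are the part you would point at a real file.

```python
# Added example (not nofx's tool): read a DLL's export directory and compute ImageBase + RVA for a name.
import struct

EXPORT_DIR_FMT = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY, 40 bytes


def build_sample_dll(exports, image_base):
    """Constructed PE32 image with one .edata section; exports maps name -> RVA (int) or forwarder (str)."""
    names, n = sorted(exports), len(exports)
    sec_va, sec_raw = 0x1000, 0x400                  # section RVA and file offset
    off_funcs, off_names = 40, 40 + 4 * n
    off_ords, off_strs = off_names + 4 * n, off_names + 6 * n
    strs = bytearray()

    def add_str(s):                                  # append a C string to the section, return its RVA
        rva = sec_va + off_strs + len(strs)
        strs.extend(s.encode() + b"\0")
        return rva

    name_rvas = [add_str(nm) for nm in names]
    func_rvas = [exports[nm] if isinstance(exports[nm], int) else add_str(exports[nm]) for nm in names]
    dll_name_rva = add_str("sample.dll")
    edata = struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, dll_name_rva, 1, n, n,
                        sec_va + off_funcs, sec_va + off_names, sec_va + off_ords)
    edata += struct.pack(f"<{n}I", *func_rvas)       # AddressOfFunctions
    edata += struct.pack(f"<{n}I", *name_rvas)       # AddressOfNames
    edata += struct.pack(f"<{n}H", *range(n))        # AddressOfNameOrdinals (index into the function table)
    edata += bytes(strs)
    raw_size = (len(edata) + 0x1FF) & ~0x1FF
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)             # i386, one section, DLL
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0, raw_size, 0, 0, sec_va, sec_va, image_base)
    opt += struct.pack("<IIHHHHHHIIIIHHIIIIII", 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                       0x2000, sec_raw, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<II", sec_va, len(edata)) + bytes(8 * 15)              # DataDirectory[0] = exports
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(edata), sec_va, raw_size, sec_raw, 0, 0, 0, 0, 0x40000040)
    hdrs = dos + b"PE\0\0" + coff + opt + sect
    return hdrs + bytes(sec_raw - len(hdrs)) + edata + bytes(raw_size - len(edata))


def _rva_to_offset(sections, rva):                   # what the loader does implicitly once the DLL is mapped
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstr(image, off):
    return image[off:image.index(b"\0", off)].decode()


def parse_exports(image):
    """Return (ImageBase, {name: rva or forwarder string}) from a PE32/PE32+ file image."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:                               # PE32: 32-bit ImageBase at +28, data directories at +96
        image_base, = struct.unpack_from("<I", image, opt + 28)
        dirs = opt + 96
    elif magic == 0x20B:                             # PE32+: 64-bit ImageBase at +24, data directories at +112
        image_base, = struct.unpack_from("<Q", image, opt + 24)
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    exp_rva, exp_size = struct.unpack_from("<II", image, dirs)
    if exp_rva == 0:
        return image_base, {}                        # the DLL exports nothing
    # Section table entries: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<IIII", image, opt + size_opt + 40 * i + 8) for i in range(num_sections)]
    exp = _rva_to_offset(sections, exp_rva)
    _, _, _, _, _, _base, n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from(EXPORT_DIR_FMT, image, exp)
    funcs, names, ords = (_rva_to_offset(sections, r) for r in (funcs_rva, names_rva, ords_rva))
    result = {}
    for i in range(n_names):
        name_rva, = struct.unpack_from("<I", image, names + 4 * i)
        ordinal, = struct.unpack_from("<H", image, ords + 2 * i)  # already unbiased (ordinal minus Base)
        if ordinal >= n_funcs:
            raise ValueError("name table points past the function table")
        func_rva, = struct.unpack_from("<I", image, funcs + 4 * ordinal)
        name = _cstr(image, _rva_to_offset(sections, name_rva))
        # An RVA that lands inside the export directory is a forwarder string, not code.
        result[name] = _cstr(image, _rva_to_offset(sections, func_rva)) if exp_rva <= func_rva < exp_rva + exp_size else func_rva
    return image_base, result


def resolve_export(image, name):
    """Preferred VA of a named export: ImageBase + RVA. Only right if the DLL really loads at ImageBase."""
    image_base, exports = parse_exports(image)
    target = exports[name]                           # KeyError: not exported by name
    if isinstance(target, str):
        raise ValueError(f"{name} is forwarded to {target}; resolve it in that DLL instead")
    return image_base + target


# Constructed sample, not a real user32.dll: base and RVAs are made up so keybd_event lands on 0x75C9D93C.
SAMPLE = build_sample_dll({"keybd_event": 0x1D93C, "MessageBoxA": 0x3E5F0,
                           "HeapAlloc": "NTDLL.RtlAllocateHeap"}, image_base=0x75C80000)

if __name__ == "__main__":
    print(f"keybd_event -> {resolve_export(SAMPLE, 'keybd_event'):#x}")
```

Against a real file, call parse_exports(open(path, "rb").read()). The number it gives back is only where the export will be if the DLL actually loads at its preferred ImageBase: another Windows version or service pack ships a different user32.dll with different RVAs, and systems that randomize DLL load addresses move the base as well, which is why resolving at run time with GetProcAddress beats baking the number into the code.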

nofx

Quote from: nofx on July 25, 2008, 01:27:58 PM
...
As for finding the addresses of the APIs: it differs with every OS and service pack you have installed, but I wrote a small app in C++ which reads out the address of the API in a specific DLL, in my case user32.dll. If you want this app, just PM me and I'll send it to you.

hahaha!

Are you saying that it's not true?  ::)

hutch--

I have closed the topic as I am not happy with the answer, we have rules that exclude content of this type.