problem with MadDisAsm

delphi package - full disassembler
Storm
Posts: 16
Joined: Tue Jul 18, 2006 8:22 am

problem with MadDisAsm

Post by Storm »

Hello!
I have a some questions (sorry for my english).

I have this asm code:

Code: Select all

include 'INCLUDE\win32ax.inc'
.data
Serial db 'Some program',0
_MsgCaption db 'Disasm this',0
.code
start:
push 0
push Serial
push _MsgCaption
push 0
call MessageBox
push 0
call ExitProcess
retn
.end start
and have this compiled application:
http://rapidshare.com/files/4496667/HELLO.EXE.html

After disassembling (with MadDisAsm) a have this code:

Code: Select all

0011fbfc   push    0
0011fbfe   push    $401000
0011fc03   push    $40100d
0011fc08   push    0
0011fc0a   call    +$1069 ($120c78)
0011fc0f   push    0
0011fc11   call    +$1044 ($120c5a)
0011fc16   ret
Can you transfer +$1069 ($120c78) in MessageBox?
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

What does madDisAsm do if you ask it to disassemble "$120c78" for you?
Storm
Posts: 16
Joined: Tue Jul 18, 2006 8:22 am

Post by Storm »

How to dissasm this string via maddissasm?
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

That's not what I meant. I want to know what $120c78 looks like. So I can understand why madDisAsm doesn't translate it to MessageBox. Normally it should do that.
Storm
Posts: 16
Joined: Tue Jul 18, 2006 8:22 am

Post by Storm »

madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

If you don't answer my question, there's not much else I can do for you. I need to know what code is at $120c78.
Storm
Posts: 16
Joined: Tue Jul 18, 2006 8:22 am

Post by Storm »

Function MessageBoxA is (on data PETools) to the address 00003084. Though, maybe, I do not understand a question, explain more precisely.

PS. Instead of you could make a small demo - example disassembling an exe-file?
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

madDisAsm is not meant to disassemble a file from harddisk. It is meant to do in memory disassembling of loaded modules. There's an important difference: Loaded modules are made up by the OS loader. Files on disk are stored in a rather raw format and look different than loaded modules. If you want to disassemble a file from harddisk then madDisAsm is probably not really what you need.
Storm
Posts: 16
Joined: Tue Jul 18, 2006 8:22 am

Post by Storm »

Then you could not create a small example use MadDisAsm?
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Example for what? Disassembling a file from harddisk? As I said, that's not what madDisAsm is meant for.

P.S: You could use LoadLibraryEx(DONT_RESOLVE_DLL_REFERENCES). Maybe then madDisAsm works better for you. I've not tested that, though.
Storm
Posts: 16
Joined: Tue Jul 18, 2006 8:22 am

Post by Storm »

Ok, whether you can create those an example of use madDisAsm. (it is simple an example for what can it is required madDisAsm)
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Code: Select all

var disAsm : string;
begin
  ParseFunction(GetProcAddress(GetModuleHandle('kernel32.dll'), 'CreateFileA'), disAsm);
This should give you something like this:

http://help.madshi.net/CreateFileADisAsm.htm
Storm
Posts: 16
Joined: Tue Jul 18, 2006 8:22 am

Post by Storm »

And it is possible also an example for ParseCode?
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Just replace ParseFunction with ParseCode in the example above... :)
Storm
Posts: 16
Joined: Tue Jul 18, 2006 8:22 am

Post by Storm »

Also let last question a little not in a theme. Whether it is possible to take from a file text lines (for example parameters)?
Post Reply