problem with MadDisAsm

Posted: Thu Nov 23, 2006 11:46 am
by Storm
Hello!
I have some questions (sorry for my English).

I have this asm code:

Code:

include 'INCLUDE\win32ax.inc'
.data
Serial db 'Some program',0
_MsgCaption db 'Disasm this',0
.code
start:
push 0
push Serial
push _MsgCaption
push 0
call MessageBox
push 0
call ExitProcess
retn
.end start

and have this compiled application:
http://rapidshare.com/files/4496667/HELLO.EXE.html

After disassembling (with MadDisAsm) I have this code:

Code:

0011fbfc   push    0
0011fbfe   push    $401000
0011fc03   push    $40100d
0011fc08   push    0
0011fc0a   call    +$1069 ($120c78)
0011fc0f   push    0
0011fc11   call    +$1044 ($120c5a)
0011fc16   ret

Can you transfer +$1069 ($120c78) in MessageBox?

Posted: Thu Nov 23, 2006 2:23 pm
by madshi
What does madDisAsm do if you ask it to disassemble "$120c78" for you?

Posted: Thu Nov 23, 2006 7:09 pm
by Storm
How do I disasm this string via madDisAsm?

Posted: Thu Nov 23, 2006 9:45 pm
by madshi
That's not what I meant. I want to know what $120c78 looks like. So I can understand why madDisAsm doesn't translate it to MessageBox. Normally it should do that.

Posted: Mon Nov 27, 2006 1:23 pm
by Storm

Posted: Mon Nov 27, 2006 1:45 pm
by madshi
If you don't answer my question, there's not much else I can do for you. I need to know what code is at $120c78.

Posted: Tue Nov 28, 2006 10:36 am
by Storm
Function MessageBoxA is (according to PETools) at the address 00003084. Though maybe I do not understand the question; please explain more precisely.

PS. Instead, could you make a small demo, an example of disassembling an exe file?

Posted: Tue Nov 28, 2006 11:05 am
by madshi
madDisAsm is not meant to disassemble a file from harddisk. It is meant to do in memory disassembling of loaded modules. There's an important difference: Loaded modules are made up by the OS loader. Files on disk are stored in a rather raw format and look different than loaded modules. If you want to disassemble a file from harddisk then madDisAsm is probably not really what you need.
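An added illustration of the on-disk versus loaded-module difference described above (not part of madshi's post and not madDisAsm code): it resolves the first `call` from the listing once against a raw file buffer and once against the mapped section layout. The section table and the buffer base are constructed assumptions, not values read from HELLO.EXE.

```python
from collections import namedtuple

Section = namedtuple("Section", "name rva vsize raw_off raw_size")

# Constructed layout (assumption): sections are 0x1000-aligned in memory
# but packed at 0x200-byte alignment in the file on disk.
SECTIONS = [
    Section(".data",  0x1000, 0x1000, 0x200, 0x200),
    Section(".code",  0x2000, 0x1000, 0x400, 0x200),
    Section(".idata", 0x3000, 0x1000, 0x600, 0x200),
]

def call_target(insn_addr, rel32):
    """Destination of a 5-byte E8 rel32 call: next instruction + displacement."""
    return (insn_addr + 5 + rel32) & 0xFFFFFFFF

def offset_to_rva(off, sections=SECTIONS):
    """RVA the loader assigns to a raw file offset, or None if nothing is stored there."""
    for s in sections:
        if s.raw_off <= off < s.raw_off + s.raw_size:
            return s.rva + (off - s.raw_off)
    return None

def section_of(rva, sections=SECTIONS):
    """Name of the mapped section containing an RVA, or None."""
    for s in sections:
        if s.rva <= rva < s.rva + s.vsize:
            return s.name
    return None

def compare(buf_base, insn_addr, rel32):
    """Resolve one call twice: inside the raw file buffer and inside the mapped image."""
    raw_off = call_target(insn_addr, rel32) - buf_base   # where the call lands in the file
    insn_rva = offset_to_rva(insn_addr - buf_base)       # where the loader puts the call
    mapped_rva = call_target(insn_rva, rel32)            # where it lands once mapped
    return offset_to_rva(raw_off), section_of(mapped_rva), mapped_rva

if __name__ == "__main__":
    # Assumption: the listing came from a raw file copy whose .code starts at offset 0x400.
    in_file, section, rva = compare(0x11FBFC - 0x400, 0x11FC0A, 0x1069)
    print("target inside raw file data:", in_file)
    print("target in mapped image: %s at RVA %#x" % (section, rva))
```

With this layout the displacement points past the end of the raw file data, while in the mapped image the same displacement lands in the import section, which is the only place a disassembler can match it to an imported name.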

Posted: Tue Nov 28, 2006 11:20 am
by Storm
Then could you not create a small example of using MadDisAsm?

Posted: Tue Nov 28, 2006 11:49 am
by madshi
Example for what? Disassembling a file from harddisk? As I said, that's not what madDisAsm is meant for.

P.S: You could use LoadLibraryEx(DONT_RESOLVE_DLL_REFERENCES). Maybe then madDisAsm works better for you. I've not tested that, though.

Posted: Wed Nov 29, 2006 8:36 am
by Storm
OK, can you create an example of using madDisAsm? (Just a simple example of what madDisAsm can be needed for.)

Posted: Wed Nov 29, 2006 9:02 am
by madshi

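Code:

// uses Windows, madDisAsm;
var disAsm : string;
begin
  // disassemble CreateFileA from the loaded kernel32.dll; the listing is returned in disAsm
  ParseFunction(GetProcAddress(GetModuleHandle('kernel32.dll'), 'CreateFileA'), disAsm);
end;

This should give you something like this: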

http://help.madshi.net/CreateFileADisAsm.htm

Posted: Wed Nov 29, 2006 9:17 am
by Storm
And is an example for ParseCode also possible?

Posted: Wed Nov 29, 2006 10:11 am
by madshi
Just replace ParseFunction with ParseCode in the example above... :)

Posted: Wed Nov 29, 2006 11:09 am
by Storm
Also, one last question, a little off topic: is it possible to take text lines (for example parameters) from a file?