delphi package - full disassembler
Storm
Posts: 16 Joined: Tue Jul 18, 2006 8:22 am
by Storm » Thu Nov 23, 2006 11:46 am
Hello!
I have some questions (sorry for my English).
I have this asm code:
Code:
include 'INCLUDE\win32ax.inc'
.data
Serial db 'Some program',0
_MsgCaption db 'Disasm this',0
.code
start:
push 0
push Serial
push _MsgCaption
push 0
call MessageBox
push 0
call ExitProcess
retn
.end start
and have this compiled application:
http://rapidshare.com/files/4496667/HELLO.EXE.html
After disassembling (with madDisAsm) I have this code:
Code:
0011fbfc push 0
0011fbfe push $401000
0011fc03 push $40100d
0011fc08 push 0
0011fc0a call +$1069 ($120c78)
0011fc0f push 0
0011fc11 call +$1044 ($120c5a)
0011fc16 ret
Can you transfer +$1069 ($120c78) into MessageBox?
madshi
Site Admin
Posts: 10764 Joined: Sun Mar 21, 2004 5:25 pm
by madshi » Thu Nov 23, 2006 2:23 pm
What does madDisAsm do if you ask it to disassemble "$120c78" for you?
by Storm » Thu Nov 23, 2006 7:09 pm
How do I disassemble this string via madDisAsm?
by madshi » Thu Nov 23, 2006 9:45 pm
That's not what I meant. I want to know what $120c78 looks like. So I can understand why madDisAsm doesn't translate it to MessageBox. Normally it should do that.
by Storm » Mon Nov 27, 2006 1:23 pm
by madshi » Mon Nov 27, 2006 1:45 pm
If you don't answer my question, there's not much else I can do for you. I need to know what code is at $120c78.
by Storm » Tue Nov 28, 2006 10:36 am
Function MessageBoxA is (according to PETools) at address 00003084. Though maybe I do not understand the question; please explain more precisely.
PS. Instead, could you make a small demo, an example of disassembling an exe file?
by madshi » Tue Nov 28, 2006 11:05 am
madDisAsm is not meant to disassemble a file from hard disk. It is meant to do in-memory disassembling of loaded modules. There's an important difference: Loaded modules are made up by the OS loader. Files on disk are stored in a rather raw format and look different than loaded modules. If you want to disassemble a file from hard disk then madDisAsm is probably not really what you need.
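Added example, not part of the thread and not madDisAsm code: it shows why a relative `call` only resolves to the right place when the bytes are decoded at the address the OS loader maps them to. The instruction bytes are re-encoded from the listing above; the section table, image base and the file offset 0x400 are constructed assumptions, since HELLO.EXE's real headers are not shown in the thread.

```python
import struct

# Bytes re-encoded from the listing in the thread (standard x86 encodings):
# push 0 / push $401000 / push $40100d / push 0 / call +$1069 / push 0 / call +$1044 / ret
CODE = bytes.fromhex("6a00 6800104000 680d104000 6a00 e869100000 6a00 e844100000 c3")

# Constructed layout (assumption): (name, RVA, raw file offset, size)
IMAGE_BASE = 0x400000
SECTIONS = [(".data", 0x1000, 0x200, 0x200),
            (".code", 0x2000, 0x400, 0x200),
            (".idata", 0x3000, 0x600, 0x200)]

def offset_to_va(off):
    """Translate a raw file offset to the address the loader would map it to."""
    for _name, rva, raw, size in SECTIONS:
        if raw <= off < raw + size:
            return IMAGE_BASE + rva + (off - raw)
    raise ValueError("offset %#x is not inside any section" % off)

def section_of(va):
    """Name of the mapped section containing va, or None if it is outside the image."""
    for name, rva, _raw, size in SECTIONS:
        if IMAGE_BASE + rva <= va < IMAGE_BASE + rva + size:
            return name
    return None

def call_target(code, pos, base):
    """Decode 'call rel32' (opcode E8) at code[pos]; base is the address of code[0]."""
    if code[pos] != 0xE8:
        raise ValueError("no call rel32 at position %d" % pos)
    (rel,) = struct.unpack_from("<i", code, pos + 1)
    # The displacement is relative to the address of the *next* instruction.
    return (base + pos + 5 + rel) & 0xFFFFFFFF

if __name__ == "__main__":
    # Decoding at the address used in the thread versus the mapped address
    # (the code is assumed to start at file offset 0x400).
    for label, base in (("buffer at $11fbfc", 0x11FBFC),
                        ("mapped image", offset_to_va(0x400))):
        for pos in (14, 21):  # positions of the two E8 opcodes in CODE
            tgt = call_target(CODE, pos, base)
            print("%-18s call at %#x -> %#x (%s)" % (label, base + pos, tgt, section_of(tgt)))
```

Under the constructed layout the first call lands in `.idata` when decoded at the mapped address, while the `$120c78` target from the thread lies outside every section, so there is no import for a disassembler to match it against.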
by Storm » Tue Nov 28, 2006 11:20 am
Then could you not create a small example of using madDisAsm?
by madshi » Tue Nov 28, 2006 11:49 am
Example for what? Disassembling a file from hard disk? As I said, that's not what madDisAsm is meant for.
P.S: You could use LoadLibraryEx(DONT_RESOLVE_DLL_REFERENCES). Maybe then madDisAsm works better for you. I've not tested that, though.
by Storm » Wed Nov 29, 2006 8:36 am
OK, can you then create an example of using madDisAsm? (Simply an example of what madDisAsm can be needed for.)
by Storm » Wed Nov 29, 2006 9:17 am
And is an example for ParseCode also possible?
by madshi » Wed Nov 29, 2006 10:11 am
Just replace ParseFunction with ParseCode in the example above...
by Storm » Wed Nov 29, 2006 11:09 am
Also, let me ask one last question, a little off topic. Is it possible to take text lines from a file (for example parameters)?