Page 1 of 2
problem with MadDisAsm
Posted: Thu Nov 23, 2006 11:46 am
by Storm
Hello!
I have a some questions (sorry for my english).
I have this asm code:
Code: Select all
include 'INCLUDE\win32ax.inc'
.data
Serial db 'Some program',0
_MsgCaption db 'Disasm this',0
.code
start:
push 0
push Serial
push _MsgCaption
push 0
call MessageBox
push 0
call ExitProcess
retn
.end start
and have this compiled application:
http://rapidshare.com/files/4496667/HELLO.EXE.html
After disassembling (with MadDisAsm) a have this code:
Code: Select all
0011fbfc push 0
0011fbfe push $401000
0011fc03 push $40100d
0011fc08 push 0
0011fc0a call +$1069 ($120c78)
0011fc0f push 0
0011fc11 call +$1044 ($120c5a)
0011fc16 ret
Can you transfer +$1069 ($120c78) in MessageBox?
Posted: Thu Nov 23, 2006 2:23 pm
by madshi
What does madDisAsm do if you ask it to disassemble "$120c78" for you?
Posted: Thu Nov 23, 2006 7:09 pm
by Storm
How to dissasm this string via maddissasm?
Posted: Thu Nov 23, 2006 9:45 pm
by madshi
That's not what I meant. I want to know what $120c78 looks like. So I can understand why madDisAsm doesn't translate it to MessageBox. Normally it should do that.
Posted: Mon Nov 27, 2006 1:23 pm
by Storm
Posted: Mon Nov 27, 2006 1:45 pm
by madshi
If you don't answer my question, there's not much else I can do for you. I need to know what code is at $120c78.
Posted: Tue Nov 28, 2006 10:36 am
by Storm
Function MessageBoxA is (on data PETools) to the address 00003084. Though, maybe, I do not understand a question, explain more precisely.
PS. Instead of you could make a small demo - example disassembling an exe-file?
Posted: Tue Nov 28, 2006 11:05 am
by madshi
madDisAsm is not meant to disassemble a file from harddisk. It is meant to do in memory disassembling of loaded modules. There's an important difference: Loaded modules are made up by the OS loader. Files on disk are stored in a rather raw format and look different than loaded modules. If you want to disassemble a file from harddisk then madDisAsm is probably not really what you need.
Posted: Tue Nov 28, 2006 11:20 am
by Storm
Then you could not create a small example use MadDisAsm?
Posted: Tue Nov 28, 2006 11:49 am
by madshi
Example for what? Disassembling a file from harddisk? As I said, that's not what madDisAsm is meant for.
P.S: You could use LoadLibraryEx(DONT_RESOLVE_DLL_REFERENCES). Maybe then madDisAsm works better for you. I've not tested that, though.
Posted: Wed Nov 29, 2006 8:36 am
by Storm
Ok, whether you can create those an example of use madDisAsm. (it is simple an example for what can it is required madDisAsm)
Posted: Wed Nov 29, 2006 9:02 am
by madshi
Code: Select all
var disAsm : string;
begin
ParseFunction(GetProcAddress(GetModuleHandle('kernel32.dll'), 'CreateFileA'), disAsm);
This should give you something like this:
http://help.madshi.net/CreateFileADisAsm.htm
Posted: Wed Nov 29, 2006 9:17 am
by Storm
And it is possible also an example for ParseCode?
Posted: Wed Nov 29, 2006 10:11 am
by madshi
Just replace ParseFunction with ParseCode in the example above...
Posted: Wed Nov 29, 2006 11:09 am
by Storm
Also let last question a little not in a theme. Whether it is possible to take from a file text lines (for example parameters)?