Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #31  
Old 04-07-2013, 22:03
bridgeic bridgeic is offline
Friend
 
Join Date: Jun 2012
Posts: 88
Rept. Given: 7
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 6 Posts
bridgeic Reputation: 3
Quote:
Originally Posted by ragdog View Post
To convert it to compile it with masm is to many works
What make _tolower convert it uppercase letter to lower?

Example ABCD to abcd?
Hi ragdog,

Yes, just convert it uppercase letter to lower. In fact, we can set this whole function as library function instead of including the code of this function in the ASM code. I study it just want to learn more thing.

By your opinion, with right definition of including kernel32.lib, setting below is not must, right?

pr1 typedef PROTO : DWORD
externdef [email protected]:PTR pr1
GetModuleHandleA equ <[email protected]>

With this way, I have passed the LINK steps, but the results is not right, I'm still checking what's wrong.

I'll try to build up a small test case, hope you can help me to have a check, many thanks.

By the way, may I check with you whether you can run lib2inc22.exe succesfully?
Reply With Quote
  #32  
Old 04-08-2013, 03:26
ragdog ragdog is offline
Friend
 
Join Date: Feb 2011
Posts: 57
Rept. Given: 2
Rept. Rcvd 25 Times in 7 Posts
Thanks Given: 9
Thanks Rcvd at 6 Times in 4 Posts
ragdog Reputation: 25
Why use you not the apis crt__tolower or CharLower
Reply With Quote
  #33  
Old 04-08-2013, 17:25
bridgeic bridgeic is offline
Friend
 
Join Date: Jun 2012
Posts: 88
Rept. Given: 7
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 6 Posts
bridgeic Reputation: 3
Quote:
Originally Posted by ragdog View Post
Why use you not the apis crt__tolower or CharLower
The code dump from IDA, just want to study the methodology to modify and compile the dumped code to boj, then call by VC.
Reply With Quote
  #34  
Old 04-08-2013, 17:31
bridgeic bridgeic is offline
Friend
 
Join Date: Jun 2012
Posts: 88
Rept. Given: 7
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 6 Posts
bridgeic Reputation: 3
Hi ragdog,

Would you help check this small test case, Why failed when do LINK?
( I use the include based on your suggestion)

1. compile newtolower.asm to get newtolower.obj
2. run build.cmd to get newtest.exe(not succesful, can't find newtolower function)

Thanks,
bridgeic
Attached Files
File Type: rar c_call_asm_new.rar (31.7 KB, 3 views)
Reply With Quote
  #35  
Old 04-08-2013, 18:08
bridgeic bridgeic is offline
Friend
 
Join Date: Jun 2012
Posts: 88
Rept. Given: 7
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 6 Posts
bridgeic Reputation: 3
Quote:
Originally Posted by bridgeic View Post
Hi ragdog,

Would you help check this small test case, Why failed when do LINK?
( I use the include based on your suggestion)

1. compile newtolower.asm to get newtolower.obj
2. run build.cmd to get newtest.exe(not succesful, can't find newtolower function)

Thanks,
bridgeic
After change as below based on other friend's help, the newtest.exe generated, but error reported when run, I attached it here. Although still have errors, the metholodgy ragdog mentioned should be ok, thanks ragdog. If anyone would like help debug the generated newtest.exe run error, I will provide original file that IDA disassembled for reference.
newtolower proc near ,argv1: DWORD
Attached Files
File Type: rar c_call_asm_new.rar (61.7 KB, 3 views)
Reply With Quote
  #36  
Old 04-08-2013, 20:19
bilbo bilbo is offline
Friend
 
Join Date: Jul 2004
Posts: 103
Rept. Given: 36
Rept. Rcvd 15 Times in 12 Posts
Thanks Given: 15
Thanks Rcvd at 17 Times in 11 Posts
bilbo Reputation: 15
Quote:
Although still have errors, the metholodgy ragdog mentioned should be ok
not exactly...

again a problem of calling conventions...
newtolower() must be CDECL since the stack is adjusted on return by the caller.. Please google for calling conventions...

In first newtolower.asm you will obtain a decorated name [email protected]: that's not ok, it is a STDCALL decoration with 0 bytes as arguments

In second newtolower.asm you will obtain a decorated name [email protected]:
that's not ok, it is a STDCALL decoration with 4 bytes as arguments (it gots linked because the function declaration is coherent in both files, but the stack will be corrupted).

So the correct ASM must be:
Code:
newtolower proc near c
But also newtest.c is not correct, since newtolower must not declared as WINAPI (stdcall). Remove it (the default is CDECL):
Code:
extern int newtolower(int);
Finally, the program will yet trap because __getptd is calling
Code:
call dword_57E704
which is a call to 0!

Best regards, bilbo
Reply With Quote
  #37  
Old 04-09-2013, 09:55
bridgeic bridgeic is offline
Friend
 
Join Date: Jun 2012
Posts: 88
Rept. Given: 7
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 6 Posts
bridgeic Reputation: 3
Dear bilbo,

Thank you so much for your warm help, seems "call dword_57E704" will be a Gordian knot£¨do you have any suggestion how to solve this issue?
Reply With Quote
  #38  
Old 04-09-2013, 22:09
bridgeic bridgeic is offline
Friend
 
Join Date: Jun 2012
Posts: 88
Rept. Given: 7
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 6 Posts
bridgeic Reputation: 3
Quote:
Originally Posted by bilbo View Post
Code:
call dword_57E704
which is a call to 0!
Hi Bilbo,

Trace with ollydbg, seems the value is assigned outside the newtolower function, I'm not sure whether it is this way, still studying.

dword_57E704 dd 7C8097D0h ; kernel32.TlsGetValue
Reply With Quote
  #39  
Old 04-10-2013, 01:52
bilbo bilbo is offline
Friend
 
Join Date: Jul 2004
Posts: 103
Rept. Given: 36
Rept. Rcvd 15 Times in 12 Posts
Thanks Given: 15
Thanks Rcvd at 17 Times in 11 Posts
bilbo Reputation: 15
In fact, the trap in your EXE is no more related to that call...

To debug the trap: run it with your preferred debugger... It will break at
Code:
004699E0  mov         byte ptr [esi],dl
where ESI is 514808

If you look at program memory map (for example through Process Hacker), you will see that memory 514000-51D000 (presumably allocated by LMCRYPT, look at memory content in the debugger) is read-only!
Hence the trap due to Access Violation.

Best regards, bilbo
Reply With Quote
  #40  
Old 04-10-2013, 12:32
bridgeic bridgeic is offline
Friend
 
Join Date: Jun 2012
Posts: 88
Rept. Given: 7
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 6 Posts
bridgeic Reputation: 3
Quote:
Originally Posted by bilbo View Post
In fact, the trap in your EXE is no more related to that call...

To debug the trap: run it with your preferred debugger... It will break at
Code:
004699E0  mov         byte ptr [esi],dl
where ESI is 514808

If you look at program memory map (for example through Process Hacker), you will see that memory 514000-51D000 (presumably allocated by LMCRYPT, look at memory content in the debugger) is read-only!
Hence the trap due to Access Violation.

Best regards, bilbo
Dear bilbo,

I guess I may understand your means, test with ollydbg, if give parameters as "-i input.txt -o output.txt", then it won't run to 004699E0. Seems it will be bottleneck here. :-)
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Compile eror rcer General Discussion 8 06-25-2013 18:21
Why this error report in RadASM? bridgeic General Discussion 3 04-02-2013 17:36


All times are GMT +8. The time now is 12:17.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2020 )