The invoke macro and the masm compiler make jump thunk tables.
But how is the manual setting done in use32?
.486
.mmx
.model flat,stdcall
option casemap :none
.data
pMessageBoxA:
extrn MessageBoxA:dword
pT DB "My Title here",0
pM DB "Message",0
.code
start:
PUSH 0
PUSH offset pT
PUSH offset pM
PUSH 0
CALL Jump
RETN
Jump:
; $-FF25 00104000
JMP [offset pMessageBoxA] ; masm creates this automatic, i want to determine the jmp place
end
that's going to crash because you are pointing at the jump instruction, not the operand
and - the operand is a pointer to a table that has another pointer to the code :P
btw - we call it an IAT - import address table
http://www.masmforum.com/board/index.php?topic=17073.msg142389#msg142389
Hello Dave, and thanks for your answer, but the link did not help me.
Yes, my source does not work; it's only to show I was not lazy.
And I just have no idea; it would be great if you could fix my code snippet :)
looking at your code,
.data
pMessageBoxA:
extrn MessageBoxA:dword
this doesn't work
the colon is used for code labels only - not data declarations
also - you want to include files and import libraries to make life much easier :P
let's start with a "normal" asm program with a message box
;#################################################################
.XCREF
.NoList
INCLUDE \Masm32\Include\Masm32rt.inc
.List
;#################################################################
.DATA
szMsg db 'Message',0
szTitle db 'Title',0
;*****************************************************************
; .DATA?
;#################################################################
.CODE
;*****************************************************************
WinMain PROC
INVOKE MessageBox,0,offset szMsg,offset szTitle,MB_OK
INVOKE ExitProcess,eax
WinMain ENDP
;#################################################################
END WinMain
once you are able to build that and make it work, we will move to the next step :t
done and I'm waiting for step 2 :)
as you may already understand, INVOKE is a macro (internal to masm)
we can generate exactly the same EXE with this code
WinMain PROC
push MB_OK
push offset szTitle
push offset szMsg
push 0
CALL MessageBox
INVOKE ExitProcess,eax
WinMain ENDP
but, let's back up a minute and see what is going on at "offset MessageBox"
we can use the masm32 "uhex$" macro to simplify the code
WinMain PROC
mov edx,offset MessageBox
movzx ecx,word ptr [edx]
INVOKE MessageBox,0,uhex$(ecx),offset szTitle,MB_OK
INVOKE ExitProcess,eax
WinMain ENDP
we will see the FF25 JMP instruction, with the bytes reversed
we know that the operand of that branch is encoded in the 4 bytes that follow
WinMain PROC
mov edx,offset MessageBox
mov ecx,[edx+2]
INVOKE MessageBox,0,uhex$(ecx),offset szTitle,MB_OK
INVOKE ExitProcess,eax
WinMain ENDP
FF25 is an opcode for JMP dword ptr [address]
meaning that the operand is a memory location that contains the target address
what we really want to see is that address
WinMain PROC
mov edx,offset MessageBox
mov edx,[edx+2]
mov ecx,[edx]
INVOKE MessageBox,0,uhex$(ecx),offset szTitle,MB_OK
INVOKE ExitProcess,eax
WinMain ENDP
that is the actual address of the code
now, we can put it all together and call that address, rather than MessageBox from the IAT
WinMain PROC
mov edx,offset MessageBox
mov edx,[edx+2]
mov ecx,[edx]
push MB_OK
push offset szTitle
push offset szMsg
push 0
CALL ecx
INVOKE ExitProcess,eax
WinMain ENDP
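The two dereferences dedndave's last snippet does in asm (mov edx,[edx+2] to get the IAT slot, then mov ecx,[edx] to get the code address) written out as an added Python example, not code from the thread: it decodes an FF 25 thunk and follows it to the IAT slot and the stored target. The memory image, the addresses 0x401000/0x401030/0x401036 and the API addresses stored in the slots are constructed for the demo.

```python
# Added example (not from the thread): resolve a linker-generated
# "jmp dword ptr [iat_slot]" thunk to the IAT slot it reads and the
# address stored there. Image contents and addresses are constructed.
import struct

# Constructed 32-bit image fragments keyed by virtual address:
# IAT at 0x401000 (two slots), thunks at 0x401030 / 0x401036.
# The slot contents are made-up API addresses, not real ones.
IMAGE = {
    0x00401000: struct.pack("<II", 0x7E45058A, 0x7C81CAFA),  # IAT slots
    0x00401030: bytes.fromhex("FF2500104000"),  # jmp dword ptr [401000h]
    0x00401036: bytes.fromhex("FF2504104000"),  # jmp dword ptr [401004h]
}


def read(va: int, size: int) -> bytes:
    """Read `size` bytes at virtual address `va` from the constructed image."""
    for start, blob in IMAGE.items():
        if start <= va and va + size <= start + len(blob):
            off = va - start
            return blob[off:off + size]
    raise ValueError(f"address {va:#010x} not mapped")


def decode_jmp_thunk(va: int) -> int:
    """Return the IAT slot address encoded in an FF 25 disp32 thunk at `va`.

    FF /4 with ModRM 25 (mod=00, reg=100, rm=101) is JMP r/m32 with an
    absolute 32-bit memory operand; the operand follows as little-endian
    disp32, i.e. the 4 bytes at thunk+2, just like [edx+2] in the asm.
    """
    opcode, modrm = read(va, 2)
    if opcode != 0xFF or modrm != 0x25:
        raise ValueError(f"{va:#010x}: not a jmp dword ptr [imm32] thunk")
    return struct.unpack("<I", read(va + 2, 4))[0]


def resolve_thunk(va: int) -> tuple[int, int]:
    """Follow thunk -> IAT slot -> stored target, returning (slot, target)."""
    slot = decode_jmp_thunk(va)
    target = struct.unpack("<I", read(slot, 4))[0]  # the [edx] dereference
    return slot, target


if __name__ == "__main__":
    for thunk in (0x00401030, 0x00401036):
        slot, target = resolve_thunk(thunk)
        print(f"thunk {thunk:#010x} -> IAT slot {slot:#010x} -> code at {target:#010x}")
```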
The code stores the IAT address in the called ECX, yeah, good to know ...
but how can I determine the offset address from the compiled jmp2iat entries?
For example, I want to have it upside the entrypoint :)
you will have to explain that a little better
i don't understand what you want to do :P
Quote: I want to have it upside the entrypoint
:redface:
are you saying that you want to call the code, directly ?
http://www.pic-upload.de/view-18697627/desk.png.html
I meant the jumps should be between the IAT & the entrypoint.
i am still not sure i understand what you are trying to do - lol
i guess you are trying to create your own IAT in the .CODE section ?
maybe what you want to study is the PE file format
maybe you are missing an important point
the address of the code is not known until the operating system loads the PE EXE and runs it
during the load process, the operating system looks in the PE header and gets the address of the IAT
then, it fills it in with table addresses before transferring control to the EXE code
so, you can create your own IAT, but you have to alter the PE header to let the OS know where it is
Sinsi was telling me, the other day, that FASM allows you to do this fairly easily
http://masm32.com/board/index.php?topic=1681.msg17136#msg17136
i have never tried it, but if he says it works, it probably does :P
The IAT is created by masm (with /MERGE settings) at RVA 0x00401000,
and the jmp entries are at 0x00401030 & 0x00401036, also created by masm.
And I want to have (move) it at the 0x00401010 address :)
edit:
That's the point, I did start with fasm, also I'm new with asm,
so it isn't possible with masm... I didn't know that.
Thx for your time and help dedndave :)
the only way i can think of is to "manually" alter the PE file
some of the other guys might know a better way
but, sooner or later, someone is going to want to know why you want to do this
and, they may point you at the forum rules and lock the thread :P
Don't worry, I'm just an empowered citizen and I don't like that everything is always automatic,
I want to have the power for my own. Or is that against the forum rules?
Quote from: herman_the_german on March 28, 2013, 04:59:34 AM
That's the point, I did start with fasm, also I'm new with asm,
so it isn't possible with masm... I didn't know that.
Actually, fasm is able to do so because it supports formats that don't need a link step.
Masm has no such support. It is the linker that generates the IAT ( and also adds the "jmp"-thunks ), and you cannot fully control the linker from inside the assembly source.
thanks for the info bro