Overlapped structure

Started by Magnum, December 13, 2012, 04:05:55 PM


Magnum

I have read the info on the OVERLAPPED structure, ReadFile, and WriteFile.

If I open test.exe in a hex editor, where should those 2 bytes, 75h and 15h, be?



.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data

FileName db "test.exe",0
AppName db "Fixit",0
Done db "File fixed succesfully !",0
NoFile db "Can't find test.exe !",0
ReFile db "Wrong version of test.exe !",0
WrFile db "Error writing to test.exe !",0

RBuffer db 75h, 15h    ; the bytes we expect to find at the patch offset
WBuffer db 90h,90h     ; the bytes written over them (two NOPs)

; OVERLAPPED.Offset specifies a file position at which to start the transfer. The file position
; is a byte offset from the start of the file. The calling process sets this member before calling
; the ReadFile or WriteFile function. This member is ignored when reading from or writing to
; named pipes and communications devices.
;
; Field order is Internal, InternalHigh, Offset, OffsetHigh, hEvent; only Offset (53Fh) is set.

OffsetPos OVERLAPPED <NULL,NULL,53Fh,NULL,NULL>

Mark4 db "offsetpos End",0

.data?

hInstance HINSTANCE ?
CommandLine LPSTR ?
hwndname HWND ?
hFile HANDLE ?
Numb dd ?               ; bytes actually transferred by ReadFile/WriteFile

Buffer db 2 dup(?)

.code
start:

invoke GetModuleHandleA, NULL
mov hInstance,eax

; The handle is opened without FILE_FLAG_OVERLAPPED, so ReadFile/WriteFile are synchronous;
; the OVERLAPPED structure is only used to supply the file offset.
invoke CreateFile,ADDR FileName, GENERIC_READ OR GENERIC_WRITE, FILE_SHARE_READ OR FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
mov hFile, eax ; Store handle of file (INVALID_HANDLE_VALUE on failure)

.IF eax!=INVALID_HANDLE_VALUE

    ; Read the 2 bytes we are going to fix (Buffer stays zero if the read falls short,
    ; so a file shorter than 541h bytes reports "wrong version")
    invoke ReadFile, hFile, ADDR Buffer, 2, ADDR Numb, ADDR OffsetPos

    mov ax, word ptr [Buffer]
    .IF ax == word ptr [RBuffer] ; If they are the right ones (75h,15h) we replace them
        invoke WriteFile, hFile, ADDR WBuffer, 2, ADDR Numb, ADDR OffsetPos   ; Write the new bytes (90h 90h) at the same offset
        .IF Numb == 2
            push MB_OK
            push OFFSET AppName
            push OFFSET Done
        .ELSE
            push MB_OK OR MB_ICONINFORMATION
            push OFFSET AppName
            push OFFSET WrFile
        .ENDIF
    .ELSE
        push MB_OK OR MB_ICONINFORMATION
        push OFFSET AppName
        push OFFSET ReFile
    .ENDIF

.ELSE
    push MB_OK OR MB_ICONINFORMATION
    push OFFSET AppName
    push OFFSET NoFile
.ENDIF

push NULL
call MessageBox                 ; hWnd was pushed last, uType first (stdcall order)

.IF hFile != INVALID_HANDLE_VALUE   ; only close a handle we actually got
    invoke CloseHandle, hFile
.ENDIF
invoke ExitProcess, 0

end start
Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

MichaelW

The easiest method would be to search for the strings. Those two bytes should immediately follow the null terminator for the last string:

00000000
. . .
000007F0  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
00000800  74 65 73 74 2E 65 78 65 - 00 46 69 78 69 74 00 46  test.exe.Fixit.F
00000810  69 6C 65 20 66 69 78 65 - 64 20 73 75 63 63 65 73  ile fixed succes
00000820  66 75 6C 6C 79 20 21 00 - 43 61 6E 27 74 20 66 69  fully !.Can't fi
00000830  6E 64 20 74 65 73 74 2E - 65 78 65 20 21 00 57 72  nd test.exe !.Wr
00000840  6F 6E 67 20 76 65 72 73 - 69 6F 6E 20 6F 66 20 74  ong version of t
00000850  65 73 74 2E 65 78 65 20 - 21 00 45 72 72 6F 72 20  est.exe !.Error
00000860  77 72 69 74 69 6E 67 20 - 74 6F 20 74 65 73 74 2E  writing to test.
00000870  65 78 65 20 21 00 75 15 - 90 90 00 00 00 00 00 00  exe !.u.........
. . .

Well Microsoft, here's another nice mess you've gotten us into.

qWord

Quote from: Magnum on December 13, 2012, 04:05:55 PM
I have read the info on the OVERLAPPED structure, ReadFile, and WriteFile.
I'm sure that you don't need asynchronous file I/O (that means that ReadFile/WriteFile immediately return without waiting until all bytes have been read/written) - always set lpOverlapped to NULL. The read/write position can be set using SetFilePointer().

EDIT: as Dubby points out, the OVERLAPPED structure can also be used without FILE_FLAG_OVERLAPPED.
MREAL macros - when you need floating point arithmetic while assembling!

dedndave

yes - OVERLAPPED I/O is not an issue, Andy
that will just add confusion to what you are trying to do

Quote from: qWord on December 13, 2012, 05:35:13 PM
I'm sure that you don't need asynchronous file I/O (that means that ReadFile/WriteFile immediately
return without waiting until all bytes have been read/written) - always set lpOverlapped to NULL.
The read/write position can be set using SetFilePointer().

well, unless you are using overlapped I/O   :lol:

I have played with overlapped I/O while working with a serial port
so - it does have its uses   :t

ragdog

Hi

The best way to search for a string in a file, or to replace a string, is via a file mapping.

Then search for a string and test whether the string's characters are ASCII or not:

A-Z, a-z, 0-9

For the end of the search you can use the file size or check for null bytes.

Greets,

Dubby

see here:
http://blogs.msdn.com/b/oldnewthing/archive/2012/04/05/10290954.aspx
You can use an OVERLAPPED structure with synchronous I/O, too

the provided sample is in C though.

qWord

Quote from: Dubby on December 13, 2012, 06:19:41 PM
see here:
http://blogs.msdn.com/b/oldnewthing/archive/2012/04/05/10290954.aspx
You can use an OVERLAPPED structure with synchronous I/O, too

the provided sample is in C though.
Didn't know that - saves the call to SetFilePointer()  :icon14:

Magnum

Quote from: MichaelW on December 13, 2012, 05:27:45 PM
The easiest method would be to search for the strings. Those two bytes should immediately follow the null terminator for the last string:

00000000
. . .
000007F0  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
00000800  74 65 73 74 2E 65 78 65 - 00 46 69 78 69 74 00 46  test.exe.Fixit.F
00000810  69 6C 65 20 66 69 78 65 - 64 20 73 75 63 63 65 73  ile fixed succes
00000820  66 75 6C 6C 79 20 21 00 - 43 61 6E 27 74 20 66 69  fully !.Can't fi
00000830  6E 64 20 74 65 73 74 2E - 65 78 65 20 21 00 57 72  nd test.exe !.Wr
00000840  6F 6E 67 20 76 65 72 73 - 69 6F 6E 20 6F 66 20 74  ong version of t
00000850  65 73 74 2E 65 78 65 20 - 21 00 45 72 72 6F 72 20  est.exe !.Error
00000860  77 72 69 74 69 6E 67 20 - 74 6F 20 74 65 73 74 2E  writing to test.
00000870  65 78 65 20 21 00 75 15 - 90 90 00 00 00 00 00 00  exe !.u.........
. . .


Michael,

I didn't make myself very clear.

I am a visual kind of guy.

The author of the original code included an .exe that this program opens up.
It searched for those 2 bytes at a certain position.

Unfortunately, the included program that this code opened up did not have those two bytes anywhere in the file,
and I got the message that it was the wrong version.

If it had, it would have been easy to see where those two bytes were when I opened it up in a hex editor.

Could someone make a program that has those 2 bytes in the right position?

It would help me move on.  :t

Andy

hutch--

Andy,

Open the file, set the file pointer to the offset it is supposed to be at then read the two bytes at that offset. Simple.  :biggrin:
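As an added example (not code from the thread or from Andy's original program), here is hutch's procedure in portable C: seek to the known offset, read the two bytes, and write the replacement only if they are the expected ones. On Win32 the same steps are SetFilePointer followed by ReadFile/WriteFile, or ReadFile/WriteFile with an OVERLAPPED whose Offset field carries the position, as in Andy's listing; that works on a synchronous handle as long as CreateFile was not given FILE_FLAG_OVERLAPPED. Standard C stdio is used here so it compiles anywhere. The file name, the zero-filled sample file and the result codes are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Result codes mirroring the four message boxes of the original program. */
enum patch_result { PATCH_OK = 0, PATCH_NO_FILE, PATCH_WRONG_VERSION, PATCH_WRITE_ERROR };

static const uint8_t JNZ_BYTES[2] = {0x75, 0x15};   /* jnz short +15h: what must be there */
static const uint8_t NOP_BYTES[2] = {0x90, 0x90};   /* two NOPs: what is written instead */

/* Seek to `offset`, read `len` bytes, and overwrite them with `replace` only if
 * they equal `expect`. The "wrong version" path leaves the file untouched.
 * Win32 equivalent: SetFilePointer + ReadFile/WriteFile, or OVERLAPPED.Offset. */
int patch_at_offset(const char *path, long offset, const uint8_t *expect,
                    const uint8_t *replace, size_t len)
{
    uint8_t buf[16];
    if (len > sizeof buf) return PATCH_WRITE_ERROR;
    FILE *f = fopen(path, "r+b");              /* read/write, file must exist */
    if (!f) return PATCH_NO_FILE;
    int rc = PATCH_WRONG_VERSION;
    if (fseek(f, offset, SEEK_SET) == 0 && fread(buf, 1, len, f) == len &&
        memcmp(buf, expect, len) == 0) {
        /* Re-seek: C requires a positioning call between a read and a write on one stream. */
        rc = (fseek(f, offset, SEEK_SET) == 0 && fwrite(replace, 1, len, f) == len)
             ? PATCH_OK : PATCH_WRITE_ERROR;
    }
    fclose(f);
    return rc;
}

/* Returns 1 if the `len` bytes at `offset` equal `expect`, 0 otherwise or on error. */
int bytes_at_offset_equal(const char *path, long offset, const uint8_t *expect, size_t len)
{
    uint8_t buf[16];
    if (len > sizeof buf) return 0;
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    int ok = fseek(f, offset, SEEK_SET) == 0 && fread(buf, 1, len, f) == len &&
             memcmp(buf, expect, len) == 0;
    fclose(f);
    return ok;
}

/* Constructed stand-in for the thread's test.exe (assumption): 0x600 zero bytes with
 * 75 15 at `offset`, so the pair is easy to spot in a hex editor. Returns 1 on success. */
int write_sample_file(const char *path, long offset)
{
    uint8_t image[0x600] = {0};
    if (offset < 0 || (size_t)offset + 2 > sizeof image) return 0;
    image[offset] = 0x75;
    image[offset + 1] = 0x15;
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    int ok = fwrite(image, 1, sizeof image, f) == sizeof image;
    fclose(f);
    return ok;
}

int main(void)
{
    const char *path = "sample_test.exe";        /* assumed file name */
    if (!write_sample_file(path, 0x53F)) return 1;
    printf("first run: %d (0 = fixed)\n", patch_at_offset(path, 0x53F, JNZ_BYTES, NOP_BYTES, 2));
    printf("second run: %d (2 = wrong version, bytes are now 90 90)\n",
           patch_at_offset(path, 0x53F, JNZ_BYTES, NOP_BYTES, 2));
    return 0;
}
```

Run stand-alone it writes sample_test.exe, patches it, and on the second run reports the thread's "wrong version" case because 90 90 is now at 53Fh. Comparing the bytes before overwriting is what stops the patcher from clobbering a different build of the target, and an offset past the end of the file fails the read rather than the write, so it also lands in the "wrong version" path.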

Magnum

Ragdog,

I will also be searching for some code sequences to change as well.

Andy

Magnum

Found some memory scanner code in C.

Complex, but very interesting.

Andy

happynews.com

Hannover db "Courage: mental or moral strength to venture, persevere, and withstand danger, fear, or difficulty",0

Geist        db "Spirit also suggests a quality of temperament enabling one to hold one's own or keep up one's morale when opposed or threatened.",0

dedndave

if the exe file is relatively small, you can read the entire file into memory
of course, if you know the exact offset, you can use the file pointer method that Hutch mentioned
but, if you have to search for it, and the whole EXE is less than, say, 100 kb...
allocate a buffer, read it in, find it, patch it, write it out
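Added example, not code from the thread: dedndave's read-it-in, find-it, patch-it, write-it-out loop in portable C, with MichaelW's observation turned into a check. The patch target is located by searching for the last string of the table and verifying the two bytes after its terminator, instead of trusting a hard-coded offset. The sample file is constructed to match MichaelW's dump (string table at 800h, 75 15 at 876h); the 100 KB cap, the file name and the function names are assumptions. ragdog's file-mapping approach does the same search over a mapped view instead of a heap buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MAX_FILE_SIZE (100 * 1024)   /* assumed cap; whole-file patching only for small EXEs */

static const uint8_t JNZ_BYTES[2] = {0x75, 0x15};  /* jnz short +15h: the bytes to find */
static const uint8_t NOP_BYTES[2] = {0x90, 0x90};  /* two NOPs: the replacement */
/* Last string of the table, terminator included (28 bytes): the target follows it. */
static const uint8_t LAST_STRING[] = "Error writing to test.exe !";

/* Read the whole file into a malloc'd buffer; NULL if unreadable, empty or over the cap. */
uint8_t *read_whole_file(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    long sz = fseek(f, 0, SEEK_END) == 0 ? ftell(f) : -1;
    uint8_t *buf = (sz > 0 && sz <= MAX_FILE_SIZE && fseek(f, 0, SEEK_SET) == 0)
                   ? malloc((size_t)sz) : NULL;
    if (buf && fread(buf, 1, (size_t)sz, f) == (size_t)sz) *len = (size_t)sz;
    else { free(buf); buf = NULL; }
    fclose(f);
    return buf;
}

/* Byte-wise search with memcmp, not strstr, because patterns may contain NULs.
 * Returns the offset of the first match at or after `from`, or -1. */
long find_bytes(const uint8_t *buf, size_t len, size_t from,
                const uint8_t *pat, size_t patlen)
{
    if (patlen == 0 || len < patlen) return -1;
    for (size_t i = from; i + patlen <= len; i++)
        if (memcmp(buf + i, pat, patlen) == 0) return (long)i;
    return -1;
}

/* "Search for the string, then look at what follows it": returns the offset of
 * the bytes right after `anchor` if they equal `expect`, else -1. */
long offset_after_anchor(const char *path, const uint8_t *anchor, size_t alen,
                         const uint8_t *expect, size_t elen)
{
    size_t len = 0;
    uint8_t *buf = read_whole_file(path, &len);
    if (!buf) return -1;
    long rc = -1, at = find_bytes(buf, len, 0, anchor, alen);
    if (at >= 0 && (size_t)at + alen + elen <= len &&
        memcmp(buf + at + alen, expect, elen) == 0)
        rc = at + (long)alen;
    free(buf);
    return rc;
}

/* Replace every occurrence of `pat` with the same-length `rep`; returns the count. */
size_t patch_all(uint8_t *buf, size_t len, const uint8_t *pat,
                 const uint8_t *rep, size_t patlen)
{
    size_t n = 0;
    for (long at = find_bytes(buf, len, 0, pat, patlen); at >= 0;
         at = find_bytes(buf, len, (size_t)at + patlen, pat, patlen)) {
        memcpy(buf + at, rep, patlen);
        n++;
    }
    return n;
}

/* Read it in, find it, patch it, write it out; the file is rewritten only when
 * something changed. Returns the number of patches, or -1 on an I/O error. */
long patch_file_by_search(const char *path, const uint8_t *pat,
                          const uint8_t *rep, size_t patlen)
{
    size_t len = 0;
    uint8_t *buf = read_whole_file(path, &len);
    if (!buf) return -1;
    long rc = (long)patch_all(buf, len, pat, rep, patlen);
    if (rc > 0) {
        FILE *f = fopen(path, "wb");
        if (!f || fwrite(buf, 1, len, f) != len) rc = -1;
        if (f) fclose(f);
    }
    free(buf);
    return rc;
}

/* Constructed sample laid out like MichaelW's dump: zeros up to 0x800, the string
 * table (misspelling kept), then 75 15 90 90 and padding. Returns 1 on success. */
int write_sample_exe(const char *path)
{
    static const char strings[] =
        "test.exe\0Fixit\0File fixed succesfully !\0Can't find test.exe !\0"
        "Wrong version of test.exe !\0Error writing to test.exe !\0";
    static const uint8_t tail[] = {0x75, 0x15, 0x90, 0x90, 0, 0, 0, 0, 0, 0};
    static const uint8_t zeros[0x800] = {0};
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    int ok = fwrite(zeros, 1, sizeof zeros, f) == sizeof zeros &&
             fwrite(strings, 1, sizeof strings - 1, f) == sizeof strings - 1 &&
             fwrite(tail, 1, sizeof tail, f) == sizeof tail;
    fclose(f);
    return ok;
}
```

Usage: call write_sample_exe("sample_search.exe"), then offset_after_anchor with LAST_STRING and JNZ_BYTES, which returns 876h, matching the dump; patch_file_by_search with JNZ_BYTES and NOP_BYTES then returns 1 and rewrites the file, and a second call returns 0 without touching it. The size cap matters because the buffer is the whole file, and the anchor check is what keeps a blind search from patching a 75 15 that happens to occur somewhere else in the image.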