CreateFile - CreateFileMapping - MapViewOfFile Questions!!!

Started by s4ng3r, August 28, 2013, 06:14:27 AM


s4ng3r

Hi guys!

I have the follow problem:

This is part of my code:

mov  ebp, esp
sub  esp, 08h                        ; reserve 8 bytes on the stack for the file name
;mov  byte ptr DS:[ebp-09h], 6dh     ; 'm' (disabled: ebp-09h lies below the 8 reserved bytes)
mov  byte ptr DS:[ebp-08h], 73h      ; 's'
mov  byte ptr DS:[ebp-07h], 67h      ; 'g'
mov  byte ptr DS:[ebp-06h], 62h      ; 'b'
mov  byte ptr DS:[ebp-05h], 2eh      ; '.'
mov  byte ptr DS:[ebp-04h], 65h      ; 'e'
mov  byte ptr DS:[ebp-03h], 78h      ; 'x'
mov  byte ptr DS:[ebp-02h], 65h      ; 'e'
mov  byte ptr DS:[ebp-01h], 00h      ; terminating 0
lea  ebx, [ebp-08h]                  ; ebx -> "sgb.exe"
invoke CreateFile,ebx,GENERIC_EXECUTE+GENERIC_WRITE+GENERIC_READ,NULL,NULL,OPEN_EXISTING,NULL,NULL
mov ebx,eax                          ; file handle
invoke CreateFileMapping,ebx,NULL,SEC_IMAGE+PAGE_EXECUTE_READWRITE,NULL,NULL,NULL
mov ebx,eax                          ; mapping handle
invoke MapViewOfFile,ebx,FILE_MAP_ALL_ACCESS,NULL,NULL,NULL   ; eax = base address of the view


I need to see the code of the program sgb.exe. The EAX register gets the value 0x380000 when I call MapViewOfFile, but at 0x381000 I see:


00381000   6A 00            PUSH 0
00381002   68 4B304000      PUSH 40304B
00381007   68 00304000      PUSH 403000
0038100C   6A 00            PUSH 0
0038100E   E8 07000000      CALL 0038101A                            ; JMP to kernel32.MapViewOfFile
00381013   6A 00            PUSH 0
00381015   E8 06000000      CALL 00381020                            ; JMP to kernel32.CreateFileMappingA
0038101A  -FF25 08204000    JMP DWORD PTR DS:[<&kernel32.MapViewOfFi>; kernel32.MapViewOfFile
00381020  -FF25 00204000    JMP DWORD PTR DS:[<&kernel32.CreateFileM>; kernel32.CreateFileMappingA


How can I get the code of the program sgb.exe? It only calls a msgbox:

    push 0
    push offset title
    push offset message
    push 0
    call MessageBox


thanks for your replies,

regards
s4ng3r 8)
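The listing above shows the mapped entry code at 0x381000, exactly 0x1000 past the view base, which is where a PE header walk would have pointed: the entry point's RVA. As an added example (not code from this post or from the MASM32 project), here is a small PE32 header parser that computes where the entry point's bytes sit in a mapped view, both for a SEC_IMAGE view (offset = AddressOfEntryPoint) and for a plain file view (RVA translated through the section table). The names pe_entry_offset, SAMPLE and sample_entry_offset are hypothetical, and SAMPLE is a constructed minimal PE whose entry RVA 0x1000 and first bytes were chosen to mirror the listing, since the real file's headers are not shown in the thread.

```c
#include <stddef.h>
#include <stdint.h>

/* Field readers: PE headers are little-endian, so read byte-wise regardless of host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Offset of the entry point's first byte within a view of the file.  In a SEC_IMAGE
 * view (image_view != 0) sections sit at their RVAs, so it is AddressOfEntryPoint
 * itself; in a plain data view the RVA is translated through the section table to
 * a raw file offset.  Returns 0 on success, -1 for anything not a well-formed PE32. */
int pe_entry_offset(const uint8_t *buf, size_t len, int image_view, uint32_t *out)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;                /* "MZ" */
    uint32_t nt = rd32(buf + 0x3C);                                   /* e_lfanew */
    if (nt > len - 44 || rd32(buf + nt) != 0x00004550) return -1;    /* "PE\0\0" */
    uint16_t nsec = rd16(buf + nt + 6), optsz = rd16(buf + nt + 20);
    const uint8_t *opt = buf + nt + 24;
    if (rd16(opt) != 0x10B) return -1;                                /* PE32 only */
    uint32_t entry_rva = rd32(opt + 16);                              /* AddressOfEntryPoint */
    if (image_view) { *out = entry_rva; return 0; }
    size_t sec_off = (size_t)nt + 24 + optsz;                         /* section table */
    if (sec_off + 40u * nsec > len) return -1;
    const uint8_t *sec = buf + sec_off;
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        uint32_t va = rd32(sec + 12), rawsz = rd32(sec + 16), raw = rd32(sec + 20);
        if (entry_rva >= va && entry_rva < va + rawsz) { *out = raw + (entry_rva - va); return *out < len ? 0 : -1; }
    }
    return -1;                                     /* entry point lies in no section */
}

/* Constructed PE32 file for the demo (not a real binary): one ".text" section at RVA
 * 0x1000, stored at file offset 0x200, beginning with the "push 0 / push 40304B"
 * bytes that the listing above shows at 0x381000. */
static const uint8_t SAMPLE[0x400] = {
    [0x00] = 'M', [0x01] = 'Z', [0x3C] = 0x40,                  /* e_lfanew = 0x40 */
    [0x40] = 'P', [0x41] = 'E', [0x44] = 0x4C, [0x45] = 0x01,   /* "PE\0\0", Machine i386 */
    [0x46] = 1, [0x54] = 0xE0,                                  /* 1 section, SizeOfOptionalHeader 224 */
    [0x58] = 0x0B, [0x59] = 0x01, [0x69] = 0x10, [0x76] = 0x40, /* PE32 magic, entry RVA 0x1000, ImageBase 0x400000 */
    [0x138] = '.', 't', 'e', 'x', 't',                          /* section name */
    [0x141] = 0x02, [0x145] = 0x10, [0x149] = 0x02, [0x14D] = 0x02, /* VirtualSize, VA, SizeOfRawData, PointerToRawData */
    [0x200] = 0x6A, 0x00, 0x68, 0x4B, 0x30, 0x40, 0x00,         /* push 0 / push 40304B */
};

uint32_t sample_entry_offset(int image_view)   /* demo wrapper: 0xFFFFFFFF on error */
{
    uint32_t off;
    return pe_entry_offset(SAMPLE, sizeof SAMPLE, image_view, &off) == 0 ? off : 0xFFFFFFFFu;
}
```

With a SEC_IMAGE view based at 0x380000, sample_entry_offset(1) gives 0x1000, so the entry code is at 0x381000 as in the listing; with a plain view of the same file the bytes are at file offset 0x200 instead.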



Tedd

msgb.exe is malware.

Why would you like the source code?

That would be a nope.
Potato2

qWord

Well, I assume msgbox.exe is this one
Quote from: s4ng3r on August 28, 2013, 06:14:27 AM
    push 0
    push offset title
    push offset message
    push 0
    call MessageBox

and he wants to load it unpacked. The question is: for what purpose?
The rules of the forum
MREAL macros - when you need floating point arithmetic while assembling!

s4ng3r

Quote from: qWord on August 29, 2013, 01:41:20 AM
Well, I assume msgbox.exe is this one
Quote from: s4ng3r on August 28, 2013, 06:14:27 AM
    push 0
    push offset title
    push offset message
    push 0
    call MessageBox

and he wants to load it unpacked. The question is: for what purpose?
The rules of the forum
To modify it and repackage it, like a debugger :P