Bugs' Bounty Hunter,
"Hi lingo. Do you have also code to emulate GetProcAddress?"

Yes, I have

My GetProcAddress is speed optimized (PIII) and more complicated
than Axial's code, because I use a binary search algo to resolve
addresses of all functions from all dll's which I use in my windows programs

It is faster than the original MS algo and allows me to start my windows programs faster
because in my import directory I have only one function (for W2k,XP compatibility)

I can post the code but I don't want to bother ppl like Vortex
My optimized code makes him go mad
You can see proof here:

"Lingo,
Are you enough brave to tell us the source of your algo?
I think, it doesn't belong to you."
http://www.asmcommunity.net/board/showthread.php?threadid=12560&perpage=15&pagenumber=1

here: "lingo,you fool,why should I need speed optimisation for such a short code?"
http://www.asmcommunity.net/board/showthread.php?threadid=1883&highlight=Vortex

and here:

"Now,look at here lingo kid,
Instead of studying C run-time DLLs,you are wasting your time by doing stupid
things.Your genius application contains only one section.This is your main trick.
Now,little kid,prove that you are a REAL MAN:tell us what is your problem with me?"
http://www.asmcommunity.net/board/showthread.php?threadid=12496

Where is the moderator?

So, just use Axial's code, it is simple and size optimized.

Regards,
Lingo
Posted on 2003-04-17 07:19:38 by lingo12
Lingo kid,

Now,pay a little attention here:First of all,you are unable to answer my
questions.

Second: Your optimised code also contains mistakes, read the post of bitRAKE.

Third: Nobody is jealous of you, we have really very very experienced coders (+talented)
in the board. You know them.
What I am curious about is your strange words which demonstrate bad
intention. What's your reason? What does "garbage" mean to you?

Fourth: I expect to see here a REAL man such as you who will reply to me moderately.

If you continue to play the monkey, that's your problem.

Now, try to show your personality higher than your skills.
Don't try to hide behind the moderators. :)

That's all.

Vortex
Posted on 2003-04-17 08:05:27 by Vortex
Okay, boys, don't bicker over some misunderstandings and leave the playground fights out of the forums. *PS: Don't come back with injuries...

I think you all are straying from the topic. pazuluo wanted to know why 0f800h was used in the snippet and no one has yet answered his question.
Posted on 2003-04-17 08:12:52 by roticv
Roticv,

That's O.K, you are right; but I won't let myself be attacked by that person.
What wrong did I do him? I try to help my friends here a little. Optimised
code is O.K when it is necessary. Sometimes, non-optimised code makes it
easier to understand some coding tricks. Why make a contest?

Regards,

Vortex
Posted on 2003-04-17 08:22:15 by Vortex
Just take it that both of you have opposing views and chill it. Forgive and forget. :alright:
Posted on 2003-04-17 09:15:35 by roticv
I agree with you Roticv, if everyone would be as peaceful as you :alright:
Posted on 2003-04-17 09:24:41 by Vortex
hi all,

I'm so sorry to see the injuries here, coz it's not my original intention... :( :( Sorry for it, please stop. :)

BTW, my question still hasn't been solved, could anybody help for the 0f800h?

I want to thank you all above! :):)
Posted on 2003-04-17 10:01:35 by pazuluo
-- Edited to keep things simple and clear --

Sliver
Posted on 2003-04-17 12:10:41 by Sliver
Like I said I think it is the address of the default (dummy) code segment. I could be wrong but it seems to make sense.
Posted on 2003-04-17 12:12:44 by donkey
I am happy that we can communicate in such an open and free manner. The maturity of the group is demonstrated by the individual respect given to each member and the understanding that not only are we different but the programming situations themselves are varied - requiring different specific solutions. It is wonderful that we can see the positive and negative value of each piece of code without resorting to personal attacks. Although we may put much of ourselves into our work, we are separate from it. :)
Posted on 2003-04-17 17:10:11 by bitRAKE
The "test for weirdvalue" in the original algorithm is probably to avoid antiviral heuristics. It makes more sense to do it "the right way".

"It is faster than the original MS algo and allows me to start my windows programs faster
because in my import directory I have only one function (for W2k,XP compatibility)"

Hah, as if you would be able to notice any speed difference. Silly statement. Does your proc handle forwarded exports?
Posted on 2003-04-18 07:40:41 by f0dder
bitRAKE,
I'm happy too, with my new boat...


pazuluo,
"BTW, my question still hasn't been solved, could anybody help for the 0f800h?"

test dx, 0F800h is equal to

cmp dx, 800h
jae LoopAgain

It is just a filter to cut off all values greater than 00080000h, i.e.
the pointer to the PE header 'e_lfanew' (which is 32 bits
long, beginning at byte offset 60) of Kernel32.dll must be:
reg DX<800h, else loop again.

If you have all PE offsets of all Kernel32.dll of all Windows OS
you can get the biggest offset (for instance 200 0000h) and change
in DX register F800h with F200h,
i.e. test dx,0F200h or cmp dx,200h /jae LoopAgain) and
your algo will work just fine.

I believe that the author has found out the value 800h with a debugger. Why?
Because in PE files this value has no limit, i.e. it may be greater
than 800h. Why?
Because this value is a pointer to a place somewhere (PE header) AFTER the DOS_Stub
and here is MSDN:


"Visual C++ Linker Options

STUB (MS-DOS Stub File Name)
STUB:filename

where:

filename
An MS-DOS application.

Remarks

The STUB option attaches an MS-DOS stub program to a Win32 program.

A stub program is invoked if the file is executed in MS-DOS. It usually displays an appropriate message;
however, any valid MS-DOS application can be a stub program.

....."

i.e. any valid MS-DOS application can be a stub program, hence
the DOS STUB may be greater than 800h and if so, the pointer to the PE header will be
greater than 800h too.

I rewrote the algo:

mov eax, [esp]            ; return address of the call to CreateProcess
and eax, 0FFFF0000h       ; the last four hex digits are zeros because
                          ; Kernel32.dll is 64K aligned in memory
LoopAgain:
mov edx, [eax+3Ch]        ; e_lfanew of the candidate page; the pointer is 32 bits by definition
;test edx, 0FFFFF800h     ; you can try with 0FFFFF200h too
;jnz NextPage             ;
cmp edx, 800h             ; you can try with 200h too
jae NextPage              ; e_lfanew too big for a header we accept
cmp eax, [eax+edx+34h]    ; OptionalHeader.ImageBase must equal the candidate base
je  Found
NextPage:
sub eax, 1000h            ; step one page down, rather than dec eax!!!
jmp LoopAgain
Found:                    ; eax = base of Kernel32.dll


Regards,
Lingo
Posted on 2003-04-18 17:41:07 by lingo12
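A C model of the page scan above, added here as an example and not code from the thread, run over a constructed byte array that stands in for process memory. It shows why the 800h filter keeps every read inside the candidate page, and how a DLL with an oversized DOS stub (e_lfanew at 900h, which the quoted MSDN text allows) is rejected by that filter until the limit is widened; the addresses, the image layout and the function names are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for process memory: 256 KB, every address below is fake. */
#define MEM_SIZE 0x40000u
#define PAGE     0x1000u

static uint8_t mem[MEM_SIZE];

static uint32_t rd32(uint32_t addr) { uint32_t v; memcpy(&v, mem + addr, 4); return v; }
static void     wr32(uint32_t addr, uint32_t v) { memcpy(mem + addr, &v, 4); }

/* Place a minimal PE image at base: "MZ", e_lfanew at offset 0x3C, "PE\0\0" at e_lfanew
 * and OptionalHeader.ImageBase at e_lfanew + 0x34 (the field the snippet compares). */
void build_image(uint32_t base, uint32_t e_lfanew, uint32_t image_base_field)
{
    memset(mem, 0, sizeof mem);
    mem[base] = 'M';
    mem[base + 1] = 'Z';
    wr32(base + 0x3C, e_lfanew);
    wr32(base + e_lfanew, 0x00004550u);
    wr32(base + e_lfanew + 0x34, image_base_field);
}

/* Model of the posted loop: start at the 64K-aligned address below ret_addr and walk
 * down one page at a time.  A page is accepted when its e_lfanew is below lfanew_limit
 * (the thread's 800h filter; any limit up to 0xFC8 keeps the ImageBase read inside the
 * page) and the ImageBase stored in the optional header equals the page address.
 * Returns 0 when no header is found before reaching address 0. */
uint32_t find_base(uint32_t ret_addr, uint32_t lfanew_limit)
{
    for (uint32_t p = ret_addr & 0xFFFF0000u; p >= PAGE; p -= PAGE) {
        uint32_t lfanew = rd32(p + 0x3C);          /* mov edx,[eax+3Ch]       */
        if (lfanew >= lfanew_limit)                /* cmp edx,800h / jae      */
            continue;
        if (rd32(p + lfanew + 0x34) == p)          /* cmp eax,[eax+edx+34h]   */
            return p;
    }
    return 0;
}

int main(void)
{
    build_image(0x20000u, 0xE8u, 0x20000u);        /* usual small DOS stub    */
    printf("%#x\n", find_base(0x3B123u, 0x800u));  /* 0x20000                 */
    build_image(0x20000u, 0x900u, 0x20000u);       /* oversized DOS stub      */
    printf("%#x\n", find_base(0x3B123u, 0x800u));  /* 0: the filter rejects it */
    printf("%#x\n", find_base(0x3B123u, 0xA00u));  /* 0x20000 with wider limit */
    return 0;
}
```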
Thank you very much, lingo12!!!!!! :grin: :grin: :grin:

I love this forum! :tongue: :tongue:
Posted on 2003-04-18 22:38:07 by pazuluo
lingo12, I want to use your algo. Which one is the best and fastest, the first one without the loop or the one you rewrote?

Also, can you post your GetProAddr if you got one for just a regular 486 and small P500 and under.

Thanks in advance
Posted on 2003-06-26 19:25:45 by cmax
cmax,
"Also can you post your GetProAddr"

imho the thread is closed...
"Hah, as if you would be able to notice any speed difference. Silly statement.
Does your proc handle forwarded exports?" by f0dder

First tell someone that he is silly and after that ask him how he is doing the job... Funny, isn't it?
He can't imagine that someone knows how to:
- look for imported modules without LdrpCheckForLoadedDll
- "recognize" forwarded API (for ex. HeapAlloc)
- search without LdrpSnapThunk and LdrpNameToOrdinal and imitate LdrpGetProcedureAddress etc.
- investigate every API that a DLL imports from other DLLs in order to calculate a real address
and/or load additional DLLs and check to see if an API may have been forwarded on to another
procedure housed in another DLL
- bypass the address calculation and forwarded API processing with binding but
without using Bind.exe (see SDK for more info) etc...

I spent 3 weeks in writing and testing and I'm not so silly to post my code here...sorry

My advice to you is to try the fastest method (imho):
Just create two programs, work.exe and setup.exe
With your setup.exe (you don't need speed here) you should:
- create and/or patch your work.exe program
- calculate all used API addresses by the standard method and write them into work.exe
- optimize your work.exe for the type of CPU, OS, protection, etc
Your work.exe will be the fastest, and if the user changes the OS he/she must run setup.exe again


"Which one is the best and fastest the first one with out the loop or the one you rewrote."

First one without the loop. I rewrote the second algo just to answer pazuluo's question.

Regards,
Lingo
Posted on 2003-06-26 22:36:06 by lingo12
Thanks lingo12

And sorry about bringing up old dirt. I do remember when most of the guys here were more concerned about speed and saving even a byte. And they lived for that ... and that only ...

Even though I was a super newbie it was a thrill to read some of what you guys were doing.

Those were the days :)
Posted on 2003-06-27 02:34:35 by cmax