Hi all,

How do I load a DWORD into the eax register from a specified address?
I tried this:
mov eax, DWORD PTR ;

Is this right?
And is there any tool for me to watch the registers' values while my code is executed?
Thank you
m
Posted on 2003-08-19 01:32:27 by nvm
To use a memory address directly you have to dereference it:

First mov the address into a register (I use esi but any GP register will do):

mov esi,MemAddress

Then you dereference the address using square brackets:

mov eax,[esi]

Since the assembler knows that eax is 4 bytes wide there is no need to specify DWORD.

If you have an address in your program you have probably assigned a label to it, in that case you can use the label directly:

MyVar dd 0

mov eax,MyVar
Posted on 2003-08-19 02:06:58 by donkey
Hi Donkey,
My case is as follows:
I have a text buffer which is defined as
TextBuffer db 512 dup(?)
and I want to load the first 4 bytes of TextBuffer into eax:

lea edi, TextBuffer
mov eax,[edi]

Is that OK?

m
Posted on 2003-08-19 02:55:24 by nvm
Hi, nvm

That's OK

In your example you use TextBuffer at a constant address, so I suggest "mov edi, offset TextBuffer".
And is there any tool for me to watch the registers' values while my code is executed?

This tool is called "debugger"
OllyDbg or W32Dasm for example
Posted on 2003-08-19 03:25:11 by S.T.A.S.
Well, please look at my asm code. I don't know what's wrong, but I cannot get the first 4 bytes out of a buffer!!!
....
TextBuffer db 32 dup(?)
....
invoke MessageBox, NULL, addr TextBuffer, addr TextBuffer, MB_OK
;just want to see the value of TextBuffer, and it's right
lea edi, TextBuffer
mov eax,[edi]
;and now eax contains a different value
Posted on 2003-08-19 04:58:36 by nvm
TextBuffer db 32 dup(?)

Windows uses null-terminated strings as standard, so when you use db (?) (usually ?=0)
you're using a null-size string.

try this:
.386	

.model flat,stdcall ;win32 memory model
option casemap :none ;case sensitive
include windows.inc
include user32.inc
includelib user32.lib
.DATA
TextBuffer db "dummy string",0;32 dup(?)
.CODE
start:
;lea edi, TextBuffer
mov edi, offset TextBuffer
invoke MessageBox, NULL, edi, edi, MB_OK
ret
end start
Posted on 2003-08-19 05:54:45 by S.T.A.S.
try the opcode lodsd.
Posted on 2003-08-19 06:25:09 by roticv
Hi nvm,

Remember that the label you assign to something can be used directly with the OFFSET directive, so:
.386	

.model flat,stdcall ;win32 memory model
option casemap :none ;case sensitive
include windows.inc
include user32.inc
includelib user32.lib
.DATA
TextBuffer db "dummy string",0;32 dup(?)
.CODE
start:
invoke MessageBox, NULL, offset TextBuffer, offset TextBuffer, MB_OK
ret
end start
is just fine as well. If the buffer is local in scope, use the ADDR directive in place of OFFSET. Note that you cannot mov eax,ADDR TextBuffer, however, as the assembler does not know the address at compile time; in the case of locally scoped labels you must use LEA to place the address in a register.
Posted on 2003-08-19 07:04:40 by donkey
nvm,
If you use TextBuffer, I suppose you should use CHARS (ASCII CHAR = BYTE), not DWORDS.
For that, use instructions like:
mov al,[esi]
movzx eax, byte ptr [esi]
lodsb
The last one is more complex to use, so bugs are very possible (at first).
I avoid using this, since it's slooower on newer CPUs.

Remember that the label you assign to something can be used directly with the OFFSET directive

but here it costs an additional 8 bytes :)

Take advantage of a debugger. This is a REALLY useful thing :alright:

P.S. there are really two different "Far Easts" in the World ;)
Posted on 2003-08-19 07:17:48 by S.T.A.S.
The last one is more complex to use, so bugs are very possible (at first).

But small in size. 1 byte only. :grin: One reason why I still use string opcodes.
Posted on 2003-08-19 07:19:25 by roticv


But small in size. 1 byte only. :grin: One reason why I still use string opcodes.

This one byte can execute longer than another 10.
Posted on 2003-08-19 07:29:37 by S.T.A.S.
Hi gurus,
Thanks for your replies, now I can see the first 4 bytes of the string:

invoke MessageBox, NULL, edi, edi, MB_OK
;The message box shows me exactly the process id value that I want to kill
;and I move it to eax before calling OpenProcess
mov eax, edi
;I notice that this is the hex value of the process id
invoke OpenProcess, PROCESS_TERMINATE, 0, eax

And the strange thing here is that the return value in eax is NULL, which means there is no process id = value of eax!!!
But if I move the process id value directly into eax (e.g. mov eax, 044ch)
and call OpenProcess like this:

mov eax, 044ch
invoke OpenProcess, PROCESS_TERMINATE, 0, eax

it works :confused:
Any idea on this problem?
Posted on 2003-08-19 09:49:57 by nvm
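The mismatch S.T.A.S. pointed at (chars, not DWORDs) and nvm ran into above, as an added C example that is not code from this thread: even a correct mov eax,[edi] loads the four ASCII characters of the text, not the number they spell, so OpenProcess is handed a meaningless id. The buffer contents and the helper names are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* What "mov eax,[edi]" does on x86: the first four bytes of the buffer
 * land in eax byte for byte, least significant byte first (little-endian).
 * Built with shifts so the result is the x86 value on any host. */
uint32_t load_dword(const unsigned char *buf)
{
    return (uint32_t)buf[0]
         | ((uint32_t)buf[1] << 8)
         | ((uint32_t)buf[2] << 16)
         | ((uint32_t)buf[3] << 24);
}

/* What the program actually needs: the number the characters spell out.
 * base 10 for "1100", base 16 for "44C" or "0x44C". Returns 0 when the
 * text is empty or has trailing junk, so a bad id is never passed on. */
uint32_t parse_pid(const char *text, int base)
{
    char *end;
    unsigned long v = strtoul(text, &end, base);
    if (end == text || *end != '\0')
        return 0;
    return (uint32_t)v;
}

int main(void)
{
    /* Constructed sample: MessageBox showed the buffer as "1100" (0x44C). */
    const char text_buffer[32] = "1100";

    uint32_t raw = load_dword((const unsigned char *)text_buffer);
    uint32_t pid = parse_pid(text_buffer, 10);

    printf("first 4 bytes as DWORD: 0x%08X\n", raw); /* 0x30303131 */
    printf("parsed process id:      %u (0x%X)\n", pid, pid); /* 1100 (0x44C) */
    return 0;
}
```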
Here, create a dialog with two buttons, IDs 1001 and 1002, and a listbox with ID 1003. Press button 1 (1001) to enumerate your processes and button 2 (1002) to terminate the selected process.
DlgProc proc uses ebx esi edi hWin:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM

LOCAL hProcess :DWORD

mov eax,uMsg
.IF eax == WM_INITDIALOG
mov eax,hWin
mov hDlg,eax

.ELSEIF eax == WM_COMMAND
mov eax,wParam
mov dx,ax
mov eax, wParam
shr eax, 16
.IF dx == 1001
invoke SearchForProcess
.ELSEIF dx == 1002
invoke SendDlgItemMessage,hDlg,1003,LB_GETCURSEL,0,0
invoke SendDlgItemMessage,hDlg,1003,LB_GETITEMDATA,eax,0
invoke OpenProcess,PROCESS_TERMINATE,FALSE,eax
.IF eax
mov hProcess,eax
invoke TerminateProcess,hProcess,0
invoke CloseHandle,hProcess
.ENDIF
.ENDIF

.ELSEIF eax == WM_CLOSE
invoke EndDialog,hWin,0

.ELSE
mov eax,FALSE
ret

.ENDIF

mov eax,TRUE
ret

DlgProc endp

SearchForProcess proc
LOCAL pe32 :PROCESSENTRY32
LOCAL me32 :MODULEENTRY32
LOCAL hProcessSnap :HANDLE
LOCAL hModuleSnap :HANDLE

mov pe32.dwSize,SIZEOF PROCESSENTRY32
mov me32.dwSize,SIZEOF MODULEENTRY32

invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
.IF eax == -1
ret
.ENDIF
mov hProcessSnap,eax
invoke Process32First,hProcessSnap,ADDR pe32
.IF eax==0
ret
.ENDIF

.WHILE eax
invoke SetLastError,0
invoke CreateToolhelp32Snapshot,TH32CS_SNAPMODULE,pe32.th32ProcessID
mov hModuleSnap,eax
invoke Module32First,hModuleSnap,ADDR me32
invoke CloseHandle,hModuleSnap
invoke SendDlgItemMessage, hDlg, 1003, LB_ADDSTRING,0, ADDR me32.szExePath
invoke SendDlgItemMessage, hDlg, 1003, LB_SETITEMDATA, eax, pe32.th32ProcessID
invoke Process32Next,hProcessSnap,ADDR pe32
.ENDW
invoke CloseHandle,hProcessSnap

ret
SearchForProcess endp
Posted on 2003-08-19 10:12:07 by donkey