I want to know the workings of an API function.
Can someone tell me how to disassemble it?
You will need:
(1) obviously a disassembler... look for IDA: it is the best, because it can infer function arguments, local variables and library calls
(2) the symbols of the DLL containing the API you want to disassemble.
Requisite 2 is not mandatory, but it will help you a lot in your reverse engineering. Retrieve the symbols using the Microsoft debugging tools or the Compuware Symbol Retriever (it comes with DriverStudio).
Regards, bilbo
Personally I prefer to trace into interesting APIs with win-ice, to filter out the less interesting parts and understand things better. And indeed, the debugging symbols will help you.
Maybe like this: http://biw.rult.at/refs/benimports.txt
I want to know the workings of an API function.
Can someone tell me how to disassemble it?
Is it allowed to ask such questions here?
I don't see why not;
it's a relevant question about how disassemblers understand the APIs used in a PE editor.
See the txt above.
I think there is not much to learn from the API. Even if you trace it, you will realise that the ASCII version of the function ends up calling the Unicode version, which somehow ends up calling a syscall or something like that.
I would suggest using OllyDbg; it is a great FREEWARE debugger, so you can write a small app which calls the API you want to have a look at.
Open the program in Olly and jump into the DLL call so you can follow the DLL code while it runs.
Roticv has a point: some APIs use a syscall or something to let Windows handle things the API itself cannot (like BitBlt, for example).
Which API do you want to look at, and why? (if I may ask :))
Which api do you want to look at and why?
Hi Scorpie, I just want to know the workings of CreateDialogParam, DialogBoxParam and EndDialog.
Because I have seen in the MSDN library that we
cannot end a dialog box created with CreateDialogParam using EndDialog, only one created with DialogBoxParam. I want to know the workings of
those two APIs and the EndDialog API.
OK, I would still suggest OllyDbg; since I'm a cracker and reverser I use it a lot, so if you have any questions about it you can ask me.
edit: here is the download link: Ollydbg
Scorpie, thank you very much, I will try it.
Just a heads-up that OllyDebug contains a known exploit: it is possible to have Olly execute arbitrary code from the target executable, without user intervention, simply by opening it for disassembly.
It is therefore possible to write code protected from Olly, and for other more evil purposes.
Hi Scorpie.
I loaded the DLL user32.dll, which contains the API DialogBoxParam, in OllyDbg; how can I determine which code is for DialogBoxParam?
@Evilhomer, yes I am aware of that exploit, but geegle already said he wants to disassemble "CreateDialogParam, DialogBoxParam and EndDialog"; this exploit doesn't concern him, since the standard Windows APIs don't contain any exploit code for OllyDbg. But I should have mentioned it, it slipped my mind :oops:
@geegle, as I said before, write a small program in assembly which calls the function you want to have a look at.
Then trace your own code to the call and press F7 on the call to jump into it, resulting in a direct jump to the code of the API you just called.
EvilHomer is correct. I loaded up one of my programs and it just crashes right after I load it on my secondary machine. I'm not sure why; maybe I'm doing something wrong? How do you work around this exploit?