I want to know the workings of an API function.
Can someone tell me how to disassemble it?
Posted on 2004-11-17 01:30:14 by geegle
You will need:
(1) obviously a disassembler... look for IDA: it is the best, because it can argue function arguments, local variables and library calls
(2) the symbols of the DLL containing the API you want to disassemble.

Requisite 2 is not mandatory, but it will help you a lot in your reverse engineering. Retrieve the symbols using the Microsoft debugging tools or Compuware Symbol Retriever (it comes with DriverStudio).

Regards, bilbo
Posted on 2004-11-17 02:54:25 by bilbo
Personally I prefer to trace into interesting APIs with win-ice, to filter out the less-interesting parts of it and understand stuff better. And indeed, the debugging symbols will help you.
Posted on 2004-11-17 03:03:30 by lifewire
maybe like this: http://biw.rult.at/refs/benimports.txt ?
Posted on 2004-11-17 03:37:14 by wizzra
I want to know the workings of an API function.
Can someone tell me how to disassemble it?

Is it allowed to ask such questions here?
Posted on 2004-11-17 04:55:50 by Vortex
I don't see why not;
it's a relevant question on knowing how a disassembler understands the APIs used in a PE editor.
See the txt above.
Posted on 2004-11-17 06:15:55 by wizzra
I think there is nothing much to learn from the API. Even if you trace, you will realise that the ASCII version of the function ends up calling the Unicode version and somehow ends up calling a syscall or something like that.
Posted on 2004-11-17 08:07:09 by roticv
I would suggest using OllyDbg; it is a great FREEWARE debugger, so you can write a small app which calls the API you want to have a look at.
Open the program up in Olly and jump into the DLL call so you can follow the DLL code while running.

Roticv has a point: some APIs use a syscall or something to let Windows handle some things the API itself cannot (like BitBlt, for example).

Which API do you want to look at, and why? (if I may ask :))
Posted on 2004-11-17 10:20:16 by Scorpie
Which API do you want to look at, and why?

Hi Scorpie, I just want to know the workings of CreateDialogParam, DialogBoxParam and EndDialog.
Because I have seen in the MSDN library that we cannot end a dialog box created with CreateDialogParam using EndDialog, only one created with DialogBoxParam. I want to know the workings of
the two APIs and the EndDialog API.
Posted on 2004-11-17 20:35:59 by geegle
OK, I would still suggest OllyDbg; since I'm a cracker and reverser I use it a lot, so if you have any questions about it you can ask me.

edit: here is the download link: OllyDbg
Posted on 2004-11-17 21:05:50 by Scorpie
Scorpie, thank you very much, I will try it.
Posted on 2004-11-17 21:33:19 by geegle
Just a heads-up that OllyDebug contains a known exploit - it is possible to have Olly execute arbitrary code from the target executable and without user intervention simply by opening it for disassembly.
It is therefore possible to write code protected from Olly, and other more evil purposes.
Posted on 2004-11-18 02:46:20 by Homer
Hi Scorpie.
I loaded the DLL user32.dll, which contains the API DialogBoxParam, in OllyDbg; how can I determine which code is for DialogBoxParam?
Posted on 2004-11-18 05:19:07 by geegle
@Evilhomer, yes, I am aware of that exploit, but geegle already said he wants to disassemble "CreateDialogParam, DialogBoxParam and EndDialog". This exploit doesn't concern him, since the standard Windows APIs don't contain any exploit code for OllyDbg, but I should have mentioned it; it slipped my mind :oops:

@geegle, as I said before, write a small program in assembly which calls the function you want to have a look at.
Then trace your own code to the call and press F7 on the call to jump into it, resulting in a direct jump to the code of the API you just called.
Posted on 2004-11-18 13:16:39 by Scorpie
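As an added example (not from the thread), here is a minimal MASM32 program that does what Scorpie describes: it calls the three APIs geegle asked about, so each call can be traced into with F7. It assumes the MASM32 include paths shown and a resource script defining a dialog template IDD_MAIN (id 1000, an assumed value) whose OK button has the standard IDOK id.

```masm
; Added example, not from the thread. Load the EXE in OllyDbg, set a breakpoint
; on "call DialogBoxParam" below and press F7 there to land in user32's code.
; Assumes an .rc file with a dialog template IDD_MAIN containing an IDOK button.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

IDD_MAIN equ 1000                       ; dialog template id (assumed value)

DlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD

.data?
hInstance dd ?

.code
start:
    invoke GetModuleHandle, NULL
    mov hInstance, eax

    ; 1) Modal dialog: DialogBoxParam runs its own message loop and only
    ;    returns after DlgProc calls EndDialog. Trace into this call with F7.
    invoke DialogBoxParam, hInstance, IDD_MAIN, NULL, addr DlgProc, 1

    ; 2) Modeless dialog: CreateDialogParam returns at once with an HWND.
    ;    EndDialog is not valid for this window; it is closed with DestroyWindow.
    invoke CreateDialogParam, hInstance, IDD_MAIN, NULL, addr DlgProc, 2
    invoke DestroyWindow, eax

    invoke ExitProcess, 0

; Shared dialog procedure. Only the modal dialog ever reaches WM_COMMAND here,
; because the modeless one is destroyed before any message loop runs.
DlgProc proc hWnd:DWORD, uMsg:DWORD, wParam:DWORD, lParam:DWORD
    .if uMsg == WM_INITDIALOG
        ; lParam holds the last DialogBoxParam/CreateDialogParam argument (1 or 2)
    .elseif uMsg == WM_COMMAND
        mov eax, wParam
        .if ax == IDOK
            invoke EndDialog, hWnd, 0   ; ends the modal dialog, DialogBoxParam returns 0
        .endif
    .elseif uMsg == WM_CLOSE
        invoke EndDialog, hWnd, 0
    .else
        xor eax, eax                    ; FALSE: message not handled
        ret
    .endif
    mov eax, TRUE
    ret
DlgProc endp

end start
```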
EvilHomer is correct; I loaded up one of my programs and it just crashes right after I load it on my secondary machine. I'm not sure why; maybe I'm doing something wrong? How do you work around this exploit?
Posted on 2004-11-19 19:50:32 by x86asm