I'm looking through the PE tutorials and I happened to tested out the PE tutorial 6's exe on reading the import table. When I use the program to open dlls, most of them would result in a crash on my computer. I am using win2k currently. Does it crash on other OS?

The following code caused it to crash

.while dword ptr [esi]!=0
test dword ptr [esi],IMAGE_ORDINAL_FLAG32
jnz ImportByOrdinal
invoke RVAToOffset,pMapping,dword ptr [esi]
mov edx,eax
add edx,pMapping
assume edx:ptr IMAGE_IMPORT_BY_NAME
mov cx, [edx].Hint
movzx ecx,cx
invoke wsprintf,addr temp,addr NameTemplate,ecx,addr [edx].Name1 <----- It crashed here
jmp ShowTheText
mov edx,dword ptr [esi]
and edx,0FFFFh
invoke wsprintf,addr temp,addr OrdinalTemplate,edx
invoke AppendText,hDlg,addr temp
add esi,4

I suspect that the .Name1 is corrupted along the way, but it seems to work fine on exes.
Posted on 2002-09-14 08:20:06 by roticv

DLL's do have the same format (PE) as EXE's on a win32 system. Am not advanced enough to understand that code ? So I reallr can't correct it, if their is an error.

Like I said, DLL have the same format as PE EXE's, so their should be a problem with using that example. I tested those examples on my commputer, and they worked fine :\ .....
Posted on 2002-09-16 06:13:06 by Dracton
It works fine for me too, WinXP
Posted on 2002-09-16 15:41:19 by david
You might want to review the Win32.hlp file:
Note Unlike other Windows functions, wsprintf uses the C calling convention (_cdecl), rather than the Pascal calling convention. As a result, it is the responsibility of the calling process to pop arguments off the stack, and arguments are pushed on the stack from right to left. In C-language modules, the C compiler performs this task.
Posted on 2002-09-22 03:29:34 by eet_1024

I did some testing, and expanded the .if and .while to cmp and jmps and compare with original i found out the code works fine if a cmp was used instead of test. What is the difference between test and cmp?
Posted on 2002-09-22 06:55:51 by roticv
test makes an and-operation, throw away the result, and set the flags accordingly
so just like and opcode except that no registers altered.
Posted on 2002-09-23 18:15:56 by david