Finding export information

freak52 Member Posts: 4
Hi!

I have the following question:

I have a dll, created and compiled with Delphi, but I don't have the source of it.

Now, I'm trying to rebuild the dll using the export table of the original.

I successfully rebuilt some function calls but I still have one more problem.
In the dll there is no information about function/procedure, calling convention, parameters and so on...

There is a call that should get data from the exe, but I can't find where it's located.

Here is the function:

;------------------------------------------------------------------------------
Align 4
_DMXWrite:
push ebp
mov ebp,esp
push ebx
mov ebx,[ebp+08h]
cmp ebx,00000200h
jle L00401FF8
mov ebx,00000200h
L00401FF8:
push ebx
push 00000000h
push 00000000h
call SUB_L0040212C
add esp,0000000Ch
test al,al
jz L00402018
mov eax,[ebp+0Ch]
push eax
push ebx
call SUB_L004022C4
add esp,00000008h
jmp L0040201D
L00402018:
xor eax,eax
pop ebx
pop ebp
retn
;------------------------------------------------------------------------------
L0040201D:
mov eax,ebx
pop ebx
pop ebp
retn
;------------------------------------------------------------------------------
SUB_L0040212C:
push ebp
mov ebp,esp
push ebx
mov dx,[ebp+10h]
mov eax,[ebp+08h]
mov [L00417600],al
not al
mov [L00417601],al
mov ax,[ebp+0Ch]
push L00417600
mov [L00417602],ax
push 00000006h
mov [L00417604],dx
call SUB_L004021F4
add esp,00000008h
mov ebx,eax
mov [L004175FE],bl
test bl,bl
jz L00402174
mov al,01h
pop ebx
pop ebp
retn
;------------------------------------------------------------------------------
SUB_L004022C4:
push ebp
mov ebp,esp
push ebx
push esi
mov esi,[ebp+08h]



_DMXWrite is the function call that I'm looking for. Could someone tell me where it gets its data from and please give the Delphi code?
This is what I thought and it doesn't work:

procedure _DMXWrite(a, b: PAnsiString); stdcall;
begin

  MessageBox(0, b, a, MB_OK);

end;

MessageBox is just for testing purposes.

Comments

  • Jonathan Member Posts: 2,914
    : _DMXWrite is the function call that I'm looking for. Could someone tell me where it gets its data from and please give the Delphi code?
    : This is what I thought and it doesn't work:
    :
    : procedure _DMXWrite(a, b: PAnsiString); stdcall;
    Were it using stdcall calling conventions I'd expect the function itself to be clearing the stack. I don't spot it doing that (but I am kinda tired ;-)) so maybe try some other calling convention. Maybe cdecl would work? It appears to take two parameters, like you suggest, though.

    Jonathan

    ###
    for(74,117,115,116){$::a.=chr};(($_.='qwertyui')&&
    (tr/yuiqwert/her anot/))for($::b);for($::c){$_.=$^X;
    /(p.{2}l)/;$_=$1}$::b=~/(..)$/;print("$::a$::b $::c hack$1.");

  • shaolin007 Member Posts: 1,018
    : Hi!
    :
    : I have the following question:
    :
    : I have a dll, created and compiled with Delphi, but I don't have the source of it.
    :
    : Now, I'm trying to rebuild the dll using the export table of the original.
    :
    : I successfully rebuilt some function calls but I still have one more problem.
    : In the dll there is no information about function/procedure, calling convention, parameters and so on...
    :
    : There is a call that should get data from the exe, but I can't find where it's located.
    :
    : Here is the function:
    :
    : ;------------------------------------------------------------------------------
    : Align 4
    : _DMXWrite:
    : push ebp
    : mov ebp,esp
    : push ebx
    : mov ebx,[ebp+08h]
    : cmp ebx,00000200h
    : jle L00401FF8
    : mov ebx,00000200h
    : L00401FF8:
    : push ebx
    : push 00000000h
    : push 00000000h
    : call SUB_L0040212C
    : add esp,0000000Ch
    : test al,al
    : jz L00402018
    : mov eax,[ebp+0Ch]
    : push eax
    : push ebx
    : call SUB_L004022C4
    : add esp,00000008h
    : jmp L0040201D
    : L00402018:
    : xor eax,eax
    : pop ebx
    : pop ebp
    : retn
    : ;------------------------------------------------------------------------------
    : L0040201D:
    : mov eax,ebx
    : pop ebx
    : pop ebp
    : retn
    : ;------------------------------------------------------------------------------
    : SUB_L0040212C:
    : push ebp
    : mov ebp,esp
    : push ebx
    : mov dx,[ebp+10h]
    : mov eax,[ebp+08h]
    : mov [L00417600],al
    : not al
    : mov [L00417601],al
    : mov ax,[ebp+0Ch]
    : push L00417600
    : mov [L00417602],ax
    : push 00000006h
    : mov [L00417604],dx
    : call SUB_L004021F4
    : add esp,00000008h
    : mov ebx,eax
    : mov [L004175FE],bl
    : test bl,bl
    : jz L00402174
    : mov al,01h
    : pop ebx
    : pop ebp
    : retn
    : ;------------------------------------------------------------------------------
    : SUB_L004022C4:
    : push ebp
    : mov ebp,esp
    : push ebx
    : push esi
    : mov esi,[ebp+08h]
    :
    :
    :
    : _DMXWrite is the function call that I'm looking for. Could someone tell me where it gets its data from and please give the Delphi code?
    : This is what I thought and it doesn't work:
    :
    : procedure _DMXWrite(a, b: PAnsiString); stdcall;
    : begin
    :
    :   MessageBox(0, b, a, MB_OK);
    :
    : end;
    :
    : MessageBox is just for testing purposes.
    :

    [green]
    Looks like 3 dword parameters are passed on the stack and the function
    call SUB_L0040212C works on those parameters. There is a nested call to SUB_L004021F4 but I don't see the code for that function, but it allocates 2 dword local variables that it cleans up afterwards with add esp, 8h. Return from call SUB_L004021F4 cleans up 12 bytes from the 3 push instructions before the call. And so on and so on...

    So it looks probably like this but I could be wrong.

    [code]
    function1(ebp+8h, ebp+0ch, ebp+10h)
    {
        function2(push long, push long, push ebx)
        {
            long function3(long?, long?, long?)
            {
                variable1;
                variable2;
                ret long?;
            }
        }
        function4(push ebx, push eax)
        {
        }
    }
    [/code]
    But to me, without knowing the values, I have no clue what is going on in the code. It might as well be gibberish, in other words. Sorry, I don't know Delphi, only C.
    [/green]
  • freak52 Member Posts: 4
    OK, I've tried to change stdcall to cdecl. The program doesn't lock up anymore, but it still doesn't do what I expected...
    The code is called when a scrollbar is changed, so normally it has to send that value to the dll. I think some more information is sent with it, I guess 2 or 3 parameters.
    I've modified my function so I can see what values are sent, but I always get the same value...

    procedure _DMXWrite(a, b: Integer); cdecl;

  • shaolin007 Member Posts: 1,018
    : OK, I've tried to change stdcall to cdecl. The program doesn't lock up anymore, but it still doesn't do what I expected...
    : The code is called when a scrollbar is changed, so normally it has to send that value to the dll. I think some more information is sent with it, I guess 2 or 3 parameters.
    : I've modified my function so I can see what values are sent, but I always get the same value...
    :
    : procedure _DMXWrite(a, b: Integer); cdecl;
    :
    :

    [green]
    If they're calls to the Windows API, then they use _stdcall by default.
    [/green]

  • freak52 Member Posts: 4
    : : OK, I've tried to change stdcall to cdecl. The program doesn't lock up anymore, but it still doesn't do what I expected...
    : : The code is called when a scrollbar is changed, so normally it has to send that value to the dll. I think some more information is sent with it, I guess 2 or 3 parameters.
    : : I've modified my function so I can see what values are sent, but I always get the same value...
    : :
    : : procedure _DMXWrite(a, b: Integer); cdecl;
    : :
    : :
    :
    : [green]
    : If they're calls to the Windows API, then they use _stdcall by default.
    : [/green]
    :
    :

    I know, but if I use stdcall, my app simply locks up :(
    When I use: procedure _DMXWrite(a, b, c: Integer); register;
    I can recover value b; a & c are still corrupt.

    _DMXWrite:
    push ebp
    mov ebp,esp
    push ebx
    mov ebx,[ebp+08h]
    cmp ebx,00000200h => checks if value < 512; in my case it always is => jump
    jle L00401FF8
    mov ebx,00000200h
    L00401FF8:
    push ebx
    push 00000000h
    push 00000000h
    call SUB_L0040212C => it calls sub (see v)
    add esp,0000000Ch
    test al,al
    jz L00402018
    mov eax,[ebp+0Ch]
    push eax
    push ebx
    call SUB_L004022C4
    add esp,00000008h
    jmp L0040201D

    SUB_L0040212C:
    push ebp => what does it do here?
    mov ebp,esp
    push ebx
    mov dx,[ebp+10h]
    mov eax,[ebp+08h]
    mov [L00417600],al
    not al
    mov [L00417601],al
    mov ax,[ebp+0Ch]
    push L00417600
    mov [L00417602],ax
    push 00000006h
    mov [L00417604],dx => until here?
    call SUB_L004021F4
    add esp,00000008h
    mov ebx,eax
    mov [L004175FE],bl
    test bl,bl
    jz L00402174
    mov al,01h
    pop ebx
    pop ebp
    retn
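The listing modelled in Python, as an added example that is not part of any post in this thread: `frame_args` maps a caller's push order onto the ebp offsets the callee reads (so it shows why the ebx pushed first in _DMXWrite ends up at [ebp+10h] inside SUB_L0040212C), `build_command` is SUB_L0040212C's six-byte buffer at L00417600, and `dmx_write` follows _DMXWrite's control flow. The names `send_cmd` (standing in for SUB_L004021F4) and `send_data` (for SUB_L004022C4), the assumption that the unseen L00402174 path yields 0, and treating the second argument as data are mine; none of those bodies is in the listing.

```python
import struct

DMX_MAX = 0x200   # cmp ebx,00000200h / mov ebx,00000200h: count is clamped to 512


def frame_args(pushes, nargs):
    """Map a caller's push sequence onto the offsets the callee reads.

    `pushes` lists the values in the order the caller pushed them, e.g.
    [ebx, 0, 0] for `push ebx; push 0; push 0`.  After `push ebp; mov ebp,esp`
    the saved ebp is at [ebp], the return address at [ebp+4] and the value
    pushed LAST at [ebp+8], so argument i lives at [ebp+8+4*i] = pushes[-1-i].
    Returns {offset: value}.
    """
    return {8 + 4 * i: pushes[-1 - i] for i in range(nargs)}


def build_command(arg1, arg2, arg3):
    """Model of SUB_L0040212C's six-byte buffer at L00417600..L00417605.

    byte arg1 ([ebp+8], low byte only), byte ~arg1, word arg2 ([ebp+0Ch]),
    word arg3 ([ebp+10h]); x86 is little-endian, hence "<BBHH".
    """
    b = arg1 & 0xFF
    return struct.pack("<BBHH", b, (~b) & 0xFF, arg2 & 0xFFFF, arg3 & 0xFFFF)


def dmx_write(count, data, send_cmd, send_data):
    """Model of _DMXWrite(count, data) following the listing's control flow.

    Two dword arguments are read ([ebp+8], [ebp+0Ch]); the function ends in a
    bare `retn` and each call is followed by `add esp,N`, so the caller cleans
    the stack (cdecl, not stdcall).  send_cmd stands in for SUB_L004021F4 and
    send_data for SUB_L004022C4 (assumed names, bodies not in the listing);
    `data` being a data-pointer second argument is also an assumption.
    """
    n = count if count <= DMX_MAX else DMX_MAX          # jle L00401FF8 / mov ebx,200h
    a = frame_args([n, 0, 0], 3)                        # push ebx; push 0; push 0
    # push L00417600; push 6; call SUB_L004021F4  ->  SUB_L004021F4(6, &buf)
    status = send_cmd(6, build_command(a[0x8], a[0xC], a[0x10]))
    if (status & 0xFF) == 0:       # test bl,bl / test al,al ; jz (L00402174 assumed -> 0)
        return 0                                        # xor eax,eax ; retn
    send_data(n, data)                                  # push [ebp+0Ch]; push ebx; call
    return n                                            # mov eax,ebx ; retn
```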
