Hi guys, needed same lil help to move same structures in ASM like :

1)Question:

003045B0 . 47 65 74 50 72 6F 63 65 73 73 48 65 61 70 00 ASCII "GetProcessHeap",0

moving this to for example same NOP byte like :
00407650 90 NOP
00407660 90 NOP
00407661 90 NOP

How can i move this ?

2)Question:

How can i move this big function (check the image under) ? ,where is the comments there is a structure i think ,how can i move all that small piece of code ,just for example so i can understand better this



here the Text version with expressions:
00305561 |. 6A 00 PUSH 0 ; /pModule = NULL
00305563 |. FF15 04104000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA

3)Question:

For example how is possible to rewrite this funtion in assemble mode :

CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>]

?



Thanks so much in advance
cheers
iNNos

| Сообщение посчитали полезным:

What do you mean by termin "structure"? In your examples are usual API-functions, but not structures...

iNNos ?????:
3)Question:

For example how is possible to rewrite this funtion in assemble mode :

CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>]
About this, - for calling in assembly language program you can use this construction

invoke GetModuleHandle, ADDR lpModuleName,

where lpModuleName - address of module name to return handle for.
For detailed information read "Win32 Programmer's Reference".

-----
Программист SkyNet

| Сообщение посчитали полезным:

Hi FrenFolio ,yes i was meaning API structure/functions ,my english isn't so good srry ,then really thanks for the explaination of the 3* question ,i have understood quite well ,i'm reading the ebook you seggest me "Win32 Programmer's Reference" ,hope sameone will help me also with the previous 2 questions .
thanks so much in advance
cheers
iNNos

| Сообщение посчитали полезным:

00305561 |. 6A 00 PUSH 0 ; /pModule = NULL
00305563 |. FF15 04104000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ;

Indeed it's the same as:

call dword ptr [addr_func],

and also you can poke this bytes (FF15 04104000) (and push 0 too) anywhere - the command'd the same.

-----
The one derivative you manage is the one I abhore (c) Slipknot

| Сообщение посчитали полезным:

Thanks so much guys ,
just last question about this :
[quote]
and also you can poke this bytes (FF15 04104000) (and push 0 too) anywhere - the command'd the same.[/quote]

What mean exactly that ? didnt understood this ,like what mean "you can poke this bytes" ?
Only this didnt understood
Thanks again
/iNNos/

| Сообщение посчитали полезным:

iNNos ?????:
What mean exactly that ? didnt understood this ,like what mean "you can poke this bytes" ?

Expression "you can poke this bytes" means you must simply change these bytes to 90.
For this goal you can use any HEX-editor or debugger OllyDbg. Just find the signature "6A 00 FF 15 04 10 40 00" and change each byte to 90.
Opcode "90" equals to command NOP - "empty" command, which force the processor do no operations.

-----
Программист SkyNet

| Сообщение посчитали полезным:

Ok guys now all is okay thanks Chingachguk & FrenFolio for explainations ;)

| Сообщение посчитали полезным: