Exetools  
  #1  
Old 09-01-2005, 16:17
Nacho_dj
Hello:

If you disassemble the code of your a.exe, you could see the imports (with W32Dasm, for instance) and there all the APIs used by the application. Then select "ExitProcess" in the import window and display it, and you will get a "call [<address of ExitProcess>]".

You could write in your new code a call like the one you have got, or a jmp to the RVA of that call.

Cheers

Nacho_dj
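Nacho_dj's method comes down to reading the import table: the `call [<address of ExitProcess>]` that W32Dasm shows goes through the Import Address Table slot the loader fills in for that API. The script below is an added example, not code from the post or from W32Dasm. It builds a constructed, minimal PE32 image inline so it runs offline, walks the import directory to resolve the IAT slot RVA and VA of every imported function, encodes the `call dword ptr [slot]` form, and finds the existing call sites that use it. The section layout, addresses and imported names of the sample image are made up for the illustration.

```python
import struct


def build_sample_pe():
    """Constructed, minimal PE32 image (not a real program): one .text section
    with an import table for KERNEL32.dll and one `call dword ptr [IAT slot]`."""
    image_base, sec_va, sec_raw, sec_size = 0x400000, 0x1000, 0x200, 0x200
    body = bytearray(sec_size)

    def put(rva, data):  # place bytes at an RVA inside the section
        body[rva - sec_va:rva - sec_va + len(data)] = data

    # IMAGE_IMPORT_DESCRIPTOR (OriginalFirstThunk, stamp, forwarder, Name, FirstThunk);
    # the zero bytes that follow it act as the terminating descriptor
    put(0x1000, struct.pack("<IIIII", 0x1030, 0, 0, 0x1070, 0x1040))
    thunks = struct.pack("<III", 0x1050, 0x1060, 0)
    put(0x1030, thunks)  # Import Name Table
    put(0x1040, thunks)  # Import Address Table (same values until the loader binds it)
    put(0x1050, b"\0\0ExitProcess\0")  # IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
    put(0x1060, b"\0\0GetStdHandle\0")
    put(0x1070, b"KERNEL32.dll\0")
    # code at RVA 0x1080: push 0 ; call dword ptr [0x401040] ; ret
    put(0x1080, b"\x6a\x00\xff\x15" + struct.pack("<I", image_base + 0x1040) + b"\xc3")

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1080)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)           # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # Section/FileAlignment
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x1000, 40)  # DataDirectory[IMPORT]
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x90, sec_va, sec_size,
                          sec_raw, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos + b"PE\0\0" + file_hdr + opt + sec_hdr)
    return headers.ljust(sec_raw, b"\0") + bytes(body)


def rva_to_offset(rva, sections):
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def read_cstr(data, offset):
    return data[offset:data.index(b"\0", offset)].decode("ascii")


def parse_pe(pe):
    """Return (image_base, sections, imports); imports maps (dll, func) to
    (IAT slot RVA, IAT slot VA). The VA is the operand of `call dword ptr [...]`."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24  # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("PE32 only; PE32+ lays the optional header out differently")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    import_rva = struct.unpack_from("<I", pe, opt + 96 + 8 * 1)[0]  # DataDirectory[1]
    sections = []
    for i in range(nsec):
        _, _, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, opt + size_opt + 40 * i)
        sections.append((va, raw_size, raw_ptr))
    imports, desc = {}, rva_to_offset(import_rva, sections)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break  # all-zero descriptor ends the list
        dll = read_cstr(pe, rva_to_offset(name_rva, sections))
        thunk = rva_to_offset(oft or ft, sections)  # names come from the INT when present
        for slot in range(4096):  # cap guards against a malformed, unterminated table
            entry = struct.unpack_from("<I", pe, thunk + 4 * slot)[0]
            if entry == 0:
                break
            if entry & 0x80000000:  # import by ordinal, no name available
                func = f"#{entry & 0xFFFF}"
            else:
                func = read_cstr(pe, rva_to_offset(entry, sections) + 2)  # skip the hint
            imports[(dll, func)] = (ft + 4 * slot, image_base + ft + 4 * slot)
        desc += 20
    return image_base, sections, imports


def indirect_call(slot_va):
    """Encode `call dword ptr [slot_va]` (FF 15 imm32), the form W32Dasm displays."""
    return b"\xff\x15" + struct.pack("<I", slot_va)


def find_call_sites(pe, sections, slot_va):
    """RVAs of every existing `call dword ptr [slot_va]` in the section data."""
    pattern, hits = indirect_call(slot_va), []
    for va, raw_size, raw_ptr in sections:
        data, pos = pe[raw_ptr:raw_ptr + raw_size], 0
        while (pos := data.find(pattern, pos)) != -1:
            hits.append(va + pos)
            pos += 1
    return hits


if __name__ == "__main__":
    pe = build_sample_pe()
    base, sections, imports = parse_pe(pe)
    slot_rva, slot_va = imports[("KERNEL32.dll", "ExitProcess")]
    print(f"ExitProcess IAT slot: RVA {slot_rva:#x}, VA {slot_va:#x}")
    print("call encoding:", indirect_call(slot_va).hex(" "))
    print("existing call sites:", [f"{r:#x}" for r in find_call_sites(pe, sections, slot_va)])
```

The absolute VA in `FF 15 imm32` is only right when the image loads at its preferred ImageBase; a relocated image needs the slot RVA added to the actual base instead, which is why the parser returns both.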
  #2  
Old 09-01-2005, 20:26
MaRKuS-DJM
you don't need an API.
MOV EAX,101      ; system service number (NtTerminateProcess on Windows XP; the number is version specific)
PUSH 0           ; exit code
PUSH -1          ; handle -1 = the current process
MOV EDX,ESP      ; EDX -> argument list on the stack
INT 2E           ; NT system call gate

Code directly converted in short form from Debug Me 0.2 / Teerayoot.
  #3  
Old 09-02-2005, 16:53
SnipER.UA
Quote:
Originally Posted by MaRKuS-DJM
you don't need an API.
MOV EAX,101
PUSH 0 (exit code)
PUSH -1
MOV EDX,ESP
INT 2E
Very interesting, but does this code work on Windows 9x? I think not. Maybe INT 20 (VxDCall) is usable for this...
Interrupts are platform dependent, and using a call to ExitProcess is much more versatile. Interrupts are good for avoiding fast detection, 'cause I look first for some API call or SEH usage but not for INTs.
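SnipER.UA's remark is a detection point: a triage pass that only looks for API calls or SEH setup misses a stub that enters the kernel through INT 2E. The scanner below is an added example, not code from the thread. Written in Python, it takes raw code bytes, flags INT 2Eh and SYSENTER instructions, recovers the service number from the preceding `mov eax, imm32`, and lists the ordinary `call dword ptr [imm32]` imports for comparison, so a block of code with no API call but a direct kernel gate still stands out. The sample bytes are MaRKuS-DJM's stub assembled by hand plus one constructed import call; the IAT address 0x401040 is made up.

```python
import struct

# Constructed sample (not bytes from the thread): MaRKuS-DJM's stub assembled by hand,
# followed by an ordinary import call `push 0 ; call dword ptr [0x401040]`; the IAT
# address 0x401040 is made up for this illustration.
SAMPLE_CODE = bytes.fromhex(
    "B8 01 01 00 00"      # mov eax, 101h   ; service number
    "6A 00"               # push 0
    "6A FF"               # push -1
    "8B D4"               # mov edx, esp
    "CD 2E"               # int 2Eh
    "6A 00"               # push 0
    "FF 15 40 10 40 00"   # call dword ptr [0x401040]
)

# Two-byte encodings of the user-to-kernel gates on 32-bit Windows
SYSCALL_GATES = {b"\xcd\x2e": "int 2Eh", b"\x0f\x34": "sysenter"}


def find_syscall_gates(code, window=16):
    """Return (offset, mnemonic, service_number) for each direct kernel gate.

    The service number is taken from the closest preceding `mov eax, imm32`
    (opcode B8) within `window` bytes, the way every NT syscall stub loads it;
    None means no such load was found. This is byte matching, not disassembly,
    so a hit inside immediate data is possible: treat results as leads to confirm.
    """
    hits = []
    for i in range(len(code) - 1):
        gate = SYSCALL_GATES.get(code[i:i + 2])
        if gate is None:
            continue
        service = None
        pos = code.rfind(b"\xb8", max(0, i - window), i)
        if pos != -1 and pos + 5 <= i:  # the full 5-byte mov must end before the gate
            service = struct.unpack_from("<I", code, pos + 1)[0]
        hits.append((i, gate, service))
    return hits


def find_iat_calls(code):
    """Offsets of `call dword ptr [imm32]` (FF 15): the API calls a quick triage finds."""
    return [i for i in range(len(code) - 5) if code[i:i + 2] == b"\xff\x15"]


def triage(code):
    """Summarise both kinds of exit path so a stub with no API call still stands out."""
    gates = find_syscall_gates(code)
    return {
        "iat_calls": find_iat_calls(code),
        "syscall_gates": gates,
        "direct_syscall": bool(gates),
    }


if __name__ == "__main__":
    for off, gate, svc in find_syscall_gates(SAMPLE_CODE):
        detail = f", service {svc:#x}" if svc is not None else ""
        print(f"{off:#06x}: {gate}{detail}")
    print("IAT calls at", [f"{o:#x}" for o in find_iat_calls(SAMPLE_CODE)])
```

The recovered service number is only meaningful together with the Windows version the sample targets, since the system service table is renumbered between releases; the scanner reports the raw value and leaves that lookup to the analyst.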
  #4  
Old 09-02-2005, 16:59
MaRKuS-DJM
Yeah, I forgot to mention this only works on NT-based systems. Windows ME, for example, will show you the blue screen of death: also a way to get the application to shut down, but not very nice.