
Thread: The Point-R technique

  1. #16
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,487
    Blog Entries
    15
    Quote Originally Posted by blurcode View Post
    1up to JMI, btw does anyone know how hmemcpy was found (was it found in a manual, told by some Microsoft programmer, etc.)?

    What was the purpose of the hPrevInstance parameter to WinMain?
    Once your average GUI program picks itself up off the ground, control begins at your WinMain function. The second parameter, hPrevInstance, is always zero in Win32 programs. Certainly it had a meaning at some point?

    Of course it did.

    In 16-bit Windows there was a function called GetInstanceData. This function took an HINSTANCE, a pointer, and a length, and copied memory from that instance into your current instance. (It's sort of the 16-bit equivalent to ReadProcessMemory, with the restriction that the second and third parameters had to be the same.)

    (Since 16-bit Windows had a common address space, the GetInstanceData function was really nothing more than a hmemcpy, and many programs relied on this and just used raw hmemcpy instead of using the documented API. Win16 was actually designed with the possibility of imposing separate address spaces in a future version - observe flags like GMEM_SHARED - but the prevalence of tricks like hmemcpy'ing your previous instance reduced this potential to an unrealized dream.)
    always ask raymond these odd questions, he has an answer all the time

    http://blogs.msdn.com/oldnewthing/archive/2004/06/15/156022.aspx

    it is a documented? undocumented? whoknowsmented API

    you can find references to this API in some VB version 2.0 code in MSDN

    Code:
    ' Destination buffer passed by reference, source address passed by value
    Declare Sub hmemcpy Lib "kernel" (hpvDest As Any, ByVal hpvSource As Any, ByVal cbCopy As Long)
    ' Same entry point under a second name, both buffers passed by reference
    Declare Sub hmemcpy2 Lib "kernel" Alias "hmemcpy" (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long)
    http://support.microsoft.com/kb/119395

    it's an internal non-exported function i believe that ends up in ntdll in later OSes under the name RtlCopyMemory or RtlMoveMemory

    A little research found another MSDN article taken from Bruce McKinney's excellent book "Hardcore Visual Basic". If you can find a copy, then you can follow the trail to Bruce McKinney's replacement for hmemcpy() - CopyMemory(). This is defined as an "alias" for the RtlMoveMemory() function that resides in the Kernel32 library. Bruce gets all of the credit for this and thus for most of what follows, excluding any mistakes - these are all mine.

    The code below can be downloaded (with a demonstration screen) as a zip file by clicking here (3 KB). Instructions for the demo can be found towards the end of this page.

    In order to use the following functions you will need to declare the following

    Declare Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" _
        (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long)
    http://www.adit.co.uk/html/numbers.html
    Last edited by blabberer; November 1st, 2007 at 10:30.
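    The two names that come up in this post, a raw hmemcpy-style copy and the RtlMoveMemory that CopyMemory is aliased to, behave differently only when the source and destination overlap, which is exactly the situation a copy within one address space can produce. The C below is an added example, not code from the thread, the KB article or the adit.co.uk page; naive_copy and overlap_safe_copy are hypothetical stand-ins written here to mirror memcpy-style and memmove-style (RtlMoveMemory) semantics, and the "ABCDEFGH" buffer is a constructed sample.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical stand-in: a plain forward byte copy, the memcpy-style
 * behaviour a raw copy gives when its regions overlap. */
static void naive_copy(void *dst, const void *src, size_t n)
{
    unsigned char *d = dst;
    const unsigned char *s = src;
    for (size_t i = 0; i < n; i++)
        d[i] = s[i];
}

/* Hypothetical stand-in for memmove semantics (what RtlMoveMemory, the
 * target of the CopyMemory alias, provides): when the destination starts
 * inside the source range, copy backwards so every byte is read before it
 * is overwritten. */
static void overlap_safe_copy(void *dst, const void *src, size_t n)
{
    unsigned char *d = dst;
    const unsigned char *s = src;
    if (d == s || n == 0)
        return;
    if (d < s || d >= s + n) {
        for (size_t i = 0; i < n; i++)      /* forward copy is safe */
            d[i] = s[i];
    } else {
        for (size_t i = n; i > 0; i--)      /* backward copy for overlap */
            d[i - 1] = s[i - 1];
    }
}

/* Shift the first six bytes of a constructed sample buffer two places to the
 * right with the given copier and return the resulting string. */
static const char *shift_result(void (*copier)(void *, const void *, size_t))
{
    static char buf[9];
    memcpy(buf, "ABCDEFGH", 9);   /* constructed sample input */
    copier(buf + 2, buf, 6);      /* destination overlaps source by four bytes */
    return buf;
}

/* 1 if the copier agrees with the C library's memmove on the sample. */
static int matches_memmove(void (*copier)(void *, const void *, size_t))
{
    char want[9] = "ABCDEFGH";
    memmove(want + 2, want, 6);
    return strcmp(shift_result(copier), want) == 0;
}

int main(void)
{
    printf("naive_copy        : %s\n", shift_result(naive_copy));
    printf("overlap_safe_copy : %s\n", shift_result(overlap_safe_copy));
    printf("safe copy matches memmove: %d\n", matches_memmove(overlap_safe_copy));
    return 0;
}
```

The forward copy turns the sample into "ABABABAB" because it reads bytes it has already overwritten, while the backward copy yields the intended "ABABCDEF". This is why an alias onto the move variant is the safer default when a copy routine is used as a general-purpose memory mover and the caller cannot guarantee disjoint buffers.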

  2. #17
    Registered User
    Join Date
    Aug 2005
    Location
    Greece
    Posts
    157
    Also thanks blabberer, I visited the first site after searching on Google but did poor reading (fast reading actually, but it was poor also); I've seen the Visual Basic code in the search results and skipped it ermmm because it was Visual Basic, shame on me
    A picture worth 1K words (or .5K DWORDS).

  3. #18

    some IDC tips :-)

    Hey upb (greets from another time and place),

    I realize you're taking the piss, but:

    Message(form("\nPoint-R at 0x%08X!\n", r));

    Message is already a variadic function, there's no need to call form(). E.g. this is functionally equivalent:

    Message("\nPoint-R at 0x%08X!\n", r);

    And furthermore, if you do this:

    Message("%lx: Point-R!\n", r);

    You will be able to double-click that line in IDA's status window to jump there immediately.

  4. #19
    Registered User upb's Avatar
    Join Date
    May 2003
    Posts
    50
    Blog Entries
    4
    Quote Originally Posted by habituallurker View Post
    Hey upb (greets from another time and place),
    hmmmmmmmm ?:P:P I knew you couldn't resist :P

    Thx for the advice
    Last edited by upb; November 6th, 2007 at 17:49.
    “The key to understanding complicated things is to know what not to look at and what not to compute and what not to think.”

  5. #20
    Quote Originally Posted by blurcode View Post
    Also thanks blabberer, I visited the first site after searching on Google but did poor reading (fast reading actually, but it was poor also); I've seen the Visual Basic code in the search results and skipped it ermmm because it was Visual Basic, shame on me
    I do it too. It certainly is annoying to see loads of VB crap in the SERPs when all you want to do is find something in C/C++. I suppose ignoring them is just a habit that forms over time if you're not a VB "programmer".
