Thread: Questions in kernel32.dll of Win98

    Questions in kernel32.dll of Win98

    I use w32dasm to disassemble the kernel32.dll of win98, and see this:

    Exported fn(): BackupRead - Ord:007Fh
    Exported fn(): BackupWrite - Ord:0081h
    Exported fn(): CallNamedPipeW - Ord:008Ah
    Exported fn(): CreateFileW - Ord:00BCh
    Exported fn(): CreateRemoteThread - Ord:00C8h
    Exported fn(): FormatMessageW - Ord:012Eh
    Exported fn(): GetNamedPipeHandleStateW - Ord:0190h
    :BFFA9B8D 33C0 xor eax, eax
    :BFFA9B8F B107 mov cl, 07
    * Reference To: KERNEL32.Ordinal:0011
    :BFFA9B91 E98377FCFF jmp BFF71319

    I don't believe these exported functions are the same, but why are their addresses
    all 0xBFFA9B8D?

    Well, it could easily be an ugly hack. Note that the function performs a jump, not a ret. Hence, it might later determine what function was actually called, without doing it straight away.

    Don't think that's the case, tho. If it's kernel32 from 98, it shouldn't be using the xxxW APIs unless memory serves me wrong. If they are not implemented, pointing them to the same dummy API wouldn't be out of the ordinary. That might be the same case with the other APIs.


    ye, that is our W9x.
    all those functions are grouped together because of the same count of stack params.
    & those functions do not work on w9x, so kernel32 will just restore the stack
    & jump back to the caller (also SetError mode).

    but why am I writing all this
    & why are you not researching yourself
    & why not in the newbie forum??

    >but why am I writing all this
    You want to help him

    Reverse the code, Reverse Your Minds First

    Now it's in the newbie forum.
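
The following Python example is added here and is not from any poster in the thread. It walks an IMAGE_EXPORT_DIRECTORY and reports every function address that is exported under more than one name, which is the pattern the first post noticed in the w32dasm listing. The input is a constructed flat buffer in which RVA equals buffer offset; the RVAs 0x1000 and 0x2000 are made up, and CreateFileA appears only as a contrasting entry with its own address.

```python
import struct
from collections import defaultdict

# IMAGE_EXPORT_DIRECTORY (40 bytes): Characteristics, TimeDateStamp, Major/Minor
# version, Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions,
# AddressOfNames, AddressOfNameOrdinals.
EXPORT_DIR = struct.Struct("<IIHHIIIIIII")

def build_sample(exports):
    """Constructed input: an export directory in a flat image where
    RVA == buffer offset. `exports` is a list of (name, function RVA)."""
    n = len(exports)
    funcs_off = EXPORT_DIR.size
    names_off = funcs_off + 4 * n
    ords_off = names_off + 4 * n
    str_off = ords_off + 2 * n
    strings, name_rvas = b"", []
    for name, _ in exports:
        name_rvas.append(str_off + len(strings))
        strings += name.encode("ascii") + b"\0"
    blob = EXPORT_DIR.pack(0, 0, 0, 0, 0, 1, n, n, funcs_off, names_off, ords_off)
    blob += struct.pack(f"<{n}I", *(rva for _, rva in exports))
    blob += struct.pack(f"<{n}I", *name_rvas)
    blob += struct.pack(f"<{n}H", *range(n))
    return blob + strings

def shared_exports(image, dir_rva=0):
    """Return {function RVA: [names]} for every RVA exported under 2+ names."""
    fields = EXPORT_DIR.unpack_from(image, dir_rva)
    n_funcs, n_names, funcs, names, ords = fields[6:]
    by_rva = defaultdict(list)
    for i in range(n_names):
        (name_rva,) = struct.unpack_from("<I", image, names + 4 * i)
        (index,) = struct.unpack_from("<H", image, ords + 2 * i)
        if index >= n_funcs:
            continue  # malformed entry: index outside AddressOfFunctions
        (func_rva,) = struct.unpack_from("<I", image, funcs + 4 * index)
        end = image.index(b"\0", name_rva)
        by_rva[func_rva].append(image[name_rva:end].decode("ascii"))
    return {rva: sorted(v) for rva, v in by_rva.items() if len(v) > 1}

# Constructed sample: three names from the listing share one made-up stub RVA.
SAMPLE = build_sample([("BackupRead", 0x1000), ("CreateFileA", 0x2000),
                       ("CreateFileW", 0x1000), ("CreateRemoteThread", 0x1000)])

if __name__ == "__main__":
    for rva, names in shared_exports(SAMPLE).items():
        print(f"RVA {rva:#x}: {', '.join(names)}")
```

On a real DLL the directory RVA comes from the PE optional header's export data directory entry, and RVAs must be translated to file offsets through the section table before the same walk applies.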


