I cut the opcode and Mnemonics from their dissassembler and pasted into an array in AHK(see script).
The Debug is needed at first to get offsets into the Masm, just paste into an empty file.
Go here for Masm: https://www.masm32.com/board/index.php
Modal dialog box from "DialogBoxIndirectParamW" in memory.
Code: Select all
#Include MsOpCodes.ahk
;Debug := "`n"
;Windows Constants
WS_VISIBLE := 0x10000000
WS_CHILD := 0x40000000
WS_OVERLAPPEDWINDOW := 0x00C00000|0x00030000|0x00080000
DS_CENTER := 0x0800
DS_SETFONT := 0x0040
WS_EX_DLGMODALFRAME := 1
BS_CENTER := 0x0300
BS_DEFPUSHBUTTON := 1
SS_CENTER := 1
;Win32 API Calls
WinApi := ["CreateSolidBrush","SetBkMode","SetTextColor","DestroyWindow","DialogBoxIndirectParamW","LoadIconW","SendMessageW","ExitProcess"
,"GlobalAlloc","GlobalFree","MultiByteToWideChar"]
WinLib := ["gdi32","user32","kernel32"]
WinBuf := [],WinPtr := [],ndx := 0
;Build API Ptrs
Loop WinApi.Length{
WinBuf.Push Buffer(4,0)
WinPtr.Push Hex(Swap(WinBuf[A_Index].Ptr))
Switch A_Index{
Case 1,2,3:
ndx := 1
Case 4,5,6,7:
ndx := 2
Default:
ndx := 3
}
NumPut "ptr",DllCall("GetProcAddress","ptr",DllCall("LoadLibrary","str",WinLib[ndx],"ptr"),"astr",WinApi[A_Index],"ptr"),WinBuf[A_Index]
}
;Dialog Text Data
TextBuf := [],TextPtr := []
Text := ["In Memory Dialog Box AutoHotkey " A_AhkVersion,"Indirect Dialog Box Written In MS-ASM32","Times New Roman","Q u i t"]
;Dialog Title
;Static Control Text
;Font Name
;Button Text
;Build Text Sizes And Ptrs
Loop Text.Length{
TextBuf.Push Buffer(StrPut(Text[A_Index]),0) ;Text Buffer
StrPut Text[A_Index],TextBuf[A_Index],"cp0" ;Update Buffer
TextPtr.Push Hex(TextBuf[A_Index].Size,2) ;Text Size [1][3][5][7]
TextPtr.Push Hex(Swap(TextBuf[A_Index].Ptr)) ;Text Ptr [2][4][6][8]
}
;Dialog Memory Data
pBrush := Buffer(4,0) ;Brush Buffer
MemData := [Hex(Swap(512)),Hex(Swap(16,2),4),Hex(Swap(43978)),Hex(Swap(0xFF0000)),Hex(Swap(0x00FFFF)),Hex(Swap(pBrush.Ptr)),139]
;Dialog Memory Size
;Font Size
;Points to DLGPROC CallBack CAAB0000=43978 Replaced With pAsm.Ptr
;Background Color
;Text Color
;Brush Ptr
;Start Main OffSet - Added to pAsm.Ptr On Call
;DLGTEMPLATE structure
DialogIO := [Hex(Swap(DS_SETFONT|DS_CENTER|WS_OVERLAPPEDWINDOW)), ;Win Styles
Hex(Swap(WS_EX_DLGMODALFRAME)), ;Win EX Styles
Hex(Swap(2,2),4), ;Control Count
Hex(0,4), ;Left
Hex(0,4), ;Top
Hex(Swap(150,2),4), ;Width
Hex(Swap(100,2),4)] ;Height
;DLGITEMTEMPLATE structure
ControlIO := [Hex(Swap(WS_VISIBLE|WS_CHILD|BS_CENTER|BS_DEFPUSHBUTTON)), ;Button Styles
Hex(0), ;Button EX Styles
Hex(Swap(100,2),4), ;Left
Hex(Swap(65,2),4), ;Top
Hex(Swap(30,2),4), ;Width
Hex(Swap(20,2),4), ;Height
Hex(Swap(69,2),4), ;Button Id
Hex(Swap(WS_VISIBLE|WS_CHILD|SS_CENTER)), ;Static Styles
Hex(0), ;Static EX Styles
Hex(Swap(2,2),4), ;Left
Hex(Swap(20,2),4), ;Top
Hex(Swap(140,2),4), ;Width
Hex(Swap(9,2),4), ;Height
Hex(Swap(70,2),4)] ;Static Id
;Indirect Dialog Box Written In MS-ASM32
OpCodes := [
;Points to DLGPROC CallBack CAAB0000=43978 Replaced With pAsm.Ptr
["55", "push ebp"],
["8BEC", "mov ebp,esp"],
["8B450C", "mov eax,[ebp+0Ch]"],
["3D10010000", "cmp eax,110h"],
["752D", "jnz loc_0040103A"],
["68" MemData[4], "push " MemData[4]],
["E8C1010000", "call jmp_CreateSolidBrush"],
["A3" MemData[6], "mov " MemData[6] ",eax"],
["68047F0000", "push 7F04h"],
["6A00", "push 0"],
["E8CE010000", "call jmp_LoadIconW"],
["50", "push eax"],
["6A01", "push 1"],
["6880000000", "push 80h"],
["FF7508", "push dword ptr [ebp+8]"],
["E8C4010000", "call jmp_SendMessageW"],
["EB4B", "jmp loc_00401085"],
;loc_0040103A:
["3D11010000", "cmp eax,111h"],
["7516", "jnz loc_00401057"],
["837D1002", "cmp dword ptr [ebp+10h],2"],
["7406", "jz loc_0040104D"],
["837D1045", "cmp dword ptr [ebp+10h],45h"],
["7538", "jnz loc_00401085"],
;loc_0040104D:
["FF7508", "push dword ptr [ebp+8]"],
["E895010000", "call jmp_DestroyWindow"],
["EB2E", "jmp loc_00401085"],
;loc_00401057:
["3D38010000", "cmp eax,138h"],
["7407", "jz loc_00401065"],
["3D36010000", "cmp eax,136h"],
["7520", "jnz loc_00401085"],
;loc_00401065:
["6A01", "push 1"],
["FF7510", "push dword ptr [ebp+10h]"],
["E86F010000", "call jmp_SetBkMode"],
["68" MemData[5], "push " MemData[3]],
["FF7510", "push dword ptr [ebp+10h]"],
["E868010000", "call jmp_SetTextColor"],
["A1" MemData[6], "mov eax," MemData[4]],
["C9", "leave "],
["C21000", "ret 10h"],
;loc_00401085:
["33C0", "xor eax,eax"],
["C9", "leave "],
["C21000", "ret 10h"],
;Start Main OffSet - Added to pAsm.Ptr
["68" MemData[1], "push " MemData[1]],
["6A40", "push 40h"],
["E871010000", "call jmp_GlobalAlloc"],
["8BF0", "mov esi,eax"],
["8BFE", "mov edi,esi"],
;Setup Dialog Box
["C707" DialogIO[1], "mov dword ptr [edi]," DialogIO[1]],
["C74704" DialogIO[2], "mov dword ptr [edi+4]," DialogIO[2]],
["66C74708" DialogIO[3], "mov word ptr [edi+8]," DialogIO[3]],
["66C7470A" DialogIO[4], "mov word ptr [edi+0Ah]" DialogIO[4]],
["66C7470C" DialogIO[5], "mov word ptr [edi+0Ch]," DialogIO[5]],
["66C7470E" DialogIO[6], "mov word ptr [edi+0Eh]," DialogIO[6]],
["66C74710" DialogIO[7], "mov word ptr [edi+10h]," DialogIO[7]],
["83C716", "add edi,16h"],
["6A" TextPtr[1], "push " TextPtr[1]],
["57", "push edi"],
["6AFF", "push -1"],
["68" TextPtr[2], "push offset " TextPtr[2]],
["6A01", "push 1"],
["6A00", "push 0"],
["E838010000", "call jmp_MultiByteToWideChar"],
["83C74E", "add edi,4Eh"],
["66C707" MemData[2], "mov word ptr [edi]," MemData[2]],
["83C702", "add edi,2"],
["6A" TextPtr[5], "push " TextPtr[5]],
["57", "push edi"],
["6AFF", "push -1"],
["68" TextPtr[6], "push offset " TextPtr[6]],
["6A01", "push 1"],
["6A00", "push 0"],
["E81A010000", "call jmp_MultiByteToWideChar"],
["83C720", "add edi,20h"],
["83C703", "add edi,3"],
["83E7FC", "and edi,-4"],
;Setup Button Control
["C707" ControlIO[1], "mov dword ptr [edi]," ControlIO[1]],
["C74704" ControlIO[2], "mov dword ptr [edi+4]," ControlIO[2]],
["66C74708" ControlIO[3], "mov word ptr [edi+8]," ControlIO[3]],
["66C7470A" ControlIO[4], "mov word ptr [edi+0Ah]," ControlIO[4]],
["66C7470C" ControlIO[5], "mov word ptr [edi+0Ch]," ControlIO[5]],
["66C7470E" ControlIO[6], "mov word ptr [edi+0Eh]," ControlIO[6]],
["66C74710" ControlIO[7], "mov word ptr [edi+10h]," ControlIO[7]],
["66C74712FFFF", "mov word ptr [edi+12h],0FFFFh"],
["66C747148000", "mov word ptr [edi+14h],80h"],
["83C716", "add edi,16h"],
["6A" TextPtr[7], "push " TextPtr[7]],
["57", "push edi"],
["6AFF", "push -1"],
["68" TextPtr[8], "push offset " TextPtr[8]],
["6A01", "push 1"],
["6A00", "push 0"],
["E8C4000000", "call jmp_MultiByteToWideChar"],
["83C710", "add edi,10h"],
["83C701", "add edi,1"],
["83E7FE", "and edi,-2"],
["83C702", "add edi,2"],
["83C703", "add edi,3"],
["83E7FC", "and edi,-4"],
;Setup Static Control
["C707" ControlIO[8], "mov dword ptr [edi]," ControlIO[8]],
["C74704" ControlIO[9], "mov dword ptr [edi+4]," ControlIO[9]],
["66C74708" ControlIO[10], "mov word ptr [edi+8]," ControlIO[10]],
["66C7470A" ControlIO[11], "mov word ptr [edi+0Ah]," ControlIO[11]],
["66C7470C" ControlIO[12], "mov word ptr [edi+0Ch]," ControlIO[12]],
["66C7470E" ControlIO[13], "mov word ptr [edi+0Eh]," ControlIO[13]],
["66C74710" ControlIO[14], "mov word ptr [edi+10h]," ControlIO[14]],
["66C74712FFFF", "mov word ptr [edi+12h],0FFFFh"],
["66C747148200", "mov word ptr [edi+14h],82h"],
["83C716", "add edi,16h"],
["6A" TextPtr[3], "push " TextPtr[3]],
["57", "push edi"],
["6AFF", "push -1"],
["68" TextPtr[4], "push offset " TextPtr[4]],
["6A01", "push 1"],
["6A00", "push 0"],
["E865000000", "call jmp_MultiByteToWideChar"],
["83C750", "add edi,50h"],
["83C701", "add edi,1"],
["83E7FE", "and edi,-2"],
["83C702", "add edi,2"],
["6A00", "push 0"],
;Points to DLGPROC CallBack CAAB0000=43978 Replaced With pAsm.Ptr
["68" MemData[3], "push offset " MemData[3]],
["6A00", "push 0"],
["56", "push esi"],
["6A00", "push 0"],
["E824000000", "call jmp_DialogBoxIndirectParamW"],
["56", "push esi"],
["E83C000000", "call jmp_GetModuleHandleW"],
["50", "push eax"],
["E82A000000", "call jmp_ExitProcess"],
;jmp_CreateSolidBrush:
["FF25" WinPtr[1], "jmp dword ptr " WinPtr[1]],
;jmp_SetBkMode:
["FF25" WinPtr[2], "jmp dword ptr " WinPtr[2]],
;jmp_SetTextColor:
["FF25" WinPtr[3], "jmp dword ptr " WinPtr[3]],
;jmp_DestroyWindow:
["FF25" WinPtr[4], "jmp dword ptr " WinPtr[4]],
;jmp_DialogBoxIndirectParamW
["FF25" WinPtr[5], "jmp dword ptr " WinPtr[5]],
;jmp_LoadIconW:
["FF25" WinPtr[6], "jmp dword ptr " WinPtr[6]],
;jmp_SendMessageW:
["FF25" WinPtr[7], "jmp dword ptr " WinPtr[7]],
;jmp_ExitProcess:
["FF25" WinPtr[8], "jmp dword ptr " WinPtr[8]],
;jmp_GlobalAlloc:
["FF25" WinPtr[9], "jmp dword ptr " WinPtr[9]],
;GlobalFree:
["FF25" WinPtr[10], "jmp dword ptr " WinPtr[10]],
;jmp_MultiByteToWideChar:
["FF25" WinPtr[11], "jmp dword ptr " WinPtr[11]]]
;SetUp OpCodes
SetUp_OpCodes
;Call Asm
DllCall pAsm.Ptr+MemData[MemData.Length]
Code: Select all
Hex(val,iSize:=8){
Switch iSize{
Case 4:
Return SubStr(Format("{:04X}",val),-4)
Case 2:
Return SubStr(Format("{:02X}",val),-2)
Case 8:
Return SubStr(Format("{:08X}",val),-8)
Case 16:
Return SubStr(Format("{:016X}",val),-16)
}
}
Swap(val,iSize:=4){
Switch iSize{
Case 4:
Return (((val>>24)&0x000000FF)|((val>>8)&0x0000FF00)|((val<<8)&0x00FF0000)|((val<<24)&0xFF000000))
Case 2:
Return (((val>>8)&0x00FF)|((val<<8)&0xFF00))
Case 8,16:
val := ((val<<8)&0xFF00FF00FF00FF00)|((val>>8)&0x00FF00FF00FF00FF)
val := ((val<<16)&0xFFFF0000FFFF0000)|((val>>16)&0x0000FFFF0000FFFF)
Return (val<<32)|((val>>32)&0xFFFFFFFF)
}
}
;For Debug
I_Pad(iLen,Pad){
io := ""
Loop (Pad-iLen)
io .= A_Space
Return io
}
SetUp_OpCodes(){
Global
Loop OpCodes.Length{
AsmCode .= OpCodes[A_Index][1]
If(Debug){
OffSet += StrLen(OpCodes[A_Index][1])//2
A_Clipboard .= OpCodes[A_Index][1] I_Pad(StrLen(OpCodes[A_Index][1]),25) OpCodes[A_Index][2] I_Pad(StrLen(OpCodes[A_Index][2]),45) OffSet DeBug
}
}
pAsm := Buffer(StrLen(AsmCode)//2,0)
AsmCode := StrReplace(AsmCode,"CAAB0000",Hex(Swap(pAsm.Ptr)))
If(Debug){
A_Clipboard := StrReplace(A_Clipboard,"CAAB0000",Hex(Swap(pAsm.Ptr)))
ExitApp
}
Loop pAsm.Size
NumPut "char","0x" SubStr(AsmCode,2*A_Index-1,2),pAsm,A_Index-1
}
;Global Vars
AsmCode := Debug := A_Clipboard := pAsm := "",OffSet := 0
