  1. #1
    Toymaker's Avatar

    Daily Dose of Assembly

    In this thread I will administer a dose of assembly education each day. This is not a game hacking or assembly programming tutorial; it is, however, practical concepts you can apply...

    Day 1:

    Introduction:

    On the Windows platform, there are modules naturally in an active process, i.e. kernel32.dll, without which your software could not exit properly (the API known as ExitProcess). Your CPU assigns a new memory space per request, on application load, but still allows accessibility to such functions.

    Not only can you call them in your programs, such as exit(0); in C++ or invoke ExitProcess,0 in MASM, but you can also at any point in time make use of them in your hacks or debugging sessions.

    Practical Uses:

    • Your own hot keys in your hacks
    • Your own exception/error handling
    • Defeating game's own limitations
    • Simulating Key Syncs


    HowTo: Manipulate ExitProcess:

    I have created a quick example program in C++ (as it looks the cleanest in disassembly) in which I use exit(0); (which calls Kernel32.ExitProcess). You'll notice in both programmatic examples I've given, there is one parameter to it, and it's 0. Anyway, it looks like this:

    Code:
    004013C6  |. C70424 00000000         MOV DWORD PTR SS:[ESP],0                         ; |
    004013CD  |. E8 8EF20000             CALL <JMP.&msvcrt.exit>                          ; exit

    If you try using a CALL EXITPROCESS yourself, you'll notice the address that commonly represents that <JMP.&msvcrt.exit> is 7C81CDEA but may vary. Anyway, it is basically all the same. You establish the one parameter and then call the ExitProcess function, to which it is passed. Therefore, you can add...

    Code:
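    mov dword ptr [esp],0   ; write the exit code to the stack slot at [ESP], as in the disassembly (not into ESP itself)
    call ExitProcess        ; kernel32.dll: terminates the process with that exit code

    ...to your hacks and force a termination of execution. You could also try a CMP to detect the last key pressed, etc. If you are interested in how to use the ESCAPE key as a hotkey, you can look up which parameter / value represents the ESC_Key and pass it to the GetKeySync function: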

    Code:
    004013BA  |> C70424 1B000000         /MOV DWORD PTR SS:[ESP],1B                             ; |
    004013C1  |. E8 0AF50000             |CALL <JMP.&USER32.GetKeyState>                        ; GetKeyState
    Code:
    mov dword ptr [esp],1b  ; write the key code (1B hex) to the stack slot at [ESP], not into ESP itself
    call GetKeyState        ; the user32.dll function shown in the disassembly above

    ...although it's actually in user32.dll, another example pre-process module. If you wonder why [ESP] is used, it's because it handles the last information for going to and returning from a CALL. It's part of the stack / unique memory space I mentioned, in a sense. That concludes the daily dose of assembly for June 03 2009. Tomorrow will come another, but someone should reply so I don't have to double post and we can keep this thread alive, lawl.
    Last edited by Toymaker; 06-04-2009 at 04:28 PM.
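
The disassembly in the post stores the argument with MOV DWORD PTR SS:[ESP],..., a write to the memory ESP points at, which is not the same as loading a value into ESP itself. The C model below is an added example, not part of the original post, showing what a callee reads in each case; the stack addresses, the return address and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal model of a 32-bit stack: constructed addresses, not a real process. */
#define STACK_BASE  0x0012FF00u
#define STACK_WORDS 16

typedef struct { uint32_t esp; uint32_t mem[STACK_WORDS]; } Cpu;

/* Translate an address to a stack slot; NULL models an access violation. */
static uint32_t *slot(Cpu *c, uint32_t addr) {
    uint32_t off = addr - STACK_BASE;
    if (addr < STACK_BASE || off % 4 != 0 || off / 4 >= STACK_WORDS) return NULL;
    return &c->mem[off / 4];
}

/* CALL pushes the return address; the callee then finds argument 1 at [esp+4]. */
static int call_read_arg(Cpu *c, uint32_t *arg) {
    uint32_t *p;
    c->esp -= 4;
    if ((p = slot(c, c->esp)) == NULL) return -1;
    *p = 0x004013D2u;                 /* return address (constructed) */
    if ((p = slot(c, c->esp + 4)) == NULL) return -1;
    *arg = *p;
    return 0;
}

/* mov dword ptr [esp],value ; call f  -> returns 0 and *arg == value */
int store_then_call(uint32_t value, uint32_t *arg) {
    Cpu c = { STACK_BASE + 8 * 4, {0} };
    *slot(&c, c.esp) = value;         /* memory write; ESP itself is unchanged */
    return call_read_arg(&c, arg);
}

/* mov esp,value ; call f  -> ESP leaves the stack, the push faults, returns -1 */
int load_esp_then_call(uint32_t value, uint32_t *arg) {
    Cpu c = { STACK_BASE + 8 * 4, {0} };
    c.esp = value;                    /* register overwrite; no argument is stored */
    return call_read_arg(&c, arg);
}

int main(void) {
    uint32_t arg = 0xFFFFFFFFu;
    int rc = store_then_call(0x1B, &arg);
    printf("mov [esp],1B ; call -> rc=%d, callee sees %X\n", rc, (unsigned)arg);
    rc = load_esp_then_call(0x1B, &arg);
    printf("mov esp,1B   ; call -> rc=%d (fault)\n", rc);
    return 0;
}
```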
