
I use IDA Pro to disassemble SPEC 2006 binaries on Windows 7 32 bit.

It generates a variable declared like this:

aKernel32_dll_0 unicode 0, <KERNEL32.DLL>,0

In the .text section, I find usage of this variable like this:

push    offset aKernel32_dll_0
call    ds:__imp__GetModuleHandleW@4
......

What I am trying to do is reassemble this code/data.

So my questions are:

  1. So basically a declaration like **aKernel32_dll_0 unicode 0, <KERNEL32.DLL>,0** cannot be directly reassembled by masm/nasm; how should I adjust it?

  2. I simply adjust it into aKernel32_dll_0 dd 0 and the code is like this:

[image]

and it would run into a strange situation every time after call ds:__imp__GetModuleHandleW@4

Compared to the original binary using Ollydbg:

[image]

So it seems that aKernel32_dll_0 is actually an extern variable? So is the correct way to delete the declaration and declare this variable as extern? If so, then what is the name of this variable? I don't think it is aKernel32_dll_0 as it looks like a random name generated by IDA Pro.

Could anyone give me some help? Thank you!

lllllllllllll

1 Answer


You could of course just copy whatever bytes are there in your source material as a DB array. That said, we know GetModuleHandleW takes a Unicode module name as argument. In nasm syntax it could look like:

aKernel32_dll_0 DW __utf16__('KERNEL32.DLL'), 0
Jester
  • `masm` doesn't seem to support utf16 out of the box, but there are macro libraries that do. For this simple ascii string however you can just insert 0 bytes manually, like `aKernel32_dll_0 DB 'K', 0, 'E', 0 ...` you get the idea. Should end with 3 zeroes (one is the high byte of the last wchar, the other two are the terminators). Or, you could store this as ansi and switch the function call to use `GetModuleHandleA`. – Jester Feb 24 '14 at 14:41
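As an added illustration of the answer and the comment above (this is not code from the question or the answer), the small converter below turns an IDA `unicode 0, <TEXT>,0` line into the NASM `DW __utf16__(...)` form and the hand-interleaved MASM `DB` form, then assembles the `DB` operand list back into bytes to confirm it matches a UTF-16LE string with a wide NUL terminator (the "three trailing zeroes" the comment describes). The regex for IDA's directive and the ASCII-only restriction are assumptions made for this example.

```python
import re

# Assumed shape of IDA's data-definition line, e.g.
#   aKernel32_dll_0 unicode 0, <KERNEL32.DLL>,0
IDA_UNICODE_RE = re.compile(
    r"^(?P<label>\w+)\s+unicode\s+0,\s*<(?P<text>[^>]*)>\s*,\s*0\s*$"
)


def parse_ida_unicode(line):
    """Return (label, text) from an IDA 'unicode 0, <TEXT>,0' directive."""
    m = IDA_UNICODE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an IDA unicode directive: {line!r}")
    return m.group("label"), m.group("text")


def to_nasm(label, text):
    """NASM has __utf16__; the trailing 0 word is the wide NUL terminator."""
    return f"{label} DW __utf16__('{text}'), 0"


def to_masm(label, text):
    """MASM: emit each ASCII char followed by its zero high byte, then two more
    zeros for the terminator, so the operand list ends in three zeros."""
    if not text.isascii():
        raise ValueError("manual interleaving is only valid for ASCII text")
    parts = []
    for ch in text:
        parts.append("27h" if ch == "'" else f"'{ch}'")  # quote char as hex
        parts.append("0")
    parts += ["0", "0"]
    return f"{label} DB " + ", ".join(parts)


def masm_bytes(decl):
    """Assemble a 'label DB op, op, ...' line into bytes to check the layout."""
    out = bytearray()
    for op in decl.split(" DB ", 1)[1].split(", "):
        if op.startswith("'"):
            out += op[1:-1].encode("ascii")
        elif op.endswith("h"):
            out.append(int(op[:-1], 16))
        else:
            out.append(int(op))
    return bytes(out)


def expected_bytes(text):
    """What GetModuleHandleW expects in memory: UTF-16LE plus a 2-byte NUL."""
    return text.encode("utf-16-le") + b"\x00\x00"
```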