Why I am getting an Access violation exception?


I am trying to make a messagebox in pure assembly. Here are the steps I have taken so far:

Find kernel32.dll base address:

; --- Step 1: find the kernel32.dll base address by walking the PEB loader list ---
; Target: 32-bit Windows, x86 (fs: selects the TEB; all pointers are 4 bytes).
; Assumes InMemoryOrderModuleList is ordered exe, ntdll, kernel32 — a loader
; convention this code depends on, not a documented guarantee.
; In:    nothing
; Out:   ebx = kernel32 base address
; Clobb: eax, ecx, esi, flags. Requires DF = 0 so lodsd advances esi.
; NOTE(review): reading fs:[0x30] and then walking Ldr is the classic
; position-independent-code fingerprint; static and behavioural detections
; commonly key on exactly this sequence.
xor ecx, ecx
mov eax, fs:[ecx + 0x30]  ; EAX = PEB (TEB.ProcessEnvironmentBlock at 0x30 on 32-bit)
mov eax, [eax + 0xc]      ; EAX = PEB->Ldr (PEB_LDR_DATA)
mov esi, [eax + 0x14]     ; ESI = Ldr->InMemoryOrderModuleList.Flink = 1st entry (the exe)
lodsd                     ; EAX = that entry's Flink -> 2nd module (ntdll by the assumption above); ESI += 4
xchg eax, esi             ; ESI = 2nd entry, EAX = old ESI (scratch, unused)
lodsd                     ; EAX = 2nd entry's Flink -> 3rd module (kernel32 by the assumption above)
mov ebx, [eax + 0x10]     ; EBX = DllBase. The list links point into the entry's
                          ; InMemoryOrderLinks field (+0x8); DllBase is at +0x18, hence +0x10 here

Find the export table of kernel32.dll:

; --- Step 2: locate kernel32's export directory and its name table ---
; PE32 (32-bit image) layout: 0x3c = IMAGE_DOS_HEADER.e_lfanew;
; 0x78 = OptionalHeader.DataDirectory[EXPORT].VirtualAddress measured from the
; "PE\0\0" signature (PE32 only — PE32+ places it elsewhere);
; 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames. Every value read here is an
; RVA, hence the repeated `add ..., ebx`.
; In:    ebx = kernel32 base
; Out:   edx = export directory (VA), esi = AddressOfNames table (VA), ecx = 0
; Clobb: ecx, edx, esi, flags
mov edx, [ebx + 0x3c] ; EDX = e_lfanew (RVA of the PE signature)
add edx, ebx          ; EDX = PE header (VA)
mov edx, [edx + 0x78] ; EDX = export directory RVA
add edx, ebx          ; EDX = export directory VA
mov esi, [edx + 0x20] ; ESI = AddressOfNames RVA
add esi, ebx          ; ESI = AddressOfNames table VA
xor ecx, ecx          ; ECX = 0 (name index counter for the scan that follows)

Find GetProcAddress function name:

; --- Step 3: scan the export name table for "GetProcAddress" ---
; NOTE(review): `jnz Get_Function` loops back to the `inc ecx` line, so that
; line must carry the label `Get_Function:`; the label is not shown in this excerpt.
; Only the first 12 of 14 characters are compared ("GetProcAddre"); because the
; name table is sorted, an earlier-sorting export with the same prefix would win
; instead — presumably none exists in kernel32, confirm before porting to another DLL.
; There is no check of ecx against NumberOfNames: if the name is absent the loop
; walks off the end of the table.
; In:    ebx = base, esi = AddressOfNames, ecx = 0
; Out:   ecx = 1-based index of the matching name (inc runs before lodsd), eax = name VA
; Clobb: eax, ecx, esi, flags
inc ecx                              ; ECX = candidate index + 1 (1-based)
lodsd                                ; EAX = name RVA; ESI advances to the next entry
add eax, ebx                         ; EAX = name VA
cmp dword ptr[eax], 0x50746547       ; "GetP" (little-endian dword of the ASCII bytes)
jnz Get_Function
cmp dword ptr[eax + 0x4], 0x41636f72 ; "rocA"
jnz Get_Function
cmp dword ptr[eax + 0x8], 0x65726464 ; "ddre"
jnz Get_Function

Find the address of GetProcAddress function:

; --- Step 4: translate the matched name index into the function address ---
; Export lookup: AddressOfNameOrdinals[i] (0x24, WORD entries) is the index into
; AddressOfFunctions (0x1c, DWORD RVAs) for name i.
; NOTE(review): ecx arrives as the 1-based name index (inc precedes lodsd above),
; so `[esi + ecx * 2]` reads the ordinal entry one *past* the matched name, and
; the `dec ecx` afterwards only compensates while kernel32's ordinals are
; consecutive around that entry. The exact form indexes with (ecx - 1) and
; drops the later dec — confirm against the loop before changing it.
; In:    ebx = base, edx = export directory, ecx = 1-based name index
; Out:   edx = GetProcAddress VA
; Clobb: ecx, edx, esi, flags
mov esi, [edx + 0x24]    ; ESI = AddressOfNameOrdinals RVA
add esi, ebx             ; ESI = AddressOfNameOrdinals VA
mov cx, [esi + ecx * 2]  ; CX = ordinal entry (16-bit write; upper half of ECX stays 0 as long as the index < 65536)
dec ecx                  ; see NOTE(review) above
mov esi, [edx + 0x1c]    ; ESI = AddressOfFunctions RVA
add esi, ebx             ; ESI = AddressOfFunctions VA
mov edx, [esi + ecx * 4] ; EDX = function RVA
add edx, ebx             ; EDX = GetProcAddress VA

Find the LoadLibrary function address:

; --- Step 5: GetProcAddress(kernel32, "LoadLibraryA") ---
; The string is built on the stack, last dword pushed first, so it reads
; forward from esp; the 0 in ecx pushed ahead of it is the NUL terminator.
; ebx and edx are spilled first because the Win32 calls below may clobber
; eax, ecx and edx (caller-saved on x86).
; Stack after the call (GetProcAddress is stdcall: the callee pops its 2 args):
;   [esp]      "Load"  [esp+4] "Libr"  [esp+8] "aryA"  [esp+0xc] 0
;   [esp+0x10] GetProcAddress  [esp+0x14] kernel32 base
; In:    ebx = kernel32 base, edx = GetProcAddress
; Out:   eax = LoadLibraryA (0 if not found — not checked), stack as above
; Clobb: ecx, edx, flags
xor ecx, ecx    ; ECX = 0
push ebx        ; save kernel32 base (reloaded in step 9)
push edx        ; save GetProcAddress (reloaded in steps 7 and 9)
push ecx        ; NUL terminator
push 0x41797261 ; "aryA"
push 0x7262694c ; "Libr"
push 0x64616f4c ; "Load"  -> esp now points at "LoadLibraryA\0"
push esp        ; lpProcName = &"LoadLibraryA"
push ebx        ; hModule   = kernel32
call edx        ; EAX = GetProcAddress(kernel32, "LoadLibraryA")

Load user32.dll library:

; --- Step 6: LoadLibraryA("user32.dll") ---
; Drops the 3 dwords of "LoadLibraryA", pops the 0 terminator into ecx, spills
; LoadLibraryA on top of the saved GetProcAddress, then builds "user32.dll".
; Stack after the call (LoadLibraryA is stdcall: the callee pops its 1 arg):
;   [esp] "user"  [esp+4] "32.d"  [esp+8] "ll\0\0"  [esp+0xc] 0
;   [esp+0x10] LoadLibraryA  [esp+0x14] GetProcAddress  [esp+0x18] kernel32 base
; In:    eax = LoadLibraryA, stack from step 5
; Out:   eax = user32.dll module handle (0 on failure — not checked)
; Clobb: ecx, edx, flags
add esp, 0xc    ; drop "Load","Libr","aryA"
pop ecx         ; ECX = 0 (the terminator pushed in step 5)
push eax        ; save LoadLibraryA
push ecx        ; extra zero dword (the string already ends inside "ll\0\0")
mov cx, 0x6c6c  ; CX = "ll"; ECX was 0, so the whole dword is "ll\0\0"
push ecx
push 0x642e3233 ; "32.d"
push 0x72657375 ; "user"  -> esp points at "user32.dll\0\0"
push esp        ; lpLibFileName = &"user32.dll"
call eax        ; EAX = LoadLibraryA("user32.dll")

Get MessageBoxA function address:

; --- Step 7: GetProcAddress(user32, "MessageBoxA") ---
; Drops the 4 dwords of "user32.dll" + padding so that [esp] = saved LoadLibraryA
; and [esp+4] = saved GetProcAddress. The trailing 'a' pushed with "oxA" is
; zeroed in place afterwards to terminate the string (keeps the immediate free
; of zero bytes).
; Stack after the call (stdcall, 2 args popped by the callee):
;   [esp] "Mess"  [esp+4] "ageB"  [esp+8] "oxA\0"  [esp+0xc] 0
;   [esp+0x10] LoadLibraryA  [esp+0x14] GetProcAddress  [esp+0x18] kernel32 base
; In:    eax = user32 handle, stack from step 6
; Out:   eax = MessageBoxA (0 if not found — not checked)
; Clobb: ecx, edx, flags
add esp, 0x10; drop "user","32.d","ll\0\0" and the zero dword
mov edx, [esp + 0x4]; EDX = saved GetProcAddress (pushed in step 5)
xor ecx, ecx; ECX = 0
push ecx; terminator dword
mov ecx, 0x6141786f; "oxAa" (bytes 6f 78 41 61)
push ecx
sub dword ptr[esp + 0x3], 0x61; the byte at esp+3 is 'a' (0x61) -> 0, giving "oxA\0"
push 0x42656761; "ageB"
push 0x7373654d; "Mess"  -> esp points at "MessageBoxA\0"
push esp; lpProcName = &"MessageBoxA"
push eax; hModule   = user32
call edx; EAX = GetProcAddress(user32, "MessageBoxA")

Call MessageBoxA function:

; --- Step 8: MessageBoxA(NULL, NULL, NULL, MB_OK) ---
; 0x14 drops "Mess","ageB","oxA\0", the zero dword and the saved LoadLibraryA,
; leaving [esp] = saved GetProcAddress and [esp+4] = saved kernel32 base.
; Arguments are pushed right-to-left (stdcall); MessageBoxA pops all 16 bytes
; itself, so after the call esp is back at the saved GetProcAddress.
; In:    eax = MessageBoxA, stack from step 7
; Out:   eax = pressed button id; stack: [esp] GetProcAddress, [esp+4] kernel32 base
; Clobb: ecx, edx, flags
add esp, 0x14; Cleanup stack (was 0x10 in the original post; corrected)
xor ecx, ecx; ECX = 0 (not used afterwards)
push 0x0; uType     = MB_OK
push 0x0; lpCaption = NULL
push 0x0; lpText    = NULL
push 0x0; hWnd      = NULL
call eax; MessageBoxA(hWnd, lpText, lpCaption, uType)

Get ExitProcess function address:

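; --- Step 9: GetProcAddress(kernel32, "ExitProcess") ---
; MessageBoxA is stdcall and has already popped its four arguments, so on
; return esp points at the saved GetProcAddress with the saved kernel32 base
; right above it. The original `add esp, 0x10` here skipped both saved values,
; so the two pops loaded unrelated stack contents and `call edx` transferred
; control to a bogus address — consistent with the reported access violation.
; In:    stack: [esp] GetProcAddress, [esp+4] kernel32 base
; Out:   eax = ExitProcess (0 if not found — not checked)
; Clobb: ebx, ecx, edx, flags
pop edx; EDX = saved GetProcAddress
pop ebx; EBX = saved kernel32 base
mov ecx, 0x61737365; "essa" (bytes 65 73 73 61)
push ecx
sub dword ptr[esp + 0x3], 0x61; zero the trailing 'a' -> "ess\0"
push 0x636f7250; "Proc"
push 0x74697845; "Exit"  -> esp points at "ExitProcess\0"
push esp; lpProcName = &"ExitProcess"
push ebx; hModule   = kernel32
call edx; EAX = GetProcAddress(kernel32, "ExitProcess")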

Call the ExitProcess function:

; --- Step 10: ExitProcess(0) — does not return ---
; A register-only `xor` cannot raise an access violation; if the debugger
; reports the fault on this line it was most likely reached via the preceding
; `call edx` (inspect what edx held at that point) rather than raised here.
; In:    eax = ExitProcess
xor ecx, ecx; ECX = 0
push ecx; uExitCode = 0
call eax; ExitProcess(0)

I know this is a lot to go through, but it'd be nice if someone could help me understand. I am still new to this.

EDIT: I updated the code; now it shows only one message box, and a new exception arises:

Unhandled exception at 0x002D8000 in MsgBoxShell.exe: 0xC0000005: Access violation writing location 0x00000001.

asked on Stack Overflow Nov 22, 2019 by user3813360 • edited Jan 18, 2021 by peterh - Reinstate Monica

