Valhalla Legends Forums Archive | Assembly Language (any cpu) | Problem calling FindNextFile

BreW
[code]
//#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#define MAX_FILENAME_LEN 256

char path[] = "C:\\Documents and Settings\\Owner\\My Documents\\My Pictures\\";
char string01[] = "Invalid file handle.";
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR szCmdLine, int iCmdShow) {
__asm {
//initialization
push 0
call dword ptr [SetLastError]
mov dword ptr [ebp - 748h], 0 // 748h == # of filenames - 4 bytes

//strcpy path into tofind
push offset path
lea eax, [ebp - 244h]           //244h == ToFind       32
push eax
call strcpy
add esp, 8

//strlen
push eax
call strlen
pop ebx

//simplified strcat (somewhat)
mov word ptr [ebp - 244h + eax], 2Ah

//calling api and storing results
lea eax, [ebp - 140h] //140h == finddata struct
push eax
lea eax, [ebp - 244h]
push eax
call dword ptr [FindFirstFile]
mov dword ptr [ebp - 144h], eax //144h == find file handle

//compare result with invalid handle
mov eax, dword ptr [ebp - 144h]
cmp eax, 0FFFFFFFFh //INVALID_HANDLE_VALUE is -1, not 0FFh
jne _filefill

//messagebox
xor eax, eax
push eax
push eax
push offset string01
push eax
call dword ptr [MessageBox]
jmp _done
_filefill:
//compare GetLastError with no moar files
call dword ptr [GetLastError]
cmp eax, ERROR_NO_MORE_FILES
je _mainloop

//calling FindNextFile
lea eax, [ebp - 140h]
push eax
lea eax, [ebp - 144h]
push eax
call dword ptr [FindNextFile] //<-----CRASHES HERE

//ima-llocing sum... memory
push MAX_FILENAME_LEN
call malloc
pop ebx
mov ecx, dword ptr [ebp - 748h] //748h num of filenames
mov dword ptr [ebp + ecx * 4 - 744h], eax //748h file ptrs

//zeromem call
mov eax, dword ptr [ebp + ecx * 4 - 744h]
push 0
push MAX_FILENAME_LEN
push eax
call memset
add esp, 0Ch

//strcpy
lea ecx, [ebp - 114h] //cFileName sits at offset 2Ch of the find data at ebp-140h
mov edx, dword ptr [ebp - 748h]
mov eax, dword ptr [ebp + edx * 4 - 744h]
push ecx
push eax
call strcpy
add esp, 8

mov ecx, dword ptr [ebp-748h]
inc ecx
mov dword ptr [ebp-748h], ecx
xor ebx, ebx
jmp _filefill
_mainloop:
lea eax, [ebp - 344h]  //344h == base addr of temp string

//zeromem
push 0
push MAX_FILENAME_LEN
push eax
call memset
add esp, 0Ch

//strcpy (cdecl: push src, then dest, so this is strcpy(temp, path))
push offset path
push eax
call strcpy
add esp, 8

//strcat (the slot holds a pointer to the filename, so load it rather than taking its address)
mov ecx, dword ptr [ebp + ebx * 4 - 744h]
push ecx
push eax
call strcat
add esp, 8

//set the wallpaper
push 0
push eax
push 0
push SPI_SETDESKWALLPAPER
call dword ptr [SystemParametersInfo]
inc ebx

push 60000
call dword ptr [Sleep]
jmp _mainloop
_done:
}
return 0;
}
[/code]
The problem is that it crashes with a memory violation when I call FindNextFile. All the registers' and the stack's values look perfectly suitable, which leaves me clueless. Any ideas? :/
October 6, 2007, 4:33 PM
rabbit
Stop using ASM?
October 6, 2007, 5:48 PM
Kp
What is the register context at the time of the crash?  Is it crashing trying to call FindNextFile or crashing inside FindNextFile?
October 6, 2007, 6:02 PM
devcode
FindFirstFile returns an invalid handle (ERROR_PATH_NOT_FOUND), and you're only checking 0x12 for GetLastError() kaputez.
October 6, 2007, 6:22 PM
BreW
Register dump before the call
[code]
EAX = 0012FDEC
EBX = 0012FCEC
ECX = 00007502
EDX = 00000000
ESI = 00000000
EDI = 0012FF30
EIP = 0040B9DE
ESP = 0012FEDC
EBP = 0012FF30
EFL = 00000297
CS = 001B
DS = 0023
ES = 0023
SS = 0023
FS = 003B
GS = 0000 OV=0
UP=0 EI=1 PL=1
ZR=0 AC=1 PE=1
CY=1

00425198
7C839019

ST0 = +0.00000000000000000e+0000
ST1 = +0.00000000000000000e+0000
ST2 = +0.00000000000000000e+0000
ST3 = +0.00000000000000000e+0000
ST4 = +0.00000000000000000e+0000
ST5 = +0.00000000000000000e+0000
ST6 = +0.00000000000000000e+0000
ST7 = +0.00000000000000000e+0000
CTRL = 027F
STAT = 0000
TAGS = FFFF
[/code]

Register dump right after access violation notice
[code]
EAX = 01C8083D
EBX = 00000000
ECX = 000007D4
EDX = 0012FE10
ESI = 0012FE00
EDI = 00000000
EIP = 7C918FEA
ESP = 0012FB84
EBP = 0012FBF8
EFL = 00000246
CS = 001B
DS = 0023
ES = 0023
SS = 0023
FS = 003B
GS = 0000 OV=0
UP=0 EI=1 PL=0
ZR=1 AC=0 PE=1
CY=0

01C8084D
????????

ST0 = +0.00000000000000000e+0000
ST1 = +0.00000000000000000e+0000
ST2 = +0.00000000000000000e+0000
ST3 = +0.00000000000000000e+0000
ST4 = +0.00000000000000000e+0000
ST5 = +0.00000000000000000e+0000
ST6 = +0.00000000000000000e+0000
ST7 = +0.00000000000000000e+0000
CTRL = 027F
STAT = 0000
TAGS = FFFF
EIP = 00000000
CS = 0000
DS = 0000
EDO = 00000000
[/code]
I'm not sure how to find out the register context at the time of the crash, how would I?

Disassembly window's view right after the memory access violation message box
[code]
7C918FEA FF 40 10             inc         dword ptr [eax+10h]
7C918FED 8B 45 FC             mov         eax,dword ptr [ebp-4]
7C918FF0 83 E0 01             and         eax,1
7C918FF3 89 45 E8             mov         dword ptr [ebp-18h],eax
7C918FF6 8B 06                mov         eax,dword ptr [esi]
[/code]

I'm not exactly sure (with my level of experience) if those instructions are something completely different, or what was fetched from location dword ptr [__imp__FindNextFileA@8 (00425198)] (apparently not, I just checked with the memory debug window). I'm somewhat confused... but I do think it's crashing within FindNextFile. What's the telltale sign of when something's crashing within the API?

@devcode: eax is a valid handle, after the call to FindFirstFile. thanks

EDIT**
I just realized that the EIPs of those two dumps are completely different, not to mention that the address I'm jumping to is way out of the range of my RAM (I have 1 GB, so the max memory I should have is 3FFFFFFFh and it refers to 7C918FEAh; perhaps it's referring to virtual memory?), which I'm not exactly sure why. Maybe that happens to be within the addressing space of NTDLL.DLL (which is where the memory access violation occurred).
October 6, 2007, 6:37 PM
Kp
In the default configuration, WinDbg prints the register context automatically when an access violation occurs.

It appears you supplied bad data somewhere, leading to a crash while executing code inside NTDLL.  Post a stack backtrace (kb) at the time of the access violation.  Be sure to set up OS symbols first, either with one of the downloadable packs or by letting WinDbg fetch them as needed from the Microsoft symbol server.
October 6, 2007, 10:57 PM
BreW
OOPS! That's not even necessary. I just re-read my code, and I was accidentally pushing the address of the Find File handle when I was supposed to be passing it by value. :/
I fixed it, and the call now looks like this:
[code]
lea eax, [ebp - 140h]
push eax
push dword ptr [ebp - 144h]
call dword ptr [FindNextFile]
[/code]
Heh. The error here was just a classic case of PICNIC. I wrote the majority of this when it was 1:30 in the morning. No wonder why :/
Thank you to everyone who helped me in this thread.
October 7, 2007, 1:05 AM
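As an added example (not code from the thread or from any of the posters), here is the complete FindFirstFile/FindNextFile walk in C with the checks the original inline assembly got wrong or skipped: the search handle is compared against INVALID_HANDLE_VALUE (-1, not 0FFh), it is passed to FindNextFile by value rather than by address, GetLastError() is consulted only after FindNextFile has actually returned FALSE, and FindClose releases the handle. On Windows it calls the real Win32 API. On other platforms a constructed stand-in for the four calls and a three-entry fake listing (both assumptions, present only so the caller logic compiles and runs anywhere) replace windows.h; the directory path in main is made up.

```c
/* Added example, not code from the thread: the FindFirstFile/FindNextFile
 * calling protocol the original inline assembly got wrong, written in C.
 * On Windows this uses the real Win32 API. Elsewhere a small constructed
 * stand-in with the same contract is compiled instead (an assumption for
 * portability): the search handle is returned and passed BY VALUE,
 * INVALID_HANDLE_VALUE (-1) signals failure, and FindNextFile returning
 * FALSE with GetLastError() == ERROR_NO_MORE_FILES ends the listing. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
typedef void *HANDLE;
typedef int BOOL;
typedef unsigned long DWORD;
#define TRUE 1
#define FALSE 0
#define MAX_PATH 260
#define INVALID_HANDLE_VALUE ((HANDLE)(intptr_t)-1)
#define ERROR_FILE_NOT_FOUND 2UL
#define ERROR_INVALID_HANDLE 6UL
#define ERROR_NO_MORE_FILES 18UL
typedef struct { char cFileName[MAX_PATH]; } WIN32_FIND_DATAA;

/* Constructed directory listing and search state backing the stand-in. */
static const char *const fake_listing[] = { "a.jpg", "b.jpg", "c.jpg" };
static const size_t fake_count = sizeof fake_listing / sizeof fake_listing[0];
static size_t fake_next;
static DWORD fake_last_error;

static DWORD GetLastError(void) { return fake_last_error; }

static HANDLE FindFirstFileA(const char *pattern, WIN32_FIND_DATAA *fd) {
    if (strstr(pattern, "nomatch") != NULL) {   /* constructed "no match" case */
        fake_last_error = ERROR_FILE_NOT_FOUND;
        return INVALID_HANDLE_VALUE;
    }
    fake_next = 0;
    snprintf(fd->cFileName, MAX_PATH, "%s", fake_listing[fake_next++]);
    fake_last_error = 0;
    return (HANDLE)&fake_next;                  /* the handle itself, by value */
}

static BOOL FindNextFileA(HANDLE h, WIN32_FIND_DATAA *fd) {
    if (h != (HANDLE)&fake_next) {              /* e.g. a pointer TO the handle */
        fake_last_error = ERROR_INVALID_HANDLE;
        return FALSE;
    }
    if (fake_next >= fake_count) {
        fake_last_error = ERROR_NO_MORE_FILES;  /* normal end of the listing */
        return FALSE;
    }
    snprintf(fd->cFileName, MAX_PATH, "%s", fake_listing[fake_next++]);
    return TRUE;
}

static BOOL FindClose(HANDLE h) { return h == (HANDLE)&fake_next; }
#endif

/* Copy up to `max` matching names into `out` (always NUL-terminated) and
 * return how many matched in total, 0 for no match, or -1 on a real error. */
int list_files(const char *pattern, char out[][MAX_PATH], int max) {
    WIN32_FIND_DATAA fd;
    int n = 0;
    HANDLE h = FindFirstFileA(pattern, &fd);    /* handle comes back by value */
    if (h == INVALID_HANDLE_VALUE) {            /* compare against -1, never 0FFh */
        return GetLastError() == ERROR_FILE_NOT_FOUND ? 0 : -1;
    }
    do {
        if (n < max) {
            snprintf(out[n], MAX_PATH, "%s", fd.cFileName);  /* bounded copy */
        }
        n++;
    } while (FindNextFileA(h, &fd));            /* pass h itself, not &h */
    /* FALSE is expected at the end; read the error code before FindClose */
    DWORD err = GetLastError();
    FindClose(h);
    return err == ERROR_NO_MORE_FILES ? n : -1;
}

int main(void) {
    char names[16][MAX_PATH];
    /* constructed path; on non-Windows builds the stand-in ignores it */
    int n = list_files("C:\\Users\\Public\\Pictures\\*", names, 16);
    if (n < 0) {
        fprintf(stderr, "listing failed, error %lu\n", (unsigned long)GetLastError());
        return 1;
    }
    for (int i = 0; i < n && i < 16; i++) printf("%s\n", names[i]);
    return 0;
}
```

Two details map directly onto the thread: reading GetLastError() before FindNextFile has run, as the original `_filefill` label does, tests a stale value, so the loop above only reads it once FindNextFile returns FALSE; and the stand-in's FindNextFileA rejects anything that is not the handle value it issued, which is the pointer-to-handle mistake the final post fixed, failing cleanly where ntdll instead dereferenced garbage.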
