This is my code:

[BITS 32]

section .text
global start

start:
    xor edx, edx         ; EDX = 0 without a NULL byte in the encoding
    push edx             ; MsgBox type (uType = 0)
    push edx             ; MsgBox body (lpText = NULL)
    push edx             ; MsgBox caption (lpCaption = NULL)
    push edx             ; Owner hWnd (NULL)
    mov eax, 0x7E45058A  ; Addr of MessageBox, USER32 should be loaded
    call eax

Now, that should, theoretically, pop up with a blank messagebox. Right?

I assembled it with:

C:\Documents and Settings\Compaq_Owner>nasmw -fbin -l "stuff.txt" "C:\Documents and Settings\Compaq_Owner\Desktop\k.asm"

I popped open a hex editor, grabbed the bytes, threw them into shellcode, and executed this:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Raw bytes of the assembled k.asm, as read out of the hex editor */
char shellcode[] =
"\x31\xD2\x52\x52\x52\x52\xB8\x8A\x05\x45\x7E\xFF\xD0";

int main()
{
    int *ret;
    /* Assumes main's saved return address sits two ints above the local
       'ret'; this stack layout is compiler- and option-dependent */
    ret = (int *)&ret + 2;
    /* Overwrite the saved return address so that returning from main
       jumps into the shellcode buffer (the buffer must be executable) */
    (*ret) = (int)shellcode;
    return 0;
}

Not working. Could anybody give me a hand?

Comments
Another malware script kiddie wannabe loser type

What is all that crap? If you want to display a MS-Windows message box, why not just call it directly?

>>mov eax, 0x7E45058A
How do you know that's the address of the message box function? The address may change every time the program is run.

>>Not working. Could anybody give me a hand?
Yes -- don't do that. Include windows.h and call MessageBox just like every other normal programmer.

That's not what I'm trying to do. I'd love it if it was that easy.

I'm trying to write POC shellcode. Is there a way to get that done in ASM without calling it from the memory address? If so, how?

>> The address may change every time the program is run.
Not really.... It was the same on my computer every time it was run, and it's also the same address on my friend's computer.

The C language does not recognize inline assembly instructions like that. The way to do inline assembly depends on the compiler you are using. For example, Microsoft compilers are like this:

#include <windows.h>
int main()
{
    _asm
    {
        // put assembly code here
        xor edx, edx         ; Avoids NULL byte
        push edx             ; MsgBox type
        push edx             ; MsgBox body
        push edx             ; MsgBox caption
        push edx             ; Owner hWnd
        lea eax, MessageBox  ; Addr of MessageBox, USER32 should be loaded
        call eax
    }

    return 0;
}

>>Not really.... It was the same on my computer every time it was run, and it's also the same address on my friend's computer.

You were just lucky. Don't count on that behavior.
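The disagreement above is about whether a hardcoded absolute address is a safe thing to build into a payload. The program below is an added example written for this page, not code from either poster: it scans the shellcode bytes from the first post for a `mov eax, imm32` immediately followed by `call eax` and pulls out the absolute address, which is how an analyst spots non-portable, address-dependent code in a sample. On Windows it then resolves MessageBoxA through LoadLibraryA/GetProcAddress and compares the two; on other hosts it only reports the extracted constant. The byte string is a copy of the poster's bytes; the function names `find_hardcoded_call_target` and `resolve_messagebox_address` are this example's own. Build it as a 32-bit binary for the comparison to be meaningful, since the shellcode is 32-bit.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Copy of the shellcode bytes posted in the thread (constructed copy for this example) */
static const unsigned char kShellcode[] =
    "\x31\xD2\x52\x52\x52\x52\xB8\x8A\x05\x45\x7E\xFF\xD0";

/* Scan a byte buffer for the first "mov eax, imm32" (opcode B8) that is
   immediately followed by "call eax" (FF D0) and return the little-endian
   32-bit immediate, i.e. the absolute address the code calls through.
   Returns 0 when no such sequence is present. */
uint32_t find_hardcoded_call_target(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i + 7 <= len; i++) {
        if (buf[i] == 0xB8 && buf[i + 5] == 0xFF && buf[i + 6] == 0xD0) {
            return (uint32_t)buf[i + 1]
                 | ((uint32_t)buf[i + 2] << 8)
                 | ((uint32_t)buf[i + 3] << 16)
                 | ((uint32_t)buf[i + 4] << 24);
        }
    }
    return 0;
}

/* Resolve MessageBoxA the supported way (loader + export table) so the
   result reflects wherever user32.dll was actually mapped in this process.
   On non-Windows hosts there is nothing to resolve, so return 0. */
uintptr_t resolve_messagebox_address(void)
{
#ifdef _WIN32
    HMODULE user32 = LoadLibraryA("user32.dll");
    if (user32 == NULL)
        return 0;
    return (uintptr_t)GetProcAddress(user32, "MessageBoxA");
#else
    return 0;
#endif
}

int main(void)
{
    /* sizeof includes the string literal's terminating NUL, hence the -1 */
    uint32_t target = find_hardcoded_call_target(kShellcode, sizeof kShellcode - 1);
    printf("shellcode calls through absolute address 0x%08lX\n", (unsigned long)target);

    uintptr_t live = resolve_messagebox_address();
    if (live == 0)
        printf("not running on Windows: cannot compare with the live address\n");
    else if (live == target)
        printf("MessageBoxA is at that address in this process\n");
    else
        printf("MessageBoxA is actually at 0x%08lX; the hardcoded address would "
               "land on unrelated code\n", (unsigned long)live);
    return 0;
}
```

Run it on a few machines or after a user32.dll update and the third message shows up as soon as the library's load address or layout differs, which is the "you were just lucky" point made concrete.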
