Assembly language line number confusion

[bennyandthejets]

I'm running notepad.exe through Hiew, in order to make a message box display when notepad is started. I followed the directions, changing the .text section virtual size to the raw data size, then added unicode strings to the zero padding after the .text section. I pushed the parameters (in reverse order) and called MessageBoxW.

What happens is the message box is displayed but the caption and text are just gibberish. In Hiew, when I push the pointer onto the stack, it shows that the text actually points to some other place, not to my string.

My question is, is there some trick to pushing the correct pointer as a MessageBoxW parameter?

[Fordy]

I'll show you a little patching trick.

Code:

	PUSH 0
	CALL PARAM1
	DB "Whatever",0
PARAM1:
	CALL PARAM2
	DB "Hello World",0
PARAM2:
	PUSH 0
	CALL MessageBoxA

Looks like jibberish to anyone who knows a little ASM but it's actually a pretty effective way of getting strings into fuction calls without having to mess with other sections.

The first 2 CALLs look totally out of place, but if you know what a CALL effectively does (PUSH the address of the next "instruction" and then JUMP to another part of code) then it's perfect for this deal. You're not likely to find that in an ASM book

[bennyandthejets]

Thanks for that but I'm actually dealing with straight machine code, which means I have to hard-code the addresses of the strings right in. The problem is really that there are two different sets of addresses that a particular location has in Hiew. The first I guess is the offset from the start of its location, and the second is the absolute offset from the start of the file. I tried referencing my strings using both addresses, but each time I just get jibberish. I'll just quickly explain again the steps I took, and maybe someone who has used Hiew before could give me some clues.

1. I examined notepad.exe using dumpbin. It told me where the .text section ended, and the virtual size of the section, so I modified the PE header accordingly to allow me to use the space at the end of the section.

2. I then found that bit (the zero-padding after .text) and wrote in a unicode string. I had to use Unicode because the notepad.exe I have only uses the Unicode version of MessageBox. I wrote in the string as NULL character NULL character NULL NULL.

3. Then I added code to push each parameter onto the stack, and called MessageBoxW. I tried using both types of address for the strings, ie, the offset from the start of .text and the absolute offset, but the message box just displayed jibberish.

Any ideas?