We see that two dwords are pushed. But what is that PUSH 5F? I can only thank _death for reminding me about this one :)
(Hey minos! ;-)
5F is the sub-function ID that identifies SetCursorPos; it travels on the stack as a third dword next to x and y (the system service number itself is loaded into EAX inside the stub we are about to enter). I don't think you can find a list of valid IDs anywhere on the net, though.
We enter the call to see what's going on :)
77E1432C B8 3A110000 MOV EAX,113A                  ; system service number (selects the win32k table)
77E14331 8D5424 04   LEA EDX,DWORD PTR SS:[ESP+4]  ; EDX -> the dwords the caller pushed
77E14335 CD 2E       INT 2E                        ; switch to kernel mode; result comes back in EAX
77E14337 C2 0C00     RETN 0C                       ; pop 0Ch bytes = three dwords (stdcall)
That's it? In your dump window, follow ESP+4 (press Ctrl+G, then type ESP+4).
This is how it looks on my machine: the 12 bytes at ESP+4 form three dwords.
One dword for the x value, another one for the y value, and the third one holding 5Fh, which a little-endian byte dump shows as 5F 00 00 00.
An example of issuing the native system call behind SetCursorPos() directly, without going through user32.dll (MASM syntax):
include \masm32\include\masm32rt.inc   ; MASM32 SDK: .386, flat stdcall model, windows/user32/kernel32 includes and libs

thePos STRUCT                 ; the three dwords INT 2E reads through EDX
    x dd 0
    y dd 0
    z dd 5Fh                  ; sub-function ID for SetCursorPos (Win2K)
thePos ENDS

.data
myApp db "BoR0's Native Syscaller",0
succ  db "Successfully set cursor!",0
erro  db "Error while setting cursor!",0
mystr thePos <>               ; z keeps its default of 5Fh

.code
start:
    mov mystr.y, 300
    mov mystr.x, 300
    mov eax, 113Ah            ; system service number (Win2K)
    mov edx, offset mystr     ; EDX -> x, y, 5Fh
    int 2Eh                   ; enter the kernel; result comes back in EAX
    .IF eax == 1
        invoke MessageBox, 0, ADDR succ, ADDR myApp, MB_OK+MB_ICONINFORMATION
    .ELSE
        invoke MessageBox, 0, ADDR erro, ADDR myApp, MB_OK+MB_ICONERROR
    .ENDIF
    invoke ExitProcess, 0
end start
From this we can state how the call works:
EAX == 113Ah (THE SYSTEM SERVICE NUMBER);
EDX == POINTER TO 3 DWORDS (X, Y, 5Fh; shown as 5F 00 00 00 in a little-endian byte dump);
RET. VALUE: 1 IF OK, 0 IF ERROR.
The thing I've noticed about this is that you must have at LEAST one pointer
to a function that is in user32.dll for the interrupt to work (it doesn't matter which function).
Q: Why is that?
A: I don't really know; perhaps there is some connection between the interrupts and the OS.
Anyway, for our code it will work because MessageBox() is found in user32.dll.
Q: But why user32.dll?
A: Because SetCursorPos() is found there :-)
Q: What are the advantages/disadvantages of using this instead of simply calling SetCursorPos()?
A: A debugger won't break if you set a breakpoint on SetCursorPos(): the user32 stub is never executed, the kernel transition happens straight from our code.
There are disadvantages as well. Both numbers are tied to the kernel build: the service number in EAX (113Ah) and the sub-function ID (5Fh) may change in future Windows versions, and a stale service number would dispatch our three dwords to whatever service now sits at that index.
So, this one has been tested on 2K only, and I've also heard rumours that the ID is not the same on XP.
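Since both numbers are tied to the kernel build, a practical defence against them changing is to read the service number out of the stub at run time instead of hard-coding it. The following C helper is an added example (not BoR0's code): it recognizes the exact 14-byte Windows 2000 stub pattern shown in the disassembly above (MOV EAX,imm32 / LEA EDX,[ESP+4] / INT 2E / RETN imm16), extracts the service number and the argument count, and rejects any other byte sequence. The sample bytes are constructed from that listing; reading the bytes from a live user32.dll is only sketched in a comment and is left to the reader.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of a Windows 2000-style INT 2E system-service stub:
 *   B8 imm32        MOV  EAX, imm32      ; service number
 *   8D 54 24 04     LEA  EDX, [ESP+4]    ; EDX -> argument dwords
 *   CD 2E           INT  2E              ; enter the kernel
 *   C2 imm16        RETN imm16           ; pop the arguments (stdcall)
 */
typedef struct {
    uint32_t service;    /* value loaded into EAX, e.g. 0x113A */
    unsigned arg_dwords; /* RETN operand / 4, e.g. 3 for x, y, 5Fh */
    int      win32k;     /* nonzero if bits 12-13 select table 1 (the win32k shadow table) */
} int2e_stub;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 and fills *out if `code` starts with the Win2K stub pattern, else 0.
 * Matching is byte-exact on purpose: a differently shaped stub (for example the
 * XP one, which calls through the SharedUserData dispatcher instead of INT 2E)
 * is refused rather than misread. */
int parse_int2e_stub(const uint8_t *code, size_t len, int2e_stub *out) {
    if (len < 14) return 0;
    if (code[0] != 0xB8) return 0;                                             /* MOV EAX, imm32   */
    if (code[5] != 0x8D || code[6] != 0x54 || code[7] != 0x24 || code[8] != 0x04) return 0; /* LEA EDX,[ESP+4] */
    if (code[9] != 0xCD || code[10] != 0x2E) return 0;                         /* INT 2E           */
    if (code[11] != 0xC2) return 0;                                            /* RETN imm16       */
    uint32_t svc = rd32le(code + 1);                                           /* little-endian    */
    unsigned nbytes = (unsigned)code[12] | (unsigned)code[13] << 8;
    if (nbytes % 4 != 0) return 0;                                             /* args are dwords  */
    out->service = svc;
    out->arg_dwords = nbytes / 4;
    out->win32k = ((svc >> 12) & 3) == 1;
    return 1;
}

/* Constructed sample: the 14 bytes from the disassembly above
 * (77E1432C..77E14339 on the author's Windows 2000 machine). */
static const uint8_t sample_stub[14] = {
    0xB8, 0x3A, 0x11, 0x00, 0x00,   /* MOV EAX, 113Ah  */
    0x8D, 0x54, 0x24, 0x04,         /* LEA EDX,[ESP+4] */
    0xCD, 0x2E,                     /* INT 2E          */
    0xC2, 0x0C, 0x00                /* RETN 0Ch        */
};

/* Accessors over the sample; each returns 0 if the sample fails to parse. */
uint32_t sample_service(void)    { int2e_stub s; return parse_int2e_stub(sample_stub, sizeof sample_stub, &s) ? s.service : 0; }
unsigned sample_arg_dwords(void) { int2e_stub s; return parse_int2e_stub(sample_stub, sizeof sample_stub, &s) ? s.arg_dwords : 0; }
int      sample_is_win32k(void)  { int2e_stub s; return parse_int2e_stub(sample_stub, sizeof sample_stub, &s) ? s.win32k : 0; }

/* Negative check: same MOV EAX prologue, but the second instruction is
 * MOV EDX,7FFE0300h (BA 00 03 FE 7F), i.e. not an INT 2E stub. Returns 1 if refused. */
int rejects_tampered_stub(void) {
    uint8_t other[14];
    memcpy(other, sample_stub, sizeof other);
    other[5] = 0xBA; other[6] = 0x00; other[7] = 0x03; other[8] = 0xFE; other[9] = 0x7F;
    int2e_stub s;
    return parse_int2e_stub(other, sizeof other, &s) == 0;
}

int main(void) {
    int2e_stub s;
    if (!parse_int2e_stub(sample_stub, sizeof sample_stub, &s)) { puts("not a Win2K INT 2E stub"); return 1; }
    printf("service=%04X args=%u dwords table=%s\n", s.service, s.arg_dwords, s.win32k ? "win32k" : "ntoskrnl");
    /* On a Windows 2000 box you would instead pass the bytes at the stub address
     * reached from user32!SetCursorPos's CALL (start from GetProcAddress on
     * "SetCursorPos" and follow the E8 rel32), so 113Ah is never hard-coded. */
    return 0;
}
```

Note what this does not give you: the 5Fh sub-function ID lives in the caller (the PUSH 5F in SetCursorPos itself), not in the stub, so that value still has to be read from SetCursorPos's own bytes. A parse failure is the desirable outcome on a system whose stubs look different; falling back to the exported SetCursorPos is safer than issuing INT 2E with a guessed number.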
Good luck playing with your functions and native calls! ;)
My thanks go to: _death, Detten, Zephyrous, cektop, CopyMasta (been a while, mate!)