How to fix these three RadASM compile errors? (https://forum.exetools.com/showthread.php?t=14920)

bridgeic 04-07-2013 22:03

Quote:

Originally Posted by ragdog (Post 83956)
To convert it to compile with masm is too much work.
What does _tolower do, convert uppercase letters to lower?

Example ABCD to abcd?

Hi ragdog,

Yes, it just converts uppercase letters to lower. In fact, we can use a library function for this whole function instead of including the code of this function in the ASM code. I'm studying it just to learn more.

In your opinion, with the right definition for including kernel32.lib, the setting below is not a must, right?

pr1 typedef PROTO : DWORD
externdef _imp__GetModuleHandleA@4:PTR pr1
GetModuleHandleA equ <_imp__GetModuleHandleA@4>

This way, I have passed the LINK step, but the result is not right. I'm still checking what's wrong.

I'll try to build up a small test case, hope you can help me to have a check, many thanks.

By the way, may I check with you whether you can run lib2inc22.exe successfully?

ragdog 04-08-2013 03:26

Why don't you use the APIs crt__tolower or CharLower?

bridgeic 04-08-2013 17:25

Quote:

Originally Posted by ragdog (Post 83971)
Why don't you use the APIs crt__tolower or CharLower?

The code is dumped from IDA. I just want to study the methodology to modify and compile the dumped code to obj, then call it from VC.

bridgeic 04-08-2013 17:31

1 Attachment(s)
Hi ragdog,

Would you help check this small test case? Why does it fail at LINK?
(I use the include based on your suggestion)

1. compile newtolower.asm to get newtolower.obj
2. run build.cmd to get newtest.exe (not successful, can't find newtolower function)

Thanks,
bridgeic

bridgeic 04-08-2013 18:08

1 Attachment(s)
Quote:

Originally Posted by bridgeic (Post 83994)
Hi ragdog,

Would you help check this small test case? Why does it fail at LINK?
(I use the include based on your suggestion)

1. compile newtolower.asm to get newtolower.obj
2. run build.cmd to get newtest.exe (not successful, can't find newtolower function)

Thanks,
bridgeic

After changing it as below based on another friend's help, newtest.exe is generated, but an error is reported when it runs; I attached it here. Although it still has errors, the methodology ragdog mentioned should be ok, thanks ragdog. If anyone would like to help debug the generated newtest.exe run error, I will provide the original file that IDA disassembled for reference.
newtolower proc near ,argv1: DWORD

bilbo 04-08-2013 20:19

Quote:

Although it still has errors, the methodology ragdog mentioned should be ok
not exactly...

again a problem of calling conventions...
newtolower() must be CDECL since the stack is adjusted on return by the caller.. Please google for calling conventions...

In first newtolower.asm you will obtain a decorated name _newtolower@0: that's not ok, it is a STDCALL decoration with 0 bytes as arguments

In second newtolower.asm you will obtain a decorated name _newtolower@4:
that's not ok, it is a STDCALL decoration with 4 bytes as arguments (it gets linked because the function declaration is coherent in both files, but the stack will be corrupted).

So the correct ASM must be:
Code:

newtolower proc near c
But also newtest.c is not correct, since newtolower must not be declared as WINAPI (stdcall). Remove it (the default is CDECL):
Code:

extern int newtolower(int);
Finally, the program will still trap because __getptd is calling
Code:

call dword_57E704
which is a call to 0!

Best regards, bilbo
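
The decoration and stack-cleanup rules from the post above, as an added example that is not part of the original thread. It builds the symbol each side emits under the 32-bit MSVC/MASM rules (cdecl `_name`, stdcall `_name@N`) and computes the net ESP change when the call site and the callee's `ret N` disagree. The names `decorate`, `links` and `esp_drift` are illustrative, and the stack arithmetic is a simplified model of a single call.

```c
#include <stdio.h>
#include <string.h>

/* 32-bit x86 conventions discussed in the thread (illustrative model). */
typedef enum { CC_CDECL, CC_STDCALL } callconv;

/* Symbol the tools emit: cdecl -> _name, stdcall -> _name@<arg bytes>. */
static const char *decorate(char *out, size_t n, const char *name,
                            callconv cc, unsigned arg_bytes)
{
    if (cc == CC_STDCALL)
        snprintf(out, n, "_%s@%u", name, arg_bytes);
    else
        snprintf(out, n, "_%s", name);
    return out;
}

/* The linker resolves a call only if both sides produce the same symbol. */
static int links(const char *name, callconv caller, unsigned caller_bytes,
                 callconv callee, unsigned callee_bytes)
{
    char a[128], b[128];
    decorate(a, sizeof a, name, caller, caller_bytes);
    decorate(b, sizeof b, name, callee, callee_bytes);
    return strcmp(a, b) == 0;
}

/* Net ESP change across one call, in bytes; 0 means the stack is balanced.
 * pushed: bytes the caller pushes; caller: convention the call site assumes;
 * callee_ret: the N of the callee's "ret N" (0 for a plain ret). */
static int esp_drift(unsigned pushed, callconv caller, unsigned callee_ret)
{
    int esp = 0;
    esp -= (int)pushed;          /* push arguments                  */
    esp -= 4;                    /* call pushes the return address  */
    esp += 4 + (int)callee_ret;  /* ret N pops return address + N   */
    if (caller == CC_CDECL)
        esp += (int)pushed;      /* "add esp, N" at the call site   */
    return esp;
}

int main(void)
{
    char s[128];
    printf("%s\n", decorate(s, sizeof s, "newtolower", CC_STDCALL, 0));
    printf("links: %d\n", links("newtolower", CC_STDCALL, 4, CC_STDCALL, 0));
    printf("drift: %d\n", esp_drift(4, CC_CDECL, 4));
    return 0;
}
```

A non-zero drift means ESP after the call no longer matches ESP before it, which is the stack corruption that a link-time name match alone does not rule out.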

bridgeic 04-09-2013 09:55

Dear bilbo,

Thank you so much for your warm help, seems "call dword_57E704" will be a Gordian knot, do you have any suggestion how to solve this issue?

bridgeic 04-09-2013 22:09

Quote:

Originally Posted by bilbo (Post 83997)
Code:

call dword_57E704
which is a call to 0!

Hi Bilbo,

Trace with ollydbg, seems the value is assigned outside the newtolower function, I'm not sure whether it is this way, still studying.

dword_57E704 dd 7C8097D0h ; kernel32.TlsGetValue

bilbo 04-10-2013 01:52

In fact, the trap in your EXE is no longer related to that call...

To debug the trap: run it with your preferred debugger... It will break at
Code:

004699E0  mov        byte ptr [esi],dl
where ESI is 514808

If you look at program memory map (for example through Process Hacker), you will see that memory 514000-51D000 (presumably allocated by LMCRYPT, look at memory content in the debugger) is read-only!
Hence the trap due to Access Violation.

Best regards, bilbo

bridgeic 04-10-2013 12:32

Quote:

Originally Posted by bilbo (Post 84035)
In fact, the trap in your EXE is no longer related to that call...

To debug the trap: run it with your preferred debugger... It will break at
Code:

004699E0  mov        byte ptr [esi],dl
where ESI is 514808

If you look at program memory map (for example through Process Hacker), you will see that memory 514000-51D000 (presumably allocated by LMCRYPT, look at memory content in the debugger) is read-only!
Hence the trap due to Access Violation.

Best regards, bilbo

Dear bilbo,

I guess I may understand what you mean. Testing with ollydbg, if I give the parameters "-i input.txt -o output.txt", then it won't run to 004699E0. Seems it will be a bottleneck here. :-)

