Recent Posts

1
Irvine Book Questions. / Re: Use CreateThread in MASM Program
« Last post by aw27 on Today at 02:50:23 AM »
avoid using a MyThread proc with a stack frame (no arguments or local variables)
Not true. They have 1 argument and you can use local variables.

Actually my recent example builds hundreds of threads with locals.
http://masm32.com/board/index.php?topic=6694.msg71668#msg71668
2
UASM Assembler Development / Re: VARARG
« Last post by jj2007 on Today at 02:46:04 AM »
.... till where the exception happened.

Which is usually the only aspect that I am interested in :bgrin:
3
UASM Assembler Development / Re: VARARG
« Last post by aw27 on Today at 02:36:52 AM »
That is actually possible with x64dbg: Options/Preferences/Misc/Set x64dbg as Just In Time Debugger (as usual, they have ruthlessly stolen that feature from OllyDbg).

Ahaha  :lol:
But this is not Post-Mortem, the program is still alive. What these github debugger/emulators do is go through the stack trace till where the exception happened.
Windbg does not even let the program crash, it quietly breaks where the exception happened (so they are called 2nd chance exceptions, the debugger gets the second chance to see it live).
This is the difference between a professional tool and a colorful toy downloaded from github.
  :biggrin:
Post-Mortem is working through crash dumps. Here again, only Windbg can do it.
4
Irvine Book Questions. / Re: Use CreateThread in MASM Program
« Last post by dedndave on Today at 01:53:53 AM »
CreateThread is pretty simple
i quite often use it with most of the arguments = 0

Code:
    INVOKE  CreateThread,0,0,MyThread,0,0,0
the 1st, 2nd, and 5th arguments are rarely needed
the 4th and 6th arguments are of possible interest....

the 6th argument may be used to point to a variable that receives the thread ID
the 4th argument may be used to pass an argument to the thread

Code:
.DATA?

dwThreadId dd ?                        ;receives the thread ID (6th argument)

.CODE

    INVOKE  CreateThread,0,0,MyThread,12345678h,0,offset dwThreadId
                                       ;4th argument = value handed to MyThread

.
.
.

MyThread PROC                          ;no args/locals declared, so no stack frame

    mov     eax,[esp+4]                ;EAX = 12345678h (the 4th argument)
.
.
.
    INVOKE  ExitThread,eax             ;exit code = EAX

MyThread ENDP

at the bottom of this page are a few related functions of interest...

https://msdn.microsoft.com/en-us/library/windows/desktop/ms682453%28v=vs.85%29.aspx

avoid using TerminateThread
avoid using a MyThread proc with a stack frame (no arguments or local variables)
5
UASM Assembler Development / Re: VARARG
« Last post by jj2007 on Today at 01:53:21 AM »
What I really need is a post mortem debugger which tells you where an app crashes

That is actually possible with x64dbg: Options/Preferences/Misc/Set x64dbg as Just In Time Debugger (as usual, they have ruthlessly stolen that feature from OllyDbg).

When the code crashes e.g. because of an idiv 0, see screenshot below, the grey box to the right appears; click on debug and hit F8 a couple of times, and voilà, here it is:
Code:
0000000140001089   | 33 C9              | xor ecx,ecx                             |
000000014000108B   | F7 F9              | idiv ecx                                |
000000014000108D   | 48 8D 15 A5 1F 00  | lea rdx,qword ptr ds:[140003039]        | 140003039:"Wow, it works!!"
0000000140001094   | 49 C7 C1 00 00 01  | mov r9,10000                            |
000000014000109B   | 4C 8D 05 A7 1F 00  | lea r8,qword ptr ds:[140003049]         | 140003049:"Hi"
00000001400010A2   | 33 C9              | xor ecx,ecx                             |
00000001400010A4   | FF 15 B6 20 00 00  | call qword ptr ds:[<&MessageBoxA>]      |
6
Irvine Book Questions. / Re: Use CreateThread in MASM Program
« Last post by hutch-- on Today at 01:37:31 AM »
David,

With Irvine code I cannot help you but using CreateThread means looking up its arguments and creating a new procedure that the new thread starts in. The old Win32.hlp has the reference material but if you don't have that you can look up the API in MSDN and it will refer you to the format of the procedure which is a single argument. In 32 bit it's a DWORD, in 64 bit it's a QWORD. If you need to pass a lot of data (more than 1 arg) you pass the address of an array OR structure that contains the data you want to pass.
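A worked 32-bit MASM32 example of what hutch-- and dedndave describe above: the thread procedure takes the single DWORD argument, more than one value is passed by handing it the address of a structure, the thread ID comes back through the last CreateThread argument, and the thread is left to finish on its own (waited on with WaitForSingleObject) rather than killed with TerminateThread. This is an added example, not code from either post; it assumes the standard masm32 SDK include and library paths, and the names THREADARGS, ThreadProc and ta are invented for the illustration.

```masm
; Added example (not dedndave's or hutch--'s code). Assumes the masm32 SDK.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

; Everything the thread needs, bundled behind one pointer (hypothetical layout)
THREADARGS STRUCT
    dwValue   DWORD ?          ; a number the thread returns as its exit code
    lpMessage DWORD ?          ; pointer to a zero-terminated string to show
THREADARGS ENDS

.data
    szHello    db "Hello from the thread", 0
    szCaption  db "CreateThread", 0

.data?
    ta         THREADARGS <>   ; filled in at run time, then passed by address
    hThread    dd ?
    dwThreadId dd ?            ; receives the thread ID (6th argument)
    dwExitCode dd ?

.code

; Thread entry point: exactly one DWORD argument, the lpParameter given to
; CreateThread. Declared with a named argument so MASM builds the frame;
; "uses esi" makes MASM save and restore ESI around the body.
ThreadProc PROC uses esi lpParam:DWORD
    mov     esi, lpParam                       ; ESI -> THREADARGS
    invoke  MessageBox, NULL, [esi].THREADARGS.lpMessage, ADDR szCaption, MB_OK
    mov     eax, [esi].THREADARGS.dwValue      ; return value in EAX = thread exit code
    ret
ThreadProc ENDP

start:
    mov     ta.dwValue, 42
    mov     ta.lpMessage, OFFSET szHello

    ; 4th argument = address of the structure, 6th = where to store the thread ID
    invoke  CreateThread, NULL, 0, OFFSET ThreadProc, OFFSET ta, 0, OFFSET dwThreadId
    mov     hThread, eax
    .if eax == NULL
        invoke  ExitProcess, 1                 ; CreateThread failed
    .endif

    ; Let the thread run to completion instead of calling TerminateThread
    invoke  WaitForSingleObject, hThread, INFINITE
    invoke  GetExitCodeThread, hThread, OFFSET dwExitCode
    invoke  CloseHandle, hThread               ; release the thread handle
    invoke  ExitProcess, dwExitCode            ; process exit code = 42
end start
```

The thread's return value in EAX is its exit code, which the main thread reads back with GetExitCodeThread after the wait; the handle is closed afterwards so the thread object is released once the thread has ended.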
7
MASM32 / MOVED: Bundle and Play XM File As Resource
« Last post by hutch-- on Today at 01:26:33 AM »
8
UASM Assembler Development / Re: VARARG
« Last post by hutch-- on Today at 01:23:10 AM »
Ha ha, the last disassembler I really liked was 1990 CodeView and used to write code formatted the same way. Now ALA 1998 - 2000 NuMega SoftIce was the genuine boys' toy but later versions of Windows were pigs to get any form of debugger working because of their protected mode architecture. What I really need is a post mortem debugger which tells you where an app crashes which is far more use to me. The old DrWatson worked really well at this task but the later Win7 and 10 versions want to dump a pile of high level chyte and send it back to Microsoft.

These days I rarely ever use one, they are easy enough to defeat in security terms and are a lot slower than console output or even message boxes. The real use I have is for a decent disassembler that outputs plain text, ArkDasm barely does the job but it was really useful when I was designing the stack layout and call automation (invoke) macros for 64 bit MASM.
9
UASM Assembler Development / Re: VARARG
« Last post by aw27 on Today at 12:25:42 AM »
You shouldn't underestimate these tools. Actually, these crappy debuggers (not disassemblers) emulate a whole fake CPU: When they reach that address, and you step through the code, r9 fills magically with 8888888888888888, and memory at [rsp+20] fills with 111. Imagine what a giant programming effort is behind such an emulator 8)
I am not an aficionado of magic debugger/emulators for fake CPUs.  :dazzled:
10
UASM Assembler Development / Re: VARARG
« Last post by jj2007 on November 21, 2017, 11:24:35 PM »
I got it now, you are using one of those crappy disassemblers from github.   :lol:
mov dword ptr ss:[rsp+20], 111 is also lovely.  :badgrin:

You shouldn't underestimate these tools. Actually, these crappy debuggers (not disassemblers) emulate a whole fake CPU: When they reach that address, and you step through the code, r9 fills magically with 8888888888888888, and memory at [rsp+20] fills with 111. Imagine what a giant programming effort is behind such an emulator 8)