How to: uncertain
Results: unsecured
Code: does not give a result
Requires: HJWasm64 or jwasm only
Source: qWord, x64 code in 32 bit process (http://www.masmforum.com/board/index.php?PHPSESSID=8d46cd4ecb1688be429ab49694ec53e6&topic=18556.0)
Required: intervention from someone with experience
Errors: (r9-r15)
MOV r64, imm64
XOR r64,r64
include \masm32\include\masm32rt.inc
include HJWasmMix.Inc
.data
; Test operands. QW0 and QW1 start as all-ones (-1); QW1 is the target
; of SetZeroQW and SetQWValue below, QW0 sits just before it in memory.
QW0 dq -1
QW1 dq -1
QW3 dq 0          ; NOTE(review): not referenced anywhere in this listing
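;-----------------------------------------------------------------------
; SetZeroQW(addrQW1) — 64-bit routine (mix64proc thunk from HJWasmMix.Inc)
; that stores zero into the QWORD at the 32-bit address addrQW1.
; In:    addrQW1 = 32-bit pointer to a QWORD
; Out:   *addrQW1 = 0
; Clobb: rax, rdx, flags (plus whatever the mix64proc thunk itself uses)
; NOTE(review): how arguments reach this routine is defined by the macro,
; which is not visible in this listing.
;-----------------------------------------------------------------------
mix64proc SetZeroQW ,addrQW1
mov eax,addrQW1                  ; writing eax zero-extends the 32-bit pointer into rax
xor edx,edx                      ; rdx = 0; 32-bit form, since the thread lists "XOR r64,r64" as failing to assemble
mov QWORD PTR [rax],rdx          ; *addrQW1 = 0 — store zero, as the routine's name says
ret
mix64endp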
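;-----------------------------------------------------------------------
; SetQWValue(addrQW1, QW2) — 64-bit routine that stores the 64-bit
; argument QW2 into the QWORD at the 32-bit address addrQW1.
; In:    addrQW1 = 32-bit pointer to a QWORD; QW2 = 64-bit value
; Out:   *addrQW1 = QW2
; Clobb: rax, rdx, flags
; NOTE(review): how a :qword argument is marshalled from the 32-bit caller
; is defined by the mix64proc/invoke64 macros, not visible here.
;-----------------------------------------------------------------------
mix64proc SetQWValue ,addrQW1 ,QW2 :qword
mov eax,addrQW1                  ; rax = pointer (zero-extended)
mov rdx,QW2                      ; rdx instead of r10: the thread header reports r9-r15 as erroring in this mode
mov QWORD ptr [rax],rdx          ; *addrQW1 = QW2 (the caller passes 0F1F1F1F1F1F1F1Fh)
ret
mix64endp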
;-----------------------------------------------------------------------
; GetEAX — diagnostic routine: copies whatever eax holds on entry into ecx
; and returns. The 32-bit caller loads eax = -1 first and prints ecx
; afterwards to see whether eax survives the 32->64 transition.
; Clobb: ecx
;-----------------------------------------------------------------------
mix64proc GetEAX
mov ecx,eax                      ; ecx = eax as observed inside the 64-bit routine
ret
mix64endp
.code
Start:
; Print QW1, run SetZeroQW on it through the 64-bit thunk, print it again.
invoke crt_printf,cfm$ ("\nQW1 : %llX"), QW1
invoke64 SetZeroQW,addr QW1
invoke crt_printf,cfm$ ("\nQW1 : %llX"), QW1
; NOTE(review): the two prints below show QW0, while SetQWValue writes QW1.
; Either they were meant to show QW1, or this checks that the neighbouring
; QW0 is left untouched by the 8-byte store — unclear from the listing.
invoke crt_printf,cfm$ ("\nQW0 : %llX"), QW0
invoke64 SetQWValue,addr QW1,0F1F1F1F1F1F1F1Fh
invoke crt_printf,cfm$ ("\nQW0 : %llX"), QW0
; Does eax survive the transition? Load -1, let GetEAX copy eax to ecx,
; print ecx: anything other than FFFFFFFF means eax was clobbered.
mov eax,-1
invoke64 GetEAX ; the author reports eax changes during the call
invoke crt_printf,cfm$ ("\necx : %X"), ecx
inkey
exit
End Start
This is the example that qWord attached: mix32_64.zip (http://www.masmforum.com/archive2012/10454_mix32_64.zip)
Quote from: qWord
I find this very interesting, so I share the following example, which requires jwasm and polink. (tested on Win7, x64 dance)
I tried using jwasm and polink, But it did not work well
Quote from: mabdelouahab on February 27, 2017, 03:24:32 AM
I tried using jwasm and polink, but it did not work well
No luck here, either. Perhaps it requires special options. The exe works fine, though.
I remember a long time ago Japheth had an example with a 16-bit -> 32-bit -> 64-bit and back sequence 8)
Further reading: Closing "Heaven's Gate" (http://www.alex-ionescu.com/?p=300)
Quote from: jj2007 on February 27, 2017, 04:56:10 AM
No luck here, either. Perhaps it requires special options. The exe works fine, though.
But for me this exe is not working properly:
Quote
BBBBBBBBAAAAAAAA
0000BBBBBBBBAAAA
Press any key to continue ...
The result is supposed to come out so:
BBBBBBBB
AAAAAAAAAAAAAAAABBBBBBBB
Attention, this is shr, not ror. Here is the interesting part in Olly:
00401090 │. 8D45 D4 lea eax, [ebp-2C]
00401093 │. 50 push eax
00401094 │. 9A 00304000 3300 call far 0033:00403000
When eax is loaded, follow eax in dump. You can't watch the code but you can see the memory content change.
Quote from: jj2007 on February 27, 2017, 07:44:17 PM
Attention, this is shr, not ror.
Thank you jj, I'm sorry, I did not pay attention to this
Still, I'd love to see how this can be built... where are the HJWasm experts?
No need for experts.
.386
.model flat                      ; 32-bit flat model: the process itself is 32-bit
includelib msvcrt.lib
; C-runtime prototypes used by main (C convention: the caller cleans the stack).
exit proto C :dword
_getch proto C
printf proto C :dword, :vararg
;-----------------------------------------------------------------------
; call_as_x64 lbl — emit a 32-bit far call to lbl through code selector
; 33h, the 64-bit code segment of a WOW64 process. The CPU enters 64-bit
; mode at lbl and returns to 32-bit mode on the matching retf (the
; "Heaven's Gate" transition; see the alex-ionescu.com link in this thread).
; Arguments are pushed the 32-bit way before the macro; retf does NOT pop them.
; Emitted as raw bytes because, as the thread notes, "push cs / call offset"
; only works within the same mode.
; Security note: code reached through this gate runs outside the 32-bit
; WOW64 layer, so instrumentation that only hooks the 32-bit side of a
; process does not observe it; detection tooling needs to cover the
; 64-bit side as well, and far calls to selector 33h from 32-bit code
; are worth flagging.
;-----------------------------------------------------------------------
call_as_x64 macro lbl
db 9ah ;call 0x33:OFFSET x64-proc — opcode CALL ptr16:32
dd OFFSET lbl                    ; 32-bit offset of the USE64 routine
dw 33h                           ; selector of the 64-bit code segment
endm
.x64
x64 SEGMENT EXECUTE USE64
; 64-bit thunk entered through the 32-bit far call emitted by call_as_x64.
; Stack on entry (the 32-bit far call pushed CS then EIP, 4 bytes each):
;   [rsp]   return EIP
;   [rsp+4] return CS
;   [rsp+8] argument pushed by the caller: 32-bit pointer to a QWORD
; NOTE(review): relies on the upper 32 bits of rsp being zero on entry —
; TODO confirm for the WOW64 stack layout.
; let's do some 64 bit arithmetic
mov eax,DWORD ptr [rsp+8]        ; eax = pointer argument (zero-extends into rax)
mov r10,QWORD ptr [rax]          ; r10 = *ptr
shr r10,16                       ; logical shift right by 16 (shr, not ror — see the thread; the top 16 bits become 0)
mov QWORD ptr [rax],r10          ; *ptr = result
retf                             ; far return to the 32-bit caller; the pushed argument stays on the stack
x64 ENDS
.data
; "%p%p": two 32-bit values printed as hex, high dword first (see the
; invoke lines in main), followed by CR/LF.
fmt1 db "%p%p",13,10,0
.code
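;-----------------------------------------------------------------------
; main — 32-bit entry point. Builds the local QWORD BBBBBBBB:AAAAAAAA,
; prints it, passes its address to the USE64 routine x64 through the
; far-call gate, prints it again, waits for a key and exits.
; Stack: the pointer argument is pushed by hand because the 64-bit
; routine returns with retf, which does not pop it; it is removed with
; add esp,4 right after the call so the frame stays balanced.
;-----------------------------------------------------------------------
main proc
LOCAL myQW:QWORD
mov DWORD ptr myQW[0],0AAAAAAAAh        ; low dword
mov DWORD ptr myQW[4],0BBBBBBBBh        ; high dword
invoke printf, addr fmt1, dword ptr myQW[4], dword ptr myQW[0]   ; expected BBBBBBBBAAAAAAAA
lea eax,myQW
push eax                                ; argument for x64: pointer to myQW
call_as_x64 x64                         ; far call into the USE64 segment; returns via retf
add esp,4                               ; retf left the pushed pointer on the stack — pop it
invoke printf, addr fmt1, dword ptr myQW[4], dword ptr myQW[0]   ; value after the 64-bit routine
invoke _getch
invoke exit,0
main endp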
end main
Mysterious - I have no idea why the other one doesn't build. Here is a classical version:
include \masm32\include\masm32rt.inc
;-----------------------------------------------------------------------
; call_as_x64 lbl — emit a 32-bit far call to lbl through code selector
; 33h, the 64-bit code segment of a WOW64 process; execution continues
; at lbl in 64-bit mode and comes back to 32-bit mode on its retf
; ("Heaven's Gate", see the alex-ionescu.com link quoted in this thread).
; Push the arguments first; retf does NOT pop them.
; Security note: code behind this gate is not seen by instrumentation
; that hooks only the 32-bit side of a WOW64 process, so detection
; tooling has to cover the 64-bit side too.
;-----------------------------------------------------------------------
call_as_x64 macro lbl
db 9ah ; call 0x33:OFFSET x64-proc — opcode CALL ptr16:32
dd offset lbl                    ; 32-bit offset of the USE64 routine
dw 33h                           ; selector of the 64-bit code segment
endm
.x64
x64 SEGMENT EXECUTE USE64
; 64-bit thunk reached by the 32-bit far call. Stack on entry:
;   [rsp]=return EIP, [rsp+4]=return CS, [rsp+8]=32-bit pointer argument.
; NOTE(review): assumes the upper 32 bits of rsp are zero on entry — TODO confirm.
mov eax, [rsp+8]                 ; eax = pointer to the QWORD (zero-extends into rax)
mov rdx, QWORD ptr [rax]         ; rdx = *ptr
ror rdx, 32 ; let's do some 64 bit arithmetic — swaps the high and low dwords
mov [rax], rdx                   ; *ptr = swapped value
retf                             ; back to the 32-bit caller; the pushed pointer stays on the stack
x64 ENDS
.data
fmt1 db "%p%p", 13, 10, 0        ; two 32-bit hex values, high dword first, then CR/LF
someQW QWORD ?                   ; uninitialised; filled dword by dword in start
.code
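;-----------------------------------------------------------------------
; start — 32-bit entry point. Loads someQW = BBBBBBBB:AAAAAAAA, prints it,
; runs the USE64 routine x64 on it (which rotates it by 32 bits) through
; the far-call gate, prints it again, waits for a key and exits.
; The pointer pushed for x64 is removed with add esp,4 because retf does
; not pop it.
;-----------------------------------------------------------------------
start:
mov DWORD ptr someQW[0],0AAAAAAAAh      ; low dword
mov DWORD ptr someQW[4],0BBBBBBBBh      ; high dword
invoke crt_printf, addr fmt1, dword ptr someQW[4], dword ptr someQW[0]
lea eax, someQW
push eax                                ; argument for x64: pointer to someQW
call_as_x64 x64                         ; far call into the 64-bit segment; returns via retf
add esp, 4                              ; retf left the argument on the stack — pop it
invoke crt_printf, addr fmt1, dword ptr someQW[4], dword ptr someQW[0]
invoke crt__getch
exit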
end start
HJWasm required.
Finally, everything works well
include \masm32\include\masm32rt.inc
include HJWasmMix.Inc
;-----------------------------------------------------------------------
; ResetQw(testAutherArg, addrQW1) — zero the QWORD at the 32-bit address
; addrQW1. testAutherArg (:qword) and the LOCAL are never read; judging by
; their names they only exercise the mix64proc macro's handling of a
; 64-bit argument and of locals.
; In:    addrQW1 = 32-bit pointer to a QWORD
; Out:   *addrQW1 = 0
; Clobb: rax, rdx, flags
;-----------------------------------------------------------------------
mix64proc ResetQw,testAutherArg:qword ,addrQW1
LOCAL probeLocal
mov eax, addrQW1                 ; rax = pointer (eax write zero-extends)
xor edx, edx                     ; rdx = 0 (32-bit form zero-extends; flags as with the 64-bit xor)
mov qword ptr [rax], rdx         ; *addrQW1 = 0
ret
mix64endp
;-----------------------------------------------------------------------
; QwToQw(addrQW1, addrQW2) — copy the QWORD at addrQW1 to addrQW2
; (*addrQW2 = *addrQW1; note the direction: source first).
; In:    addrQW1 = 32-bit source pointer, addrQW2 = 32-bit destination pointer
; Clobb: rax, rcx, rdx
;-----------------------------------------------------------------------
mix64proc QwToQw ,addrQW1 ,addrQW2
mov eax, addrQW1                 ; rax = source
mov ecx, addrQW2                 ; rcx = destination
mov rdx, qword ptr [rax]         ; rdx = *source
mov qword ptr [rcx], rdx         ; *destination = rdx
ret
mix64endp
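;-----------------------------------------------------------------------
; XChgQw(addrQW1, addrQW2) — swap the QWORDs at the 32-bit addresses
; addrQW1 and addrQW2. Goes through a 64-bit LOCAL, kept on purpose
; (its name says it is there to test locals inside a mix64proc).
; Plain moves are used instead of xchg with a memory operand, which
; always carries an implicit LOCK.
; In:    addrQW1, addrQW2 = 32-bit pointers to QWORDs
; Out:   *addrQW1 and *addrQW2 exchanged (no-op when both point at the same QWORD)
; Clobb: rax, rcx, rdx
;-----------------------------------------------------------------------
mix64proc XChgQw ,addrQW1 ,addrQW2
LOCAL JustForTestlocalQW:qword
mov eax, addrQW1                 ; rax = addrQW1
mov ecx, addrQW2                 ; rcx = addrQW2
mov rdx, qword ptr [rax]
mov JustForTestlocalQW, rdx      ; local = old *addrQW1
mov rdx, qword ptr [rcx]
mov qword ptr [rax], rdx         ; *addrQW1 = old *addrQW2
mov rdx, JustForTestlocalQW
mov qword ptr [rcx], rdx         ; *addrQW2 = old *addrQW1
ret
mix64endp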
;-----------------------------------------------------------------------
; SetQw(addrQW1, qwV1, qwV2) — build a QWORD from two dwords and store it:
; *addrQW1 = (qwV1 << 32) | qwV2, i.e. qwV1 becomes the high dword.
; In:    addrQW1 = 32-bit pointer to a QWORD; qwV1, qwV2 = dwords
; Clobb: rax, rcx, rdx, flags
;-----------------------------------------------------------------------
mix64proc SetQw ,addrQW1 ,qwV1:dword,qwV2:dword
mov eax, addrQW1                 ; rax = destination pointer
mov edx,qwV1                     ; rdx = qwV1 (upper 32 bits cleared by the 32-bit write)
shl rdx,32                       ; qwV1 into the high dword; same result as ror by 32 since the upper bits were zero
mov ecx,qwV2                     ; rcx = qwV2 (zero-extended)
or rdx,rcx                       ; rdx = qwV1:qwV2
mov qword ptr [rax], rdx         ; *addrQW1 = rdx
ret
mix64endp
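;-----------------------------------------------------------------------
; RoRQw(addrQW, vRor) — rotate the QWORD at the 32-bit address addrQW
; right by vRor bits, in place.
; In:    addrQW = 32-bit pointer to a QWORD; vRor = rotate count (byte)
; Out:   *addrQW rotated right by vRor (the CPU masks the count to 6 bits)
; Clobb: rax, rcx, rdx, flags
;-----------------------------------------------------------------------
mix64proc RoRQw ,addrQW:dword,vRor:byte
mov eax, addrQW                  ; rax = pointer
mov rdx,qword ptr [rax]          ; rdx = *addrQW
movzx ecx, vRor                  ; cl = count; movzx avoids the partial-register write of "mov cl"
ror rdx, cl
mov qword ptr [rax], rdx         ; *addrQW = rotated value
ret
mix64endp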
.data
; Test operands printed before and after each routine in start.
QW1 QWORD 0BBBBBBBBh
QW2 QWORD 0AAAAAAAAh
JustForTestArgQW QWORD 0         ; passed as the unused :qword argument of ResetQw
.code
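;-----------------------------------------------------------------------
; start — 32-bit entry point. Exercises each mix64proc routine on QW1/QW2
; and prints both values after every call (expected output follows the
; listing). The separator lines previously passed QW1 as an extra printf
; argument with no conversion specifier; that stray argument is dropped.
;-----------------------------------------------------------------------
start:
invoke crt_printf, cfm$("--------------------------------------")
invoke crt_printf, cfm$("\n QW1: %llX "), QW1
invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2
invoke crt_printf, cfm$("ResetQw--------------------------------------")
invoke ResetQw,JustForTestArgQW,addr QW1          ; QW1 = 0
invoke crt_printf, cfm$("\n QW1: %llX "), QW1
invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2
invoke crt_printf, cfm$("SetQw--------------------------------------")
invoke SetQw,addr QW2,0AAAAAAAAh,0BBBBBBBBh       ; QW2 = AAAAAAAABBBBBBBB
invoke crt_printf, cfm$("\n QW1: %llX "), QW1
invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2
invoke crt_printf, cfm$("XChgQw--------------------------------------")
invoke XChgQw,addr QW2,addr QW1                   ; swap QW1 <-> QW2
invoke crt_printf, cfm$("\n QW1: %llX "), QW1
invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2
invoke crt_printf, cfm$("QwToQw--------------------------------------")
invoke QwToQw,addr QW1,addr QW2                   ; QW2 = QW1
invoke crt_printf, cfm$("\n QW1: %llX "), QW1
invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2
invoke crt_printf, cfm$("RoRQw--------------------------------------")
invoke RoRQw,addr QW1 ,32                         ; QW1 rotated by 32: dwords swapped
invoke crt_printf, cfm$("\n QW1: %llX "), QW1
invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2
invoke crt__getch
exit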
end start
Output:
--------------------------------------
QW1: BBBBBBBB
QW2: AAAAAAAA
ResetQw--------------------------------------
QW1: 0
QW2: AAAAAAAA
SetQw--------------------------------------
QW1: 0
QW2: AAAAAAAABBBBBBBB
XChgQw--------------------------------------
QW1: AAAAAAAABBBBBBBB
QW2: 0
QwToQw--------------------------------------
QW1: AAAAAAAABBBBBBBB
QW2: AAAAAAAABBBBBBBB
RoRQw--------------------------------------
QW1: BBBBBBBBAAAAAAAA
QW2: AAAAAAAABBBBBBBB
Quote from: mabdelouahab on February 28, 2017, 08:56:19 AM
Finally, everything works well
Works fine, but a bit of explanation would be useful :P
Just tested my example above on Windows 10, and it works like a charm. So far no signs of M$ Closing "Heaven's Gate" (http://www.alex-ionescu.com/?p=300) :t
Now the question is what can be done with this discovery ::)
Quote from: jj2007 on February 28, 2017, 10:28:00 AM
Works fine, but a bit of explanation would be useful :P
Absolutely, JJ
We learned that a far call is: push cs, then call offset Proc. At first I relied on this, but it only works within the same mode (32-32) and does not work across different modes (32-64). The correct approach is to use:
db 09ah
dd OFFSET X64&ProcName
dw 033h
Quote from: jj2007 on February 28, 2017, 10:28:00 AM
Now the question is what can be done with this discovery ::)
This method lets us write x64 procedures, pass arguments, create local variables, and call them in the normal manner.
Well, yes, but what for? What can be done in x64 that isn't possible with SIMD in 32-bit code?
Attached an example that calls multiple procs in the same segment. There is also an attempt to call MessageBox, but it crashes (the same code in a 64-bit program works fine). Probably the OS doesn't like such attempts :bgrin: