progress

drifter · March 01, 2013, 02:14:16 PM

on: Febuary 28, 2013 at 10:30:11 AM dedndave wrote:

Quotemov ebx,[ebp+32]
bt ebx,8
.if CARRY?
print chr$('OV ')
.else
print chr$('NV ')
.endif

I knew about using the .if .else .endif, but wanted to code it myself. I should probably disassemble that and see how it plays out that way. I don't know if I did it the most efficent way or not.

On a different note: the price of a Big Mac is around 4-5 bucks....the price of a Flat Rate Domestic/International Priority mailer is $5.60....knowing that some scammer is swining by his balls right now for wasting $5 to send me a phony check PRICELESS!

dedndave · March 01, 2013, 02:38:11 PM

certainly, there are more efficient ways than what i did
i will probably use a few loops, similar to what you did, when i have time to play with it

sinsi - i was trying to keep it simple :P

jj2007 · March 02, 2013, 10:48:33 AM

Drifter inspired me to update my deb macro: it has learned to display flags (without changing them, of course):

deb 4, "End of loop:", ecx, flags, FLAGS

flags displays carry, zero, sign and overflow, FLAGS the whole set:
End of loop:
ecx 10000
flags: czso
FLAGS: cpAzstIdo

c means carry clear, C carry set, etc., i.e. lowercase=clear, uppercase=set.

drifter · March 02, 2013, 03:45:54 PM

on: Today at 10:48:33 AM jj2007 wrote:

QuoteDrifter inspired me to update my deb macro:

Placed in my que of things to check out!

drifter · March 03, 2013, 02:51:25 PM

After starting to write a test routine to check if my regflags program was working the way it should, I found a few problems - so I'm in the middle of a rewrite.

Does anyone know why this bit of code would cause McAfee to think it's a New Malwar.ep trojan? It's a pita as it quarantine's the .exe as soon as it's assembled and linked - so I've had to turn it off.

Code Select

    ;----------------------------------
    push edi                              ; edi test
    mov tempreg,edi
    print "EDI: "                                                 
    print uhex$(tempreg)
    print " = "
    pop edi   
    RegFlags DebugStruct
    mov eax,tempreg
    .if eax == DebugStruct.edireg
        print "PASSED",CRLF
    .else
        print "FAILED",CRLF
    .endif
    inkey
    cls
    ;----------------------------------
    push ebp                  ; ebp test
    mov tempreg,ebp
    print "EBP: "                                                 
    print uhex$(tempreg)
    print " = "
    pop ebp  
    RegFlags DebugStruct
    mov eax,tempreg
    .if eax == DebugStruct.ebpreg
        print "PASSED",CRLF
    .else
        print "FAILED",CRLF
    .endif
    inkey
    cls
    ;----------------------------------
    push esp                   ; esp test FAILED
    mov tempreg,esp
    print "ESP: "                                                 
    print uhex$(tempreg)
    print " = "
    pop esp  
    RegFlags DebugStruct
    mov eax,tempreg
    .if eax == DebugStruct.espreg
        print "PASSED",CRLF
    .else
        print "FAILED",CRLF
    .endif
    inkey
    cls           
    ;----------------------------------

That's about as close as I can narrow it down as it doesn't always trigger on the same spot. I really doubt I have a virus or trojan causing this, but I suppose that's a possiblity also.

dedndave · March 03, 2013, 08:18:08 PM

it's hard to say what criteria mcafee uses
i would uninstall mcafee - lol
not only will the problem go away, but your machine will be much faster

many of us have gotten into the habit of creating disk images to back up the boot drive
it's the best protection there is against viruses

MichaelW · March 03, 2013, 11:30:05 PM

Quote from: sinsi on March 01, 2013, 02:10:28 PM
CS will be different because it is a code descriptor, DS=ES=SS usually, FS is used by Windows, GS is available to us.

I have used it in DOS code, RM and PM, but I have not been able to make it work from a Windows app.

Code Select


;==============================================================================
    include \masm32\include\masm32rt.inc
;==============================================================================
    .data
        junk dd 123456h
    .code
;==============================================================================
start:
;==============================================================================
    ;ASSUME gs:nothing
    ;ASSUME gs:@data
    ASSUME gs:FLAT

    push es
    push cs
    pop es
    mov eax, start
    mov eax, [eax]
    printf("%Xh\n",eax)
    mov eax, start
    mov eax, es:[eax]
    printf("%Xh\n",eax)
    pop es

    inkey

    push es
    push ds
    pop es
    mov eax, OFFSET junk
    mov eax, [eax]
    printf("%Xh\n",eax)
    mov eax, OFFSET junk
    mov eax, es:[eax]
    printf("%Xh\n",eax)
    pop es

    inkey

    push gs
    push ds
    pop gs
    mov eax, OFFSET junk
    mov eax, [eax]
    printf("%Xh\n",eax)
    mov eax, OFFSET junk
    ;FAULT ->00401082  658b00  mov eax,gs:[eax]  gs:00403000=00123456
    mov eax, gs:[eax]
    printf("%Xh\n",eax)
    pop gs

    inkey
    exit
;==============================================================================
end start

The fault in this case is an access violation, even though the source address is apparently correct.

dedndave · March 04, 2013, 02:43:40 AM

i am surprised you get that far in the code without an exception

you call the printf macro with a dword-misaligned stack

MichaelW · March 04, 2013, 04:14:27 AM

Quoteyou call the printf macro with a dword-misaligned stack

It wouldn't work if that were so.

Even my senile old P3 is still smart enough push a segment register without making a mess

Actually, I've been through this some years ago coding a 32-bit DOS app where you couldn't avoid pushing and popping segment registers. For pushing CS, DS, ES, SS, FS, or GS there is only one opcode each, and the same for popping DS, ES, SS, FS, or GS, so it's not the assembler that is making this work.

Code Select


;==============================================================================
    include \masm32\include\masm32rt.inc
;==============================================================================
    .data
        junk dd 123456h
    .code
;==============================================================================
;----------------------------------------
; Returns the maximum alignment of _ptr.
;----------------------------------------

alignment MACRO _ptr
    push ecx
    xor eax, eax
    mov ecx, _ptr
    bsf ecx, ecx
    jz @F
    mov eax, 1
    shl eax, cl
  @@:
    pop ecx
    EXITM <eax>
ENDM
;==============================================================================
start:
;==============================================================================
    ;ASSUME gs:nothing
    ;ASSUME gs:@data
    ASSUME gs:FLAT

    mov ebx, esp
    printf("%d\n", alignment(ebx))
    push es
    mov ebx, esp
    printf("%d\n", alignment(ebx))
    pop es
    mov ebx, esp
    printf("%d\n", alignment(ebx))
    push gs
    mov ebx, esp
    printf("%d\n", alignment(ebx))
    pop gs
    mov ebx, esp
    printf("%d\n\n", alignment(ebx))

    push es
    push cs
    pop es
    mov eax, start
    mov eax, [eax]
    printf("%Xh\n",eax)
    mov eax, start
    mov eax, es:[eax]
    printf("%Xh\n",eax)
    pop es

    inkey

    push es
    push ds
    pop es
    mov eax, OFFSET junk
    mov eax, [eax]
    printf("%Xh\n",eax)
    mov eax, OFFSET junk
    mov eax, es:[eax]
    printf("%Xh\n",eax)
    pop es

    inkey

    push gs
    push ds
    pop gs
    mov eax, OFFSET junk
    mov eax, [eax]
    printf("%Xh\n",eax)
    mov eax, OFFSET junk
    ;FAULT ->00401082 658b00 mov eax,gs:[eax] gs:00403000=00123456
    mov eax, gs:[eax]
    printf("%Xh\n",eax)
    pop gs

    inkey
    exit
;==============================================================================
end start

Code Select

dedndave · March 04, 2013, 04:44:33 AM

good to know
i think i was playing with this - for whatever reason - some time ago
i tried to align it myself - oops

it may have been the IRET discussion you and i had a couple years back
re: using IRET to serialize code

drifter · March 04, 2013, 06:00:19 AM

After further code revisons, the problem has disappeared. I did use several programs to scan for infections, but they found nothing (except when I assembled that particular bit of code).

on: March 03, 2013, 08:18:08 PM dedndave wrote:

Quotei would uninstall mcafee - lol

Unfortunately, all I dare do is turn it off. I'm debugging and repairing the damage caused by mal-rats on a weekly basis on my wife's computer - I attribute this to the proficiency and warped ambitions of some otherwise very good Russian programmers.

I have fond memories of speaking with John McAfee on the phone back in the 80's, when everything was on dial-up bulliten boards. After about a 10 minute conversation concerning dissassembling viruses - he gave me complete access to his collection of live monsters (which I'm sure he gave to anybody that asked, regardless of their intentions). Reminds me of a cartoon I once saw of cute kids selling poisoned lemonaide - and then selling the antidote around the corner. That's how you get rich, retire to a beach house in the carribean, get away with murder, etc...

Anyway, I'm almost done - just want to add a routine to test toggling the flag bits.

dedndave · March 04, 2013, 06:11:58 AM

yah - if you have any of the "virut" flavours, it can be a mess to clean up
it infects EXE's and HTML's, and a few others
so - you clean up the mess with a fresh build, then get infected all over - ouch

i like AdAware for that
you can completely disable it by unchecking 2 start-ups in MsConfig.exe and disabling 2 services (reboot)
re-enable it by reversing the process
it does a nice job of identifying virut-infected files for you, using custom scan

once you are clean, i suggest a nice HOSTS file
i don't like posting HOSTS entries, because they are malicious URL's, of course
but, i can send it to you on request if you like

drifter · March 04, 2013, 06:45:56 AM

on: March 3, 2013 at 06:11:58 AM dedndave wrote:

Quotei can send it to you on request if you like

I guess that blocks access to those websites? Sure, if it'll help.

I've noticed the most common infection I seem to encounter redirects google to something called 'google.ro' in Romania. Spybot usually clears it up. ComboFix seems to be another good one, but it doesn't work with Windows 8.

sinsi · March 04, 2013, 01:06:49 PM

Quote from: MichaelW on March 03, 2013, 11:30:05 PM
The fault in this case is an access violation, even though the source address is apparently correct.

I can see the access violation in a debugger but it seems to be ignored most of the time (depending on what code comes after).
The whole point of having a flat win32 model is to be able to ignore segment registers, so let's forget this one eh?

Quote from: drifter on March 04, 2013, 06:00:19 AM
Unfortunately, all I dare do is turn it off. I'm debugging and repairing the damage caused by mal-rats on a weekly basis on my wife's computer - I attribute this to the proficiency and warped ambitions of some otherwise very good Russian programmers.

Better off investing in VMware workstation, costs the same as an AV. If your VM gets infected just revert to a snapshot.

The MASM Forum

News:

progress

drifter

dedndave

jj2007

drifter

drifter

dedndave

MichaelW

dedndave

MichaelW

dedndave

drifter

dedndave

drifter

sinsi