Author Topic: X64 Masm NEG  (Read 4008 times)

meneghini

  • Regular Member
  • *
  • Posts: 4
X64 Masm NEG
« on: June 25, 2015, 10:52:08 PM »
Hello guys, I have a doubt. I have the following code:

Code: [Select]
extern ExitProcess:proc
extern printf:proc
extern scanf:proc

includelib kernel32.lib
includelib user32.lib
includelib msvcrt.lib
include invoke_macros.asm

.data
scan BYTE 'scanf:',0
formatInt BYTE '%d',0
msg BYTE 'Return = %d',0
printInt BYTE 'printf: %d', 0ah, 0h
f1  BYTE 'Fake parameter #1 ( 293 - 447 ):',0
f2  BYTE 'Fake parameter #2 ( 111 - 377 ):',0

.data?
din dq ?

.code

start PROC
PUSH 327
PUSH 249
CALL main
ADD rsp, 16
invoke printf, addr msg, rax
RET
start ENDP

main proc
PUSH rbp
MOV rbp, rsp
SUB rsp, 48
MOV rax, [rbp + 20]
NEG rax
MOV [rbp - 24], rax
PUSH [rbp - 8]
MOV rax, [rbp + 16]
MOV rbx, [rbp + 20]
SUB rax, rbx
MOV [rbp - 16], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 16]
ADD rax, rbx
MOV [rbp - 40], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 24]
SUB rax, rbx
MOV [rbp - 24], rax
invoke  printf, addr scan
invoke  scanf, addr formatInt, addr din
MOV rax, din
MOV [rbp - 8], rax
MOV rax, [rbp + 16]

NEG rax

MOV [rbp - 48], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 24]
SUB rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp + 20]
CMP rax, 462
JGE LABEL_3
LABEL_1:
MOV rax, [rbp + 20]
MOV rbx, [rbp - 16]
SUB rax, rbx
MOV [rbp - 16], rax
PUSH [rbp - 16]
MOV rax, [rbp + 16]
MOV rbx, [rbp - 40]
ADD rax, rbx
MOV [rbp - 40], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 24]
ADD rax, rbx
MOV [rbp - 24], rax
invoke  printf, addr scan
invoke  scanf, addr formatInt, addr din
MOV rax, din
MOV [rbp - 16], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 48]
SUB rax, rbx
MOV [rbp - 32], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 24]
ADD rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 40]
SUB rax, rbx
MOV [rbp - 40], rax
MOV rax, [rbp - 8]
MOV rbx, [rbp - 16]
ADD rax, rbx
MOV [rbp - 32], rax
MOV rax, [rbp - 8]
NOT rax
MOV rbx, [rbp - 24]
ADD rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 40]
ADD rax, rbx
MOV [rbp - 40], rax
MOV rax, [rbp - 32]
ADD rsp, 64
POP rbp
RET
LABEL_3:
MOV rax, [rbp - 48]
MOV rbx, [rbp - 16]
ADD rax, rbx
MOV [rbp - 16], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 40]
ADD rax, rbx
MOV [rbp - 40], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 24]
ADD rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 40]
SUB rax, rbx
MOV [rbp - 40], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 24]
SUB rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp - 40]
MOV rbx, [rbp - 16]
SUB rax, rbx
MOV rbx, [rbp - 24]
SUB rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp + 20]
CMP rax, 475
JGE LABEL_5
MOV rax, [rbp + 20]
NEG rax
MOV [rbp - 8], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 24]
SUB rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp - 48]
MOV rbx, [rbp - 16]
ADD rax, rbx
MOV [rbp - 8], rax
MOV rax, [rbp + 20]
NEG rax
MOV [rbp - 40], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 24]
ADD rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp - 48]
MOV [rbp - 8], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 16]
ADD rax, rbx
MOV [rbp - 8], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 16]
ADD rax, rbx
MOV [rbp - 8], rax
MOV rax, [rbp + 20]
MOV [rbp - 16], rax
MOV rax, [rbp + 16]
MOV [rbp - 8], rax
MOV rax, [rbp - 48]
MOV rbx, [rbp - 24]
SUB rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 40]
SUB rax, rbx
MOV [rbp - 40], rax
JMP LABEL_1
LABEL_5:
MOV rax, [rbp + 16]
MOV rbx, [rbp - 40]
SUB rax, rbx
MOV [rbp - 40], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 8]
ADD rax, rbx
MOV [rbp - 8], rax
MOV rax, [rbp - 48]
MOV rbx, [rbp - 8]
SUB rax, rbx
MOV [rbp - 8], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 48]
ADD rax, rbx
MOV [rbp - 48], rax
MOV rax, [rbp + 20]
CMP rax, 476
JLE LABEL_3
MOV rax, [rbp + 20]
MOV rbx, [rbp - 40]
SUB rax, rbx
MOV [rbp - 8], rax
MOV rax, [rbp - 40]
MOV rbx, [rbp - 16]
ADD rax, rbx
MOV [rbp - 8], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 48]
ADD rax, rbx
MOV [rbp - 8], rax
MOV rax, [rbp - 16]
MOV [rbp - 48], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 24]
ADD rax, rbx
MOV [rbp - 8], rax
JMP LABEL_1
main endp

end


It's a obfuscated Least Common Multiple program. I don't get something: everything workds perfectly until I reach the NEG part:

Code: [Select]
invoke  printf, addr scan
invoke  scanf, addr formatInt, addr din
MOV rax, din
MOV [rbp - 8], rax
MOV rax, [rbp + 16]
NEG rax

I debbuged to check the value of RAX, and it was 249 before the NEG. After it it should be -249, and I'm getting a HUGE wierd number like 129137161657, and then the program is taking the wrong jump. What is happening? (It shouldn't go to label 3 and 5 because they're fake code)

qWord

  • Member
  • *****
  • Posts: 1476
  • The base type of a type is the type itself
    • SmplMath macros
Re: X64 Masm NEG
« Reply #1 on: June 25, 2015, 11:48:03 PM »
I debbuged to check the value of RAX, and it was 249 before the NEG. After it it should be -249, and I'm getting a HUGE wierd number like 129137161657
That must be problem of your debugger or wrong usage.

and then the program is taking the wrong jump. What is happening? (It shouldn't go to label 3 and 5 because they're fake code)
[rbp+20] == ?      (8∤20)
MREAL macros - when you need floating point arithmetic while assembling!

meneghini

  • Regular Member
  • *
  • Posts: 4
Re: X64 Masm NEG
« Reply #2 on: June 26, 2015, 12:05:10 AM »
I was reading something and I might know the problem, I just don't know how to solve it.

Ok, for example, for 8 bits, we have 255 numbers, with a range of -127 to 127. But the compiler doesn't recognize negative numbers, so the positive numbers are from 0 to 127 and the negative ones are from 128 to 255 values. Therefore, comparing REAL positive number (e.g. 45) with a negative (represented like 210) gives us a wrong result. We are using it like

CMP rax, 45
JGE LABEL_3

Any ideas how to fix it?

rrr314159

  • Member
  • *****
  • Posts: 1382
Re: X64 Masm NEG
« Reply #3 on: June 26, 2015, 12:47:42 AM »
The program is definitely "obfuscated". Anyway the number in the debugger starts, no doubt, with fffff... because it's a 2's complement negative. If you add 249 to it you'll get 0, with overflow. In other words there's nothing wrong with it. Perhaps u can set your debugger to display negative numbers correctly? Why it takes wrong jump - who knows, but it's not because of neg.

I assume getting rax from [rbp+20] is part of the obfuscation, normally u would only use 8-byte boundaries ...  However it's legal, and certainly obfuscates.

This is a weird prog doesn't surprise me if it doesn't work right

[edit] just read your latest post. No, the compiler knows negative numbers it's just the debugger doesn't display right. There's some other bug. CMP should say that -249 (for instance) is less than 45
I am NaN ;)

meneghini

  • Regular Member
  • *
  • Posts: 4
Re: X64 Masm NEG
« Reply #4 on: June 26, 2015, 03:15:56 AM »
Yeah, the line [rbp+20]  is wrong. I changed it and it works pefectly now. Thanks a lot!