Author Topic: Only in HjWasm64 and JWasm : x64 code in 32 bit process (Read 7874 times)

mabdelouahab · « **on:** February 25, 2017, 08:41:29 PM »

How to: uncertain
Results: unsecured
Code: does not give a result
Requires: HJWasm64 or jwasm only
the source:qWord: x64 code in 32 bit process

Required: interference with experience

Errors:(r9-r15)
MOV r64, imm64
XOR r64,r64

include \masm32\include\masm32rt.inc include HJWasmMix.Inc .data QW0 dq -1 QW1 dq -1 QW3 dq 0 mix64proc SetZeroQW ,addrQW1 mov eax,addrQW1 mov QWORD PTR [eax], 1 ret mix64endp mix64proc SetQWValue ,addrQW1 ,QW2 :qword mov eax,addrQW1 mov r10,QW2 mov QWORD ptr [rax],r10 ;0F1F1F1F1F1F1F1Fh ret mix64endp mix64proc GetEAX mov ecx,eax ret mix64endp .code Start: invoke crt_printf,cfm$ ("\nQW1 : %llX"), QW1 invoke64 SetZeroQW,addr QW1 invoke crt_printf,cfm$ ("\nQW1 : %llX"), QW1 invoke crt_printf,cfm$ ("\nQW0 : %llX"), QW0 invoke64 SetQWValue,addr QW1,0F1F1F1F1F1F1F1Fh invoke crt_printf,cfm$ ("\nQW0 : %llX"), QW0 mov eax,-1 invoke64 GetEAX ;eax change during call invoke crt_printf,cfm$ ("\necx : %X"), ecx inkey exit End Start

mabdelouahab · « **Reply #1 on:** February 27, 2017, 03:24:32 AM »

This is the example that attach qWord:mix32_64.zip

Quote from: qWord

I find this very intersting, so I share the following example, which requires jwasm and polink. (tested on Win7, x64 dance)

I tried using jwasm and polink, But it did not work well

jj2007 · « **Reply #2 on:** February 27, 2017, 04:56:10 AM »

Quote from: mabdelouahab on February 27, 2017, 03:24:32 AM

I tried using jwasm and polink, But it did not work well

No luck here, either. Perhaps it requires special options. The exe works fine, though.

I remember a long time ago Japheth had an example with a 16-bit -> 32-bit -> 64-bit and back sequence 8)

Further reading: Closing “Heaven’s Gate”

mabdelouahab · « **Reply #3 on:** February 27, 2017, 05:10:48 PM »

Quote from: jj2007 on February 27, 2017, 04:56:10 AM

No luck here, either. Perhaps it requires special options. The exe works fine, though.

But with me this exe not working properly:

Quote

BBBBBBBBAAAAAAAA
0000BBBBBBBBAAAA
Press any key to continue ...

The result is supposed to come out so:
BBBBBBBBAAAAAAAA
AAAAAAAABBBBBBBB

jj2007 · « **Reply #4 on:** February 27, 2017, 07:44:17 PM »

Attention, this is shr, not ror. Here is the interesting part in Olly:

Code: [Select]

00401090        ³.  8D45 D4                 lea eax, [ebp-2C]
00401093        ³.  50                      push eax
00401094        ³.  9A 00304000 3300        call far 0033:00403000

When eax is loaded, follow eax in dump. You can't watch the code but you can see the memory content change.

mabdelouahab · « **Reply #5 on:** February 27, 2017, 10:35:15 PM »

Quote from: jj2007 on February 27, 2017, 07:44:17 PM

Attention, this is shr, not ror.

Thank you jj, I'm sorry ,I did not pay attention to this

jj2007 · « **Reply #6 on:** February 27, 2017, 11:04:22 PM »

Still, I'd love to see how this can be built... where are the HJWasm experts?

TWell · « **Reply #7 on:** February 27, 2017, 11:36:45 PM »

No need for experts

Code: [Select]

.386
.model flat

includelib msvcrt.lib
exit proto C :dword
_getch proto C
printf proto C :dword, :vararg

call_as_x64 macro lbl
    db 9ah         ;call 0x33:OFFSET x64-proc
    dd OFFSET lbl
    dw 33h
endm

	.x64
x64 SEGMENT EXECUTE USE64
	
	; let's do some 64 bit arithmetic
	mov eax,DWORD ptr [rsp+8]
	mov r10,QWORD ptr [rax]
	shr r10,16
	mov QWORD ptr [rax],r10
	
	retf

x64 ENDS

.data
fmt1 db "%p%p",13,10,0

.code
main proc
;LOCAL sysi:SYSTEM_INFO
LOCAL myQW:QWORD
	mov DWORD ptr myQW[0],0AAAAAAAAh
	mov DWORD ptr myQW[4],0BBBBBBBBh
	invoke printf, addr fmt1, dword ptr myQW[4], dword ptr myQW[0]
	lea eax,myQW
	push eax
	call_as_x64 x64
	invoke printf, addr fmt1, dword ptr myQW[4], dword ptr myQW[0]
	invoke _getch
	invoke exit,0
main endp
end main

jj2007 · « **Reply #8 on:** February 28, 2017, 01:08:20 AM »

Mysterious - I have no idea why the other one doesn't build. Here is a classical version:

Code: [Select]

include \masm32\include\masm32rt.inc

call_as_x64 macro lbl
  db 9ah			; call 0x33:OFFSET x64-proc
  dd offset lbl
  dw 33h
endm

.x64
x64 SEGMENT EXECUTE USE64
  mov eax, [rsp+8]
  mov rdx, QWORD ptr [rax]
  ror rdx, 32		; let's do some 64 bit arithmetic
  mov [rax], rdx
  retf
x64 ENDS

.data
fmt1	db "%p%p", 13, 10, 0
someQW	QWORD ?

.code
start:
  mov DWORD ptr someQW[0],0AAAAAAAAh
  mov DWORD ptr someQW[4],0BBBBBBBBh
  invoke crt_printf, addr fmt1, dword ptr someQW[4], dword ptr someQW[0]
  lea eax, someQW
  push eax
  call_as_x64 x64
  invoke crt_printf, addr fmt1, dword ptr someQW[4], dword ptr someQW[0]
  invoke crt__getch
  exit

end start

HJWasm required.

mabdelouahab · « **Reply #9 on:** February 28, 2017, 08:56:19 AM »

Finally, everything works well

include \masm32\include\masm32rt.inc include HJWasmMix.Inc mix64proc ResetQw,testAutherArg:qword ,addrQW1 LOCAL testlocal mov eax, addrQW1 xor rdx, rdx mov qword ptr [rax], rdx ret mix64endp mix64proc QwToQw ,addrQW1 ,addrQW2 mov eax, addrQW1 mov ecx, addrQW2 mov rdx, qword ptr [rax] mov qword ptr [rcx], rdx ret mix64endp mix64proc XChgQw ,addrQW1 ,addrQW2 LOCAL JustForTestlocalQW:qword mov eax, addrQW1 mov ecx, addrQW2 mov rdx, qword ptr [rcx] mov JustForTestlocalQW, rdx mov rdx, qword ptr [rax] xchg rdx,JustForTestlocalQW mov qword ptr [rax], rdx mov rdx,JustForTestlocalQW mov qword ptr [rcx], rdx ret mix64endp mix64proc SetQw ,addrQW1 ,qwV1:dword,qwV2:dword mov eax, addrQW1 mov edx,qwV1 ror rdx,32 mov ecx,qwV2 or rdx,rcx mov qword ptr [rax], rdx ret mix64endp mix64proc RoRQw ,addrQW:dword,vRor:byte mov eax, addrQW mov rdx,qword ptr [rax] mov cl,vRor ror rdx, cl;x mov qword ptr [rax], rdx ret mix64endp .data QW1 QWORD 0BBBBBBBBh QW2 QWORD 0AAAAAAAAh JustForTestArgQW QWORD 0 .code start: invoke crt_printf, cfm$("--------------------------------------"), QW1 invoke crt_printf, cfm$("\n QW1: %llX "), QW1 invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2 invoke crt_printf, cfm$("ResetQw--------------------------------------"), QW1 invoke ResetQw,JustForTestArgQW,addr QW1 invoke crt_printf, cfm$("\n QW1: %llX "), QW1 invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2 invoke crt_printf, cfm$("SetQw--------------------------------------"), QW1 invoke SetQw,addr QW2,0AAAAAAAAh,0BBBBBBBBh invoke crt_printf, cfm$("\n QW1: %llX "), QW1 invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2 invoke crt_printf, cfm$("XChgQw--------------------------------------"), QW1 invoke XChgQw,addr QW2,addr QW1 invoke crt_printf, cfm$("\n QW1: %llX "), QW1 invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2 invoke crt_printf, cfm$("QwToQw--------------------------------------"), QW1 invoke QwToQw,addr QW1,addr QW2 invoke crt_printf, cfm$("\n QW1: %llX "), QW1 invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2 invoke crt_printf, cfm$("RoRQw--------------------------------------"), QW1 invoke RoRQw,addr QW1 ,32 invoke crt_printf, cfm$("\n QW1: %llX "), QW1 invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2 invoke crt__getch exit end start Output: -------------------------------------- QW1: BBBBBBBB QW2: AAAAAAAA ResetQw-------------------------------------- QW1: 0 QW2: AAAAAAAA SetQw-------------------------------------- QW1: 0 QW2: AAAAAAAABBBBBBBB XChgQw-------------------------------------- QW1: AAAAAAAABBBBBBBB QW2: 0 QwToQw-------------------------------------- QW1: AAAAAAAABBBBBBBB QW2: AAAAAAAABBBBBBBB RoRQw-------------------------------------- QW1: BBBBBBBBAAAAAAAA QW2: AAAAAAAABBBBBBBB

jj2007 · « **Reply #10 on:** February 28, 2017, 10:28:00 AM »

Quote from: mabdelouahab on February 28, 2017, 08:56:19 AM

Finally, everything works well

Works fine, but a bit of explanation would be useful :P

Just tested my example above on Windows 10, and it works like a charm. So far no signs of M$ Closing "Heaven’s Gate" :t

Now the question is what can be done with this discovery ::)

mabdelouahab · « **Reply #11 on:** February 28, 2017, 05:19:13 PM »

Quote from: jj2007 on February 28, 2017, 10:28:00 AM

Works fine, but a bit of explanation would be useful :P

Absolutely, JJ
We learned that Callfar is : push cs then call offset Proc, at first I rely on this, this is the only work in the same mode (32-32), and do not work in then diffirent mode (32-64), the correct view is that we use:
db 09ah
dd OFFSET X64&ProcName
dw 033h

Quote from: jj2007 on February 28, 2017, 10:28:00 AM

Now the question is what can be done with this discovery ::)

This method facilitates us making x64 procedures, pass argumment ,making local variable, and call it in the normal manner

jj2007 · « **Reply #12 on:** February 28, 2017, 07:22:34 PM »

Well, yes, but what for? What can be done in x64 that isn't possible with SIMD in 32-bit code?

Attached an example that calls multiple procs in the same segment. There is also an attempt to call MessageBox, but it crashes (the same code in a 64-bit program works fine). Probably the OS doesn't like such attempts

The MASM Forum

News:

Author Topic: Only in HjWasm64 and JWasm : x64 code in 32 bit process (Read 7874 times)

mabdelouahab

Only in HjWasm64 and JWasm : x64 code in 32 bit process

mabdelouahab

Re: Only in HjWasm64 and JWasm : x64 code in 32 bit process

jj2007

Re: Only in HjWasm64 and JWasm : x64 code in 32 bit process

mabdelouahab

Re: Only in HjWasm64 and JWasm : x64 code in 32 bit process

jj2007

Re: Only in HjWasm64 and JWasm : x64 code in 32 bit process

mabdelouahab

Re: Only in HjWasm64 and JWasm : x64 code in 32 bit process

jj2007

Re: Only in HjWasm64 and JWasm : x64 code in 32 bit process

TWell

Re: Only in HjWasm64 and JWasm : x64 code in 32 bit process

jj2007

Re: Only in HjWasm64 and JWasm : x64 code in 32 bit process

mabdelouahab

Re: Only in HjWasm64 and JWasm : x64 code in 32 bit process

jj2007

Re: Only in HjWasm64 and JWasm : x64 code in 32 bit process

mabdelouahab

Re: Only in HjWasm64 and JWasm : x64 code in 32 bit process

jj2007

Re: Only in HjWasm64 and JWasm : x64 code in 32 bit process