Only in HjWasm64 and JWasm : x64 code in 32 bit process

mabdelouahab · February 25, 2017, 08:41:29 PM

How to: uncertain
Results: unsecured
Code: does not give a result
Requires: HJWasm64 or jwasm only
the source:qWord: x64 code in 32 bit process

Required: interference with experience

Errors:(r9-r15)
MOV r64, imm64
XOR r64,r64

include \masm32\include\masm32rt.inc
include HJWasmMix.Inc
.data
   QW0   dq   -1
   QW1 dq -1
   QW3   dq    0

mix64proc SetZeroQW ,addrQW1
   mov eax,addrQW1
   mov QWORD PTR [eax], 1
   ret
mix64endp
mix64proc SetQWValue ,addrQW1 ,QW2 :qword
   mov eax,addrQW1
   mov r10,QW2
   mov QWORD ptr [rax],r10   ;0F1F1F1F1F1F1F1Fh
   ret
mix64endp

mix64proc GetEAX
   mov ecx,eax
   ret
mix64endp

.code
Start:

   invoke   crt_printf,cfm$ ("\nQW1 : %llX"), QW1
   invoke64 SetZeroQW,addr QW1
   invoke   crt_printf,cfm$ ("\nQW1 : %llX"), QW1

   invoke   crt_printf,cfm$ ("\nQW0 : %llX"), QW0
   invoke64 SetQWValue,addr QW1,0F1F1F1F1F1F1F1Fh
   invoke   crt_printf,cfm$ ("\nQW0 : %llX"), QW0

   mov eax,-1
   invoke64 GetEAX    ;eax change during call
   invoke   crt_printf,cfm$ ("\necx : %X"), ecx

   inkey
   exit
End Start

mabdelouahab · February 27, 2017, 03:24:32 AM

This is the example that attach qWord:mix32_64.zip

Quote from: qWord
I find this very intersting, so I share the following example, which requires jwasm and polink. (tested on Win7, x64 dance)

I tried using jwasm and polink, But it did not work well

jj2007 · February 27, 2017, 04:56:10 AM

Quote from: mabdelouahab on February 27, 2017, 03:24:32 AMI tried using jwasm and polink, But it did not work well

No luck here, either. Perhaps it requires special options. The exe works fine, though.

I remember a long time ago Japheth had an example with a 16-bit -> 32-bit -> 64-bit and back sequence 8)

Further reading: Closing "Heaven's Gate"

mabdelouahab · February 27, 2017, 05:10:48 PM

Quote from: jj2007 on February 27, 2017, 04:56:10 AM
No luck here, either. Perhaps it requires special options. The exe works fine, though.

But with me this exe not working properly:

QuoteBBBBBBBBAAAAAAAA
0000BBBBBBBBAAAA
Press any key to continue ...

The result is supposed to come out so:
BBBBBBBBAAAAAAAA
AAAAAAAABBBBBBBB

jj2007 · February 27, 2017, 07:44:17 PM

Attention, this is shr, not ror. Here is the interesting part in Olly:

Code Select

00401090        ³.  8D45 D4                 lea eax, [ebp-2C]
00401093        ³.  50                      push eax
00401094        ³.  9A 00304000 3300        call far 0033:00403000

When eax is loaded, follow eax in dump. You can't watch the code but you can see the memory content change.

mabdelouahab · February 27, 2017, 10:35:15 PM

Quote from: jj2007 on February 27, 2017, 07:44:17 PM
Attention, this is shr, not ror.

Thank you jj, I'm sorry ,I did not pay attention to this

jj2007 · February 27, 2017, 11:04:22 PM

Still, I'd love to see how this can be built... where are the HJWasm experts?

TWell · February 27, 2017, 11:36:45 PM

No need for experts

Code Select

.386
.model flat

includelib msvcrt.lib
exit proto C :dword
_getch proto C
printf proto C :dword, :vararg

call_as_x64 macro lbl
    db 9ah         ;call 0x33:OFFSET x64-proc
    dd OFFSET lbl
    dw 33h
endm

	.x64
x64 SEGMENT EXECUTE USE64
	
	; let's do some 64 bit arithmetic
	mov eax,DWORD ptr [rsp+8]
	mov r10,QWORD ptr [rax]
	shr r10,16
	mov QWORD ptr [rax],r10
	
	retf

x64 ENDS

.data
fmt1 db "%p%p",13,10,0

.code
main proc
;LOCAL sysi:SYSTEM_INFO
LOCAL myQW:QWORD
	mov DWORD ptr myQW[0],0AAAAAAAAh
	mov DWORD ptr myQW[4],0BBBBBBBBh
	invoke printf, addr fmt1, dword ptr myQW[4], dword ptr myQW[0]
	lea eax,myQW
	push eax
	call_as_x64 x64
	invoke printf, addr fmt1, dword ptr myQW[4], dword ptr myQW[0]
	invoke _getch
	invoke exit,0
main endp
end main

jj2007 · February 28, 2017, 01:08:20 AM

Mysterious - I have no idea why the other one doesn't build. Here is a classical version:

Code Select

include \masm32\include\masm32rt.inc

call_as_x64 macro lbl
  db 9ah			; call 0x33:OFFSET x64-proc
  dd offset lbl
  dw 33h
endm

.x64
x64 SEGMENT EXECUTE USE64
  mov eax, [rsp+8]
  mov rdx, QWORD ptr [rax]
  ror rdx, 32		; let's do some 64 bit arithmetic
  mov [rax], rdx
  retf
x64 ENDS

.data
fmt1	db "%p%p", 13, 10, 0
someQW	QWORD ?

.code
start:
  mov DWORD ptr someQW[0],0AAAAAAAAh
  mov DWORD ptr someQW[4],0BBBBBBBBh
  invoke crt_printf, addr fmt1, dword ptr someQW[4], dword ptr someQW[0]
  lea eax, someQW
  push eax
  call_as_x64 x64
  invoke crt_printf, addr fmt1, dword ptr someQW[4], dword ptr someQW[0]
  invoke crt__getch
  exit

end start

HJWasm required.

mabdelouahab · February 28, 2017, 08:56:19 AM

Finally, everything works well

include \masm32\include\masm32rt.inc
include HJWasmMix.Inc

   mix64proc ResetQw,testAutherArg:qword ,addrQW1
      LOCAL testlocal
        mov eax, addrQW1
        xor rdx, rdx
        mov qword ptr [rax], rdx
        ret
   mix64endp

   mix64proc QwToQw ,addrQW1 ,addrQW2
      mov eax, addrQW1
      mov ecx, addrQW2
      mov rdx, qword ptr [rax]
      mov qword ptr [rcx], rdx
      ret
   mix64endp

   mix64proc XChgQw ,addrQW1 ,addrQW2
   LOCAL JustForTestlocalQW:qword
      mov eax, addrQW1
      mov ecx, addrQW2
      mov rdx, qword ptr [rcx]
      mov JustForTestlocalQW, rdx
      mov rdx, qword ptr [rax]
      xchg rdx,JustForTestlocalQW
      mov qword ptr [rax], rdx
      mov rdx,JustForTestlocalQW
      mov qword ptr [rcx], rdx
      ret
   mix64endp

   mix64proc SetQw ,addrQW1 ,qwV1:dword,qwV2:dword
      mov eax, addrQW1
      mov edx,qwV1
      ror rdx,32
      mov ecx,qwV2
      or rdx,rcx
      mov qword ptr [rax], rdx
      ret
   mix64endp

   mix64proc RoRQw ,addrQW:dword,vRor:byte
      mov eax, addrQW
      mov rdx,qword ptr [rax]
      mov cl,vRor
      ror rdx, cl;x
      mov qword ptr [rax], rdx
      ret
   mix64endp

.data
   QW1         QWORD 0BBBBBBBBh
   QW2         QWORD 0AAAAAAAAh
   JustForTestArgQW      QWORD 0

.code
start:

   invoke crt_printf, cfm$("--------------------------------------"), QW1
   invoke crt_printf, cfm$("\n   QW1:   %llX   "), QW1
   invoke crt_printf, cfm$("\n   QW2:   %llX   \n"), QW2

   invoke crt_printf, cfm$("ResetQw--------------------------------------"), QW1
   invoke ResetQw,JustForTestArgQW,addr QW1
   invoke crt_printf, cfm$("\n   QW1:   %llX   "), QW1
   invoke crt_printf, cfm$("\n   QW2:   %llX   \n"), QW2


   invoke crt_printf, cfm$("SetQw--------------------------------------"), QW1
   invoke SetQw,addr QW2,0AAAAAAAAh,0BBBBBBBBh
   invoke crt_printf, cfm$("\n   QW1:   %llX   "), QW1
   invoke crt_printf, cfm$("\n   QW2:   %llX   \n"), QW2

   invoke crt_printf, cfm$("XChgQw--------------------------------------"), QW1
   invoke XChgQw,addr QW2,addr QW1
   invoke crt_printf, cfm$("\n   QW1:   %llX   "), QW1
   invoke crt_printf, cfm$("\n   QW2:   %llX   \n"), QW2

   invoke crt_printf, cfm$("QwToQw--------------------------------------"), QW1
   invoke QwToQw,addr QW1,addr QW2
   invoke crt_printf, cfm$("\n   QW1:   %llX   "), QW1
   invoke crt_printf, cfm$("\n   QW2:   %llX   \n"), QW2

   invoke crt_printf, cfm$("RoRQw--------------------------------------"), QW1
   invoke RoRQw,addr QW1 ,32
   invoke crt_printf, cfm$("\n   QW1:   %llX   "), QW1
   invoke crt_printf, cfm$("\n   QW2:   %llX   \n"), QW2

   invoke crt__getch
   exit

end start

Output:
--------------------------------------
QW1: BBBBBBBB
QW2: AAAAAAAA
ResetQw--------------------------------------
QW1: 0
QW2: AAAAAAAA
SetQw--------------------------------------
QW1: 0
QW2: AAAAAAAABBBBBBBB
XChgQw--------------------------------------
QW1: AAAAAAAABBBBBBBB
QW2: 0
QwToQw--------------------------------------
QW1: AAAAAAAABBBBBBBB
QW2: AAAAAAAABBBBBBBB
RoRQw--------------------------------------
QW1: BBBBBBBBAAAAAAAA
QW2: AAAAAAAABBBBBBBB

jj2007 · February 28, 2017, 10:28:00 AM

Quote from: mabdelouahab on February 28, 2017, 08:56:19 AM
Finally, everything works well

Works fine, but a bit of explanation would be useful :P

Just tested my example above on Windows 10, and it works like a charm. So far no signs of M$ Closing "Heaven's Gate" :t

Now the question is what can be done with this discovery ::)

mabdelouahab · February 28, 2017, 05:19:13 PM

Quote from: jj2007 on February 28, 2017, 10:28:00 AM
Works fine, but a bit of explanation would be useful :P

Absolutely, JJ
We learned that Callfar is : push cs then call offset Proc, at first I rely on this, this is the only work in the same mode (32-32), and do not work in then diffirent mode (32-64), the correct view is that we use:
db 09ah
dd OFFSET X64&ProcName
dw 033h

Quote from: jj2007 on February 28, 2017, 10:28:00 AM
Now the question is what can be done with this discovery ::)

This method facilitates us making x64 procedures, pass argumment ,making local variable, and call it in the normal manner

jj2007 · February 28, 2017, 07:22:34 PM

Well, yes, but what for? What can be done in x64 that isn't possible with SIMD in 32-bit code?

Attached an example that calls multiple procs in the same segment. There is also an attempt to call MessageBox, but it crashes (the same code in a 64-bit program works fine). Probably the OS doesn't like such attempts

The MASM Forum

News:

Only in HjWasm64 and JWasm : x64 code in 32 bit process

mabdelouahab

mabdelouahab

jj2007

mabdelouahab

jj2007

mabdelouahab

jj2007

TWell

jj2007

mabdelouahab

jj2007

mabdelouahab

jj2007