Author Topic: Unusual call  (Read 132 times)

alikim

  • Regular Member
  • *
  • Posts: 12
Unusual call
« on: September 11, 2017, 03:58:55 AM »
I have a call that leads to a jmp that leads to a procedure beginning with

Code:
push ebp
push ebp,esp
...

Normally I'd expect esp right before push ebp to hold the return address and also see values pushed onto the stack before the call.

In this case there is nothing in common between values of esp and [esp], [esp+4], ... etc before the call and at the procedure.

What might be the reason for that?

jj2007

  • Member
  • *****
  • Posts: 7558
  • Assembler is fun ;-)
    • MasmBasic
Re: Unusual call
« Reply #1 on: September 11, 2017, 06:40:44 AM »
> push ebp,esp

Really? Copy a hundred relevant lines from the disassembly and post it here, then we can discuss.

hutch--

  • Administrator
  • Member
  • ******
  • Posts: 4813
  • Mnemonic Driven API Grinder
    • The MASM32 SDK
Re: Unusual call
« Reply #2 on: September 11, 2017, 11:09:48 AM »
You need to get to know the actual instructions (usually called mnemonics) and how they operate. The instruction "call" is almost exclusively paired with a "ret" instruction and it's a way to transfer from one location in a program to another (usually called a procedure), and when that procedure has completed it returns to the next instruction after the one it was called from.

The two instructions,

push ebp
push ebp,esp

are one of the ways of setting up a stack frame, which is a technique to use what are called LOCAL variables within a procedure. You don't normally have to do this manually, but at a more advanced level you sometimes write a procedure that has no stack frame as it can be faster if it's only a very short procedure.
hutch at movsd dot com
http://www.masm32.com

jj2007

  • Member
  • *****
  • Posts: 7558
  • Assembler is fun ;-)
    • MasmBasic
Re: Unusual call
« Reply #3 on: September 11, 2017, 06:06:43 PM »
The issue is fairly simple:
Code:
  invoke MessageBox, 0, chr$("text"), chr$("Title"), MB_OK
translates to
Code:
00401052             │.  6A 00                push 0                            ; ┌Type = MB_OK|MB_DEFBUTTON1|MB_APPLMODAL
00401054             │.  68 58204000          push offset 00402058              ; │Caption = "Title"
00401059             │.  68 50204000          push offset 00402050              ; │Text = "text"
0040105E             │.  6A 00                push 0                            ; │hOwner = NULL
00401060             │.  E8 07010000          call <jmp.&user32.MessageBoxA>    ; └USER32.MessageBoxA
...
0040116C              $ FF25 E8204000        jmp near [<&user32.MessageBoxA>]
...
MessageBoxA          ┌$  8BFF                 mov edi, edi                      ; ID_X user32.MessageBoxA(hOwner,Text,Caption,Type)
76C3FDB0             │.  55                   push ebp
76C3FDB1             │.  8BEC                 mov ebp, esp
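
The call in the first post and the listing in this reply are the same pattern: pushes, a call into an import thunk, a jmp through the import address table, then the procedure prologue. The following Python model, added here as an example and not code from the thread or from MASM32, walks that sequence using the addresses and operands of the listing above and reports what [esp], [esp+4], ... should hold at the entry of MessageBoxA and after push ebp / mov ebp, esp. Instruction lengths and the IAT slot address (E8204000) are taken from the opcode bytes shown; the starting esp value is constructed, and the entry address 0x76C3FDAE is derived as two bytes before the push ebp at 76C3FDB0.

```python
"""
Added example (not from the thread): a small model of the x86 stack across
  call -> jmp thunk -> procedure prologue
built from the addresses and operands in the listing above. The starting esp
is constructed; instruction lengths come from the opcode bytes shown
(6A 00 = 2, 68 imm32 = 5, E8 rel32 = 5, 55 = 1, 8BEC = 2).
"""

# Caller side, from the listing: (address, mnemonic, operand, byte length)
CALLER = [
    (0x00401052, "push", 0x00000000, 2),  # Type    = MB_OK
    (0x00401054, "push", 0x00402058, 5),  # Caption = "Title"
    (0x00401059, "push", 0x00402050, 5),  # Text    = "text"
    (0x0040105E, "push", 0x00000000, 2),  # hOwner  = NULL
    (0x00401060, "call", 0x0040116C, 5),  # call <jmp.&user32.MessageBoxA>
]
THUNK_ADDR = 0x0040116C         # jmp near [<&user32.MessageBoxA>]; touches no stack
IAT_SLOT = 0x004020E8           # disp32 of FF25 E8204000: the dword the thunk reads
MESSAGEBOXA_ENTRY = 0x76C3FDAE  # derived: 'mov edi, edi' is 2 bytes before 76C3FDB0


class Cpu:
    """Just enough state to follow pushes, calls and jumps."""

    def __init__(self, esp):
        self.esp, self.ebp, self.eip = esp, 0, 0
        self.mem = {IAT_SLOT: MESSAGEBOXA_ENTRY}  # loader-filled import slot

    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value

    def dword(self, addr):
        return self.mem.get(addr, 0)

    def stack(self, count):
        """[esp], [esp+4], ... as a debugger's stack window would show them."""
        return [self.dword(self.esp + 4 * i) for i in range(count)]


def run_to_entry(initial_esp=0x0012FF80):
    """Execute the caller's pushes and call, then follow the thunk to the entry."""
    cpu = Cpu(initial_esp)
    for addr, mnemonic, operand, length in CALLER:
        cpu.eip = addr + length          # address of the next instruction
        if mnemonic == "push":
            cpu.push(operand)
        elif mnemonic == "call":
            cpu.push(cpu.eip)            # return address = instruction after the call
            cpu.eip = operand
    assert cpu.eip == THUNK_ADDR
    cpu.eip = cpu.dword(IAT_SLOT)        # jmp [IAT]: eip changes, esp does not
    assert cpu.eip == MESSAGEBOXA_ENTRY
    return cpu


def stack_at_entry(initial_esp=0x0012FF80):
    """Expected stack at 'mov edi, edi' / 'push ebp': return address, then args."""
    cpu = run_to_entry(initial_esp)
    ret, h_owner, text, caption, mb_type = cpu.stack(5)
    return {"esp": cpu.esp, "return": ret, "hOwner": h_owner,
            "Text": text, "Caption": caption, "Type": mb_type}


def frame_after_prologue(initial_esp=0x0012FF80):
    """After 'push ebp; mov ebp, esp': esp is 4 lower, [ebp+4] is the return,
    [ebp+8] the first argument (hOwner), [ebp+12] the second (Text)."""
    cpu = run_to_entry(initial_esp)
    cpu.push(cpu.ebp)                    # push ebp
    cpu.ebp = cpu.esp                    # mov ebp, esp
    return {"esp": cpu.esp, "ebp": cpu.ebp,
            "[ebp+4]": cpu.dword(cpu.ebp + 4),
            "[ebp+8]": cpu.dword(cpu.ebp + 8),
            "[ebp+12]": cpu.dword(cpu.ebp + 12)}


if __name__ == "__main__":
    for name, value in stack_at_entry().items():
        print(f"{name:>8}: {value:08X}")
    for name, value in frame_after_prologue().items():
        print(f"{name:>8}: {value:08X}")
```

Because the thunk's jmp changes only eip, the stack seen at the first instruction of MessageBoxA is exactly what the caller left: [esp] = 00401065 (the instruction after the call), then hOwner, Text, Caption, Type; after the prologue the same values sit at [ebp+4], [ebp+8], and so on. A breakpoint on a shared API entry fires for every caller in the process, so the first check when the stack looks unfamiliar is whether [esp] really holds the return address you expect.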

alikim

  • Regular Member
  • *
  • Posts: 12
Re: Unusual call
« Reply #4 on: September 11, 2017, 06:53:42 PM »
Thank you, I need to find some proper disassembler for Win 8.1 to post code, but yes, I think it's a call to another module.
My problem is that I know the stack at 76C3FDB0 and I want to go back to 00401060 to see where those values come from (e.g. the pushes above), but at 00401060 the stack is completely different.