I set up VS2005 for assembler projects - but after checking out Steve's Quick Editor more thourouly, I've decided that's the IDE I prefer for now. Truely awsome - everything you need is just a click away (cmd prompt,assemble & link,procedure browser,browse masm32 lib,map app procedures,masm32 folder,disassemble exe file,format dumpPE output,create EXE makit.bat - just to mention a few. The rest I'll discover when I get to them. kudos!
I've also replaced ml with jwasm. I'm afraid to leave it behind, but jwasm seems to work perfectly as a replacement - and having such beautiful source code available for it is priceless. As for it being faster, watching these things assemble and link is better than porn - I can't wait to start building bigger projects.
So, today's will be to press 'Create New Console Application', then press 'Debug print' - and write a routine that prints the register and flag values. Hopefully it will work anywhere I place it in code and can be used for a quick check without having to use a debugger. Then it's on to improve my command line parser until it's uncrashable.
QuoteI've also replaced ml with jwasm.
What specifics did you do? I attempted to swap but hit bumps; it's something on my list.
on: Feburary 27, 2013 at 10:28:02 AM Stan wrote:
QuoteWhat specifics did you do? I attempted to swap but hit bumps; it's something on my list.
I did it the easy way - I renamed ml.exe to ml8.exe, and then jwasm.exe to ml.exe (all this in the masm32/bin directory).
progress -> completed the register routine, working on the flags.
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
; Build this console app with "MAKEIT.BAT" on the PROJECT menu
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
include \masm32\include\masm32rt.inc
True EQU 1
False EQU 0
CRLF EQU 13,10
TWOCRLF EQU 13,10,13,10
RegSizeInBytes EQU 4
FlagSizeInBytes EQU 4
Init PROTO
Fini PROTO
.data?
value dd ?
.data
eaxhex db "eax=",0
ebxhex db "ebx=",0
ecxhex db "ecx=",0
edxhex db "edx=",0
esihex db "esi=",0
edihex db "edi=",0
ebphex db "ebp=",0
esphex db "esp=",0
ecshex db "ecx=",0
eiphex db "eip=",0
eflhex db "flags=",0
.code
start:
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
invoke Init
call main
invoke Fini
exit
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
main proc
;cls
xor eax,eax ; testing
; mov eax,1 ; testing
; <-----state of the registers and flags is measured here----->
pushad
pushfd
;---------------------------------------------------------------------------
print OFFSET eiphex
print uhex$([esp + ( (RegSizeInBytes * 9) + FlagSizeInBytes )]),CRLF ; eip
print OFFSET eaxhex
print uhex$([esp + ( (RegSizeInBytes * 8) + FlagSizeInBytes )]),CRLF ; eax
print OFFSET ecxhex
print uhex$([esp + ( (RegSizeInBytes * 7) + FlagSizeInBytes )]),CRLF ; ecx
print OFFSET edxhex
print uhex$([esp + ( (RegSizeInBytes * 6) + FlagSizeInBytes )]),CRLF ; edx
print OFFSET ebxhex
print uhex$([esp + ( (RegSizeInBytes * 5) + FlagSizeInBytes )]),CRLF ; ebx
print OFFSET esphex
print uhex$([esp + ( (RegSizeInBytes * 4) + FlagSizeInBytes )]),CRLF ; esp
print OFFSET ebphex
print uhex$([esp + ( (RegSizeInBytes * 3) + FlagSizeInBytes )]),CRLF ; ebp
print OFFSET esihex
print uhex$([esp + ( (RegSizeInBytes * 2) + FlagSizeInBytes )]),CRLF ; esi
print OFFSET edihex
print uhex$([esp + ( (RegSizeInBytes * 1) + FlagSizeInBytes )]),CRLF ; edi
;---------------------------------------------------------------------------
print OFFSET eflhex
print uhex$([esp + FlagSizeInBytes ]),CRLF
;flags
;---------------------------------------------------------------------------
;---------------------------------------------------------------------------
popfd
popad
return 0
main endp
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
Init proc
; cls
ret
Init endp
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
Fini proc
; inkey
ret
Fini endp
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
end start
print uhex$([esp + ( (RegSizeInBytes * 9) + FlagSizeInBytes )]),CRLF ; eip
Very cute :t
How did you find this one? It's the Campus here, so maybe you should explain how it works ;-)
Today at 05:48:33 PM jj2007 wrote:
QuoteHow did you find this one? It's the Campus here, so maybe you should explain how it works ;-)
Well, like I mentioned, I started with the 'Debug Print' script which pushes and pops the registers and flags via pushad/pushfd and popfd/popad. So with these values on the stack - it's just a matter of reading them off in the correct order (they aren't exactly eax, ebx, ecx, etc).
I tried making the code self-explainatory, but I'll add comments before I'm finished. To calculate a registers position in the stack you mulitiply the register size by it's ordinal position in the stack. For the registers, you also have to jump over the flag register that was pushed last.
The instruction pointer points to the return address after the program is finished. That probably won't be of much use if this is a macro and used in a debugging situation.
For the flags - my first thought was to use masks, but I think the left shift is more appropriate. I'm not sure my loops are coded very efficiently, but it appears to work. I've only checked the carry flag, but if it's right, the rest should be.
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
; Build this console app with "MAKEIT.BAT" on the PROJECT menu
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
include \masm32\include\masm32rt.inc
True EQU 1
False EQU 0
CRLF EQU 13,10
TWOCRLF EQU 13,10,13,10
RegSizeInBytes EQU 4
FlagSizeInBytes EQU 4
Init PROTO
Fini PROTO
.data?
flags dd ?
.data
none db True
.code
start:
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
invoke Init
call main
invoke Fini
exit
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
main proc
;cls
xor eax,eax ; testing
; mov eax,1 ; testing
stc ; testing
; <-----state of the registers and flags is measured here----->
pushad
pushfd
;---------------------------------------------------------------------------
print "eax="
print uhex$([esp + ( (RegSizeInBytes * 8) + FlagSizeInBytes )])
print " esi="
print uhex$([esp + ( (RegSizeInBytes * 2) + FlagSizeInBytes )]),CRLF
print "ebx="
print uhex$([esp + ( (RegSizeInBytes * 5) + FlagSizeInBytes )])
print " edi="
print uhex$([esp + ( (RegSizeInBytes * 1) + FlagSizeInBytes )]),CRLF
print "ecx="
print uhex$([esp + ( (RegSizeInBytes * 7) + FlagSizeInBytes )])
print " ebp="
print uhex$([esp + ( (RegSizeInBytes * 3) + FlagSizeInBytes )]),CRLF
print "edx="
print uhex$([esp + ( (RegSizeInBytes * 6) + FlagSizeInBytes )])
print " esp="
print uhex$([esp + ( (RegSizeInBytes * 4) + FlagSizeInBytes )]),CRLF
print "eip="
print uhex$([esp + ( (RegSizeInBytes * 9) + FlagSizeInBytes )])
print " flags="
print uhex$([esp + FlagSizeInBytes ]),CRLF
pop eax
mov flags,eax
push eax
popfd
popad
;---------------------------------------------------------------------------
print " AC VM FLAG", CRLF
mov edx,10h
mov eax,flags
bitloop1:
push edx
shl eax,1
push eax
jc @F
print " 0",0
jmp there1
@@:
print " 1",0
there1:
pop eax
pop edx
dec edx
jnz bitloop1
push eax
print " ",CRLF
print " 1F 1E 1D 1C 1B 1A 19 18 17 16 15 14 13 12 11 10 HEX ",TWOCRLF
print " R -NT- PR O D I T S Z A P C FLAG",CRLF
mov edx,10h
pop eax
bitloop2:
push edx
shl eax,1
push eax
jc @F
print " 0",0
jmp there2
@@:
print " 1",0
there2:
pop eax
pop edx
dec edx
jnz bitloop2
print " ",CRLF
print " 0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00 HEX ",CRLF
return 0
main endp
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
Init proc
; cls
ret
Init endp
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
Fini proc
; inkey
ret
Fini endp
; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
end start
Still a work in progres...
Hi drifter,
well done. :t
Gunther
nice - that's very much what it would look like if i wrote it :P
well - except, i am an old fart - lol
i would try to follow the old debug layout
AX=0000 BX=0000 CX=0000 DX=0000 SP=FFEE BP=0000 SI=0000 DI=0000
DS=0B89 ES=0B89 SS=0B89 CS=0B89 IP=0100 NV UP EI PL NZ NA PO NC
(use extended registers, of course)
the flags were
NV/OV overflow
UP/DN direction
DI/EI interrupt enable (probably would omit this one for 32-bit)
PL/NG sign
NZ/ZR zero
NA/AC auxilary carry
PO/PE parity
NC/CY carry
also, for flat model win32, the segment registers DS, ES, SS, CS all point to the same section
not sure i would display any of them - kind of meaningless, really
and - we have FS and GS - the value is also somewhat meaningless
in 16-bit DOS, the segment registers were something you had to keep an eye on
jj207, Gunther, Dave - thanks!
on: February 28, 2013, 11:17:41 PM dedndave wrote:
Quotei would try to follow the old debug layout
yeah - I miss debug (and com files) - I'll probably do that. I wanted to see the shl loop paint the bits, but now it's more about screen real estate.
Where do you find the segment registers? If I recall from my DOS daze, they were in some of the registers when the program starts - but if I'm using this as a debugging macro, those may have changed by the time it's called.
Quoteexcept, i am an old fart - lol
yeah - us old farts age like cheese rather than wine I'm afraid. I used to live and breath this stuff back in the 80's, but my career took a different path. When I was making money and had no time, I tried to keep my hand in by buying some of the toys I knew I'd want later - Visual Studio, IDA Pro (getting that was a real pita), etc. Now I'm broke, almost homeless :eusa_boohoo: and have all the time in the world - but at least I have my toys - and the thrill is back!
in 16-bit DOS, the segment registers were used to control which sections of memory were "visible"
in the win32 flat model, you can directly address 4 gb of memory space
so, we no longer have to worry about segment registers
and - they don't work the same way in protected mode, anyways
they point to an entry in a table that has the real information (global descriptor table)
the tables are based in memory, which is referenced by the GS register
CS, DS, ES, SS point to what are now refered to as "sections", rather than "segments",
and are the same value in a given process
the FS register is of some interest, but the value that's in it isn't - lol
we may access information there, but the specific value is what it is, and has little signifigance
at FS:0, you will find the TIB ("thread information block" or "thread environment block")
http://en.wikipedia.org/wiki/Win32_Thread_Information_Block (http://en.wikipedia.org/wiki/Win32_Thread_Information_Block)
you can get the value at FS:[18h] and use that to access the TIB in linear memory
you'll play with it more, when you get to SEH Structured Exception Handling
many of us use Olly as a debugger...
http://www.ollydbg.de/ (http://www.ollydbg.de/)
on: Feburary 28,2013 at 06:35:49 AM dedndave wrote:
Quotemany of us use Olly as a debugger...
I've installed that and still learning how to use it. Most of the stuff I'm doing now is just practice to get back into coding again. Finding my way around and knowing how to access the command line will be useful for later projects. Command line console apps will keep me happy for awhile, but I'm sure I'll eventually crack the windows.
After I finish these I want to write a routine that will do number conversions to any arbitrary base. Decimal, hex, octal, and binary are certainly useful - but for music, duodecimal (base 12) and septenary (base 7) are handy. So, for a pattern generator I have in mind - I want to be able to generate numbers in any base. The only limit will be the number of unique symbols you can use.
Quote from: dedndave on March 01, 2013, 06:35:49 AM
CS, DS, ES, SS point to what are now refered to as "sections", rather than "segments",
and are the same value in a given process
I keep seeing statements that CS, DS, ES, and SS are all the same, but in my tests they never have been.
;==============================================================================
include \masm32\include\masm32rt.inc
;==============================================================================
.data
.code
;==============================================================================
start:
;==============================================================================
xor ebx, ebx
mov bx, cs
printf("CS: %Xh\n", ebx)
mov bx, ds
printf("DS: %Xh\n", ebx)
mov bx, es
printf("ES: %Xh\n", ebx)
mov bx, ss
printf("SS: %Xh\n", ebx)
mov bx, fs
printf("FS: %Xh\n", ebx)
mov bx, gs
printf("GS: %Xh\n\n", ebx)
inkey
exit
;==============================================================================
end start
CS: 1Bh
DS: 23h
ES: 23h
SS: 23h
FS: 3Bh
GS: 0h
that is interesting, Michael
however, it would seem that the GDT table entries point to the same place in memory
(code is accessible as read data, for example)
it may be they have seperate entries because the sections have different access attributes
as you know, the code section has a PAGE_EXECUTE_READ attribute
DS, ES, and SS point to an entry that has a PAGE_READWRITE attribute
on: Feburary 28, 2013 at 08:07:12 AM MichaelW wrote:
Quoteprintf("CS: %Xh\n", ebx)
mov bx, ds
printf("DS: %Xh\n", ebx)
mov bx, es
printf("ES: %Xh\n", ebx)
mov bx, ss
printf("SS: %Xh\n", ebx)
mov bx, fs
printf("FS: %Xh\n", ebx)
mov bx, gs
printf("GS: %Xh\n\n", ebx)
Thanks!
the code below should display something like this
EAX=12345678 EBX=12345678 ECX=12345678 EDX=12345678 EIP=12345678
ESI=12345678 EDI=12345678 EBP=12345678 ESP=12345678 NV UP PL NZ NA PO NC
untested :biggrin:
DbgRegs PROC
pushfd
pushad
mov ebp,esp
;[EBP+36] ;RETurn address
;[EBP+32] ;EFlags
;[EBP+28] ;EAX
;[EBP+24] ;ECX
;[EBP+20] ;EDX
;[EBP+16] ;EBX
;[EBP+12] ;ESP (points to EFlags)
;[EBP+8] ;EBP
;[EBP+4] ;ESI
;[EBP] ;EDI
print chr$(13,10,'EAX=')
print uhex$([ebp+28]),32,32
print chr$('EBX=')
print uhex$(ebx),32,32
print chr$('ECX=')
print uhex$([ebp+24]),32,32
print chr$('EDX=')
print uhex$([ebp+20]),32,32
print chr$('EIP=')
print uhex$([ebp+36]),13,10
print chr$('ESI=')
print uhex$(esi),32,32
print chr$('EDI=')
print uhex$(edi),32,32
print chr$('EBP=')
print uhex$([ebp+8]),32,32
print chr$('ESP=')
mov eax,[ebp+12]
add eax,8
print uhex$(eax),32,32
;8 NV/OV overflow
;7 UP/DN direction
;4 PL/NG sign
;3 NZ/ZR zero
;2 NA/AC auxilary carry
;1 PO/PE parity
;0 NC/CY carry
mov ebx,[ebp+32]
bt ebx,8
.if CARRY?
print chr$('OV ')
.else
print chr$('NV ')
.endif
bt ebx,7
.if CARRY?
print chr$('DN ')
.else
print chr$('UP ')
.endif
bt ebx,4
.if CARRY?
print chr$('NG ')
.else
print chr$('PL ')
.endif
bt ebx,3
.if CARRY?
print chr$('ZR ')
.else
print chr$('NZ ')
.endif
bt ebx,2
.if CARRY?
print chr$('AC ')
.else
print chr$('NA ')
.endif
bt ebx,1
.if CARRY?
print chr$('PE ')
.else
print chr$('PO ')
.endif
bt ebx,0
.if CARRY?
print chr$('CY '),13,10
.else
print chr$('NC '),13,10
.endif
popad
popfd
ret
DbgRegs ENDP
>the tables are based in memory, which is referenced by the GS register
No, the GDT limit and address are stored in the GDTR
>CS, DS, ES, SS point to what are now refered to as "sections", rather than "segments",
Selectors rather than sections
>and are the same value in a given process
CS will be different because it is a code descriptor, DS=ES=SS usually, FS is used by Windows, GS is available to us.
A selector is an index into the GDT, pointing to an 8-byte descriptor.
The lower 3 bits of a selector are used for protection - in user land bits 0 and 1 are always set (meaning ring3).
So if CS=1Bh the descriptor starts at offset 18h in the GDT, if DS=23h it points to offset 20h and so on.
on: Febuary 28, 2013 at 10:30:11 AM dedndave wrote:
Quotemov ebx,[ebp+32]
bt ebx,8
.if CARRY?
print chr$('OV ')
.else
print chr$('NV ')
.endif
I knew about using the .if .else .endif, but wanted to code it myself. I should probably disassemble that and see how it plays out that way. I don't know if I did it the most efficent way or not.
On a different note: the price of a Big Mac is around 4-5 bucks....the price of a Flat Rate Domestic/International Priority mailer is $5.60....knowing that some scammer is swining by his balls right now for wasting $5 to send me a phony check PRICELESS!
certainly, there are more efficient ways than what i did
i will probably use a few loops, similar to what you did, when i have time to play with it
sinsi - i was trying to keep it simple :P
Drifter inspired me to update my deb macro: it has learned to display flags (without changing them, of course):
deb 4, "End of loop:", ecx, flags, FLAGS
flags displays carry, zero, sign and overflow, FLAGS the whole set:
End of loop:
ecx 10000
flags: czso
FLAGS: cpAzstIdo
c means carry clear, C carry set, etc., i.e. lowercase=clear, uppercase=set.
on: Today at 10:48:33 AM jj2007 wrote:
QuoteDrifter inspired me to update my deb macro:
Placed in my que of things to check out!
After starting to write a test routine to check if my regflags program was working the way it should, I found a few problems - so I'm in the middle of a rewrite.
Does anyone know why this bit of code would cause McAfee to think it's a New Malwar.ep trojan? It's a pita as it quarantine's the .exe as soon as it's assembled and linked - so I've had to turn it off.
;----------------------------------
push edi ; edi test
mov tempreg,edi
print "EDI: "
print uhex$(tempreg)
print " = "
pop edi
RegFlags DebugStruct
mov eax,tempreg
.if eax == DebugStruct.edireg
print "PASSED",CRLF
.else
print "FAILED",CRLF
.endif
inkey
cls
;----------------------------------
push ebp ; ebp test
mov tempreg,ebp
print "EBP: "
print uhex$(tempreg)
print " = "
pop ebp
RegFlags DebugStruct
mov eax,tempreg
.if eax == DebugStruct.ebpreg
print "PASSED",CRLF
.else
print "FAILED",CRLF
.endif
inkey
cls
;----------------------------------
push esp ; esp test FAILED
mov tempreg,esp
print "ESP: "
print uhex$(tempreg)
print " = "
pop esp
RegFlags DebugStruct
mov eax,tempreg
.if eax == DebugStruct.espreg
print "PASSED",CRLF
.else
print "FAILED",CRLF
.endif
inkey
cls
;----------------------------------
That's about as close as I can narrow it down as it doesn't always trigger on the same spot. I really doubt I have a virus or trojan causing this, but I suppose that's a possiblity also.
it's hard to say what criteria mcafee uses
i would uninstall mcafee - lol
not only will the problem go away, but your machine will be much faster
many of us have gotten into the habit of creating disk images to back up the boot drive
it's the best protection there is against viruses
Quote from: sinsi on March 01, 2013, 02:10:28 PM
CS will be different because it is a code descriptor, DS=ES=SS usually, FS is used by Windows, GS is available to us.
I have used it in DOS code, RM and PM, but I have not been able to make it work from a Windows app.
;==============================================================================
include \masm32\include\masm32rt.inc
;==============================================================================
.data
junk dd 123456h
.code
;==============================================================================
start:
;==============================================================================
;ASSUME gs:nothing
;ASSUME gs:@data
ASSUME gs:FLAT
push es
push cs
pop es
mov eax, start
mov eax, [eax]
printf("%Xh\n",eax)
mov eax, start
mov eax, es:[eax]
printf("%Xh\n",eax)
pop es
inkey
push es
push ds
pop es
mov eax, OFFSET junk
mov eax, [eax]
printf("%Xh\n",eax)
mov eax, OFFSET junk
mov eax, es:[eax]
printf("%Xh\n",eax)
pop es
inkey
push gs
push ds
pop gs
mov eax, OFFSET junk
mov eax, [eax]
printf("%Xh\n",eax)
mov eax, OFFSET junk
;FAULT ->00401082 658b00 mov eax,gs:[eax] gs:00403000=00123456
mov eax, gs:[eax]
printf("%Xh\n",eax)
pop gs
inkey
exit
;==============================================================================
end start
The fault in this case is an access violation, even though the source address is apparently correct.
i am surprised you get that far in the code without an exception :biggrin:
you call the printf macro with a dword-misaligned stack
Quoteyou call the printf macro with a dword-misaligned stack
It wouldn't work if that were so.
Even my senile old P3 is still smart enough push a segment register without making a mess :biggrin:
Actually, I've been through this some years ago coding a 32-bit DOS app where you couldn't avoid pushing and popping segment registers. For pushing CS, DS, ES, SS, FS, or GS there is only one opcode each, and the same for popping DS, ES, SS, FS, or GS, so it's not the assembler that is making this work.
;==============================================================================
include \masm32\include\masm32rt.inc
;==============================================================================
.data
junk dd 123456h
.code
;==============================================================================
;----------------------------------------
; Returns the maximum alignment of _ptr.
;----------------------------------------
alignment MACRO _ptr
push ecx
xor eax, eax
mov ecx, _ptr
bsf ecx, ecx
jz @F
mov eax, 1
shl eax, cl
@@:
pop ecx
EXITM <eax>
ENDM
;==============================================================================
start:
;==============================================================================
;ASSUME gs:nothing
;ASSUME gs:@data
ASSUME gs:FLAT
mov ebx, esp
printf("%d\n", alignment(ebx))
push es
mov ebx, esp
printf("%d\n", alignment(ebx))
pop es
mov ebx, esp
printf("%d\n", alignment(ebx))
push gs
mov ebx, esp
printf("%d\n", alignment(ebx))
pop gs
mov ebx, esp
printf("%d\n\n", alignment(ebx))
push es
push cs
pop es
mov eax, start
mov eax, [eax]
printf("%Xh\n",eax)
mov eax, start
mov eax, es:[eax]
printf("%Xh\n",eax)
pop es
inkey
push es
push ds
pop es
mov eax, OFFSET junk
mov eax, [eax]
printf("%Xh\n",eax)
mov eax, OFFSET junk
mov eax, es:[eax]
printf("%Xh\n",eax)
pop es
inkey
push gs
push ds
pop gs
mov eax, OFFSET junk
mov eax, [eax]
printf("%Xh\n",eax)
mov eax, OFFSET junk
;FAULT ->00401082 658b00 mov eax,gs:[eax] gs:00403000=00123456
mov eax, gs:[eax]
printf("%Xh\n",eax)
pop gs
inkey
exit
;==============================================================================
end start
4
64
4
64
4
good to know
i think i was playing with this - for whatever reason - some time ago
i tried to align it myself - oops
it may have been the IRET discussion you and i had a couple years back
re: using IRET to serialize code
After further code revisons, the problem has disappeared. I did use several programs to scan for infections, but they found nothing (except when I assembled that particular bit of code).
on: March 03, 2013, 08:18:08 PM dedndave wrote:
Quotei would uninstall mcafee - lol
Unfortunately, all I dare do is turn it off. I'm debugging and repairing the damage caused by mal-rats on a weekly basis on my wife's computer - I attribute this to the proficiency and warped ambitions of some otherwise very good Russian programmers.
I have fond memories of speaking with John McAfee on the phone back in the 80's, when everything was on dial-up bulliten boards. After about a 10 minute conversation concerning dissassembling viruses - he gave me complete access to his collection of live monsters (which I'm sure he gave to anybody that asked, regardless of their intentions). Reminds me of a cartoon I once saw of cute kids selling poisoned lemonaide - and then selling the antidote around the corner. That's how you get rich, retire to a beach house in the carribean, get away with murder, etc...
Anyway, I'm almost done - just want to add a routine to test toggling the flag bits.
yah - if you have any of the "virut" flavours, it can be a mess to clean up
it infects EXE's and HTML's, and a few others
so - you clean up the mess with a fresh build, then get infected all over - ouch
i like AdAware for that
you can completely disable it by unchecking 2 start-ups in MsConfig.exe and disabling 2 services (reboot)
re-enable it by reversing the process
it does a nice job of identifying virut-infected files for you, using custom scan
once you are clean, i suggest a nice HOSTS file
i don't like posting HOSTS entries, because they are malicious URL's, of course
but, i can send it to you on request if you like
on: March 3, 2013 at 06:11:58 AM dedndave wrote:
Quotei can send it to you on request if you like
I guess that blocks access to those websites? Sure, if it'll help.
I've noticed the most common infection I seem to encounter redirects google to something called 'google.ro' in Romania. Spybot usually clears it up. ComboFix seems to be another good one, but it doesn't work with Windows 8.
Quote from: MichaelW on March 03, 2013, 11:30:05 PM
The fault in this case is an access violation, even though the source address is apparently correct.
I can see the access violation in a debugger but it seems to be ignored most of the time (depending on what code comes after).
The whole point of having a flat win32 model is to be able to ignore segment registers, so let's forget this one eh?
Quote from: drifter on March 04, 2013, 06:00:19 AM
Unfortunately, all I dare do is turn it off. I'm debugging and repairing the damage caused by mal-rats on a weekly basis on my wife's computer - I attribute this to the proficiency and warped ambitions of some otherwise very good Russian programmers.
Better off investing in VMware workstation, costs the same as an AV. If your VM gets infected just revert to a snapshot.