Hello all! Now that I've introduced myself ill get right to asking stupid questions.
Im trying to call WSAStartup in x64, ive looked up the structs i need, verified that they get initialialissed at th right place, with 0s...
But once inside the call, there is a moment i get anc access_violation exception. As im neww to debugging x64, I have trouble my mistake. I imagine its either a stack problem or a pointer that is not initialised the intended way.
Here is my code:
extrn WSAStartup: PROC
extrn WSASocketA: PROC
extrn WSAConnect: PROC
extrn CreateProcessA: PROC
extrn ExitProcess: PROC
WSADESCRIPTION_LEN EQU 256
WSASYS_STATUS_LEN EQU 128
_WSADATA STRUCT
wVersion WORD ?
wHighVersion WORD ?
szDescription BYTE (WSADESCRIPTION_LEN + 1) dup (?)
szSystemStatus BYTE (WSASYS_STATUS_LEN + 1) dup (?)
iMaxSockets WORD ?
iMaxUdpDg WORD ?
lpVendorInfo QWORD ?
_WSADATA ENDS
_sockaddr_in STRUCT
sin_family WORD ?
sin_port WORD ?
sin_addr DWORD ?
sin_zero BYTE 8 dup (?)
_sockaddr_in ENDS
.data
WSADATA _WSADATA <>
sa _sockaddr_in <>
ip DWORD 2E01A8C0h; 192.168.1.46
port WORD 5C11h ; port 4444
.code
Start Proc
AND rsp,-16
SUB rsp,28h
MOV cx,514
LEA rdx, WSADATA
PUSH rdx
PUSH rcx
CALL WSAStartup
MOV ax,port
MOV sa.sin_port,ax ;ax is 16 bits wide (WORD)
MOV eax,ip ;eax is 32 bits wide (DWORD)
MOV sa.sin_addr,eax
MOV sa.sin_family, 2 ; AF_INET
Start ENDP
End
Before the call (at 00007FF732831015):
00007FF732831000 | 48:83E4 F0 | and rsp,FFFFFFFFFFFFFFF0 |
00007FF732831004 | 48:83EC 28 | sub rsp,28 |
00007FF732831008 | 66:B9 0202 | mov cx,202 |
00007FF73283100C | 48:8D15 ED1F0000 | lea rdx,qword ptr ds:[7FF732833000] |
00007FF732831013 | 52 | push rdx |
00007FF732831014 | 51 | push rcx |
00007FF732831015 | E8 23000000 | call <JMP.&WSAStartup> |
00007FF73283101A | 66:8B05 85210000 | mov ax,word ptr ds:[7FF7328331A6] |
00007FF732831021 | 66:8905 6C210000 | mov word ptr ds:[7FF732833194],ax |
00007FF732831028 | 8B05 74210000 | mov eax,dword ptr ds:[7FF7328331A2] |
00007FF73283102E | 8905 62210000 | mov dword ptr ds:[7FF732833196],eax |
00007FF732831034 | 66:C705 55210000 0200 | mov word ptr ds:[7FF732833192],2 |
00007FF73283103D | FF25 BD0F0000 | jmp qword ptr ds:[<Ordinal#115>] |
Here is the state of my registers :
RAX : 00007FF732831000 <revshell.OptionalHeader.AddressOfEntryPoint>
RBX : 0000000000000000
RCX : 000000A06B5D0202
RDX : 00007FF732833000 /my WSADATA struct/
RBP : 0000000000000000
RSP : 000000A06B3FFA78
RSI : 0000000000000000
RDI : 0000000000000000
R8 : 000000A06B5D5000
R9 : 0000000000000000
R10 : 00007FFB3DF2D150 kernel32.00007FFB3DF2D150
R11 : 0000000000000000
R12 : 0000000000000000
R13 : 0000000000000000
R14 : 0000000000000000
R15 : 0000000000000000
RIP : 00007FF732831015
RFLAGS : 0000000000000216
Does anyone have any ideas whe i fed up?
You have more chances to get help if you zip your *.asm, *.exe and *.rc files (hopefully full of comments) and attach it here.
Ah yes, i wasnt sure how to go about sharing my code. Here is a zip with the .asm and a batch file i use for assembling and linking the libs, you can call with ./make64.bat and then pass in the file name without extension. (I am a beginner with masm , is there a better way of building?). Also maybe check thta the pathst o the libs in the builderr exist on your machine.
Sorry if this is not the right way to ask questions, ill take any feedback
For 64 bit assembly, it uses a different calling convention. The first 4 arguments are loaded into registers, not pushed onto the stack. This may help...
https://masm32.com/board/index.php?topic=6177.0 (https://masm32.com/board/index.php?topic=6177.0)
I am not a 64 bit programmer but do know that at least. I mainly work in x86 assembly.
Perhaps peruse the forum looking at others examples in 64 bit before just jumping right in. Mikl__ has some nice tutorials for coding with masm64...
https://masm32.com/board/index.php?board=54.0 (https://masm32.com/board/index.php?board=54.0)
And this may be of interest also: The Masm64 SDK (https://masm32.com/board/index.php?topic=10052.msg109948#msg109948)
Indeed i am passing the arguments to WSAStartup into the rcx and rdx registers, I just decided to push them to the stack later when debugging, to see if it would maybe resolve my problem, but this doesnt seem to change much...
Quote from: phyisio on July 04, 2023, 10:56:46 PM
Indeed i am passing the arguments to WSAStartup into the rcx and rdx registers, I just decided to push them to the stack later when debugging, to see if it would maybe resolve my problem, but this doesnt seem to change much...
Ah okay. Lets wait and see what one of the more experienced members here (with 64 bit code) can do to help with debugging...
I made a quick test with this source:
include \Masm32\MasmBasic\Res\JBasic.inc ; builds in 32- or 64-bit mode with ML64 & AsmC ##
usedeb=1 ; 1=use the deb macro
.DATA?
align 16
wsadata WSADATA <>
sockad sockaddr_in <>
.DATA
ip DWORD 2E01A8C0h ; 192.168.1.46 little enddian
port WORD 5C11h ; port 4444 little endian also
Init ; OPT_64 1 ; put 0 for 32 bit, 1 for 64 bit assembly
Cls 8
PrintLine Chr$("This program was assembled with ", @AsmUsed$(1), " in ", jbit$, "-bit format.")
jinvoke WSAStartup, 514, addr wsadata
deb 4, "WSAStartup results", eax, wsadata.wVersion, wsadata.wHighVersion, wsadata.iMaxSockets, wsadata.iMaxUdpDg, wsadata.szDescription, wsadata.lpVendorInfo
MOV ax, port
MOV sockad.sin_port, ax ;ax is 16 bits wide (WORD)
MOV eax, ip ;eax is 32 bits wide (DWORD)
MOV sockad.sin_addr, eax
MOV sockad.sin_family, 2 ; AF_INET
EndOfCode
Output:
This program was assembled with ml64 in 64-bit format.
WSAStartup results
eax 0
wsadata.wVersion 514
wsadata.wHighVersion 514
wsadata.iMaxSockets 0
wsadata.iMaxUdpDg 0
wsadata.szDescription 0
wsadata.lpVendorInfo 0
So it works in principle, somehow. Underwhelming, though.
Thank you for your reply jj. From what I understand you guys all use custom builders and macros? I have only ever use ml64.exe with default parameters, justl inking my libs so im a bit confused by your jinvoke ,deb etc. Anyways i dont think that changes much for my understanding of your reply.
What I see is that you use SBYTE ans SIZE_P in the WSDATA structure instead of my QWORD and BYTE. Is this where i made an error?
Other than that your code looks similar to mine, so i dont understand why when stepping through my program in x64dbg, at the moment WSAStartup calls a Heap Alloc i get an access violation.
Have you tried GlobalAlloc?? I have never had any issues iirc using it.
Quote from: phyisio on July 05, 2023, 12:50:17 AM
Thank you for your reply jj. From what I understand you guys all use custom builders and macros? I have only ever use ml64.exe with default parameters, justl inking my libs so im a bit confused by your jinvoke ,deb etc. Anyways i dont think that changes much for my understanding of your reply.
What I see is that you use SBYTE ans SIZE_P in the WSDATA structure instead of my QWORD and BYTE. Is this where i made an error?
Other than that your code looks similar to mine, so i dont understand why when stepping through my program in x64dbg, at the moment WSAStartup calls a Heap Alloc i get an access violation.
Using your code with minor modifications, see attachment, it works fine.
And yes, I use custom macros: "jinvoke" is my Masm64 equivalent of
Masm32 invoke. It is a pretty complex JBasic macro (counts and checks arguments...), but nobody else uses it; so when you see that, consider it pseudo code.
We have at least three competing approaches to Masm64 in this forum alone. Sooner or later, we'll have to sort it out ;-)
Thanks, i see. I think stepping through WSAStartup in a debugger for 2 hours might have been the problem from the start.
I will try to setup my env and use your deb macro to check if api call is really working.
Hi phyisio, welcome.
Start Proc
push rbp ; SAVE the stack
mov rbp, rsp
sub rsp, 28h ; FIRST shadow stack
and rsp,-10h ; THEN align
YOUR CODE HERE AND YOU WILL NEVER EVER USE PUSH - POP IN IT, EVER (as a beginner)
mov rsp, rbp ; PUT the "stack-back-Jack"
pop rbp
Start endp
Hope this helps.
Thank you cachegb , that is a much cleaner way to init my stack. Hwever im pretty sure ill need to push when im calling api functions wit hmore than 4 parameters no? Anywaysthats what i plan on doing....
When you align the stack rsp will hold an address (value in hex) that ends with a 0 (Least Significant Hex "Digit" = 0).
If you use "push" one time, the sack will be unaligned i.e. rsp's LSH = 8. So you just use "push" again, right? That will
make rsp's LSH = 0. Now the stack is alinged again. Yes, but now you have another problem. Any arguments for a call you
have place on the stack for perms 5 and above will now be moved two perm places to the right. So perm5 becomes perm7
and perm6 moves to (becomes) perm8 and so on. Just write rcx, rdx, r8 and r9 straight to the shadow (spill) space if you
want to watch them.
mov qword ptr[rsp+18h], r9
mov qword ptr[rsp+10h], r8
mov qword ptr[rsp+8h], rdx
mov qword ptr[rsp+0h], rcx
Here is an example of how to set the stack up for API calls
add rsp, -68h
and rsp, -10h
call GetDesktopWindow
mov qword ptr[rsp+40h], rax
mov qword ptr[rsp+58h], null
mov rdx, hinstance
mov qword ptr[rsp+50h], rdx
mov qword ptr[rsp+48h], null
xor rdx, rdx
mov edx, WindowRect.bottom
mov qword ptr[rsp+38h], rdx
mov edx, WindowRect.right
mov qword ptr[rsp+30h], rdx
mov edx, WindowRect.top
mov qword ptr[rsp+28h], rdx
mov edx, WindowRect.left
mov qword ptr[rsp+20h], rdx
mov r9, (WS_POPUP OR WS_SYSMENU) ; WS_OVERLAPPEDWINDOW
mov r8, offset TitleName
mov rdx, offset ClassName
mov ecx, WS_EX_APPWINDOW
mov qword ptr[rsp+18h], r9 ; only for debuggin
mov qword ptr[rsp+10h], r8 ;
mov qword ptr[rsp+8h], rdx ;
mov qword ptr[rsp+0h], rcx ;
call CreateWindowEx
Note this very well:
If a function that you make (write) has one or more parameters like this
SomeFunction proc par1:qword
OR if your function has at least one LOCAL variable like so
SomeFunction proc
local SplitHairs:dword
A stact FRAME will be automaticly created. i.e
push rbp <- STACK FRAME start
mov rbp, rsp
code here
mov rsp, rbp
pop rbp <- STACK FRAME end ( leave = mov rsp, rbp + pop rbp )
ret
Note
If a function that you make (write) has no parameters and no local, no STACK FRAME will be created.
You will have make one yourself.
Remember: if you do not save the stack pointer before aligning it (rsp), you will not know how to restore
it and you will lose the caller's address on the stack and the callee will return anywhere but home.
Have Fun.
Caché GB
Wow i see thank you. I had seen how c compilers do this constitently when creating functions. So since i was not creating a stack frame properly, the function could never return to me?
Hello sir Mikhail Tal;
Windows board game have some rules to be followed.
yes, rsp register was not pointing to return address stored in stack.
RSP : 000000A06B3FFA78
;ml64 /c ex1.asm
;link /subsystem:console /entry:stack1 ex1.obj
;in windows/linux x86_64, structures should be aligned to multiple of 8, obligatory
some_windows_structure struct 8
foo dq ?
foo1 dd ?
foo2 dw ?
some_windows_structure ends
.data
.code
;In windows/linux x86_64, if our program will call a function, stack should be aligned to a multiple of 16
stack1 proc ;Our program starts here, rsp == ???????????????8h this means that stack is not aligned
sub rsp,8 ;rsp == ???????????????0h ;now stack is aligned to a multiple of 16 (windows rules)
;stack aligned, we can do any call now
;remember that call subtract from rsp 8 bytes, so at entry of this function/procedure being called stack will not be aligned.
;remember that ret add 8 bytes to rsp
call stack2
add rsp,8 ;rsp == ???????????????8h
ret ;return to caller
stack1 endp
mystack2local struct 16 ;we can create a structure aligned to 16 to be used as local variables
one dd ? ;dword = 4 bytes
two dq ? ;qword = 8 bytes
mystack2local ends ;this means that size of structure will not be (4+8=12), instead, will be 16 (8+8) in this case
stack2 proc ;rsp == ???????????????8h
sub rsp,8 ;rsp == ???????????????0h
;remember that local variables act like a push, in better words, subtract from stack (rsp).
sub rsp,sizeof mystack2local ;rsp continues aligned to 16, because mystack2local was aligned to 16
;stack aligned, we can do any call now
mov [rsp].mystack2local.one,1
mov [rsp].mystack2local.two,2
mov ecx,[rsp].mystack2local.one ;try "mov rcx,..." and you will receive an error :)
mov rdx,[rsp].mystack2local.two
call stack3
add rsp,sizeof mystack2local
add rsp,8
ret
stack2 endp
stack3 proc ;rsp == ???????????????8h
sub rsp,8 ;rsp == ???????????????0h
;do pushes in pairs after stack was aligned, so stack continues aligned to a multiple of 16
;remember that each push qword subtract 8 from rsp
;remember that each pop qword add 8 to rsp
push rax
push rax
;stack aligned
;we can do any call from here
pop rax ;do pops in pairs
pop rax
add rsp,8
ret
stack3 endp
END
Okay I will try this tommorow, but i see why it did nt work in the first place. Does the masm64 sdk do it automatically for you?
"You must take your opponent into a deep dark forest where 2+2=5, and the path leading out is only wide enough for one." - Mikhail Tal
Quote from: phyisio on July 06, 2023, 07:52:34 AM
Does the masm64 sdk do it automatically for you?
Yes. See also my recent post on the installation of the Masm64 SDK (https://masm32.com/board/index.php?topic=10880.0).
yes, sir Hutch have coded a lot of macros to deal with that.
As you can see, there's a lot of opening books (prologue) to reach your goal (epilogue) in each game (procedure).
Choose yours. The example posted above give you one more register to play freely (rbp). Well, that code don't looks good to eyes, but works like a charm.
At learning stage it's better follow default openings done by others, until you feel confortably to create yours.
Attached a Masm64 SDK version of your code. This is what you should use if you want to share code with members.
Strangely enough, the SOCKADDR_IN (https://learn.microsoft.com/en-us/windows/win32/api/ws2def/ns-ws2def-sockaddr_in) and WSADATA (https://learn.microsoft.com/en-us/windows/win32/api/winsock/ns-winsock-wsadata) structures are not present in \Masm64\include64, so I had to define them.
Same but as JBasic:
include \Masm32\MasmBasic\Res\JBasic.inc ; ## builds in 32- or 64-bit mode with ML or AsmC ##
usedeb=1 ; 1=use the deb macro
.data
wsadata WSADATA <>
socka sockaddr_in <>
; --- equates/constants: ---
ip= 2E01A8C0h ; 192.168.1.46 little enddian
port= 5C11h ; port 4444 little endian also
.code
Init ; OPT_64 1 ; put 0 for 32 bit, 1 for 64 bit assembly
Cls 3
PrintLine Chr$("This program was assembled with ", @AsmUsed$(1), " in ", jbit$, "-bit format.")
jinvoke WSAStartup, 514, addr wsadata
mov socka.sin_port, port
mov socka.sin_addr, ip
mov socka.sin_family, AF_INET
deb 4, "Results", wsadata.wVersion, x:socka.sin_port, $wsadata.lpVendorInfo
EndOfCode
Output 64 bit code:
This program was assembled with AsmC in 64-bit format.
Results
wsadata.wVersion 514
x:socka.sin_port 5c11h
$wsadata.lpVendorInfo (null)
Output 32 bit code:
This program was assembled with ML in 32-bit format.
Results
wsadata.wVersion 514
x:socka.sin_port 5c11h
$wsadata.lpVendorInfo (null)
Quote from: jj2007 on July 06, 2023, 09:14:19 PM
Attached a Masm64 SDK version of your code. This is what you should use if you want to share code with members.
Strangely enough, the SOCKADDR_IN (https://learn.microsoft.com/en-us/windows/win32/api/ws2def/ns-ws2def-sockaddr_in) and WSADATA (https://learn.microsoft.com/en-us/windows/win32/api/winsock/ns-winsock-wsadata) structures are not present in \Masm64\include64, so I had to define them.
This is very frustrating. I am too making include files for use of IP networks with MASM64. When all pieces work I post the work. Unless someone is faster than me.
Hello guys, i was not able to have any assembly fun as i had too much stupid javascript work yesterday . I finally got my hands on the sdk and only using the STACKFRAME macro solved my problem! Thank you to all who pitched in and taught me about the stack.
I have to say the sdk is very impressive, much have been a lot of work. I dont plan on using extensively, but it definitely makes the development process easier once you have set it up right.