The MASM Forum

General => The Campus => Topic started by: alikim on September 11, 2017, 03:58:55 AM

Title: Unusual call
Post by: alikim on September 11, 2017, 03:58:55 AM
I have a call that leads to a jmp that leads to a procedure beginning with
push ebp
push ebp,esp
...


Normally I'd expect esp right before push ebp to hold the return address and also see values pushed onto the stack before the call.

In this case there is nothing in common between values of esp and [esp], [esp+4], ... etc before the call and at the procedure.

What might be the reason for that?
Title: Re: Unusual call
Post by: jj2007 on September 11, 2017, 06:40:44 AM
> push ebp,esp

Really? Copy a hundred relevant lines from the disassembly and post it here, then we can discuss.
Title: Re: Unusual call
Post by: hutch-- on September 11, 2017, 11:09:48 AM
You need to get to know the actual instructions (usually called mnemonics) and how they operate. The instruction "call" is almost exclusively paired with a "ret" instruction and it's a way to transfer from one location in a program to another (usually called a procedure), and when that procedure has completed it returns back to the next instruction after where it was called from.

The two instructions,

push ebp
push ebp,esp

are one of the ways of setting up a stack frame, which is a technique to use what are called LOCAL variables within a procedure. You don't normally have to do this manually, but at a more advanced level you sometimes write a procedure that has no stack frame, as it can be faster if it's only a very short procedure.
Title: Re: Unusual call
Post by: jj2007 on September 11, 2017, 06:06:43 PM
The issue is fairly simple: invoke MessageBox, 0, chr$("text"), chr$("Title"), MB_OK

translates to
00401052             │.  6A 00                push 0                            ; ┌Type = MB_OK|MB_DEFBUTTON1|MB_APPLMODAL
00401054             │.  68 58204000          push offset 00402058              ; │Caption = "Title"
00401059             │.  68 50204000          push offset 00402050              ; │Text = "text"
0040105E             │.  6A 00                push 0                            ; │hOwner = NULL
00401060             │.  E8 07010000          call <jmp.&user32.MessageBoxA>    ; └USER32.MessageBoxA
...
0040116C              $ FF25 E8204000        jmp near [<&user32.MessageBoxA>]
...
MessageBoxA          ┌$  8BFF                 mov edi, edi                      ; ID_X user32.MessageBoxA(hOwner,Text,Caption,Type)
76C3FDB0             │.  55                   push ebp
76C3FDB1             │.  8BEC                 mov ebp, esp
Title: Re: Unusual call
Post by: alikim on September 11, 2017, 06:53:42 PM
Thank you, I need to find a proper disassembler for Win 8.1 to post code, but yes, I think it's a call to another module.
My problem is that I know the stack at 76C3FDB0 and I want to go back to 00401060 to see where those values come from (f.e. pushes above) but at 00401060 the stack is completely different.
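An added example (not from the thread or from any of the posters): a small Python simulator of the stack effects of the listing jj2007 quoted above. It steps through push / call / jmp / mov, following the call and the IAT jmp thunk, and records esp and the top dwords before each instruction. It shows why the stack at 76C3FDB0 is the stack at 00401060 shifted down by exactly one dword (the return address 00401065 pushed by the 5-byte call), why the thunk at 0040116C does not touch the stack at all, and where the four arguments sit relative to ebp once "mov ebp, esp" has run. The initial esp/ebp values are constructed, and the MessageBoxA entry address 76C3FDAE is inferred from the 2-byte "mov edi, edi" preceding 76C3FDB0 (the dump does not print it).

```python
import re

# Constructed input: the OllyDbg listing from the thread, reduced to address,
# opcode bytes, mnemonic and operands. The entry address 76C3FDAE of
# MessageBoxA is an assumption (76C3FDB0 minus the 2-byte "mov edi, edi").
LISTING = """\
00401052  6A 00          push 0              ; Type = MB_OK
00401054  68 58204000    push 00402058       ; Caption = "Title"
00401059  68 50204000    push 00402050       ; Text = "text"
0040105E  6A 00          push 0              ; hOwner = NULL
00401060  E8 07010000    call 0040116C       ; call <jmp.&user32.MessageBoxA>
0040116C  FF25 E8204000  jmp 76C3FDAE        ; jmp near [<&user32.MessageBoxA>] (IAT thunk)
76C3FDAE  8BFF           mov edi, edi        ; hot-patch pad, no stack effect
76C3FDB0  55             push ebp
76C3FDB1  8BEC           mov ebp, esp
"""

# address, one or more uppercase hex byte groups, lowercase mnemonic, operands up to ';'
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+((?:[0-9A-F]{2,}\s+)+)([a-z]+)\s*([^;]*)")
REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")


def parse_listing(text):
    """Return {address: (mnemonic, operands, length_in_bytes)}."""
    insns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, raw_bytes, mnem, ops = m.groups()
        length = len(raw_bytes.replace(" ", "")) // 2   # bytes shown == instruction size
        operands = [o.strip().lower() for o in ops.split(",") if o.strip()]
        insns[int(addr, 16)] = (mnem, operands, length)
    return insns


def value(regs, op):
    """Resolve an operand: a register name or a hex immediate/address."""
    return regs[op] if op in REGS else int(op, 16)


def snapshot(regs, stack, n=6):
    """What a debugger shows at this point: esp, ebp and the top n dwords."""
    esp = regs["esp"]
    return {"esp": esp, "ebp": regs["ebp"],
            "dwords": [stack.get(esp + 4 * i) for i in range(n)]}


def simulate(insns, start, esp=0x0018FF80, ebp=0x0018FFC0):
    """Execute the listing from `start`, following call/jmp targets.

    Returns (snapshots, final): the state *before* each instruction keyed by
    address, and the state after the last one. esp/ebp start values are
    constructed; only the deltas between addresses matter.
    """
    regs = dict.fromkeys(REGS, 0)
    regs["esp"], regs["ebp"] = esp, ebp
    stack = {}          # address -> dword, only the slots this code wrote
    snaps = {}
    eip = start
    while eip in insns:
        mnem, ops, size = insns[eip]
        snaps[eip] = snapshot(regs, stack)
        if mnem == "push":
            regs["esp"] -= 4
            stack[regs["esp"]] = value(regs, ops[0])
        elif mnem == "call":                  # push return address, then transfer
            regs["esp"] -= 4
            stack[regs["esp"]] = eip + size
            eip = value(regs, ops[0])
            continue
        elif mnem == "jmp":                   # pure transfer: no stack effect
            eip = value(regs, ops[0])
            continue
        elif mnem == "mov" and ops[0] in REGS:
            regs[ops[0]] = value(regs, ops[1])
        else:
            raise NotImplementedError(f"{mnem} at {eip:08X}")
        eip += size
    return snaps, snapshot(regs, stack)


def frame_view(state, arg_names=("hOwner", "Text", "Caption", "Type")):
    """Read the standard frame through ebp once 'mov ebp, esp' has executed."""
    base = (state["ebp"] - state["esp"]) // 4
    d = state["dwords"]
    view = {"saved_ebp": d[base], "return_addr": d[base + 1]}
    for i, name in enumerate(arg_names):
        view[name] = d[base + 2 + i]
    return view


if __name__ == "__main__":
    snaps, final = simulate(parse_listing(LISTING), 0x00401052)
    for addr in (0x00401060, 0x0040116C, 0x76C3FDB0):
        s = snaps[addr]
        top = ", ".join("?" if v is None else f"{v:08X}" for v in s["dwords"])
        print(f"before {addr:08X}: esp={s['esp']:08X}  [esp..] = {top}")
    print("frame after 76C3FDB1:", {k: f"{v:08X}" for k, v in frame_view(final).items()})
```

The practical upshot for walking back from the callee is that [esp] at 76C3FDB0 is the return address (00401065, the instruction after the call), [esp+4] is the first argument, and the call site's own view at 00401060 is the same memory one dword higher; a breakpoint at the call, not before the pushes, is where the two views line up. Anything that does not match that shape in a real trace points at code between the call site and the callee that moved esp (a stack switch, a pushad/popad wrapper, or a non-thunk jump), which is the first thing to check when a stack trace looks disconnected.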