64 bit assembler => UASM Assembler Development => Topic started by: mabdelouahab on February 25, 2017, 08:41:29 PM
-
How to: uncertain
Results: unsecured
Code: does not give a result
Requires: HJWasm64 or jwasm only
the source:qWord: x64 code in 32 bit process (http://www.masmforum.com/board/index.php?PHPSESSID=8d46cd4ecb1688be429ab49694ec53e6&topic=18556.0)
Required: input from someone with more experience
Errors:(r9-r15)
MOV r64, imm64
XOR r64,r64
include \masm32\include\masm32rt.inc
include HJWasmMix.Inc
.data
; Test data for the 32->64 call experiments below.
QW0 QWORD -1            ; neighbour of QW1; printed around SetQWValue — presumably to see that the 8-byte store stays in bounds, confirm intent
QW1 QWORD -1            ; the qword that SetZeroQW / SetQWValue write
QW3 QWORD 0             ; not referenced in this listing
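;-----------------------------------------------------------------------
; SetZeroQW(addrQW1) — 64-bit body reached from 32-bit code via invoke64.
; In:  addrQW1 = 32-bit address of a QWORD (zero-extended into rax)
; Out: *addrQW1 = 0
; Fix: the original stored 1 under a "SetZero" name and addressed memory
;      through [eax] from 64-bit code; it now zeroes through [rax] using the
;      same xor/store pair as the later working ResetQw.
; Clobbers: rax, rdx, flags (plus whatever mix64proc itself touches).
;-----------------------------------------------------------------------
mix64proc SetZeroQW ,addrQW1
    mov eax,addrQW1                 ; 32-bit write zero-extends: rax = pointer
    xor rdx, rdx
    mov QWORD PTR [rax], rdx        ; *addrQW1 = 0
    ret
mix64endp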
;-----------------------------------------------------------------------
; SetQWValue(addrQW1, QW2:qword) — *addrQW1 = QW2.
; In:  addrQW1 = 32-bit address of a QWORD (zero-extended into rax)
;      QW2     = 64-bit value (the caller passes 0F1F1F1F1F1F1F1Fh)
; Uses r10, which only exists in long mode — part of what this example
; probes (the post lists r9-r15 among the assembler errors seen).
; Clobbers: rax, r10.
;-----------------------------------------------------------------------
mix64proc SetQWValue ,addrQW1 ,QW2 :qword
    mov eax,addrQW1                 ; rax = pointer (upper 32 bits cleared)
    mov r10,QW2
    mov QWORD ptr [rax],r10         ; caller passes 0F1F1F1F1F1F1F1Fh
    ret
mix64endp
;-----------------------------------------------------------------------
; GetEAX() — ecx = eax as seen on entry to the 64-bit body.
; Probe only: the caller sets eax = -1, calls this, and prints ecx to see
; whether eax survives the invoke64 transition (its own comment says it
; does not). For the probe to mean anything ecx must survive the return
; path too — confirm against the mix64 macros.
;-----------------------------------------------------------------------
mix64proc GetEAX
    mov ecx,eax
    ret
mix64endp
.code
;-----------------------------------------------------------------------
; Start: drives the three mix64proc routines from 32-bit code.
; QW1 is printed before and after SetZeroQW. Around SetQWValue the
; *neighbouring* QW0 is printed rather than QW1 — presumably a check that
; the 8-byte store does not touch adjacent data; confirm intent.
; "%llX" consumes the 8 bytes that invoke pushes for a QWORD argument.
;-----------------------------------------------------------------------
Start:
    invoke crt_printf,cfm$ ("\nQW1 : %llX"), QW1
    invoke64 SetZeroQW,addr QW1
    invoke crt_printf,cfm$ ("\nQW1 : %llX"), QW1
    invoke crt_printf,cfm$ ("\nQW0 : %llX"), QW0
    invoke64 SetQWValue,addr QW1,0F1F1F1F1F1F1F1Fh
    invoke crt_printf,cfm$ ("\nQW0 : %llX"), QW0
    mov eax,-1                      ; marker value for the register-preservation probe
    invoke64 GetEAX                 ; eax changes during the call (the transition/macro clobbers it)
    invoke crt_printf,cfm$ ("\necx : %X"), ecx
    inkey
    exit
End Start
-
This is the example that qWord attached: mix32_64.zip (http://www.masmforum.com/archive2012/10454_mix32_64.zip)
I find this very interesting, so I share the following example, which requires jwasm and polink. (tested on Win7, x64 dance)
I tried using jwasm and polink, But it did not work well
-
I tried using jwasm and polink, But it did not work well
No luck here, either. Perhaps it requires special options. The exe works fine, though.
I remember a long time ago Japheth had an example with a 16-bit -> 32-bit -> 64-bit and back sequence 8)
Further reading: Closing “Heaven’s Gate” (http://www.alex-ionescu.com/?p=300)
-
No luck here, either. Perhaps it requires special options. The exe works fine, though.
But for me this exe does not work properly:
BBBBBBBBAAAAAAAA
0000BBBBBBBBAAAA
Press any key to continue ...
The expected output is:
BBBBBBBBAAAAAAAA
AAAAAAAABBBBBBBB
-
Attention, this is shr, not ror. Here is the interesting part in Olly:
00401090 │. 8D45 D4            lea eax, [ebp-2C]
00401093 │. 50                 push eax
00401094 │. 9A 00304000 3300   call far 0033:00403000
When eax is loaded, follow eax in dump. You can't watch the code but you can see the memory content change.
-
Attention, this is shr, not ror.
Thank you jj; sorry, I did not pay attention to this.
-
Still, I'd love to see how this can be built... where are the HJWasm experts?
-
No need for experts
; Host side: a flat 32-bit PE. The 64-bit code lives in the separate USE64
; segment below and is reached by a far call (see call_as_x64).
.386
.model flat
includelib msvcrt.lib
exit proto C :dword
_getch proto C
printf proto C :dword, :vararg
; call_as_x64 lbl — emit a 32-bit far call "call 0033h:lbl" byte by byte:
; opcode 9Ah, 32-bit offset, 16-bit selector. Selector 33h is the 64-bit
; code segment of a WoW64 process, so execution arrives at lbl in long mode
; (the "Heaven's Gate" transition this thread links to). The CPU pushes CS
; and EIP as two dwords; the callee comes back with retf.
; Caller responsibilities: any argument pushed before the call is NOT popped
; by retf — clean it up afterwards. The far side runs outside the WoW64
; layer, so do not call 32-bit system APIs from it (the thread reports a
; MessageBox attempt crashing); the OS may restrict such transitions.
call_as_x64 macro lbl
    db 9ah                          ;call 0x33:OFFSET x64-proc
    dd OFFSET lbl
    dw 33h
endm
.x64
x64 SEGMENT EXECUTE USE64
; Entered through call_as_x64 from 32-bit code. Stack on entry (frame of a
; 32-bit far call): [rsp] = return EIP, [rsp+4] = return CS,
; [rsp+8] = the caller's pushed argument (address of a QWORD).
; Long mode here, so r10 and 64-bit operands are available.
; Clobbers: rax, r10, flags. rsp is left untouched apart from the far return.
    ; let's do some 64 bit arithmetic
    mov eax,DWORD ptr [rsp+8]       ; 32-bit load zero-extends: rax = pointer to the qword
    mov r10,QWORD ptr [rax]
    shr r10,16                      ; logical shift, not a rotate: BBBBBBBBAAAAAAAA -> 0000BBBBBBBBAAAA
    mov QWORD ptr [rax],r10
    retf                            ; 32-bit operand size (no REX.W): pops EIP and CS as the 32-bit far call pushed them
x64 ENDS
.data
; printf format: two 32-bit values as hex, then CR LF — used to print a
; QWORD as high dword followed by low dword.
fmt1 db "%p%p", 0Dh, 0Ah, 0
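.code
;-----------------------------------------------------------------------
; main: 32->64 transition demo. Prints myQW as high:low dwords, lets the
; x64 segment shift it right by 16, prints again.
; Expected output: BBBBBBBBAAAAAAAA then 0000BBBBBBBBAAAA.
; Fix: the argument pushed for the far call is now popped explicitly —
;      retf only removes CS:EIP, so the caller owns that 4-byte slot.
;-----------------------------------------------------------------------
main proc
    ;LOCAL sysi:SYSTEM_INFO
    LOCAL myQW:QWORD
    mov DWORD ptr myQW[0],0AAAAAAAAh ; low dword
    mov DWORD ptr myQW[4],0BBBBBBBBh ; high dword
    invoke printf, addr fmt1, dword ptr myQW[4], dword ptr myQW[0]
    lea eax,myQW
    push eax                        ; argument the x64 code reads at [rsp+8]
    call_as_x64 x64
    add esp, 4                      ; caller cleanup: retf does not pop the argument
    invoke printf, addr fmt1, dword ptr myQW[4], dword ptr myQW[0]
    invoke _getch
    invoke exit,0
main endp
end main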
-
Mysterious - I have no idea why the other one doesn't build. Here is a classical version:
include \masm32\include\masm32rt.inc
; call_as_x64 lbl — emit a 32-bit far call "call 0033h:lbl": opcode 9Ah,
; 32-bit offset, 16-bit selector. Selector 33h is the 64-bit code segment of
; a WoW64 process, so lbl executes in long mode (the "Heaven's Gate" trick
; referenced in this thread). The CPU pushes CS and EIP as two dwords and
; the callee returns with retf, which does NOT pop any argument the caller
; pushed. The far side runs outside the WoW64 layer: 32-bit system APIs are
; not callable from there, and the OS may restrict the transition.
call_as_x64 macro lbl
    db 9ah                          ; call 0x33:OFFSET x64-proc
    dd offset lbl
    dw 33h
endm
.x64
x64 SEGMENT EXECUTE USE64
; Entered via call_as_x64. Stack on entry (32-bit far call frame):
; [rsp] = return EIP, [rsp+4] = return CS, [rsp+8] = caller's pushed
; argument (address of a QWORD). Swaps the two dword halves in place.
; Clobbers: rax, rdx, flags.
    mov eax, [rsp+8]                ; 32-bit load zero-extends: rax = pointer
    mov rdx, QWORD ptr [rax]
    ror rdx, 32                     ; let's do some 64 bit arithmetic: rotate by 32 swaps the halves
    mov [rax], rdx
    retf                            ; 32-bit operand size: pops EIP and CS as pushed by the 32-bit caller
x64 ENDS
.data
; "%p%p" prints a QWORD as high dword then low dword, followed by CR LF.
fmt1 db "%p%p", 0Dh, 0Ah, 0
someQW QWORD ?                      ; the qword the x64 segment rotates in place
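.code
;-----------------------------------------------------------------------
; start: fills someQW with AAAAAAAA (low) / BBBBBBBB (high), prints it,
; has the x64 segment rotate it by 32 bits, prints it again.
; Expected: BBBBBBBBAAAAAAAA then AAAAAAAABBBBBBBB.
; Fix: pop the argument slot after the far call — retf removes only
;      CS:EIP, and this entry point has no frame to clean it up.
;-----------------------------------------------------------------------
start:
    mov DWORD ptr someQW[0],0AAAAAAAAh ; low dword
    mov DWORD ptr someQW[4],0BBBBBBBBh ; high dword
    invoke crt_printf, addr fmt1, dword ptr someQW[4], dword ptr someQW[0]
    lea eax, someQW
    push eax                        ; argument the x64 code reads at [rsp+8]
    call_as_x64 x64
    add esp, 4                      ; caller cleanup: the far return does not pop the argument
    invoke crt_printf, addr fmt1, dword ptr someQW[4], dword ptr someQW[0]
    invoke crt__getch
    exit
end start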
HJWasm required.
-
Finally, everything works well
include \masm32\include\masm32rt.inc
include HJWasmMix.Inc
;-----------------------------------------------------------------------
; ResetQw(testAutherArg:qword, addrQW1) — *addrQW1 = 0.
; testAutherArg and the LOCAL are never read; presumably they exist only
; to exercise mix64proc's handling of a qword argument and a local —
; confirm against HJWasmMix.Inc.
; Clobbers: rax, rdx, flags.
;-----------------------------------------------------------------------
mix64proc ResetQw,testAutherArg:qword ,addrQW1
    LOCAL testlocal
    mov eax, addrQW1                ; 32-bit load zero-extends: rax = pointer
    xor rdx, rdx
    mov qword ptr [rax], rdx        ; *addrQW1 = 0
    ret
mix64endp
;-----------------------------------------------------------------------
; QwToQw(addrQW1, addrQW2) — *addrQW2 = *addrQW1 (8-byte copy).
; Both addresses are 32-bit and zero-extended into rax / rcx.
; Clobbers: rax, rcx, rdx.
;-----------------------------------------------------------------------
mix64proc QwToQw ,addrQW1 ,addrQW2
    mov eax, addrQW1                ; rax = source
    mov ecx, addrQW2                ; rcx = destination
    mov rdx, qword ptr [rax]
    mov qword ptr [rcx], rdx
    ret
mix64endp
;-----------------------------------------------------------------------
; XChgQw(addrQW1, addrQW2) — swap *addrQW1 and *addrQW2.
; Goes through a stack local on purpose (the name says so) to exercise
; LOCAL inside a mix64proc; a two-register swap would do the same job.
; Note: xchg with a memory operand carries an implicit LOCK; harmless here.
; Clobbers: rax, rcx, rdx.
;-----------------------------------------------------------------------
mix64proc XChgQw ,addrQW1 ,addrQW2
    LOCAL JustForTestlocalQW:qword
    mov eax, addrQW1                ; rax = first qword
    mov ecx, addrQW2                ; rcx = second qword
    mov rdx, qword ptr [rcx]
    mov JustForTestlocalQW, rdx     ; local = *addrQW2
    mov rdx, qword ptr [rax]        ; rdx = *addrQW1
    xchg rdx,JustForTestlocalQW     ; rdx = *addrQW2, local = *addrQW1
    mov qword ptr [rax], rdx        ; *addrQW1 = old *addrQW2
    mov rdx,JustForTestlocalQW
    mov qword ptr [rcx], rdx        ; *addrQW2 = old *addrQW1
    ret
mix64endp
;-----------------------------------------------------------------------
; SetQw(addrQW1, qwV1:dword, qwV2:dword) — *addrQW1 = qwV1:qwV2,
; i.e. (qwV1 << 32) | qwV2 with qwV1 as the high dword.
; Relies on 32-bit register writes clearing the upper half of rdx / rcx.
; Clobbers: rax, rcx, rdx, flags.
;-----------------------------------------------------------------------
mix64proc SetQw ,addrQW1 ,qwV1:dword,qwV2:dword
    mov eax, addrQW1                ; rax = destination
    mov edx,qwV1                    ; rdx = 00000000:qwV1
    ror rdx,32                      ; rdx = qwV1:00000000
    mov ecx,qwV2                    ; rcx = 00000000:qwV2
    or rdx,rcx                      ; rdx = qwV1:qwV2
    mov qword ptr [rax], rdx
    ret
mix64endp
;-----------------------------------------------------------------------
; RoRQw(addrQW:dword, vRor:byte) — *addrQW = ror64(*addrQW, vRor).
; The CPU masks a 64-bit rotate count to 6 bits, so counts >= 64 wrap.
; Clobbers: rax, rcx (cl), rdx, flags.
;-----------------------------------------------------------------------
mix64proc RoRQw ,addrQW:dword,vRor:byte
    mov eax, addrQW                 ; rax = pointer
    mov rdx,qword ptr [rax]
    mov cl,vRor                     ; rotate count must be in cl
    ror rdx, cl                     ; 64-bit rotate right by vRor
    mov qword ptr [rax], rdx
    ret
mix64endp
.data
; Operands for the tests in start: QW1/QW2 are printed after each call;
; JustForTestArgQW is only passed to ResetQw to exercise a qword argument.
QW1 dq 0BBBBBBBBh
QW2 dq 0AAAAAAAAh
JustForTestArgQW dq 0
.code
;-----------------------------------------------------------------------
; start: calls each mix64proc routine in turn and prints QW1/QW2 after
; each one; the expected values are listed in the thread's Output block.
; The banner printfs pass QW1 although their format has no conversion —
; the extra argument is simply ignored. "%llX" consumes the 8 bytes that
; invoke pushes for a QWORD argument.
;-----------------------------------------------------------------------
start:
    invoke crt_printf, cfm$("--------------------------------------"), QW1
    invoke crt_printf, cfm$("\n QW1: %llX "), QW1
    invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2
    invoke crt_printf, cfm$("ResetQw--------------------------------------"), QW1
    invoke ResetQw,JustForTestArgQW,addr QW1             ; QW1 -> 0
    invoke crt_printf, cfm$("\n QW1: %llX "), QW1
    invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2
    invoke crt_printf, cfm$("SetQw--------------------------------------"), QW1
    invoke SetQw,addr QW2,0AAAAAAAAh,0BBBBBBBBh          ; QW2 -> AAAAAAAABBBBBBBB
    invoke crt_printf, cfm$("\n QW1: %llX "), QW1
    invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2
    invoke crt_printf, cfm$("XChgQw--------------------------------------"), QW1
    invoke XChgQw,addr QW2,addr QW1                      ; swap QW1 <-> QW2
    invoke crt_printf, cfm$("\n QW1: %llX "), QW1
    invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2
    invoke crt_printf, cfm$("QwToQw--------------------------------------"), QW1
    invoke QwToQw,addr QW1,addr QW2                      ; QW2 = QW1
    invoke crt_printf, cfm$("\n QW1: %llX "), QW1
    invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2
    invoke crt_printf, cfm$("RoRQw--------------------------------------"), QW1
    invoke RoRQw,addr QW1 ,32                            ; rotate QW1 by 32: swaps its halves
    invoke crt_printf, cfm$("\n QW1: %llX "), QW1
    invoke crt_printf, cfm$("\n QW2: %llX \n"), QW2
    invoke crt__getch
    exit
end start
Output:
--------------------------------------
QW1: BBBBBBBB
QW2: AAAAAAAA
ResetQw--------------------------------------
QW1: 0
QW2: AAAAAAAA
SetQw--------------------------------------
QW1: 0
QW2: AAAAAAAABBBBBBBB
XChgQw--------------------------------------
QW1: AAAAAAAABBBBBBBB
QW2: 0
QwToQw--------------------------------------
QW1: AAAAAAAABBBBBBBB
QW2: AAAAAAAABBBBBBBB
RoRQw--------------------------------------
QW1: BBBBBBBBAAAAAAAA
QW2: AAAAAAAABBBBBBBB
-
Finally, everything works well
Works fine, but a bit of explanation would be useful :P
Just tested my example above on Windows 10, and it works like a charm. So far no signs of M$ Closing "Heaven’s Gate" (http://www.alex-ionescu.com/?p=300) :t
Now the question is what can be done with this discovery ::)
-
Works fine, but a bit of explanation would be useful :P
Absolutely, JJ
We learned that a far call is "push cs, then call offset Proc". At first I relied on this, but it only works within the same mode (32→32), not across modes (32→64). The correct approach is to use:
db 09ah
dd OFFSET X64&ProcName
dw 033h
Now the question is what can be done with this discovery ::)
This method lets us write x64 procedures, pass arguments, use local variables, and call them in the normal manner.
-
Well, yes, but what for? What can be done in x64 that isn't possible with SIMD in 32-bit code?
Attached an example that calls multiple procs in the same segment. There is also an attempt to call MessageBox, but it crashes (the same code in a 64-bit program works fine). Probably the OS doesn't like such attempts :bgrin: