some unknown assembly code inserted into my tiny procedure after compiling

Started by zero, August 14, 2024, 09:02:42 AM


zero

Good day
I'm learning to write a procedure, however the program crashed at position 0x0040100d.
I'm using masm32sdk on WinXP and the IDE is WinAsm.

I loaded it into OllyDbg and found some unknown code that runs before mysub.
The position is exactly 0x40100D.
Can anyone shed some light on this? Thanks

Please see the decompiled code and the source code below.

0040100D    $  6D            INS DWORD PTR ES:[EDI],DX                ;  I/O command
0040100E    .  79 73        JNS SHORT Lesson1.00401083
00401010    .  75 62        JNZ SHORT Lesson1.00401074
00401012    .  0020          ADD BYTE PTR DS:[EAX],AH
00401014    .  54            PUSH ESP
00401015    .  68 69732773  PUSH 73277369
0040101A    .  2069 6E      AND BYTE PTR DS:[ECX+6E],CH
0040101D    .  207468 65    AND BYTE PTR DS:[EAX+EBP*2+65],DH
00401021    .  206D 79      AND BYTE PTR SS:[EBP+79],CH
00401024    .  73 75        JNB SHORT Lesson1.0040109B
00401026    .  6200          BOUND EAX,QWORD PTR DS:[EAX]
00401028    .  6A 00        PUSH 0                                  ; /Style = MB_OK|MB_APPLMODAL
0040102A    .  68 0D104000  PUSH Lesson1.0040100D                    ; |Title = "mysub"
0040102F    .  68 13104000  PUSH Lesson1.00401013                    ; |Text = " This's in the mysub"
00401034    .  6A 00        PUSH 0                                  ; |hOwner = NULL
00401036    .  E8 07000000  CALL <JMP.&user32.MessageBoxA>          ; \MessageBoxA
0040103B    .  C3            RETN


Here's the source code.

.386
.model flat, stdcall
option casemap: none

include windows.inc
include kernel32.inc
include user32.inc

includelib kernel32.lib
includelib user32.lib

MySub proto

.code

start:

invoke MySub

invoke ExitProcess,0
ret


MySub PROC near
    local_msg_sub_t db "mysub",0
    local_msg_sub_c db " This's in the mysub",0
    invoke MessageBox, 0, addr local_msg_sub_c, addr local_msg_sub_t, 0
       
    RET
MySub endp

end start

zedd151

Your strings are in the .code section, and either need to be jumped over or put the strings in .data section (or .const section). Else they will be assembled as code.
Example:
.386
.model flat, stdcall
option casemap: none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

MySub proto

.code

start:

invoke MySub
invoke ExitProcess, 0

MySub PROC
    jmp @f ; jump over strings or put into .data
    local_msg_sub_t db "mysub",0
    local_msg_sub_c db " This's in the mysub",0
  @@:
    invoke MessageBox, 0, addr local_msg_sub_c, addr local_msg_sub_t, 0
     
    RET
MySub endp

end start

Here, I jumped over the strings... where "jmp @f" causes execution to jump until the next "@@:" label is reached - bypassing treating the strings as code.
example:
    jmp @f ; jump over strings or put into .data
    local_msg_sub_t db "mysub",0
    local_msg_sub_c db " This's in the mysub",0
  @@:

disassembly:
jumps now from 40100Dh to 40102Ah jumping over the strings

Also I fixed the 'include' and 'lib' paths... to what most of us are used to seeing...


I simplified your code here - removed the 'MySub' proc and put the strings in .data section. (Could have been in the .const section instead as well).

.data section used here in the following example.
.386
.model flat, stdcall
option casemap: none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data

    local_msg_sub_t db "mysub", 0
    local_msg_sub_c db " This's in the mysub", 0
   
.code

start:

    invoke MessageBox, 0, addr local_msg_sub_c, addr local_msg_sub_t, 0
    invoke ExitProcess, 0

end start
:azn:
:azn:
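The diagnosis above can be checked mechanically against the OllyDbg listing in the first post. This is an added example, not code from the thread: it parses the listing's address and opcode-byte columns, reassembles the bytes from 40100Dh up to the first real instruction (the PUSH 0 at 401028h), and shows they are exactly the two NUL-terminated strings that the Title and Text pushes point at.

```python
import re

# OllyDbg listing from the first post, embedded as the sample input (comment column trimmed).
LISTING = """\
0040100D    $  6D            INS DWORD PTR ES:[EDI],DX
0040100E    .  79 73        JNS SHORT Lesson1.00401083
00401010    .  75 62        JNZ SHORT Lesson1.00401074
00401012    .  0020          ADD BYTE PTR DS:[EAX],AH
00401014    .  54            PUSH ESP
00401015    .  68 69732773  PUSH 73277369
0040101A    .  2069 6E      AND BYTE PTR DS:[ECX+6E],CH
0040101D    .  207468 65    AND BYTE PTR DS:[EAX+EBP*2+65],DH
00401021    .  206D 79      AND BYTE PTR SS:[EBP+79],CH
00401024    .  73 75        JNB SHORT Lesson1.0040109B
00401026    .  6200          BOUND EAX,QWORD PTR DS:[EAX]
0040102A    .  68 0D104000  PUSH Lesson1.0040100D
0040102F    .  68 13104000  PUSH Lesson1.00401013
"""

# columns: address, flow marker ($ . | / \ > ^ -), opcode bytes (immediates unspaced), mnemonic
LINE_RE = re.compile(r"^(?P<addr>[0-9A-F]{8})\s+(?P<mark>[$.>|\\/^-]*)\s+"
                     r"(?P<hex>[0-9A-F]{2}(?: ?[0-9A-F]{2})*)\s+(?P<asm>\S.*)$")

def parse_listing(listing):
    """Yield (address, raw bytes, mnemonic text) for every instruction line."""
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["addr"], 16), bytes.fromhex(m["hex"].replace(" ", "")), m["asm"]

def bytes_between(listing, start, end):
    """Concatenate the raw bytes of every instruction with start <= address < end."""
    return b"".join(raw for addr, raw, _ in parse_listing(listing) if start <= addr < end)

def nul_strings(listing, start, end):
    """Map address -> NUL-terminated ASCII string found in that byte range."""
    raw, found, pos = bytes_between(listing, start, end), {}, 0
    while pos < len(raw):
        s = raw[pos:].partition(b"\0")[0]
        found[start + pos] = s.decode("ascii")
        pos += len(s) + 1
    return found

def pushed_pointers(listing):
    """Immediate addresses pushed as PUSH Lesson1.XXXXXXXX, i.e. the Title/Text pointers."""
    return [int(asm.split(".")[1], 16) for _, _, asm in parse_listing(listing)
            if asm.startswith("PUSH Lesson1.")]

if __name__ == "__main__":
    print(nul_strings(LISTING, 0x40100D, 0x401028))
    print([hex(p) for p in pushed_pointers(LISTING)])
```

The 27 bytes that OllyDbg decoded as INS/JNS/JNZ/... are the string data, and MessageBox receives pointers into exactly that region.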

zedd151

You could still leave the strings in the .code section, but you should place them outside of the procedure where they will be used. I would put them just before the procedure, if I were to do it that way.

Example:
.386
.model flat, stdcall
option casemap: none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

MySub proto

.code

start:

invoke MySub
invoke ExitProcess, 0

    local_msg_sub_t db "mysub",0
    local_msg_sub_c db " This's in the mysub",0

MySub PROC
    invoke MessageBox, 0, addr local_msg_sub_c, addr local_msg_sub_t, 0
    RET
MySub endp

end start

Either way, they cannot be where they would otherwise be executed as code, as shown in your disassembly. That is what is happening, and that is why your disassembly looks 'strange'.

I had a hunch that it would be something simple that was giving you so much grief; it happens to all of us at one time or another. If you need any clarification, you can ask anytime... someone will be around to help.

As a side note: no need to use 'near' for the procedure, nor a 'ret' after the ExitProcess call.
:azn:

NoCforMe

No; don't put data in your .code section. Just don't. That's ... so 16-bit. Put them in your .data section where they belong.

Also, you don't need near at all, since you're operating in the 32-bit "flat" model. That and far are holdovers from 16-bit code.

I sense some confusion on your part: when you say "tiny", do you think you're creating a tiny-mode program like we used to in 16-bit land? (Basically a .com program where CS=DS=ES=SS.) That's not even a thing in 32-bit land. It's all flat addressing as far as the eye can see.
Assembly language programming should be fun. That's why I do it.

jj2007

Quote from: zedd151 on August 14, 2024, 10:22:57 AM
    local_msg_sub_t db "mysub",0
    local_msg_sub_c db " This's in the mysub",0

MySub PROC
    invoke MessageBox, 0, addr local_msg_sub_c, addr local_msg_sub_t, 0

That's the solution. You can put read-only data in your .code section, but make sure nobody tries to execute it ;-)

daydreamer

Using the chr$("this text") macro is a good alternative to use in MessageBox, easier for newbies too.
my none asm creations
https://masm32.com/board/index.php?topic=6937.msg74303#msg74303
I am an Invoker
"An Invoker is a mage who specializes in the manipulation of raw and elemental energies."
Like SIMD coding

NoCforMe

Quote from: jj2007 on August 14, 2024, 06:38:48 PM
You can put read-only data in your .code section, but make sure nobody tries to execute it ;-)

JJ, I know you can do that (put data in .code), but why would you want to do that? No advantage that I can think of.
Assembly language programming should be fun. That's why I do it.

jj2007

Quote from: NoCforMe on August 15, 2024, 08:42:32 AM
No advantage that I can think of
- less typing
- better readable (close to the code)
- crashes if a dumbass wants to write to read-only data

Now my question: why would you not want to do that?

NoCforMe

Um, thanks but no thanks; I think I'll stick with the old boring, tried-and-true method (code in .code, data in .data/.data?). Unlike you, I don't count keystrokes when I'm coding.
Assembly language programming should be fun. That's why I do it.

zero

Sorry for the late reply.
@zedd151, it did stump me for two days and it led me to this lovely place. For the paths, they are defined in WinAsm Studio's options; thanks for the reminder.
@NoCforMe, by "tiny" I just meant a very small program, not a 16-bit one. My poor English might have confused you.
@jj2007, I might be the funny guy who tries to amend that read-only data in the next step, for my purpose.
@daydreamer, thanks for the new trick.

Thanks a lot for all your help in pointing out the errors and providing different solutions.
I now know that it was actually my variables that made that unknown code.
For my purpose, I have to move both variables after the RET of MySub.
MySub PROC near

    lea eax, local_msg_sub_t
    lea ebx, local_msg_sub_c
    invoke MessageBox, 0, ebx, eax, 0
    RET
    local_msg_sub_t db "mysub",0
    local_msg_sub_c db " This's in the mysub",0

MySub endp
Here's the decompiled code; it seems to work.
00401000 L>/$  E8 08000000   CALL Lesson1.0040100D
00401005   |.  6A 00         PUSH 0                                   ; /ExitCode = 0
00401007   \.  E8 34000000   CALL <JMP.&kernel32.ExitProcess>         ; \ExitProcess
0040100C    .  C3            RETN
0040100D   /$  8D05 25104000 LEA EAX,DWORD PTR DS:[401025]
00401013   |.  8D1D 2B104000 LEA EBX,DWORD PTR DS:[40102B]
00401019   |.  6A 00         PUSH 0                                   ; /Style = MB_OK|MB_APPLMODAL
0040101B   |.  50            PUSH EAX                                 ; |Title = NULL
0040101C   |.  53            PUSH EBX                                 ; |Text = ""
0040101D   |.  6A 00         PUSH 0                                   ; |hOwner = NULL
0040101F   |.  E8 22000000   CALL <JMP.&user32.MessageBoxA>           ; \MessageBoxA
00401024   \.  C3            RETN
00401025    .  6D 79 73 75 6>ASCII "mysub",0
0040102B    .  20 54 68 69 7>ASCII " This's in the m"
0040103B    .  79 73 75 62 0>ASCII "ysub",0
00401040    .- FF25 00204000 JMP DWORD PTR DS:[<&kernel32.ExitProcess>;  kernel32.ExitProcess
00401046    $- FF25 08204000 JMP DWORD PTR DS:[<&user32.MessageBoxA>] ;  user32.MessageBoxA
0040104C       00            DB 00

Because I'd like to simulate a program's decryption portion of code, which simply XORs some data in the data section, then jumps to the beginning of the decrypted code.
Here's the code for decryption.
00408887 l> $  B9 49050000   MOV ECX,549
0040888C    >  52            PUSH EDX                               
0040888D    .  51            PUSH ECX
0040888E    .  8B91 3C834000 MOV EDX,DWORD PTR DS:[ECX+40833C]
00408894    .  83F2 35       XOR EDX,35                             ;  decrypt strings
00408897    .  8991 3C834000 MOV DWORD PTR DS:[ECX+40833C],EDX     
0040889D    .  59            POP ECX                               
0040889E    .  5A            POP EDX                               
0040889F    .^ E2 EB         LOOPD SHORT lcm6.0040888C
004088A1    .^ E9 96FAFFFF   JMP lcm6.0040833C
To my knowledge, I think it could be done another way; just trying for fun.
MySub's decrypt part is placed in the code section, then XOR the code, then set a breakpoint on the call to MySub.
At the end, I would dump the code with Olly and I think it should work.

Here's my latest version, which crashes again. The error is an access violation when reading [0xffffffff].
I use the VirtualProtect function to gain access; it succeeds and returns 1, then it crashes on moving the encrypted code back to its original position.
My test system is WinXP SP3 and DEP is disabled.
.386
.model flat, stdcall
option casemap: none

include windows.inc
include kernel32.inc
include user32.inc

includelib kernel32.lib
includelib user32.lib

MySub proto

.data?
oldProtect DWORD ?
calc_size DWORD ?

.code

start:

lea esi, offset MySub          ; get the beginning address of mysub
lea ecx, offset end_mysub      ; get the ending address of mysub
sub ecx,esi
dec ecx                        ; calc the size of mysub
mov calc_size,ecx
push esi
push ecx

invoke VirtualProtect,addr MySub, calc_size, PAGE_EXECUTE_READWRITE,addr oldProtect
test eax, eax
jz vp_error

pop ecx
pop esi

@@:
mov dl,byte ptr cs:[esi+ecx]
mov dl,035h
mov byte ptr cs:[esi+ecx],dl
dec ecx
jnz @b

invoke MySub
vp_error:
invoke ExitProcess,0

MySub PROC near

    lea eax, local_msg_sub_t
    lea ebx, local_msg_sub_c
    invoke MessageBox, 0, ebx, eax, 0
    RET
    local_msg_sub_t db "mysub",0
    local_msg_sub_c db " This's in the mysub",0

MySub endp
end_mysub:

end start


NoCforMe

Hint: Put your code in [code]-[/code] tags to make it more readable. (You can select the code text, then use the 2nd button in the 6th group of buttons above the reply window to do this.)
Assembly language programming should be fun. That's why I do it.

stoo23

Quote
Hint: Put your code in [code]-[/code] tags to make it more readable.
Which is what I did in your initial post :smiley:

Quote
(You can select the code text, then use the 2nd button in the 6th group of buttons above the reply window to do this.)
As below :smiley:

zero

Quote from: NoCforMe on August 17, 2024, 04:33:00 PM
Hint: Put your code in [code]-[/code] tags to make it more readable. (You can select the code text, then use the 2nd button in the 6th group of buttons above the reply window to do this.)
Just did it. Thanks for the hint.