News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

progress

Started by drifter, February 28, 2013, 06:26:01 AM

Previous topic - Next topic

drifter

on: Febuary 28, 2013 at 10:30:11 AM dedndave wrote:
Quotemov     ebx,[ebp+32]
    bt      ebx,8
    .if CARRY?
        print   chr$('OV ')
    .else
        print   chr$('NV ')
    .endif

I knew about using the .if .else .endif, but wanted to code it myself.  I should probably disassemble that and see how it plays out that way.  I don't know if I did it the most efficent way or not.

On a different note:  the price of a Big Mac is around 4-5 bucks....the price of a Flat Rate Domestic/International Priority mailer is $5.60....knowing that some scammer is swining by his balls right now for wasting $5 to send me a phony check PRICELESS!

dedndave

certainly, there are more efficient ways than what i did
i will probably use a few loops, similar to what you did, when i have time to play with it

sinsi - i was trying to keep it simple   :P

jj2007

Drifter inspired me to update my deb macro: it has learned to display flags (without changing them, of course):

        deb 4, "End of loop:", ecx, flags, FLAGS

flags displays carry, zero, sign and overflow, FLAGS the whole set:
End of loop:
ecx             10000
flags:          czso
FLAGS:          cpAzstIdo


c means carry clear, C carry set, etc., i.e. lowercase=clear, uppercase=set.

drifter

 on: Today at 10:48:33 AM jj2007 wrote:
QuoteDrifter inspired me to update my deb macro:

Placed in my que of things to check out!

drifter

After starting to write a test routine to check if my regflags program was working the way it should, I found a few problems - so I'm in the middle of a rewrite.

Does anyone know why this bit of code would cause McAfee to think it's a New Malwar.ep trojan?  It's a pita as it quarantine's the .exe as soon as it's assembled and linked - so I've had to turn it off.

    ;----------------------------------
    push edi                              ; edi test
    mov tempreg,edi
    print "EDI: "                                                 
    print uhex$(tempreg)
    print " = "
    pop edi   
    RegFlags DebugStruct
    mov eax,tempreg
    .if eax == DebugStruct.edireg
        print "PASSED",CRLF
    .else
        print "FAILED",CRLF
    .endif
    inkey
    cls
    ;----------------------------------
    push ebp                  ; ebp test
    mov tempreg,ebp
    print "EBP: "                                                 
    print uhex$(tempreg)
    print " = "
    pop ebp 
    RegFlags DebugStruct
    mov eax,tempreg
    .if eax == DebugStruct.ebpreg
        print "PASSED",CRLF
    .else
        print "FAILED",CRLF
    .endif
    inkey
    cls
    ;----------------------------------
    push esp                   ; esp test FAILED
    mov tempreg,esp
    print "ESP: "                                                 
    print uhex$(tempreg)
    print " = "
    pop esp 
    RegFlags DebugStruct
    mov eax,tempreg
    .if eax == DebugStruct.espreg
        print "PASSED",CRLF
    .else
        print "FAILED",CRLF
    .endif
    inkey
    cls           
    ;----------------------------------


That's about as close as I can narrow it down as it doesn't always trigger on the same spot.  I really doubt I have a virus or trojan causing this, but I suppose that's a possiblity also.

dedndave

it's hard to say what criteria mcafee uses
i would uninstall mcafee - lol
not only will the problem go away, but your machine will be much faster

many of us have gotten into the habit of creating disk images to back up the boot drive
it's the best protection there is against viruses

MichaelW

Quote from: sinsi on March 01, 2013, 02:10:28 PM
CS will be different because it is a code descriptor, DS=ES=SS usually, FS is used by Windows, GS is available to us.

I have used it in DOS code, RM and PM, but I have not been able to make it work from a Windows app.

;==============================================================================
    include \masm32\include\masm32rt.inc
;==============================================================================
    .data
        junk dd 123456h
    .code
;==============================================================================
start:
;==============================================================================
    ;ASSUME gs:nothing
    ;ASSUME gs:@data
    ASSUME gs:FLAT

    push es
    push cs
    pop es
    mov eax, start
    mov eax, [eax]
    printf("%Xh\n",eax)
    mov eax, start
    mov eax, es:[eax]
    printf("%Xh\n",eax)
    pop es

    inkey

    push es
    push ds
    pop es
    mov eax, OFFSET junk
    mov eax, [eax]
    printf("%Xh\n",eax)
    mov eax, OFFSET junk
    mov eax, es:[eax]
    printf("%Xh\n",eax)
    pop es

    inkey

    push gs
    push ds
    pop gs
    mov eax, OFFSET junk
    mov eax, [eax]
    printf("%Xh\n",eax)
    mov eax, OFFSET junk
    ;FAULT ->00401082  658b00  mov eax,gs:[eax]  gs:00403000=00123456
    mov eax, gs:[eax]
    printf("%Xh\n",eax)
    pop gs

    inkey
    exit
;==============================================================================
end start


The fault in this case is an access violation, even though the source address is apparently correct.
Well Microsoft, here's another nice mess you've gotten us into.

dedndave

i am surprised you get that far in the code without an exception   :biggrin:

you call the printf macro with a dword-misaligned stack

MichaelW

Quoteyou call the printf macro with a dword-misaligned stack

It wouldn't work if that were so.

Even my senile old P3 is still smart enough push a segment register without making a mess  :biggrin:

Actually, I've been through this some years ago coding a 32-bit DOS app where you couldn't avoid pushing and popping segment registers. For pushing CS, DS, ES, SS, FS, or GS there is only one opcode each, and the same for popping DS, ES, SS, FS, or GS, so it's not the assembler that is making this work.

;==============================================================================
    include \masm32\include\masm32rt.inc
;==============================================================================
    .data
        junk dd 123456h
    .code
;==============================================================================
;----------------------------------------
; Returns the maximum alignment of _ptr.
;----------------------------------------

alignment MACRO _ptr
    push ecx
    xor eax, eax
    mov ecx, _ptr
    bsf ecx, ecx
    jz @F
    mov eax, 1
    shl eax, cl
  @@:
    pop ecx
    EXITM <eax>
ENDM
;==============================================================================
start:
;==============================================================================
    ;ASSUME gs:nothing
    ;ASSUME gs:@data
    ASSUME gs:FLAT

    mov ebx, esp
    printf("%d\n", alignment(ebx))
    push es
    mov ebx, esp
    printf("%d\n", alignment(ebx))
    pop es
    mov ebx, esp
    printf("%d\n", alignment(ebx))
    push gs
    mov ebx, esp
    printf("%d\n", alignment(ebx))
    pop gs
    mov ebx, esp
    printf("%d\n\n", alignment(ebx))

    push es
    push cs
    pop es
    mov eax, start
    mov eax, [eax]
    printf("%Xh\n",eax)
    mov eax, start
    mov eax, es:[eax]
    printf("%Xh\n",eax)
    pop es

    inkey

    push es
    push ds
    pop es
    mov eax, OFFSET junk
    mov eax, [eax]
    printf("%Xh\n",eax)
    mov eax, OFFSET junk
    mov eax, es:[eax]
    printf("%Xh\n",eax)
    pop es

    inkey

    push gs
    push ds
    pop gs
    mov eax, OFFSET junk
    mov eax, [eax]
    printf("%Xh\n",eax)
    mov eax, OFFSET junk
    ;FAULT ->00401082 658b00 mov eax,gs:[eax] gs:00403000=00123456
    mov eax, gs:[eax]
    printf("%Xh\n",eax)
    pop gs

    inkey
    exit
;==============================================================================
end start


4
64
4
64
4


Well Microsoft, here's another nice mess you've gotten us into.

dedndave

good to know
i think i was playing with this - for whatever reason - some time ago
i tried to align it myself - oops

it may have been the IRET discussion you and i had a couple years back
re: using IRET to serialize code

drifter

After further code revisons, the problem has disappeared.  I did use several programs to scan for infections, but they found nothing (except when I assembled that particular bit of code).

on: March 03, 2013, 08:18:08 PM dedndave wrote:
Quotei would uninstall mcafee - lol

Unfortunately, all I dare do is turn it off.  I'm debugging and repairing the damage caused by mal-rats on a weekly basis on my wife's computer - I attribute this to the proficiency and warped ambitions of some otherwise very good Russian programmers.

I have fond memories of speaking with John McAfee on the phone back in the 80's, when everything was on dial-up bulliten boards.  After about a 10 minute conversation concerning dissassembling viruses - he gave me complete access to his collection of live monsters (which I'm sure he gave to anybody that asked, regardless of their intentions).  Reminds me of a cartoon I once saw of cute kids selling poisoned lemonaide - and then selling the antidote around the corner.  That's how you get rich, retire to a beach house in the carribean, get away with murder, etc...

Anyway, I'm almost done - just want to add a routine to test toggling the flag bits.

dedndave

yah - if you have any of the "virut" flavours, it can be a mess to clean up
it infects EXE's and HTML's, and a few others
so - you clean up the mess with a fresh build, then get infected all over - ouch

i like AdAware for that
you can completely disable it by unchecking 2 start-ups in MsConfig.exe and disabling 2 services (reboot)
re-enable it by reversing the process
it does a nice job of identifying virut-infected files for you, using custom scan

once you are clean, i suggest a nice HOSTS file
i don't like posting HOSTS entries, because they are malicious URL's, of course
but, i can send it to you on request if you like

drifter

on: March 3, 2013 at 06:11:58 AM dedndave wrote:
Quotei can send it to you on request if you like

I guess that blocks access to those websites?  Sure, if it'll help.

I've noticed the most common infection I seem to encounter redirects google to something called 'google.ro' in Romania.  Spybot usually clears it up.  ComboFix seems to be another good one, but it doesn't work with Windows 8.

sinsi

Quote from: MichaelW on March 03, 2013, 11:30:05 PM
The fault in this case is an access violation, even though the source address is apparently correct.
I can see the access violation in a debugger but it seems to be ignored most of the time (depending on what code comes after).
The whole point of having a flat win32 model is to be able to ignore segment registers, so let's forget this one eh?

Quote from: drifter on March 04, 2013, 06:00:19 AM
Unfortunately, all I dare do is turn it off.  I'm debugging and repairing the damage caused by mal-rats on a weekly basis on my wife's computer - I attribute this to the proficiency and warped ambitions of some otherwise very good Russian programmers.
Better off investing in VMware workstation, costs the same as an AV. If your VM gets infected just revert to a snapshot.