Custom prologue

[sinsi]

eax returns the following when the moving the following args  to eax. Notice the pattern...

Code Select Expand

testprolog macro procname,flag,parmbytes,localbytes,regs,macroargs:vararg
    push    rsp
    mov    rbp,rsp
   
    mov    eax, flag            ;;; eax returns "10h"
    mov    eax, parmbytes        ;;; eax returns "8"
    mov    eax, localbytes      ;;; eax returns "0"
 ;  mov    eax, regs            ;;; chokes on assembly couldnt test it
 ;  mov    eax, macroargs        ;;; chokes on assembly couldnt test it
   
    exitm  <localbytes>
endm


The last two would return negative values if the pattern would continue. Not sure what this means, but only my observation. 

"flag" is a bitfield

Bit 0, 1, 2 For calling conventions (000=unspecified language type, 001=C, 010=SYSCALL, 011=STDCALL, 100=PASCAL, 101=FORTRAN, 110=BASIC).
Bit 3 Undefined (not necessarily zero).
Bit 4 Set if the caller restores the stack (use RET, not RETn).
Bit 5 Set if procedure is FAR.
Bit 6 Set if procedure is PRIVATE.
Bit 7 Set if procedure is EXPORT.
Bit 8 Set if the epilogue is generated as a result of an IRET
Bits 9–15 Undefined (not necessarily zero).

"parmbytes" is the problem
"localbytes" is correct (there are no locals)

Add this code to the end of yours and check the values

Code Select Expand

testproc proc private arg1:dword
    local local1:dword
        lea rax,arg1
        lea rax,local1
    ret
testproc endp


So in other words they're being invoked without any arguments, correct? So whatever values you see there are defaults. (Shouldn't they be zero then, though?)

The macros are used by ML64, testprolog is called when ML64 sees PROC and testepilog when ML64 sees RET. ML64 sets the macro parameters/arguments.

[zedd151]

Thanks sinsi, as I have no clue how that all works otherwise.
I'll run the next test in a little while, when I'm back at my computer. I'm on the porch at the moment on my iPad.

[zedd151]

Add this code to the end of yours and check the values

Code Select Expand

testproc proc private arg1:dword
    local local1:dword
        lea rax,arg1
        lea rax,local1
    ret
testproc endp


Results from x64dbg...

Code Select Expand

000000013FFE1000 | 54                      | push rsp      ; start proc
000000013FFE1001 | 48:8BEC                  | mov rbp,rsp
000000013FFE1004 | B8 10000000              | mov eax,10
000000013FFE1009 | B8 08000000              | mov eax,8
000000013FFE100E | B8 00000000              | mov eax,0
000000013FFE1013 | 5D                      | pop rbp
000000013FFE1014 | C3                      | ret

000000013FFE1015 | 54                      | push rsp      ; testproc
000000013FFE1016 | 48:8BEC                  | mov rbp,rsp
000000013FFE1019 | B8 50000000              | mov eax,50
000000013FFE101E | B8 10000000              | mov eax,10
000000013FFE1023 | B8 08000000              | mov eax,8
000000013FFE1028 | 48:8D45 10              | lea rax,qword ptr ss:[rbp+10]
000000013FFE102C | 48:8D45 FC              | lea rax,qword ptr ss:[rbp-4]
000000013FFE1030 | 5D                      | pop rbp
000000013FFE1031 | C3                      | ret


[zedd151]

Looking through hutchs macros, I found this:

Code Select Expand

    AltStackFrame MACRO procname, flag, argbytes, localbytes, reglist, userparms:VARARG
      LOCAL num, var, alt, argb, algn

      argb = argbytes
      argb = (argb / 8) - 1  ;; <------ Here
Notice the "- 1". That seems to be subtracting one for some reason (argbytes 8 bytes too long???). Maybe for the same problem that you are finding.

Anyway, this stuff is obviously way 'over my head'. But I am willing to test your code when you have perfected these macros.   

I am more used to the much simpler macros that simply echo the code (in a macro) when a macro is invoked.

[sinsi]

Maybe for the same problem that you are finding.

Hah, exactly the same problem.

Well, I'll hard code the "fix" and hope that Microsoft keep ignoring it

[sinsi]

For anyone following, I have edited some code here.
The original code had push rsp when it should have been push rbp.

Wow. No idea how that happened...

You cannot view this attachment.

[NoCforMe]

Hmm; is that (the bottle) the problem or the solution?
Or both?

[sinsi]

[NoCforMe]

Not to prolong this topic excursion too much longer, but it looks like someone took that concept a little too seriously.

[NoCforMe]

[last post on this tangent, I promise]
Goddamn, these guys actually did a controlled study on the Ballmer Peak!

[zedd151]

For anyone following, I have edited some code here.
The original code had push rsp when it should have been push rbp.

Wow. No idea how that happened...

That's ok. I never tried to run it, just opened the exe in my debugger for visual inspection of the output. 

[tenkey]

eax returns the following when the moving the following args  to eax. Notice the pattern...

Code Select Expand

testprolog macro procname,flag,parmbytes,localbytes,regs,macroargs:vararg
    push    rsp
    mov     rbp,rsp
   
    mov     eax, flag             ;;; eax returns "10h"
    mov     eax, parmbytes        ;;; eax returns "8"
    mov     eax, localbytes       ;;; eax returns "0"
 ;   mov     eax, regs             ;;; chokes on assembly couldnt test it
 ;   mov     eax, macroargs        ;;; chokes on assembly couldnt test it
   
    exitm   <localbytes>
endm


The last two would return negative values if the pattern would continue. Not sure what this means, but only my observation. 

Macro arguments are text strings, neither numbers nor addresses nor register names.

Code Select Expand

testprolog macro procname,flag,parmbytes,localbytes,regs,macroargs:vararg
    push    rsp
    mov     rbp,rsp
   
    mov     eax, flag             ;;; eax returns "10h"
    mov     eax, parmbytes        ;;; eax returns "8"
    mov     edx, localbytes       ;;; edx returns "0"
    db      '*&regs'              ;;;
    db      '*&macroargs'         ;;;
   
    exitm   <localbytes>
endm

testepilog macro procname,flag,parmbytes,localbytes,regs,macroargs:vararg
    mov     eax, flag             ;;; eax returns "10h"
    mov     eax, parmbytes        ;;; eax returns "8"
    mov     edx, localbytes       ;;; edx returns "0"
    db      '*&regs'              ;;;
    db      '*&macroargs'         ;;;

    pop     rbp
    ret
endm

Code Select Expand

test0par2loc2use proc uses rsi rdi
    local var1:qword,var2:qword
 0000057E  54      1     push    rsp
 0000057F  48/ 8B EC      1     mov     rbp,rsp
 00000582  B8 00000010      1     mov     eax, 010H             
 00000587  B8 00000008      1     mov     eax, 08H       
 0000058C  BA 00000010      1     mov     edx, 010H       
 00000591  2A 3C 72 73 69    1     db      '*<rsi,rdi>'             
   2C 72 64 69 3E
 0000059B  2A      1     db      '*'         
 0000059C  48/ 8B 45 F8
 000005A0  48/ 8B 45 F0     mov rax,var1
    mov rax,var2

 000005A4  B8 00000010      1     mov     eax, 010H             
 000005A9  B8 00000008      1     mov     eax, 08H       
 000005AE  BA 00000010      1     mov     edx, 010H       
 000005B3  2A 3C 72 64 69    1     db      '*<rdi,rsi>'             
   2C 72 73 69 3E
 000005BD  2A      1     db      '*'         
 000005BE  5D      1     pop     rbp
 000005BF  C3      1     ret
 000005C0     ret
test0par2loc2use endp
The regs argument is a text/character string which contains a list of register names separated by commas and enclosed by angle brackets, < >. This makes it easy to insert the register list into an IRP directive. The list sent to the epilog macro is a reversal of the list sent to the prolog macro, providing easy matching of PUSHes and POPs.

You cannot view this attachment.