X64 Masm NEG

Started by meneghini, June 25, 2015, 10:52:08 PM


meneghini

Hello guys, I have a doubt. I have the following code:

extern ExitProcess:proc
extern printf:proc
extern scanf:proc

includelib kernel32.lib
includelib user32.lib
includelib msvcrt.lib
include invoke_macros.asm

.data
scan BYTE 'scanf:',0
formatInt BYTE '%d',0
msg BYTE 'Return = %d',0
printInt BYTE 'printf: %d', 0ah, 0h
f1  BYTE 'Fake parameter #1 ( 293 - 447 ):',0
f2  BYTE 'Fake parameter #2 ( 111 - 377 ):',0

.data?
din dq ?

.code

start PROC
PUSH 327
PUSH 249
CALL main
ADD rsp, 16
invoke printf, addr msg, rax
RET
start ENDP

main proc
PUSH rbp
MOV rbp, rsp
SUB rsp, 48
MOV rax, [rbp + 20]
NEG rax
MOV [rbp - 24], rax
PUSH [rbp - 8]
MOV rax, [rbp + 16]
MOV rbx, [rbp + 20]
SUB rax, rbx
MOV [rbp - 16], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 16]
ADD rax, rbx
MOV [rbp - 40], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 24]
SUB rax, rbx
MOV [rbp - 24], rax
invoke  printf, addr scan
invoke  scanf, addr formatInt, addr din
MOV rax, din
MOV [rbp - 8], rax
MOV rax, [rbp + 16]

NEG rax

MOV [rbp - 48], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 24]
SUB rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp + 20]
CMP rax, 462
JGE LABEL_3
LABEL_1:
MOV rax, [rbp + 20]
MOV rbx, [rbp - 16]
SUB rax, rbx
MOV [rbp - 16], rax
PUSH [rbp - 16]
MOV rax, [rbp + 16]
MOV rbx, [rbp - 40]
ADD rax, rbx
MOV [rbp - 40], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 24]
ADD rax, rbx
MOV [rbp - 24], rax
invoke  printf, addr scan
invoke  scanf, addr formatInt, addr din
MOV rax, din
MOV [rbp - 16], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 48]
SUB rax, rbx
MOV [rbp - 32], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 24]
ADD rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 40]
SUB rax, rbx
MOV [rbp - 40], rax
MOV rax, [rbp - 8]
MOV rbx, [rbp - 16]
ADD rax, rbx
MOV [rbp - 32], rax
MOV rax, [rbp - 8]
NOT rax
MOV rbx, [rbp - 24]
ADD rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 40]
ADD rax, rbx
MOV [rbp - 40], rax
MOV rax, [rbp - 32]
ADD rsp, 64
POP rbp
RET
LABEL_3:
MOV rax, [rbp - 48]
MOV rbx, [rbp - 16]
ADD rax, rbx
MOV [rbp - 16], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 40]
ADD rax, rbx
MOV [rbp - 40], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 24]
ADD rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 40]
SUB rax, rbx
MOV [rbp - 40], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 24]
SUB rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp - 40]
MOV rbx, [rbp - 16]
SUB rax, rbx
MOV rbx, [rbp - 24]
SUB rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp + 20]
CMP rax, 475
JGE LABEL_5
MOV rax, [rbp + 20]
NEG rax
MOV [rbp - 8], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 24]
SUB rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp - 48]
MOV rbx, [rbp - 16]
ADD rax, rbx
MOV [rbp - 8], rax
MOV rax, [rbp + 20]
NEG rax
MOV [rbp - 40], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 24]
ADD rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp - 48]
MOV [rbp - 8], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 16]
ADD rax, rbx
MOV [rbp - 8], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 16]
ADD rax, rbx
MOV [rbp - 8], rax
MOV rax, [rbp + 20]
MOV [rbp - 16], rax
MOV rax, [rbp + 16]
MOV [rbp - 8], rax
MOV rax, [rbp - 48]
MOV rbx, [rbp - 24]
SUB rax, rbx
MOV [rbp - 24], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 40]
SUB rax, rbx
MOV [rbp - 40], rax
JMP LABEL_1
LABEL_5:
MOV rax, [rbp + 16]
MOV rbx, [rbp - 40]
SUB rax, rbx
MOV [rbp - 40], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 8]
ADD rax, rbx
MOV [rbp - 8], rax
MOV rax, [rbp - 48]
MOV rbx, [rbp - 8]
SUB rax, rbx
MOV [rbp - 8], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 48]
ADD rax, rbx
MOV [rbp - 48], rax
MOV rax, [rbp + 20]
CMP rax, 476
JLE LABEL_3
MOV rax, [rbp + 20]
MOV rbx, [rbp - 40]
SUB rax, rbx
MOV [rbp - 8], rax
MOV rax, [rbp - 40]
MOV rbx, [rbp - 16]
ADD rax, rbx
MOV [rbp - 8], rax
MOV rax, [rbp + 20]
MOV rbx, [rbp - 48]
ADD rax, rbx
MOV [rbp - 8], rax
MOV rax, [rbp - 16]
MOV [rbp - 48], rax
MOV rax, [rbp + 16]
MOV rbx, [rbp - 24]
ADD rax, rbx
MOV [rbp - 8], rax
JMP LABEL_1
main endp

end



It's an obfuscated Least Common Multiple program. I don't get something: everything works perfectly until I reach the NEG part:

invoke  printf, addr scan
invoke  scanf, addr formatInt, addr din
MOV rax, din
MOV [rbp - 8], rax
MOV rax, [rbp + 16]
NEG rax


I debugged to check the value of RAX, and it was 249 before the NEG. After it, it should be -249, but I'm getting a HUGE weird number like 129137161657, and then the program is taking the wrong jump. What is happening? (It shouldn't go to label 3 and 5 because they're fake code.)

qWord

Quote from: meneghini on June 25, 2015, 10:52:08 PM
I debugged to check the value of RAX, and it was 249 before the NEG. After it, it should be -249, but I'm getting a HUGE weird number like 129137161657
That must be a problem of your debugger or wrong usage.

Quote from: meneghini on June 25, 2015, 10:52:08 PM
and then the program is taking the wrong jump. What is happening? (It shouldn't go to label 3 and 5 because they're fake code.)
[rbp+20] == ?      (8∤20)
MREAL macros - when you need floating point arithmetic while assembling!

meneghini

I was reading something and I might know the problem; I just don't know how to solve it.

Ok, for example, for 8 bits, we have 255 numbers, with a range of -127 to 127. But the compiler doesn't recognize negative numbers, so the positive numbers are from 0 to 127 and the negative ones are from 128 to 255. Therefore, comparing a REAL positive number (e.g. 45) with a negative one (represented as 210) gives us a wrong result. We are using it like this:

CMP rax, 45
JGE LABEL_3

Any ideas how to fix it?

rrr314159

The program is definitely "obfuscated". Anyway, the number in the debugger starts, no doubt, with fffff... because it's a 2's complement negative. If you add 249 to it you'll get 0, with overflow. In other words, there's nothing wrong with it. Perhaps you can set your debugger to display negative numbers correctly? Why it takes the wrong jump - who knows, but it's not because of NEG.

I assume getting rax from [rbp+20] is part of the obfuscation; normally you would only use 8-byte boundaries ... However, it's legal, and certainly obfuscates.

This is a weird prog; it doesn't surprise me if it doesn't work right.

[edit] Just read your latest post. No, the compiler knows negative numbers; it's just that the debugger doesn't display them right. There's some other bug. CMP should say that -249 (for instance) is less than 45.
I am NaN ;)
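To make the two hints above concrete (qWord's 8∤20 and the two's-complement display), here is an added C model of what main sees; it is not code from the thread or from the MASM32 SDK. It builds a constructed 32-byte copy of main's incoming frame as the posted start PROC lays it out (assumed: x86-64, little-endian, 8-byte PUSH slots, so [rbp+16] = 249 and [rbp+24] = 327), performs the unaligned load at [rbp+20], and reproduces NEG followed by the signed JGE branch, with the unsigned JAE shown beside it for contrast.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of main's incoming stack frame (assumption: x86-64,
 * little-endian, as produced by the thread's start PROC):
 *   PUSH 327 ; PUSH 249 ; CALL main ; PUSH rbp ; MOV rbp, rsp
 * gives [rbp+16] = 249 and [rbp+24] = 327, each an 8-byte slot. */
enum { FRAME_BYTES = 32, ARG1_OFF = 16, ARG2_OFF = 24 };

static void build_frame(uint8_t frame[FRAME_BYTES], int64_t arg1, int64_t arg2)
{
    memset(frame, 0, FRAME_BYTES);
    memcpy(frame + ARG1_OFF, &arg1, sizeof arg1);
    memcpy(frame + ARG2_OFF, &arg2, sizeof arg2);
}

/* MOV rax, [rbp+off]: the CPU performs an unaligned 8-byte load, so an
 * offset that is not a multiple of 8 reads the tail of one slot and the
 * head of the next. At off = 20 that is the upper half of 249 (zero)
 * followed by the lower half of 327, i.e. 327 << 32. */
static int64_t load_qword(const uint8_t frame[FRAME_BYTES], int off)
{
    int64_t v;
    memcpy(&v, frame + off, sizeof v);
    return v;
}

/* What [rbp+off] yields for the thread's arguments 249 and 327. */
int64_t load_arg_at(int off)
{
    uint8_t frame[FRAME_BYTES];
    build_frame(frame, 249, 327);
    return load_qword(frame, off);
}

/* NEG rax: two's complement negation, done in unsigned arithmetic so that
 * INT64_MIN does not trigger signed-overflow UB in C. */
int64_t neg64(int64_t x)
{
    return (int64_t)(0u - (uint64_t)x);
}

/* CMP rax, imm followed by JGE: signed comparison, -249 < 45. */
int jge_taken(int64_t rax, int64_t imm) { return rax >= imm; }

/* CMP rax, imm followed by JAE: unsigned comparison; this is the variant
 * that would treat -249 (0xFFFFFFFFFFFFFF07) as a huge positive value. */
int jae_taken(int64_t rax, int64_t imm) { return (uint64_t)rax >= (uint64_t)imm; }

/* The thread's branch: MOV rax,[rbp+off] ; CMP rax,462 ; JGE LABEL_3.
 * Returns 1 if LABEL_3 (the "fake" path) is taken. */
int label3_taken(int off)
{
    return jge_taken(load_arg_at(off), 462);
}

int main(void)
{
    int64_t n = neg64(249);
    printf("NEG 249: signed %lld, unsigned %llu, hex 0x%016llx\n",
           (long long)n, (unsigned long long)n, (unsigned long long)n);
    printf("-249 + 249 = %lld\n", (long long)(n + 249));
    printf("JGE after CMP -249,45: %d   JAE after CMP -249,45: %d\n",
           jge_taken(n, 45), jae_taken(n, 45));
    for (int off = 16; off <= 24; off += 4)
        printf("[rbp+%d] = %lld  -> LABEL_3 taken: %d\n", off,
               (long long)load_arg_at(off), label3_taken(off));
    return 0;
}
```

The unsigned column is what a debugger shows when it prints RAX as an unsigned 64-bit value, and the [rbp+20] row is why the signed compare against 462 sends control to LABEL_3: the loaded value is not 327 but 327 shifted up by 32 bits, which is far larger than 462.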

meneghini

Yeah, the line [rbp+20] is wrong. I changed it and it works perfectly now. Thanks a lot!