News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

Unusual call

Started by alikim, September 11, 2017, 03:58:55 AM

Previous topic - Next topic

alikim

I have a call that leads to a jmp that leads to a procedure beginning with
push ebp
push ebp,esp
...


Normally I'd expect esp right before push ebp to hold the return address and also see values pushed onto the stack before the call.

In this case there is nothing in common between values of esp and [esp], [esp+4], ... etc before the call and at the procedure.

What might be the reason for that?

jj2007

> push ebp,esp

Really? Copy a hundred relevant lines from the disassembly and post it here, then we can discuss.

hutch--

You need to get to know the actual instructions (usually called mnemonics) and how they operate. The instruction "call" is almost exclusively paired with a "ret" instruction and its a way to transfer from one location in a program to another (usually called a procedure) and when that procedure has completed it returns back to the next instruction where it was called from.

The two instructions,

push ebp
push ebp,esp

is one of the ways of setting up a stack frame which is a technique to use what are called LOCAL variables within a procedure. You don't normally have to do this manually but at a more advanced level you sometimes write a procedure that has no stack frame as it can be faster if its only a very short procedure.

jj2007

The issue is fairly simple:  invoke MessageBox, 0, chr$("text"), chr$("Title"), MB_OK

translates to
00401052             ³.  6A 00                push 0                            ; ÚType = MB_OK|MB_DEFBUTTON1|MB_APPLMODAL
00401054             ³.  68 58204000          push offset 00402058              ; ³Caption = "Title"
00401059             ³.  68 50204000          push offset 00402050              ; ³Text = "text"
0040105E             ³.  6A 00                push 0                            ; ³hOwner = NULL
00401060             ³.  E8 07010000          call <jmp.&user32.MessageBoxA>    ; ÀUSER32.MessageBoxA
...
0040116C              $ FF25 E8204000        jmp near [<&user32.MessageBoxA>]
...
MessageBoxA          Ú$  8BFF                 mov edi, edi                      ; ID_X user32.MessageBoxA(hOwner,Text,Caption,Type)
76C3FDB0             ³.  55                   push ebp
76C3FDB1             ³.  8BEC                 mov ebp, esp

alikim

Thank you, I need to find some proper disassembler for win 8.1 to post codes, but yes, I think it's a call to another module.
My problem is that I know the stack at 76C3FDB0 and I want to go back to 00401060 to see where those values come from (f.e. pushes above) but at 00401060 the stack is completely different.