Accessing Union elements inside a Structure in MASM64

Started by bluedevil, September 27, 2022, 12:57:21 AM


hutch--

Here is a tweaked version.

; «»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»

;       The design is to produce a range of random OFFSETs that are aligned by 8 to
;       modify the 64 bit stack pointer. 16 potential random numbers multiplied by 8 to
;       maintain stack alignment.

; «»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»

    include \masm64\include64\masm64rt.inc

    .data?
      sptr dq ?
      cntr dq ?

    .code

; «»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»

entry_point proc

    mov sptr, rsp

    rcall GetTickCount                          ; get a seed
    bswap rax                                   ; invert bytes for more deviation
    rcall seed_rrand,rax                        ; use it as a random seed

    mov cntr, 1024                              ; run many iterations
  lp:
    mov rax, rvcall(rrand,1,16)                 ; call the range random algo
    sub cntr, 1
    jnz lp

    shl rax, 3                                  ; mul by 8, produces aligned multiply

    sub rsp, rax                                ; sub rax from rsp

    conout "RSP = ",str$(rsp),lf,lf             ; display rsp
    conout "How D",lf                           ; a text message

  ; ---------------------------------------------------------------
  ; This would be put somewhere in the app that is not easy to find.
  ; ---------------------------------------------------------------
    .if rsp == sptr
      conout "Phark, someone has hacked the app !!!!",lf
    .endif
  ; ---------------------------------------------------------------

    waitkey                                     ; wait for result

    .exit                                       ; bye

entry_point endp

; «»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»«»

    end

bluedevil

I hope I didn't miss something. hutch-- your technique works perfectly on my win10x64 machine.

But what I wanted to ask is: we do not need this technique because of the /DYNAMICBASE parameter, right?

The linker puts /DYNAMICBASE:YES by default, and in every run the rsp value changes already?
..Dreams make the future
But the past never lies..
BlueDeviL // SCT
My Code Site:
BlueDeviL Github

TimoVJL

May the source be with you

bluedevil

Quote from: TimoVJL on October 10, 2022, 06:23:28 PM
ASLR is just a bit in PE header, easy to change.

But if I have the executable, I can already reverse/disassemble/debug the binary. Even so, I liked hutch--'s approach.

..Dreams make the future
But the past never lies..
BlueDeviL // SCT
My Code Site:
BlueDeviL Github

TimoVJL

Of course an application can check that bit from the header or the PEB, act in its own way and alert the user.
May the source be with you
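The two points raised above, that /DYNAMICBASE is reflected as a single DllCharacteristics bit in the PE optional header, and that an application (or a reviewer) can read that bit back, can be shown with a small header parser. The following is an added example, not code from this thread or from the MASM32 SDK. It builds header-only PE images in memory (constructed test data, not real binaries) and reports the ASLR-related flags; the constants IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040), IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA (0x0020) and IMAGE_FILE_RELOCS_STRIPPED (0x0001) are the documented PE values. It also covers the caveat the thread does not spell out: the DYNAMIC_BASE bit is only honoured if the image still carries relocations, so a file with relocations stripped is loaded at its preferred base regardless of the bit.

```python
"""Read the ASLR-related flags out of a PE header (added example, not from the forum post)."""
import struct

# Documented PE constants.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # COFF Characteristics: no .reloc, cannot be rebased
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR (/HIGHENTROPYVA), PE32+ only
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be relocated at load (/DYNAMICBASE)
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
COFF_HEADER_FMT = "<HHIIIHH"                       # Machine .. SizeOfOptionalHeader, Characteristics
DLL_CHARACTERISTICS_OFFSET = 70                    # same offset in PE32 and PE32+ optional headers


def build_minimal_pe(dll_characteristics, file_characteristics=0x0022, pe32plus=True):
    """Construct a header-only PE image for testing (constructed data, not a loadable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # e_lfanew sits at 0x3C
    opt_size = 240 if pe32plus else 224
    coff = struct.pack(COFF_HEADER_FMT,
                       0x8664 if pe32plus else 0x14C,  # Machine: x64 or i386
                       0, 0, 0, 0,                     # sections, timestamp, symbols (unused here)
                       opt_size, file_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLL_CHARACTERISTICS_OFFSET, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


def aslr_status(image):
    """Return a dict describing whether the image asks for, and can actually get, ASLR."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    coff = e_lfanew + 4
    (_machine, _nsec, _ts, _symptr, _nsym, opt_size, file_chars) = struct.unpack_from(COFF_HEADER_FMT, image, coff)
    opt = coff + struct.calcsize(COFF_HEADER_FMT)
    if opt_size < DLL_CHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    (dll_chars,) = struct.unpack_from("<H", image, opt + DLL_CHARACTERISTICS_OFFSET)

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    high_entropy = magic == PE32PLUS_MAGIC and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "high_entropy_va": high_entropy,
        # The bit alone is not enough: the loader can only move an image it can relocate.
        "base_randomized": dynamic_base and not relocs_stripped,
    }


def aslr_status_of_file(path):
    """Convenience wrapper for a real file on disk."""
    with open(path, "rb") as fh:
        return aslr_status(fh.read())


if __name__ == "__main__":
    samples = {
        "x64, /DYNAMICBASE /HIGHENTROPYVA": build_minimal_pe(0x0060),
        "x64, no /DYNAMICBASE":             build_minimal_pe(0x0000),
        "x64, bit set but relocs stripped":  build_minimal_pe(0x0040, file_characteristics=0x0023),
        "x86, /DYNAMICBASE":                 build_minimal_pe(0x0040, pe32plus=False),
    }
    for name, img in samples.items():
        print("%-36s %s" % (name, aslr_status(img)))
```

`base_randomized` is the value worth acting on: a run-time self-check like the one TimoVJL describes should look at the same combination (relocatable image plus the DYNAMIC_BASE bit), or simply compare the module's actual load address against the ImageBase recorded in the header, rather than trusting the bit on its own.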

hutch--

Here is a test UI app that uses the above technique. It must be run directly after the entry point and for a UI app, the range of OFFSETS must be aligned by 16. The test is buried in the "StatusBar" proc to make it harder to find.

While anything can be broken if the attacker is both patient enough and knows enough, small tricks like this increase the complexity of hacking an app, and combined with a range of other tricks, you can help the attacker grow old trying to break an app.

NoCforMe

Continuing the discussion of just how the stack works (under Windows), check this page of Raymond Chen's. Excellent explanation of what can and can't be done with the stack (talking X86 here; he covers other architectures also).

I especially like this little illustration from his article:
Assembly language programming should be fun. That's why I do it.

jj2007

I generally like Chen's articles a lot, but this one is not very clear. Note also that the "red zone" (why "still valid"?) does not exist for the two architectures we are dealing with in this forum, x86 and x64.

To take away: mov [esp-100], eax is not a good idea, because your debugger might shamelessly use that area.