Understanding an address

Started by Cut3Skull, July 28, 2019, 05:13:53 PM


Cut3Skull

Hello, I am trying to understand how MASM is resolving this address

jmp dword ptr (loc_40c026+1)[eax*4]

Given that the label is

loc_40c026:
and dh, cl
retn 40h
dd offset loc_...
dd offset loc_...
dd offset loc_...
...


I know that the square brackets are like the * operator in C, which means de-referencing a pointer, but what are the () brackets for? And how does MASM understand loc_40c026+1?

Thank you.

hutch--

It seems you are working on a dis-assembly.

jj2007

Test it, but read the forum rules before proceeding ;-)

include \masm32\include\masm32rt.inc

.code
start:
xor eax, eax
; inc eax
; int 3
jmp dword ptr (loc_40c026+1+4)[eax*4]    ; the +4 makes the code useful
loc_40c026:
and dh, cl
retn 40h

dd offset loc_a
dd offset loc_b

loc_a: inkey "this is A"
loc_b: inkey "this is B"

  exit

nops 1000

end start

Cut3Skull

Quote from: hutch-- on July 28, 2019, 06:07:33 PM
It seems you are working on a dis-assembly.

Yes, it is for a research purpose; I will need to make a program that can follow the control flow of asm files produced by IDA Pro. I have basic knowledge about branching and flow control; I just needed help understanding what happens when I have both bracket types, () and [], in an address.
Thanks.

Cut3Skull

Thanks :)
I will test it out and see what happens.

Quote from: jj2007 on July 28, 2019, 06:19:06 PM
Test it, but read the forum rules before proceeding ;-)

include \masm32\include\masm32rt.inc

.code
start:
xor eax, eax
; inc eax
; int 3
jmp dword ptr (loc_40c026+1+4)[eax*4]    ; the +4 makes the code useful
loc_40c026:
and dh, cl
retn 40h

dd offset loc_a
dd offset loc_b

loc_a: inkey "this is A"
loc_b: inkey "this is B"

  exit

nops 1000

end start


Cut3Skull

Edit: nvm :sad: I did not use retn 40h; instead I used retn
--------------------------------------------------------------------------------------------------------------------------------

@jj2007
your code works, and the program sums up what is between the brackets with what is between the square brackets! :)
However, earlier I tried the following code
.386
.model flat, stdcall
.stack 4096
ExitProcess PROTO, dwExitCode:DWORD

.data

.code
main PROC
xor eax, eax
inc eax
jmp dword ptr (loc_offsets+5)[eax*4]

loc_offsets:
and dh, cl
retn

dd offset loc_1
dd offset loc_2
dd offset loc_3
dd offset loc_4
dd offset loc_5
dd offset loc_6

loc_1:
mov eax, 1h
loc_2:
mov eax, 2h
loc_3:
mov eax, 3h
loc_4:
mov eax, 4h
loc_5:
mov eax, 5h
loc_6:
mov eax, 6h

INVOKE ExitProcess, 0
main ENDP

END main


and I got "Frame not in window" "the current stack frame was not found in a loaded module", and the calculated address is very large compared to your code, no matter what the eax register value is.
What am I doing differently from your code?

Also, I am using MASM with Visual Studio, if it helps.

thanks again jj2007 for your help :)

Quote from: jj2007 on July 28, 2019, 06:19:06 PM
Test it, but read the forum rules before proceeding ;-)

Also, I replaced your inkey lines with mov instructions and just watched what happens to the eax value.
include \masm32\include\masm32rt.inc

.code
start:
xor eax, eax
; inc eax
; int 3
jmp dword ptr (loc_40c026+1+4)[eax*4]    ; the +4 makes the code useful
loc_40c026:
and dh, cl
retn 40h

dd offset loc_a
dd offset loc_b

loc_a: inkey "this is A"
loc_b: inkey "this is B"

  exit

nops 1000

end start
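
Added example, not code from the thread: a small C model of how a control-flow follower (the tool Cut3Skull describes) would resolve the operand jmp dword ptr (label+disp)[eax*4] from a byte image of the listing. It assumes loc_40c026 is the label's address and uses constructed dd target values; image A mirrors jj2007's listing with retn 40h, image B the failing one with a plain retn, so the same +5 displacement lands on a dword boundary in A and in the middle of a dword in B.

```c
#include <stdint.h>
#include <stddef.h>

#define LABEL 0x40C026u   /* loc_40c026 from the thread, taken as the label's address */

/* Constructed image A (mirrors jj2007's listing): and dh,cl ; retn 40h ; two dd targets. */
static const uint8_t image_a[] = {
    0x20, 0xCE,               /* and dh, cl  (2 bytes) */
    0xC2, 0x40, 0x00,         /* retn 40h    (3 bytes) -> the table starts at label+5 */
    0x00, 0xC1, 0x40, 0x00,   /* dd offset loc_a (constructed value 0x0040C100) */
    0x20, 0xC1, 0x40, 0x00    /* dd offset loc_b (constructed value 0x0040C120) */
};
/* Constructed image B (mirrors the failing listing): a 1-byte retn moves the table to label+3. */
static const uint8_t image_b[] = {
    0x20, 0xCE,               /* and dh, cl */
    0xC3,                     /* retn        (1 byte) */
    0x00, 0xC1, 0x40, 0x00,   /* dd offset loc_1 (constructed value 0x0040C100) */
    0x20, 0xC1, 0x40, 0x00    /* dd offset loc_2 (constructed value 0x0040C120) */
};

/* Little-endian dword at image offset off; *ok = 0 when the read would leave the image. */
static uint32_t read_dword(const uint8_t *img, size_t len, size_t off, int *ok) {
    if (off + 4 > len) { *ok = 0; return 0; }
    *ok = 1;
    return (uint32_t)img[off] | (uint32_t)img[off + 1] << 8 |
           (uint32_t)img[off + 2] << 16 | (uint32_t)img[off + 3] << 24;
}

/* Resolve "jmp dword ptr (label+disp)[index*scale]": MASM folds both bracket groups into
 * one effective address, label + disp + index*scale, and the jump target is the dword
 * stored there. *ok = 0 when that EA falls outside the image. */
uint32_t resolve_jump(const uint8_t *img, size_t len, uint32_t disp,
                      uint32_t index, uint32_t scale, int *ok) {
    uint32_t ea = LABEL + disp + index * scale;
    if (ea < LABEL) { *ok = 0; return 0; }      /* guards against wrap-around */
    return read_dword(img, len, ea - LABEL, ok);
}

/* Wrappers for the two images; they return 0 when the EA left the image. */
uint32_t target_a(uint32_t disp, uint32_t eax) {
    int ok; uint32_t t = resolve_jump(image_a, sizeof image_a, disp, eax, 4, &ok);
    return ok ? t : 0;
}
uint32_t target_b(uint32_t disp, uint32_t eax) {
    int ok; uint32_t t = resolve_jump(image_b, sizeof image_b, disp, eax, 4, &ok);
    return ok ? t : 0;
}
```

target_a(1, 1) reproduces the original listing, where eax is already 1 when the jmp executes, and target_b(5, 0) reproduces the "very large" address seen with the 1-byte retn.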


hutch--

Just be careful here, it is built into the rules of the forum that NO REVERSE ENGINEERING is allowed here. What happens is that anything illegal that gets posted leaves ME as the target for security agencies around the world, and I have made it clear to anyone who wants to post this stuff here that I will hand over any data about them to any security agency that wants it.

As an aside, from memory IDA Pro uses closer to TASM format than MASM and this may affect what you are doing. We will help you with matters of how to WRITE code, which includes the mode of addressing, but even the hint of reverse engineering will get you kicked out of here faster than Halley's comet.

Cut3Skull

Thanks for letting me know. As long as you don't hand the data to anyone who asks, I am okay with the data being known to authorities; after all, I hope to advance malware detection techniques, which I guess authorities are okay with.
Don't worry though, I got the answer for what I came here for, and I don't think I will need further assistance.
Thank you both for the help.

Quote from: hutch-- on July 29, 2019, 01:12:19 AM
Just be careful here, it is built into the rules of the forum that NO REVERSE ENGINEERING is allowed here. What happens is that anything illegal that gets posted leaves ME as the target for security agencies around the world, and I have made it clear to anyone who wants to post this stuff here that I will hand over any data about them to any security agency that wants it.

As an aside, from memory IDA Pro uses closer to TASM format than MASM and this may affect what you are doing. We will help you with matters of how to WRITE code, which includes the mode of addressing, but even the hint of reverse engineering will get you kicked out of here faster than Halley's comet.

aw27

While many universities in the USA offer Reverse Engineering courses, in other countries these matters are taboo, immediately associated with virus manufacturing.
Although Americans are educated from childhood to believe the World is the USA and elsewhere is landscape, don't take that for granted. Most things don't happen in the USA.