flat assembler
Message board for the users of flat assembler.

Index > Windows > Show Registers (32-bit)

Author
Thread Post new topic Reply to topic
Picnic



Joined: 05 May 2007
Posts: 1389
Location: Piraeus, Greece
Picnic 18 May 2009, 21:52
Again a small piece of code to display 32 bit this time registers and flags, might be useful.

Code:
        ; Written by thimis

        format PE GUI 4.0
        entry main

        include 'win32axp.inc'

.data
        regstr    db    'EAX=%.8X',13,10,'EBX=%.8X',13,10,'ECX=%.8X',13,10
                  db    'EDX=%.8X',13,10,'ESP=%.8X',13,10,'EBP=%.8X',13,10
                  db    'ESI=%.8X',13,10,'EDI=%.8X',13,10,'EIP=%.8X',13,10,0

        flagstr   dd     2048,1024,512,128,64,16,4,1
                  dd     'OF=0','DF=0','IF=0','SF=0','ZF=0','AF=0','PF=0','CF=0'

        memstr    rb    256

.code
main:
        call Dump
        invoke ExitProcess, 0


Dump:
        pushad
        pushf
        pushf
        cinvoke wsprintf, memstr, regstr, eax, ebx, ecx, edx, esp, ebp, esi, edi, dword [esp+40]
        mov esi, flagstr
        mov edi, memstr
        add edi, eax
        mov ecx, 8
        pop ebx
        cld
    .next:
        mov eax, [esi+32]
        test ebx, [esi]
        je @F
        or eax, 1 shl 24
        @@:
        stosd
        mov ax, 0a0dh
        stosw
        add esi, 4
        loop .next
        invoke MessageBox, HWND_DESKTOP, memstr, 'Status', MB_OK
        popf
        popad
        ret


section '.idata' import data readable writeable

        library kernel32, 'KERNEL32.DLL',\
                 user32, 'USER32.DLL'

                include 'api/kernel32.inc'
                include 'api/user32.inc'
    


Image


Last edited by Picnic on 21 Mar 2020, 10:25; edited 2 times in total
Post 18 May 2009, 21:52
View user's profile Send private message Visit poster's website Reply with quote
Madis731



Joined: 25 Sep 2003
Posts: 2139
Location: Estonia
Madis731 19 May 2009, 07:54
EDIT2: See post http://board.flatassembler.net/topic.php?p=94749#94749 for the most current 64-bit version!

Victory! Smile
EDIT: (suggestions from r22, code from bitRAKE)
Code:

        ; Written by thimis
        ; Converted by Madis731
        ; Corrected by bitRAKE

        format PE64 GUI
        entry main

        include 'win64a.inc'

section '.code' code executable readable
main:
        call Dump
        call Dump
        call Dump
        invoke ExitProcess, 0


Dump:   pushf
        push qword[rsp+8] r15 rdi r14 rsi r13 rbp r12 rsp r11 rdx r10 rcx r9 rbx r8 rax
        ;pushf
        ;pop r8
        mov r8,[rsp+17*8]
        sub rsp,32

; {build flag string}

        lea rcx,[memstr]
        lea rdx,[regstr]
        lea r9,[rflags]
        call [wsprintf]

        mov rcx,HWND_DESKTOP
        lea rdx,[memstr]
        lea r8,[_status]
        mov r9,MB_OK
        call [MessageBox]

; return to caller (ERROR: need to restore the flags here)
       add rsp,32
       pop rax r8 rbx r9 rcx r10 rdx r11 rsp r12 rbp r13 rsi r14 rdi r15 qword[rsp+8]
       popf
       retn

        xchg rcx,rax
        call [ExitProcess]

section '.idata' import data readable writeable

        library kernel32, 'KERNEL32.DLL',\
                 user32, 'USER32.DLL'

                include 'api/kernel32.inc'
                include 'api/user32.inc'

        _status   db    'Status',0
        regstr  db      \
                'RFLAGS: %.8X',13,10,\
                '%s',13,10,\
                13,10,\
                'RAX: %.16IX',  9,      ' R8: %.16IX',13,10,\
                'RBX: %.16IX',  9,      ' R9: %.16IX',13,10,\
                'RCX: %.16IX',  9,      'R10: %.16IX',13,10,\
                'RDX: %.16IX',  9,      'R11: %.16IX',13,10,\
                'RSP: %.16IX',  9,      'R12: %.16IX',13,10,\
                'RBP: %.16IX',  9,      'R13: %.16IX',13,10,\
                'RSI: %.16IX',  9,      'R14: %.16IX',13,10,\
                'RDI: %.16IX',  9,      'R15: %.16IX',13,10,\
                13,10,\
                'RIP: %.16IX',13,10,\
                13,10,\
                0

        memstr    rb    1024
        rflags    dd    ?
    


Last edited by Madis731 on 24 May 2009, 17:15; edited 4 times in total
Post 19 May 2009, 07:54
View user's profile Send private message Visit poster's website Yahoo Messenger MSN Messenger Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4020
Location: vpcmpistri
bitRAKE 19 May 2009, 15:32
The stack alignment at MessageBox crashes Win7. Also, wsprintf memory buffer should be 1024 bytes, afaik (more than 256 is needed above). Also, the flags are modified with the SUB RSP,8 instruction. Also, "%.16X" doesn't work for 64-bit integers - need "%.16IX".
Code:
Dump:      call @F
     @@:

 push r15 rdi r14 rsi r13 rbp r12 rsp r11 rdx r10 rcx r9 rbx r8 rax
  pushf
       pop r8
      sub rsp,32

; {build flag string}

       lea rcx,[memstr]
    lea rdx,[regstr]
    lea r9,[rflags]
     call [wsprintf]

 mov rcx,HWND_DESKTOP
        lea rdx,[memstr]
    lea r8,[_status]
    mov r9,MB_OK
        call [MessageBox]

; return to caller (ERROR: need to restore the flags here)
;    add rsp,32
; pop rax r8 rbx r9 rcx r10 rdx r11 rsp r12 rbp r13 rsi r14 rdi r15
;  retn

    xchg rcx,rax
        call [ExitProcess]

...

regstr     db      \
  'RFLAGS: %.8X',13,10,\
       '%s',13,10,\
     13,10,\
    'RAX: %.16IX',    9,      ' R8: %.16IX',13,10,\
        'RBX: %.16IX',    9,      ' R9: %.16IX',13,10,\
        'RCX: %.16IX',    9,      'R10: %.16IX',13,10,\
        'RDX: %.16IX',    9,      'R11: %.16IX',13,10,\
        'RSP: %.16IX',    9,      'R12: %.16IX',13,10,\
        'RBP: %.16IX',    9,      'R13: %.16IX',13,10,\
        'RSI: %.16IX',    9,      'R14: %.16IX',13,10,\
        'RDI: %.16IX',    9,      'R15: %.16IX',13,10,\
        13,10,\
    'RIP: %.16IX',13,10,\
        13,10,\
    0    
(Made the display more compact because I was thinking about adding the XMM registers.)
Post 19 May 2009, 15:32
View user's profile Send private message Visit poster's website Reply with quote
Madis731



Joined: 25 Sep 2003
Posts: 2139
Location: Estonia
Madis731 19 May 2009, 19:14
Yeah I also thought about XMMs. Thanks for the Win7-compatibility and all the fixes Wink Server 2008 was my testing platform and seems its forgiving a lot.
Post 19 May 2009, 19:14
View user's profile Send private message Visit poster's website Yahoo Messenger MSN Messenger Reply with quote
r22



Joined: 27 Dec 2004
Posts: 805
r22 20 May 2009, 20:44
I always use FORMAT PE CONSOLE and MSVCRT.printf for my debugging.

Putting your above code in a MACRO would be convenient should probably be part of the win[32/64]ax.inc.

Don't you have to take extra care with displaying the RSP value since you want it to be the stack pointer before your display code.
Post 20 May 2009, 20:44
View user's profile Send private message AIM Address Yahoo Messenger Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4020
Location: vpcmpistri
bitRAKE 21 May 2009, 00:48
r22 wrote:
Don't you have to take extra care with displaying the RSP value since you want it to be the stack pointer before your display code.
That would be the proper way. Honestly, I'm kind of spoiled by Ferno's FDBG - I just insert an INT3 and push F9, and then F7 once the debugger loads! It was the same way debugging with OlyDBG in Win32. Other than that I rely on the OS to do it's job during a program crash.

I'm shocked Server 2008 worked correctly with Madis731's code - someone at MS completely ignored the documentation it seems.

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
Post 21 May 2009, 00:48
View user's profile Send private message Visit poster's website Reply with quote
Madis731



Joined: 25 Sep 2003
Posts: 2139
Location: Estonia
Madis731 21 May 2009, 07:13
I edited my code to fit bitRAKE's and r22's suggestions. Now it shows the correct RSP, RIP and RFLAGS.
Post 21 May 2009, 07:13
View user's profile Send private message Visit poster's website Yahoo Messenger MSN Messenger Reply with quote
Picnic



Joined: 05 May 2007
Posts: 1389
Location: Piraeus, Greece
Picnic 21 May 2009, 08:50
I was going to ask for that, thanks Madis731 - bitRAKE - r22.
I don't have a 64 bit machine to run the code, but i wanted to see how it goes.
Post 21 May 2009, 08:50
View user's profile Send private message Visit poster's website Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4020
Location: vpcmpistri
bitRAKE 24 May 2009, 15:38
Madis731 wrote:
Now it shows the correct RSP, RIP and RFLAGS.
Very Happy Maybe, you have pasted wrong code?

My previous posted code does not work. Embarassed
Code:
        ; Written by thimis
        ; Converted by Madis731 & bitRAKE to Win64

        format PE64 GUI
        entry TestDump

        include 'win64a.inc'

section '.code' code executable readable

TestDump:
        call Dump
   enter 32,0
  stc
 call Dump
   sbb eax,eax
 leave
       call Dump
   retn



; - stack alignment not required
; - all registers preserved
; - flags preserved
Dump:
     ; RIP on stack
      push r15 rdi r14 rsi r13 rbp r12 rsp r11 rdx r10 rcx r9 rbx r8 rax
  pushf
       lea rbp,[rflags]
    enter 32,0      ; RBP is parameter array
    and esp,-16     ; align stack

   label .RSP      qword at rbp+8*10
   label .RFLAGS   qword at rbp+8*1

        ; adjust RSP to value prior to call
 add [.RSP],8*8

  ; build RFLAGS string
       mov rsi,[rbp]
       mov rdx,[.RFLAGS]
   mov ecx,rflags.count
.A: mov al,[rflags.map0+rcx-1]
  shr rdx,1
   jnc .0
      mov al,[rflags.map1+rcx-1]
.0:   mov [rsi+rcx-1],al
  loop .A

 ; generate message
  lea rcx,[memstr]
    lea rdx,[regstr]
    mov r8,rbp
  call [wvsprintfA]

       ; display it
        mov rcx,HWND_DESKTOP
        lea rdx,[memstr]
    lea r8,[_status]
    mov r9,MB_OK
        call [MessageBoxA]

; return to caller
        leave
       popf
        ; NOTE: first RDI pop is for RSP value, second restores RDI
     pop rax r8 rbx r9 rcx r10 rdx r11 rdi r12 rbp r13 rsi r14 rdi r15
   retn




section '.idata' import data readable writeable

        library kernel32, 'KERNEL32.DLL',\
                 user32, 'USER32.DLL'

                include 'api/kernel32.inc'
                include 'api/user32.inc'

_status      db 'Status',0

rflags.map0      db '------0-0---',0
rflags.map1    db 'ODITSZ-A-P1C',0
rflags         db '            ',0
rflags.count = $ - rflags - 1

regstr    db      \
  'RFLAGS: %s (%.8X)',13,10,\
  13,10,\
    'RAX: %.16IX',    9,      ' R8: %.16IX',13,10,\
        'RBX: %.16IX',    9,      ' R9: %.16IX',13,10,\
        'RCX: %.16IX',    9,      'R10: %.16IX',13,10,\
        'RDX: %.16IX',    9,      'R11: %.16IX',13,10,\
        'RSP: %.16IX',    9,      'R12: %.16IX',13,10,\
        'RBP: %.16IX',    9,      'R13: %.16IX',13,10,\
        'RSI: %.16IX',    9,      'R14: %.16IX',13,10,\
        'RDI: %.16IX',    9,      'R15: %.16IX',13,10,\
        13,10,\
    'RIP: %.16IX',13,10,\
        13,10,\
    0

memstr rb 1024    
The above version does not require stack alignment and correctly displays RFLAGS (just an example - many styles are possible). I've tested that it seems to works as intended. Might be beneficial to have a variation offering an alternate exit condition. Either bypassing future Dump calls, and/or returning to another address.

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
Post 24 May 2009, 15:38
View user's profile Send private message Visit poster's website Reply with quote
pal



Joined: 26 Aug 2008
Posts: 227
pal 24 May 2009, 18:18
Nice codes.

By the way (this may sound retarded), but what does the r in the 64-bit registers stand for? I cannot find it anywhere, or is it just a 'random' (not random I know) character.
Post 24 May 2009, 18:18
View user's profile Send private message Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4020
Location: vpcmpistri
bitRAKE 24 May 2009, 18:43
pal, I have always imagined it was for "register" - basically, it just indicates the 64-bit width. Whereas the Exx designations are for the 32-bit width. The other parts of the names help distinguish special use - some instructions are limited as to what registers they may use. Though, it is entirely possible to only use an orthogonal subset of the instructions to mimic a RISC processor.

Almost forgot the least character being used to access smaller partitions: r8d, r8w, r8l, etc... DWORD, WORD, BYTE, ... respectively.
Post 24 May 2009, 18:43
View user's profile Send private message Visit poster's website Reply with quote
pal



Joined: 26 Aug 2008
Posts: 227
pal 24 May 2009, 19:12
Yeah. Well I know Exx is extended xx. So when coding in 64 bit you can use r8l to access the byte value in the r8 register? If I interpreted you correctly that is a good feature.
Post 24 May 2009, 19:12
View user's profile Send private message Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4020
Location: vpcmpistri
bitRAKE 25 May 2009, 04:31
The byte size is kind of special because there are 20 bytes size registers, but only 16 of the other sizes. Special care is needed when using AH, BH, CH, and DH - as they cannot be used with the REX prefix.
Post 25 May 2009, 04:31
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.