flat assembler
Message board for the users of flat assembler.

Index > Main > Memory Reading/Writing issues

Author
Thread Post new topic Reply to topic
jmurray



Joined: 28 Sep 2019
Posts: 8
Location: Plymouth, UK
jmurray
Hello,
I'm currently experiencing an issue with the above. It involves writing a Uint32 (rcx) into a memory location, and reading it. However the value that is read is different than that of what is written in.

I believe the issue I am having is that I am referencing the memory address of the Intptr (rdx) rather than utilising the pointer at the memory location.

The two procedures are as follows:

Code:
proc ReadMemory uses rcx, rdx
     ;Read uint32 from rdx, return in rcx
     mov eax,dword [rdx]
     mov dword [rcx],eax
     mov rax,rcx
     ret
endp

proc WriteMemory uses rcx, rdx
     ;Write int32/uint32 from rcx to first 4 bytes of rdx
     mov eax,dword [rcx]
     mov dword [rdx],eax
     ret
endp
    


If that is what this does, how exactly should I go about referencing the memory address stored at edx, rather than it's value?

Thank you for your time.


Last edited by jmurray on 24 Apr 2020, 19:32; edited 1 time in total
Post 24 Apr 2020, 00:13
View user's profile Send private message Send e-mail Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17639
Location: In your JS exploiting you and your system
revolution
To read a memory value just do this:
Code:
mov ecx,[rdx]    
To write a memory value just do this:
Code:
mov [rdx],ecx    
You don't need a procedure to to it, they are native instructions.
Post 24 Apr 2020, 00:43
View user's profile Send private message Visit poster's website Reply with quote
jmurray



Joined: 28 Sep 2019
Posts: 8
Location: Plymouth, UK
jmurray
The program which uses this has already allocated a memory location. The value forwarded in rdx is an Intptr of this memory location.

I have made the following changes to the code, but it now crashes on write:
Code:
proc ReadMemory uses rcx, rdx
     ;Read uint32 from rdx, return in rcx
     mov rbx,[rdx];set rbx to memory location at rdx
     mov eax,dword [rbx];move the first 4 bytes at rbx into eax
     mov [rcx],eax;move eax into rcx
     mov rax,rcx
     ret
endp

proc WriteMemory uses rcx, rdx
     ;Write int32/uint32 from rcx to first 4 bytes of rdx
     mov rbx,[rdx];set rbx to memory location at rdx
     mov eax,dword [rcx];Write value into eax
     mov [rbx],eax;Write value from eax into rbx
     ret
endp
    

I may be overthinking this, but am very grateful for the help.
Post 24 Apr 2020, 19:22
View user's profile Send private message Send e-mail Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17639
Location: In your JS exploiting you and your system
revolution
It looks like you want to do a memory-to-memory move, and your registers are pointers to the locations.
Code:
proc MoveMemory
     ;Move uint32 from [rdx], to [rcx]
     mov eax,[rdx]
     moc [rcx],eax
     ret
endp    
You don't need the "uses" clause since you don't alter those registers.
Post 24 Apr 2020, 20:33
View user's profile Send private message Visit poster's website Reply with quote
jmurray



Joined: 28 Sep 2019
Posts: 8
Location: Plymouth, UK
jmurray
I'm not sure what you think I'm trying to do.

My external program uses these dll procedures to store and read from a memory address at pointer rdx. It does this by either passing a uint32 to write to memory in rcx for write, or passes a uint32 for the procedure to write the contents of memory into in the case of read.

The issue i'm having is that when writing in "123" for example, when it is read from the same pointer, returns a different number.

Because I am now directly feeding the procedures the rdx pointer from my program, I am now using my initial code example again. But the problem persists.

This is under the assumption that a called DLL has access to the calling programs memory space however.
Post 24 Apr 2020, 22:26
View user's profile Send private message Send e-mail Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17639
Location: In your JS exploiting you and your system
revolution
What is your external program? Does it use the Windows fastcall convention? If it does then it will expect a return value in RAX.
Code:
proc ReadMemory
     ;Read uint32 from rdx, return in rax
     mov eax,[rdx] ;read memory
     ret
endp    
If it is using a pointer to a pointer then do this:
Code:
proc ReadMemory
     ;Read uint32 from [rdx], return in rax
     mov rax,[rdx] ;read pointer
     mov eax,[rax] ;read memory
     ret
endp    
Post 24 Apr 2020, 23:14
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.