flat assembler
Message board for the users of flat assembler.
Windows > always pain about the stack
charme 09 Jan 2010, 15:06
Someone helped solve two problems about the stack! Thanks here!
But now I'm always in pain about the stack... I can't deal with it! I just wrote some code to get the API address from the export table by hash, but it always fails! My algorithm is OK, so I think it may be a stack problem. I uploaded the code; can someone help me? I am very worried. Thanks!!
charme 09 Jan 2010, 23:54
Help me... I
Borsuc 10 Jan 2010, 00:13
I don't have x64, so I can't debug it. Try to use OllyDbg and see where it fails. Btw, are you sure hashes alone work on x64?
LocoDelAssembly 10 Jan 2010, 00:34
OllyDbg can't work with 64-bit (not even the long-awaited version 2).
I can't test here either, sorry.
Borsuc 10 Jan 2010, 00:48
Damn! I thought the latest alpha could. Though, there was a FASM debugger... FDBG I think, for x64.
_________________
Previously known as The_Grey_Beast
charme 10 Jan 2010, 01:08
Borsuc wrote: Damn! I thought the latest alpha could. Though, there was a FASM debugger... FDBG I think, for x64.

Yeah!! I just used FDBG and debugged it! This line:

    ;;get export table
    mov eax,dword [rax+136]   ;;export RVA
    test rax,rax
    jz _get_next_mod

Here, dword [rax+136] = 00000000..... so it just goes to _get_next_mod. Here:

    _get_next_mod:
    ...
    ..
    0000000000402061 488B12 mov rdx,[rdx] ; [0000000000000000]=? ERROR here!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I use this method to get the export table:

Code:
    xor rdx,rdx
    mov rdx,[gs:rdx+96]      ;;PEB
    mov rdx,[rdx+24]         ;;PEB->Ldr
    mov rdx,[rdx+32]         ;;first module (InMemoryOrder module list)
    _next:
    mov rsi,[rdx+80]         ;;module name
    mov cx,word [rdx+74]
    push rdx
    ;; get pe header
    mov rdx,[rdx+32]         ;;module base address
    mov eax,dword [rdx+60]   ;;pe header
    add rax,rdx
    ;;get export table
    mov eax,dword [rax+136]  ;;export RVA

Why can't it work? I'm confused!
_________________
do it,do our best!
----------------------------------------------------------
http://chx4.net
charme 10 Jan 2010, 01:13
Borsuc wrote: I don't have x64 so I can't debug it, try to use OllyDbg and see where it fails -- btw are you sure hashes alone work on x64?

No! I don't use the CRC algorithm in my code comment, because that algorithm depends on the CPU, which must support the SSE4 instructions, so I use the one I once wrote for 32-bit!! I also uploaded it in hash.rar. But now the hash algorithm will be fine; the algorithm that gets the export table may be the problem!!
_________________
do it,do our best!
----------------------------------------------------------
http://chx4.net
charme 10 Jan 2010, 01:34
So I have tried to debug it using WinDbg!
Here:

    0000000000402018 65488B5260 GS mov rdx,[rdx+60] ; [000007FFFFFDE060]=000007FFFFFD3000

We know [gs:0+60] should be the PEB address! But when I do dt !peb in WinDbg: "peb at 000007fffffda000". Maybe here will be the first error! But I can't get which [gs:0+?] will be equal to 000007fffffda000.

Last edited by charme on 10 Jan 2010, 01:38; edited 1 time in total
Borsuc 10 Jan 2010, 01:37
Did my suggestion work, or am I totally not understanding what you are trying to do? (because I don't)
charme 10 Jan 2010, 01:41
Borsuc wrote: did my suggestion work or am I totally not understanding what you are trying to do? (because I don't)

Oh! Sorry... Thank you anyway!! My English is so poor! I'm Chinese!!
_________________
do it,do our best!
----------------------------------------------------------
http://chx4.net
charme 10 Jan 2010, 08:17
Help me.... Is there anyone who studies x64?
bitRAKE 10 Jan 2010, 22:24
Code:
    mov rax,[gs:30h]   ; RAX points to TEB (Thread Environment Block)
    mov rcx,[rax+60h]  ; RCX points to PEB (Process Environment Block)

FDBG source code has examples of accessing PEB. (Your English is better than my Chinese - well done!)

How about a size optimized (6 bytes):

Code:
    push 60h
    pop rsi
    gs lodsq           ; RAX points to PEB
charme 11 Jan 2010, 04:31
bitRAKE wrote:
Good job! This error has been solved!! Thanks. I want to make friends with you... My MSN: charme000@gmail.com. Maybe I can teach you Chinese, if there is any chance, hoho :) So welcome to China!!
_________________
do it,do our best!
----------------------------------------------------------
http://chx4.net
bitRAKE 13 Jan 2010, 00:10
I've optimized (141 bytes (almost as small as his 32-bit version ), and several other improvements) the api_call by Stephen Fewer for 64-bit and wrote a parallel FASM macro to calculate the hash values easily:
Code:
    api_call:
        push rdx rcx rdi rsi rax 60h
        pop rsi
        gs lodsq
        mov rax,[rax+24]
        mov rdi,[rax+32]
    .next_module:
        mov rsi,[rdi+80]
        movzx ecx,word [rdi+74]
        xor eax,eax
        cdq
    .module_name:
        lodsb
        and al,not 20h
        ror edx,13
        add edx,eax
        loop .module_name
        push rdi
        mov rdi,[rdi+32]
        mov eax,[rdi+60]
        lea rax,[rdi+rax+68]
        mov ecx,[rax+136-68]
        jrcxz .skip_module
        add rcx,rdi
        push rcx
        mov esi,[rcx+32]
        mov ecx,[rcx+24]
        add rsi,rdi
    .next_function:
        jrcxz .get_module
        dec ecx
        push rdx rsi
        mov esi,[rsi+rcx*4]
        add rsi,rdi
        xor eax,eax
    .function_name:
        lodsb
        ror edx,13
        add edx,eax
        cmp al,ah
        jne .function_name
        cmp edx,[rsp+8*4]
        pop rsi rdx
        jnz .next_function
        pop rsi
        mov edx,[rsi+36]
        add rdx,rdi
        mov cx,[rdx+2*rcx]
        mov eax,[rsi+28]
        add rax,rdi
        mov eax,[rax+4*rcx]
        add rax,rdi
        pop rdx rdx rsi rdi rcx rdx
        jmp rax
    .get_module:
        pop rdx
    .skip_module:
        pop rdi
        mov rdi,[rdi]
        jmp .next_module

Code:
    macro API_HASH32 dll,export
    {
        local ..b,..d
        ..d = 0
        virtual at $
            du `dll,0
            repeat $-$$
                load ..b byte from $$+%-1
                ..d = $FFFFFFFF and\
                    ((..d SHR 13)+(..d SHL 19)+\
                    (..b and (not 20h)))
            end repeat
        end virtual
        virtual at $
            db `export,0
            repeat $-$$
                load ..b byte from $$+%-1
                ..d = $FFFFFFFF and\
                    ((..d SHR 13)+(..d SHL 19)+\
                    ..b)
            end repeat
        end virtual
        mov eax,..d
    }

Code:
    xor ecx,ecx
    API_HASH32 ntdll.dll,RtlExitUserThread
    call api_call

The DLL name is unicode and case insensitive; while the Function is ASCII and case sensitive. I can imagine a number of additional optimizations depending on use. For example, some adaptor code could be placed prior to JMP RAX - allowing various internal calling conventions to be used. Also, a hash table might help compact code. Note: I haven't checked for collisions nor is there an exit condition for hash not found. Why do you wish to access APIs in this manner? Sorry, I do not use instant messenger (MSN). You can still be my friend.
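On the analyst's side, the same ROR-13 hash is what gets recomputed when a sample resolves APIs this way: a table of hash -> (DLL, export) turns the constants pulled out of a sample back into names, and building that table is also where the collisions bitRAKE says he did not check for show up. The following Python is an added example, not code from the thread or from any of the posters; it reproduces the byte sequences the API_HASH32 macro hashes (the DLL name as UTF-16LE including its terminating 16-bit zero, each byte ANDed with NOT 20h; the export name as ASCII including its terminating zero, case kept), and the six names in SAMPLE_EXPORTS are a constructed list, not a full export inventory.

```python
"""Analyst-side recomputation of the API_HASH32 hash from bitRAKE's macro.
Added example, not code from the thread. Assumes the macro's byte sequences:
DLL name as UTF-16LE including the terminating 16-bit zero, each byte ANDed
with NOT 20h; export name as ASCII including the terminating zero, case kept.
"""
MASK32 = 0xFFFFFFFF


def ror13_add(acc: int, byte: int) -> int:
    """One hashing step: rotate the 32-bit accumulator right by 13, add the byte."""
    rotated = (acc >> 13) | ((acc << 19) & MASK32)
    return (rotated + byte) & MASK32


def api_hash32(dll: str, export: str) -> int:
    """The value the macro emits with 'mov eax,..d' for API_HASH32 dll,export."""
    acc = 0
    for b in (dll + "\0").encode("utf-16-le"):   # du `dll,0
        acc = ror13_add(acc, b & ~0x20)          # (..b and (not 20h)): folds a-z onto A-Z
    for b in (export + "\0").encode("ascii"):    # db `export,0
        acc = ror13_add(acc, b)                  # no folding: export names stay case-sensitive
    return acc


def build_hash_table(pairs):
    """hash -> list of (dll, export). A list with more than one entry is a collision."""
    table = {}
    for dll, export in pairs:
        table.setdefault(api_hash32(dll, export), []).append((dll, export))
    return table


def collisions(table):
    """Hashes shared by more than one (dll, export) pair in the table."""
    return {h: names for h, names in table.items() if len(names) > 1}


def resolve(table, value):
    """Every (dll, export) pair whose hash equals value; [] when the constant is unknown."""
    return table.get(value & MASK32, [])


# Constructed sample list for the demonstration (real export names, far from complete).
SAMPLE_EXPORTS = [
    ("ntdll.dll", "RtlExitUserThread"),
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "GetProcAddress"),
    ("kernel32.dll", "ExitProcess"),
    ("kernel32.dll", "VirtualAlloc"),
    ("ws2_32.dll", "WSAStartup"),
]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    for h, names in sorted(table.items()):
        print(f"{h:08x}  " + ", ".join(f"{d}!{e}" for d, e in names))
    print("collisions:", collisions(table) or "none in this table")
    print("lookup:", resolve(table, api_hash32("ntdll.dll", "RtlExitUserThread")))
```

Because resolve returns every pair that maps to a constant rather than the first one, a collision in a large table is visible to the analyst instead of being silently mislabelled; the same property is why matching on hash alone inside api_call can jump to the wrong export when two names collide.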
charme 13 Jan 2010, 09:00
bitRAKE wrote: I've optimized (141 bytes (almost as small as his 32-bit version ), and several other improvements) the api_call by Stephen Fewer for 64-bit and wrote a parallel FASM macro to calculate the hash values easily:

You have solved the main problem.... Thanks always. So you don't use MSN!! I just used TASM or MASM before for viruses......... just for interest, not damage!! So I'm new to FASM and also to x64, but I want to study virus technology on x64!! So some things may not be suitable to talk about here!! hoho :)
_________________
do it,do our best!
----------------------------------------------------------
http://chx4.net
revolution 13 Jan 2010, 09:12
charme wrote: i just use tasm or masm ever for virus.........just for interests! not damage!!

charme wrote: so something maybe not suit talk aout here!!hoho:)
f0dder 13 Jan 2010, 09:50
bitRAKE wrote: The DLL name is unicode and case insensitive;

Btw, when doing your own GetProcAddress, there are three special cases you have to handle:

1. Ordinal imports (high bit of name-rva set - use only low word for ordinal number).
2. Forwarded exports - dunno what the "official" way is, but checking if exported RVA lies outside the range specified by PE_DIRENT_EXPORT seems to work.
3. In case you do any redirection/trampolining, you need to detect if you're dealing with a data export. These are uncommon, but things like MSVCRT.DLL have them... the heuristic I used was to find which PE section the export RVA lies in, and check that section for PE_SCN_CNT_INITIALIZED_DATA.

Items 2 and 3 obviously depend on well-formed standard PEs.
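f0dder's three special cases, applied in an added Python example that is not from the thread or from any poster's code. Anyone writing their own export walker on the defensive side (hooking frameworks, EDR sensors, memory-forensics tooling that rebuilds import tables) has to get these right, and the two that are easy to miss are exactly the forwarder and the data export. The example works on a flat as-mapped buffer (RVA equals buffer offset) and takes the export directory RVA/size and a section table as parameters, which a real parser reads from IMAGE_OPTIONAL_HEADER and the section headers; the image, the section list and the export names ("CodeFunc", "DataExport", "Forwarded", "synth.dll") are constructed for the demonstration. Case 2 is f0dder's range test against the export directory, case 3 his section-flag heuristic (IMAGE_SCN_CNT_INITIALIZED_DATA, which he writes as PE_SCN_CNT_INITIALIZED_DATA), and case 1 decodes an import thunk using IMAGE_ORDINAL_FLAG64/32 from winnt.h.

```python
"""Added example (not from the thread): the three GetProcAddress special cases
f0dder lists, run against a constructed in-memory image.
Assumptions: the buffer is already mapped (RVA == offset); the export
directory RVA/size and the section table are supplied by the caller.
"""
import struct

# winnt.h constants
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_ORDINAL_FLAG64 = 1 << 63
IMAGE_ORDINAL_FLAG32 = 1 << 31


def rd32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def rd16(img, off):
    return struct.unpack_from("<H", img, off)[0]


def cstr(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii")


def decode_import_thunk(thunk, is_64=True):
    """Case 1: high bit set means an ordinal import; only the low word is the ordinal.
    Otherwise the thunk is the RVA of an IMAGE_IMPORT_BY_NAME entry."""
    flag = IMAGE_ORDINAL_FLAG64 if is_64 else IMAGE_ORDINAL_FLAG32
    if thunk & flag:
        return ("ordinal", thunk & 0xFFFF)
    return ("name_rva", thunk)


def classify_target(img, exp_rva, exp_size, sections, target):
    """Case 2: an export RVA that lands inside the export directory is a forwarder
    string ("DLL.Function"), not code. Case 3: an RVA inside a section flagged
    IMAGE_SCN_CNT_INITIALIZED_DATA is a data export and must not be trampolined."""
    if exp_rva <= target < exp_rva + exp_size:
        return ("forward", cstr(img, target))
    for _name, va, size, flags in sections:
        if va <= target < va + size and flags & IMAGE_SCN_CNT_INITIALIZED_DATA:
            return ("data", target)
    return ("code", target)


def parse_exports(img, exp_rva, exp_size, sections):
    """Walk the export name table; returns {name: (kind, value)}."""
    n_names = rd32(img, exp_rva + 24)          # NumberOfNames
    funcs = rd32(img, exp_rva + 28)            # AddressOfFunctions
    names = rd32(img, exp_rva + 32)            # AddressOfNames
    ordinals = rd32(img, exp_rva + 36)         # AddressOfNameOrdinals
    result = {}
    for i in range(n_names):
        name = cstr(img, rd32(img, names + 4 * i))
        index = rd16(img, ordinals + 2 * i)    # unbiased index into AddressOfFunctions
        target = rd32(img, funcs + 4 * index)
        result[name] = classify_target(img, exp_rva, exp_size, sections, target)
    return result


def export_by_ordinal(img, exp_rva, exp_size, sections, ordinal):
    """Ordinal lookup: subtract the directory's Base before indexing AddressOfFunctions."""
    base = rd32(img, exp_rva + 16)             # Base
    n_funcs = rd32(img, exp_rva + 20)          # NumberOfFunctions
    index = ordinal - base
    if not 0 <= index < n_funcs:
        return None
    target = rd32(img, rd32(img, exp_rva + 28) + 4 * index)
    return classify_target(img, exp_rva, exp_size, sections, target)


def build_synthetic_image():
    """Constructed test image: one code export, one data export, one forwarder."""
    EXP = 0x2000
    img = bytearray(0x3000)
    funcs, names, ordinals = EXP + 40, EXP + 52, EXP + 64   # three tables of 3 entries
    cur = EXP + 70                                          # string area follows them

    def put(s):
        nonlocal cur
        off, data = cur, s.encode("ascii") + b"\0"
        img[off:off + len(data)] = data
        cur += len(data)
        return off

    dll = put("synth.dll")
    n_code, n_data, n_fwd = put("CodeFunc"), put("DataExport"), put("Forwarded")
    fwd = put("NTDLL.RtlExitUserThread")   # forwarder string inside the directory range
    exp_size = cur - EXP
    # IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, MajorVersion, MinorVersion,
    # Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames,
    # AddressOfNameOrdinals
    struct.pack_into("<IIHHIIIIIII", img, EXP, 0, 0, 0, 0, dll, 1, 3, 3, funcs, names, ordinals)
    struct.pack_into("<III", img, funcs, 0x1000, 0x2800, fwd)
    struct.pack_into("<III", img, names, n_code, n_data, n_fwd)
    struct.pack_into("<HHH", img, ordinals, 0, 1, 2)
    sections = [  # (name, VirtualAddress, VirtualSize, Characteristics)
        (".text", 0x1000, 0x1000, 0x60000020),
        (".rdata", 0x2000, 0x0800, 0x40000040),
        (".data", 0x2800, 0x0800, 0xC0000040),
    ]
    return bytes(img), EXP, exp_size, sections


if __name__ == "__main__":
    img, rva, size, secs = build_synthetic_image()
    for name, (kind, value) in parse_exports(img, rva, size, secs).items():
        print(f"{name:12s} {kind:8s} {value if kind == 'forward' else hex(value)}")
```

The forwarder check runs before the section check because the forwarder string also lives in an initialized-data section (.rdata here), so testing the section flag first would misreport every forwarder as a data export; that ordering is the practical form of f0dder's note that both checks assume a well-formed PE.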
bitRAKE 13 Jan 2010, 10:14
f0dder wrote:
High bit of Export RVA for ordinal export, huh? Maybe:

    mov esi,[rsi+rcx*4]
    add rsi,rdi

...replaced by...

    lea rsi,[rsi+rcx*4]
    test dword [rsi],-1
    js @F
    mov esi,[rsi]
    add rsi,rdi
    @@:

(assume third byte is zero?) ...and small change to macro to support ordinal. (2) and (3) require much more.
_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.