flat assembler
Message board for the users of flat assembler.

Windows > Stack shift under win64 confused

Joined: 08 Mar 2012
Posts: 6
Location: China
Wztml 09 Mar 2012, 12:43
Here is the code:

Code:
format PE64 GUI
entry start

include 'win64ax.inc'

section '.text' code readable executable

        start:
                sub     rsp,8*5                 ; 28h: 20h shadow space + 8 bytes to keep rsp 16-byte aligned
                mov     r9d,0                   ; uType
                lea     r8,[_caption]           ; lpCaption
                lea     rdx,[_text]             ; lpText
                mov     rcx,0                   ; hWnd
                call    [MessageBoxA]
                add     rsp,8*5

                nop
                nop
                nop
                nop

                sub     rsp,8*5                 ; manual allocation before the invoke calls
                invoke  MessageBoxA,0,_text,_caption,0,MB_OK
                invoke  ExitProcess,0

section '.data' data readable writeable

        _caption        db  'Test',0
        _text           db  'Hello World',0

section '.idata' import data readable writeable

        library kernel32,'KERNEL32.DLL',\
                user32,'USER32.DLL'

        import kernel32,\
               ExitProcess,'ExitProcess'

        import user32,\
               MessageBoxA,'MessageBoxA'


What's wrong with the macro 'invoke'? Why is there an additional shift?

I will show the screenshot in IDA


[Attachment: Capture.PNG (IDA screenshot). Description: sub rsp,28h+30h ????????????]



_________________
O_O
Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 09 Mar 2012, 17:34
The invoke macro takes care of allocating stack space on each call; to avoid that, use frame/endf ( http://flatassembler.net/docs.php?article=win32#1.4 )
Joined: 02 Apr 2010
Posts: 517
Location: Munich
shutdownall 09 Mar 2012, 18:31
I didn't know that invoke is a macro, thought it was an instruction inside fasm.
Joined: 24 Aug 2004
Posts: 20423
Location: In your JS exploiting you and your system
revolution 09 Mar 2012, 20:40
Wztml wrote:
Code:
                invoke  MessageBoxA,0,_text,_caption,0,MB_OK    
You have one too many parameters there. MessageBox only takes four parameters.
Joined: 08 Mar 2012
Posts: 6
Location: China
Wztml 10 Mar 2012, 04:58
@Rev
If I give 4 parameters, the code will be
sub rsp,28h
sub rsp,20h
..
..

SO WHAT'S WRONG?
Joined: 24 Aug 2004
Posts: 20423
Location: In your JS exploiting you and your system
revolution 10 Mar 2012, 05:02
Nothing is wrong. You have manually specified the sub rsp,28h, and the invoke macro has generated the sub rsp,20h. Your rsp adjustment is aligning the stack (with an extra 20h bytes for unknown purpose). If you do not want invoke to allocate stack space then follow LocoDelAssembly's suggestion.
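The two explanations above (LocoDelAssembly's point that a stand-alone invoke allocates its own stack space on every call, and revolution's that the hand-written sub rsp,28h merely aligns the stack and leaves 20h unused bytes on top of what invoke emits) can be checked with a small model of rsp. The following is an added example, not code from this thread or from the fasm project: it walks a straight-line x64 trace and, at each call, reports whether rsp is 16-byte aligned and whether the caller owns the 32 bytes of shadow space the Win64 ABI requires (without it, the callee's register homes overwrite the caller's frame). The invoke sizes it models are the ones the thread reports (20h for four arguments, 30h for five); the rounding rule behind them, the tuple trace format, the function names and the starting rsp value are all constructed for the example.

```python
# Added example (not code from the fasm board thread or the fasm project): a model
# of rsp along a straight-line x64 instruction trace that checks, at every `call`,
# the two Win64 ABI rules behind the "stack shift" discussed in the thread:
#   1. rsp must be 16-byte aligned at the call instruction (it is 8 mod 16 at
#      function entry, because the caller's call pushed an 8-byte return address);
#   2. the caller must own at least 32 bytes of "shadow space" just above rsp, or
#      the callee's home stores land on the caller's own frame (memory corruption).
# The invoke expansion models what the thread reports for fasm's 64-bit invoke
# outside frame/endf: its own `sub rsp,N` before the call and `add rsp,N` after,
# with N = 20h for 4 arguments and 30h for 5 (assumed rule: 8*args, at least 32,
# rounded up to a multiple of 16). Traces are constructed (op, operand) tuples.

SHADOW_SPACE = 32  # bytes the Win64 ABI reserves for the callee's register homes


def invoke_frame_size(nargs):
    """Bytes a stand-alone win64 invoke reserves for nargs arguments (assumed rule)."""
    needed = max(nargs, 4) * 8
    return (needed + 15) & ~15


def expand_invoke(nargs):
    """Model the instructions a stand-alone invoke emits around its call."""
    size = invoke_frame_size(nargs)
    return [("sub", size), ("call", None), ("add", size)]


def check_trace(trace, entry_rsp=0x7FFF_FFF8):
    """Walk a trace from function entry; return one report dict per call.

    entry_rsp is a constructed value with entry_rsp % 16 == 8, i.e. what a Win64
    function sees right after being called. 'depth' is the number of bytes the
    function has allocated below its return address at the moment of the call.
    """
    rsp = entry_rsp
    depth = 0
    reports = []
    for op, operand in trace:
        if op == "sub":        # sub rsp,operand
            rsp -= operand
            depth += operand
        elif op == "add":      # add rsp,operand
            rsp += operand
            depth -= operand
        elif op == "push":
            rsp -= 8
            depth += 8
        elif op == "pop":
            rsp += 8
            depth -= 8
        elif op == "call":
            reports.append({
                "depth": depth,
                "aligned": rsp % 16 == 0,
                "shadow_ok": depth >= SHADOW_SPACE,
            })
        else:
            raise ValueError(f"unsupported op {op!r}")
    return reports


# Constructed traces mirroring the thread.
# 1. The hand-written call from the first post: sub rsp,8*5 / call / add rsp,8*5.
MANUAL = [("sub", 0x28), ("call", None), ("add", 0x28)]
# 2. The same sub rsp,8*5 followed by the posted invoke with five arguments
#    (what the IDA screenshot shows as sub rsp,28h+30h).
MANUAL_PLUS_INVOKE5 = [("sub", 0x28)] + expand_invoke(5)
# 3. After dropping the fifth argument: sub rsp,28h, then invoke's own sub rsp,20h.
MANUAL_PLUS_INVOKE4 = [("sub", 0x28)] + expand_invoke(4)
# 4. A call with no allocation at all, for contrast.
BARE = [("call", None)]


def summarize(name, trace):
    """Return a one-line verdict for the first call in the trace."""
    r = check_trace(trace)[0]
    return (f"{name}: {r['depth']:#x} bytes below return address, "
            f"{'aligned' if r['aligned'] else 'MISALIGNED'}, "
            f"shadow space {'ok' if r['shadow_ok'] else 'MISSING'}")


if __name__ == "__main__":
    for name, trace in [("manual call", MANUAL),
                        ("sub 28h + invoke(5 args)", MANUAL_PLUS_INVOKE5),
                        ("sub 28h + invoke(4 args)", MANUAL_PLUS_INVOKE4),
                        ("bare call", BARE)]:
        print(summarize(name, trace))
```

Running it shows the manual call at 28h below the return address (aligned, shadow space present), the sub 28h plus invoke traces at 58h and 48h (still aligned, so nothing crashes, but 28h of it is never used by the callee, which is the "extra 20h bytes" plus alignment pad revolution refers to), and the bare call misaligned with no shadow space. Putting the invoke calls inside frame/endf, as LocoDelAssembly suggests, is the way to get a single allocation sized for the largest call.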
Joined: 08 Mar 2012
Posts: 6
Location: China
Wztml 10 Mar 2012, 08:00
@Rev @LocoDelAssembly
Thank you guys
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
