flat assembler
Message board for the users of flat assembler.

Addition x64

yq8
Joined: 08 May 2015
Posts: 15
Hello guys,

After a few minutes I've come up with this code for a simple addition:


Code:
push ebp
mov ebp, esp
mov eax, [ebp+0x0C]
mov ecx, [ebp+0x8]
add eax, ecx
pop ebp
ret 0x8
This works fine for x86 but I also need to create a function for x64.
This was my attempt to create the x64 code

Code:
push rbp
mov rbp, rsp
xor rax, rax
xor rcx, rcx
mov eax, dword [rbp+0x0C]
mov ecx, dword [rbp+0x10]
add rax, rcx
pop rbp
ret 0x8
But this code is wrong somehow.
It doesn't return the value of the addition but some other value.
Can someone help me to fix the x64 code?

Cheers
yq8
Post 08 May 2015, 12:57
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17352
Location: In your JS exploiting you and your system
Your offsets into that stack are wrong. Each 64-bit push is 8 bytes.
Post 08 May 2015, 14:24
yq8
revolution wrote:
Your offsets into that stack are wrong. Each 64-bit push is 8 bytes.


Code:
push rbp
mov rbp, rsp
xor rax, rax
xor rcx, rcx
mov rax, qword[rbp+0x10]
mov rcx, qword[rbp+0x18]
add rax, rcx
pop rbp
ret 0x10
Thanks for the hint, I have now corrected the offsets, but it's still returning completely wrong results.
100 + 5 = 485219888, it says?
What's wrong? I can't see the problem.
Post 08 May 2015, 22:32
revolution
How are you calling it?

Show more of your code.
Post 09 May 2015, 00:11
yq8
I call this code as byte[] from C#.
The x86 code works fine, the x64 doesn't.
What could be the issue?
Post 09 May 2015, 00:32
revolution
What is the 64-bit call convention used by C#? fastcall?
Post 09 May 2015, 00:37
yq8
As I said, I execute it from a byte[] like so:

Code:
// Required at the top of the file
using System;
using System.Runtime.InteropServices;

// P/Invoke declaration and constant the code below relies on
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

private const uint PAGE_EXECUTE_READWRITE = 0x40;

private delegate int DelAddNative(int a, int b);

// x64Addition is the byte[] holding the assembled function (defined elsewhere in the poster's code)
private static Int32 AddNative(int a, int b)
{
    Int32 OutRes = 0;

    // Allocate a handle: pin the byte[] so the GC cannot move it
    GCHandle PinnedArray = GCHandle.Alloc(x64Addition, GCHandleType.Pinned);

    // Get the address of the pinned shellcode
    IntPtr ShellcodePointer = PinnedArray.AddrOfPinnedObject();

    // Convert function pointer to delegate
    DelAddNative AddDelegate = (DelAddNative)Marshal.GetDelegateForFunctionPointer(ShellcodePointer, typeof(DelAddNative));

    uint flOldProtect;

    // Make shellcode executable
    VirtualProtect(ShellcodePointer, (UIntPtr)x64Addition.Length, PAGE_EXECUTE_READWRITE, out flOldProtect);

    // Execute shellcode
    OutRes = AddDelegate(a, b);

    // Restore old protection flag
    VirtualProtect(ShellcodePointer, (UIntPtr)x64Addition.Length, flOldProtect, out flOldProtect);

    // Release handle
    PinnedArray.Free();

    return OutRes;
}
Not sure how I can use the fastcall convention here since I am not importing any DLL.
The strange thing is that the x64 code looks alright, though I get an exception when executing it, which I don't with the x86 code.
Any more ideas?
Post 09 May 2015, 18:34
revolution
If it is using fastcall (which is not stated in your code above so I don't know what it is) then all you need for addition is this:
Code:
x64Addition:
  mov rax,rcx  ;parameter 1
  add rax,rdx  ;parameter 2
  ret
Post 09 May 2015, 23:19
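As an added illustration (not code from the thread or from fasm itself), here is the same function in fasm x64 syntax extended to five int arguments under the Windows x64 convention revolution's answer assumes: the first four arrive in rcx, rdx, r8 and r9, anything beyond that sits on the stack above the 32-byte shadow space, and the caller, not the callee, removes the arguments. The C# delegate signature DelAdd5 in the comment is hypothetical.

```asm
; Added example, not from the thread: Win64 "fastcall" addition of five ints.
; Hypothetical C# side: private delegate int DelAdd5(int a, int b, int c, int d, int e);
use64

x64Add5:
        push    rbp
        mov     rbp, rsp
        ; Stack as seen from here (8-byte slots):
        ;   [rbp+0x00]  saved rbp
        ;   [rbp+0x08]  return address
        ;   [rbp+0x10]  home slot for rcx  \  32-byte shadow space the caller reserves
        ;   [rbp+0x18]  home slot for rdx   | but is not required to fill, so reading
        ;   [rbp+0x20]  home slot for r8    | a and b from here yields leftover garbage
        ;   [rbp+0x28]  home slot for r9   /
        ;   [rbp+0x30]  e, the first argument passed on the stack
        mov     eax, ecx                ; a  (int arguments use the low 32 bits)
        add     eax, edx                ; + b
        add     eax, r8d                ; + c
        add     eax, r9d                ; + d
        add     eax, dword [rbp+0x30]   ; + e
        pop     rbp
        ret                             ; caller cleans up; "ret 0x10" would unbalance its stack
```

Reading a and b from [rbp+0x10] and [rbp+0x18] is exactly what the earlier stack-based attempt did, which is why it returned an unrelated value rather than the sum.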
yq8
@revolution: Nice man, that works :)
Thanks a bunch ^^
Post 10 May 2015, 06:11
revolution
For something slightly less clear it can be reduced to a single instruction:
Code:
x64Addition:
  lea rax,[rcx+rdx]
  ret
Post 10 May 2015, 06:52
sinsi
Joined: 10 Aug 2007
Posts: 695
Location: Adelaide
With ADD you can check the carry flag though...
Post 10 May 2015, 07:18
Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.
