flat assembler
Message board for the users of flat assembler.

Addition x64

Joined: 08 May 2015
Posts: 15
yq8 08 May 2015, 12:57
Hello guys,

After a few minutes I've come up with this code for a simple addition:

Code:
push ebp
mov ebp, esp
mov eax, [ebp+0x0C]
mov ecx, [ebp+0x8]
add eax, ecx
pop ebp
ret 0x8

This works fine for x86, but I also need to create a function for x64.
This was my attempt to create the x64 code:

Code:
push rbp
mov rbp, rsp
xor rax, rax
xor rcx, rcx
mov eax, dword [rbp+0x0C]
mov ecx, dword [rbp+0x10]
add rax, rcx
pop rbp
ret 0x8

But this code is wrong somehow.
It doesn't return the value of the addition but some other value.
Can someone help me fix the x64 code?

Cheers
yq8
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 20401
Location: In your JS exploiting you and your system
revolution 08 May 2015, 14:24
Your offsets into that stack are wrong. Each 64-bit push is 8 bytes.
yq8 08 May 2015, 22:32
revolution wrote:
Your offsets into that stack are wrong. Each 64-bit push is 8 bytes.


Code:
push rbp
mov rbp, rsp
xor rax, rax
xor rcx, rcx
mov rax, qword [rbp+0x10]
mov rcx, qword [rbp+0x18]
add rax, rcx
pop rbp
ret 0x10

Thanks for the hint, I have now corrected the offsets, but it is still returning completely wrong results.
100 + 5 = 485219888, it says?
What's wrong? I can't see the problem.
revolution 09 May 2015, 00:11
How are you calling it?

Show more of your code.
yq8 09 May 2015, 00:32
I call this code as byte[] from C#.
The x86 code works fine, the x64 doesn't.
What could be the issue?
revolution 09 May 2015, 00:37
What is the 64-bit call convention used by C#? fastcall?
yq8 09 May 2015, 18:34
As I said, I execute it as a byte[] like so:

Code:
// Needs: using System; using System.Runtime.InteropServices;
// kernel32 declarations the routine relies on (not shown in the original post)
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
private const uint PAGE_EXECUTE_READWRITE = 0x40;

// x64Addition is the byte[] holding the assembled routine; its bytes are not shown in the post.
// The delegate uses the default (Winapi) convention: stdcall on x86, where the
// arguments sit on the stack and the callee cleans up with 'ret 8', but the
// Microsoft x64 convention on x64, where they arrive in RCX and RDX.
private delegate int DelAddNative(int a, int b);

private static Int32 AddNative(int a, int b)
{
    Int32 OutRes = 0;

    // Allocate a handle and pin the array so the GC cannot move it
    GCHandle PinnedArray = GCHandle.Alloc(x64Addition, GCHandleType.Pinned);

    // Get address of the pinned object (the shellcode)
    IntPtr ShellcodePointer = PinnedArray.AddrOfPinnedObject();

    // Convert function-pointer to Delegate
    DelAddNative AddDelegate = (DelAddNative)Marshal.GetDelegateForFunctionPointer(ShellcodePointer, typeof(DelAddNative));

    uint flOldProtect;

    // Make shellcode executable
    VirtualProtect(ShellcodePointer, (UIntPtr)x64Addition.Length, PAGE_EXECUTE_READWRITE, out flOldProtect);

    // Execute shellcode
    OutRes = AddDelegate(a, b);

    // Restore old flag
    VirtualProtect(ShellcodePointer, (UIntPtr)x64Addition.Length, flOldProtect, out flOldProtect);

    // Release handle
    PinnedArray.Free();

    return OutRes;
}

Not sure how I can use the fastcall convention here, since I am not importing any DLL.
The strange thing is, the x64 code looks alright, though I get an exception when executing it, which does not happen with the x86 code.
Any more ideas?
revolution 09 May 2015, 23:19
If it is using fastcall (which is not stated in your code above so I don't know what it is) then all you need for addition is this:
Code:
x64Addition:
  mov rax,rcx  ;parameter 1
  add rax,rdx  ;parameter 2
  ret

yq8 10 May 2015, 06:11
@revolution: Nice man, that works.
Thanks a bunch ^^
revolution 10 May 2015, 06:52
For something slightly less clear it can be reduced to a single instruction:
Code:
x64Addition:
  lea rax,[rcx+rdx]
  ret

Joined: 10 Aug 2007
Posts: 794
Location: Adelaide
sinsi 10 May 2015, 07:18
With ADD you can check the carry flag though...
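What revolution calls fastcall is the Microsoft x64 calling convention: the first four integer arguments travel in RCX, RDX, R8 and R9, so the stack offsets of the x86 version have no x64 equivalent. The following is an added example of mine, not code from the thread or from fasm: it assembles revolution's two routines plus a variant that exports the carry flag sinsi mentions, and calls them through __attribute__((ms_abi)), which makes GCC or Clang on any x86-64 OS (assumed here) use that convention.

```c
/* Added example, not from the thread: Windows x64 passes the first integer
 * arguments in RCX, RDX, R8, R9, so no stack offset can fix the x86 version.
 * __attribute__((ms_abi)) makes GCC/Clang on any x86-64 OS call a function
 * with that convention, so the bodies posted above can be exercised here.
 * Assumes an x86-64 build with GCC or Clang. */
#include <stdint.h>
#include <stdio.h>
#if !defined(__x86_64__)
#error "needs an x86-64 target (GCC or Clang)"
#endif
/* The routines in Intel syntax, as in the thread: no prologue, no stack access, bare ret. */
__asm__(
    ".text\n"
    ".intel_syntax noprefix\n"
    ".globl add_ms\n"
    "add_ms:\n"
    "  mov rax, rcx\n"         /* parameter 1 */
    "  add rax, rdx\n"         /* parameter 2 */
    "  ret\n"
    ".globl lea_ms\n"
    "lea_ms:\n"
    "  lea rax, [rcx+rdx]\n"   /* one instruction, but leaves the flags alone */
    "  ret\n"
    ".globl add_ms_carry\n"
    "add_ms_carry:\n"
    "  mov rax, rcx\n"
    "  add rax, rdx\n"
    "  setc byte ptr [r8]\n"   /* parameter 3: byte that receives CF */
    "  ret\n"
    ".att_syntax prefix\n");
/* __asm__("name") pins the symbol so the declaration matches the label on every x86-64 platform. */
extern __attribute__((ms_abi)) int64_t add_ms(int64_t a, int64_t b) __asm__("add_ms");
extern __attribute__((ms_abi)) int64_t lea_ms(int64_t a, int64_t b) __asm__("lea_ms");
extern __attribute__((ms_abi)) uint64_t add_ms_carry(uint64_t a, uint64_t b, uint8_t *cf) __asm__("add_ms_carry");
/* Wrapper exposing the carry flag as a return value (sinsi's point). */
static int carry_of_add(uint64_t a, uint64_t b, uint64_t *sum)
{
    uint8_t cf = 0;
    *sum = add_ms_carry(a, b, &cf);
    return cf;
}
int main(void)
{
    uint64_t sum;
    int cf = carry_of_add(UINT64_MAX, 1, &sum);
    printf("add_ms(100,5)=%lld lea_ms(100,5)=%lld\n",
           (long long)add_ms(100, 5), (long long)lea_ms(100, 5));
    printf("UINT64_MAX+1: carry=%d sum=%llu\n", cf, (unsigned long long)sum);
    return 0;
}
```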
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.