flat assembler
Message board for the users of flat assembler.

Compiler Internals > [solved] fasm 1.73.09 coff64 + use32

Vic3Dexe
Joined: 16 Feb 2019
Posts: 5
Given:
- the main part of the OS is written with gcc + ld, output is pe-64
- the trampoline code from 32-bit (after multiboot) to 64-bit is written in fasm (because fasm is great and because gas is an unusable piece of sh..)

This trampoline looks like this (all external symbols are provided by ld); pay attention to MS64 COFF and use32:
Code:
                        format          MS64 COFF

                        org             0x100000

extrn                   '_IMG_START'    as IMG_START : dword
extrn                   '_IMG_LD_END'   as IMG_LD_END : dword
extrn                   '_IMG_END'      as IMG_END : dword
extrn                   'Entry64'       as Entry64 : dword

                        section         '.text32' code readable executable
                        use32
; Multiboot 0.6.96 header (flags: bits 0-2, plus bit 16 = address fields present)
MB0696_ALL              =               7 or (1 shl 16)
MB0696_MAGIC            =               0x1BADB002
MBHeader:               dd              MB0696_MAGIC, MB0696_ALL, -(MB0696_ALL + MB0696_MAGIC)
                        dd              MBHeader
                        dd              IMG_START, IMG_LD_END, IMG_END, _entry
                        dd              1, 0, 0, 0

_entry:                 mov             esp,stck
                        cmp             eax,0x2BADB002          ; magic the multiboot loader leaves in eax
                        jne             $                       ; not loaded by multiboot: hang here
                        mov             dword [GDT + 16],0x0000FFFF   ; selector 0x10: 64-bit code descriptor (L bit set)
                        mov             dword [GDT + 16 + 8],0x00AF9B00
                        mov             dword [GDT + 32],0x0000FFFF   ; selector 0x20: flat data descriptor
                        mov             dword [GDT + 32 + 8],0x00CF9300
                        sub             esp,8
                        mov             word [esp],16*3-1       ; GDT limit
                        mov             dword [esp + 2],GDT     ; GDT base
                        lgdt            [esp]
                        mov             eax,0x20
                        mov             DS,ax
                        mov             ES,ax
                        mov             FS,ax
                        mov             GS,ax
                        mov             SS,ax
                        mov             cr4,eax                 ; cr4 = 0x20: PAE on
                        mov             eax,PDPT
                        or              eax,3                   ; present | writable
                        mov             dword [PML4],eax        ; <-- fasm 1.73.09 emits 4 extra bytes after this store
                        mov             eax,PD
                        or              eax,3
                        mov             dword [PDPT],eax        ; <-- and after this one
                        xor             ecx,ecx
.1:                     mov             eax,ecx
                        shl             eax,21
                        or              eax,131                 ; 0x83 = present | writable | 2 MiB page
                        mov             dword [PD + ecx*8],eax  ; identity map the first 1 GiB
                        inc             ecx
                        cmp             ecx,512
                        jb              .1
                        mov             eax,PML4
                        mov             cr3,eax
                        mov             ecx,0xC0000080          ; EFER
                        rdmsr
                        bts             eax,8                   ; EFER.LME
                        wrmsr
                        mov             eax,cr0
                        bts             eax,31                  ; CR0.PG: paging on, long mode active
                        mov             cr0,eax
                        push            0x10                    ; far return into the 64-bit code segment
                        push            Entry64
                        retf

                        section '.bss32' data readable writeable
PML4                    rq              512
PDPT                    rq              512
PD                      rq              512
GDT                     rq              6
                        rd              16
stck:


And the result from IDA (a little messy, sorry)
Code:
                mov     esp, 105070h
seg000:00001035                 cmp     eax, 2BADB002h
seg000:0000103A
seg000:0000103A loc_103A:                               ; CODE XREF: seg000:loc_103Aj
seg000:0000103A                 jnz     short loc_103A
seg000:0000103C                 mov     dword ptr ds:105010h, 0FFFFh  <-------- OK
seg000:00001046                 mov     dword ptr ds:105018h, 0AF9B00h
seg000:00001050                 mov     dword ptr ds:105020h, 0FFFFh
seg000:0000105A                 mov     dword ptr ds:105028h, 0CF9300h
seg000:00001064                 sub     esp, 8
seg000:00001067                 mov     word ptr [esp], 2Fh ; '/'
seg000:0000106D                 mov     dword ptr [esp+2], 105000h
seg000:00001075                 lgdt    qword ptr [esp]
seg000:00001079                 mov     eax, 20h ; ' '
seg000:0000107E                 mov     ds, ax
seg000:00001080                 assume ds:nothing
seg000:00001080                 mov     es, ax
seg000:00001082                 assume es:nothing
seg000:00001082                 mov     fs, ax
seg000:00001084                 assume fs:nothing
seg000:00001084                 mov     gs, ax
seg000:00001086                 assume gs:nothing
seg000:00001086                 mov     ss, ax
seg000:00001088                 assume ss:nothing
seg000:00001088                 mov     cr4, eax
seg000:0000108B                 mov     eax, 103000h
seg000:00001090                 or      eax, 3
seg000:00001093                 mov     ds:102000h, eax
seg000:00001093 ; ---------------------------------------------------------------------------
seg000:00001098                 db    0       
seg000:00001099                 db    0
seg000:0000109A                 db    0   WHAT IS THIS ??????????
seg000:0000109B                 db    0
seg000:0000109C ; ---------------------------------------------------------------------------
seg000:0000109C                 mov     eax, 104000h
seg000:000010A1                 or      eax, 3
seg000:000010A4                 mov     ds:103000h, eax
seg000:000010A4 ; ---------------------------------------------------------------------------
seg000:000010A9                 db    0
seg000:000010AA                 db    0
seg000:000010AB                 db    0 WHAT IS THIS ??????????
seg000:000010AC                 db    0
seg000:000010AD ; ---------------------------------------------------------------------------
seg000:000010AD                 xor     ecx, ecx
seg000:000010AF
seg000:000010AF loc_10AF:                               ; CODE XREF: seg000:000010C7j
seg000:000010AF                 mov     eax, ecx
seg000:000010B1                 shl     eax, 15h
seg000:000010B4                 or      eax, 83h
seg000:000010B9                 mov     ds:104000h[ecx*8], eax <--- oh, seems ok, strange ))
seg000:000010C0                 inc     ecx
seg000:000010C1                 cmp     ecx, 200h
seg000:000010C7                 jb      short loc_10AF
seg000:000010C9                 mov     eax, 102000h
seg000:000010CE                 mov     cr3, eax
seg000:000010D1                 mov     ecx, 0C0000080h
seg000:000010D6                 rdmsr
seg000:000010D8                 bts     eax, 8
seg000:000010DC                 wrmsr
seg000:000010DE                 mov     eax, cr0
seg000:000010E1                 bts     eax, 1Fh
seg000:000010E5                 mov     cr0, eax
seg000:000010E8                 push    10h
seg000:000010EA                 push    10101Dh <-------- OK
seg000:000010EF                 retf
    


The actual bug: when using mov [reloc],reg fasm leaves 4 extra bytes in the output file (as if reloc were a qword), but behaves correctly with mov [reloc],imm, with push reloc, or when using a SIB byte.

Workaround:
Code:
                        mov             ecx,PML4
                        mov             dword [ecx],eax
Post 26 Jan 2021, 01:29
revolution
Joined: 24 Aug 2004
Posts: 18071
Location: In your JS exploiting you and your system
Minimal code might be this:
Code:
format ms64 coff
use32
a: mov [a],eax
Post 26 Jan 2021, 04:30
sinsi
Joined: 10 Aug 2007
Posts: 727
Location: Adelaide
Won't FASM assume that this is a 64-bit section?
Quote:
section '.bss32' data readable writeable

Then the 4 "db 0" would be the top 32 bits of the address.

Although the "use32" should fix it?
Post 26 Jan 2021, 04:50
revolution
Joined: 24 Aug 2004
Posts: 18071
Location: In your JS exploiting you and your system
This only affects eax.

Compare to :
Code:
format ms64 coff
use32
a: mov [a],ecx
Post 26 Jan 2021, 05:10
Tomasz Grysztar
Joined: 16 Jun 2003
Posts: 7889
Location: Kraków, Poland
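As an added illustration (not code from the thread or from fasm) of the four stray zero bytes in the IDA listing above and of revolution's observation that only eax is affected: a small Python decoder for the two MOV-to-memory encodings involved, run in 32-bit and 64-bit decoding mode. The sample bytes are constructed from the addresses in the listing (PML4 = 0x102000, PD = 0x104000).

```python
# Added example, not from the thread: decode the two store encodings used for
# `mov [label],reg` in 32- vs 64-bit mode. Sample bytes are constructed below.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_one(code: bytes, pos: int, bits: int):
    """Decode one instruction at code[pos]; returns (length, text). Only the
    opcodes needed for the listing in the thread are handled."""
    op = code[pos]
    if op == 0xA3:
        # A3 = MOV moffs, EAX: accumulator-only form with a bare address. The
        # address is 4 bytes in 32-bit mode but 8 bytes in 64-bit mode.
        width = 8 if bits == 64 else 4
        off = int.from_bytes(code[pos + 1:pos + 1 + width], "little")
        return 1 + width, f"mov [0x{off:X}], eax"
    if op == 0x89:
        # 89 /r = MOV r/m32, r32: ModRM form used for every other register.
        modrm = code[pos + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod == 0 and rm == 5:
            # mod=00 rm=101 always carries a disp32 (absolute in 32-bit mode,
            # RIP-relative in 64-bit mode), so the length is 6 in both modes.
            disp = int.from_bytes(code[pos + 2:pos + 6], "little")
            return 6, f"mov [0x{disp:X}], {REGS[reg]}"
        raise NotImplementedError("addressing form not covered here")
    if 0xB8 <= op <= 0xBF:
        # B8+r = MOV r32, imm32 (same 5 bytes in both modes without REX)
        imm = int.from_bytes(code[pos + 1:pos + 5], "little")
        return 5, f"mov {REGS[op - 0xB8]}, 0x{imm:X}"
    if op == 0x00 and code[pos + 1] == 0x00:
        # 00 /r with ModRM 00 = ADD [eax], al: what two stray zero bytes decode to
        return 2, "add [eax], al"
    raise NotImplementedError(f"opcode {op:#x} not covered here")

def disassemble(code: bytes, bits: int):
    """Return [(offset, length, text), ...] for a whole byte string."""
    out, pos = [], 0
    while pos < len(code):
        length, text = decode_one(code, pos, bits)
        out.append((pos, length, text))
        pos += length
    return out

# Constructed from the IDA listing: bytes fasm 1.73.09 emitted for
# `mov dword [PML4],eax` (PML4 = 0x102000) followed by `mov eax,PD` (PD = 0x104000).
BUGGY = bytes.fromhex("A3 00 20 10 00 00 00 00 00 B8 00 40 10 00")
# `mov [label],ecx` with label = 0x102000: 89 0D + disp32, six bytes in either mode.
ECX_STORE = bytes.fromhex("89 0D 00 20 10 00")

if __name__ == "__main__":
    for bits in (32, 64):
        for off, length, text in disassemble(BUGGY, bits):
            print(f"{bits}-bit  {off:04X}  {length} bytes  {text}")
```

Decoded as 32-bit code, BUGGY splits into the 5-byte store plus two `add [eax], al` instructions, exactly the `db 0` lines IDA showed; decoded as 64-bit code, the same 9 bytes are one `mov [moffs64], eax`, which is the width fasm had wrongly picked for the use32 section.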
As a temporary* workaround I might offer using fasmg with compatibility headers. I assembled the unaltered source with:
Code:
fasmg -iInclude('format/format.inc') test.asm
and I believe it produces the correct result then.

* I'm going to fix it as soon as possible, but perhaps having such workaround may come in handy sometimes.
Post 26 Jan 2021, 08:45
Tomasz Grysztar
Joined: 16 Jun 2003
Posts: 7889
Location: Kraków, Poland
It's fixed in 1.73.26 (it now produces the same file as fasmg).
Post 26 Jan 2021, 11:59
Vic3Dexe
Joined: 16 Feb 2019
Posts: 5
revolution wrote:
Minimal code might be this:
Code:
format ms64 coff
use32
a: mov [a],eax

I tried to show all cases I have, where it worked and where not.
Tomasz Grysztar wrote:
It's fixed in 1.73.26 (it now produces the same file as fasmg).

Thank you!
Post 26 Jan 2021, 15:43
Copyright © 1999-2020, Tomasz Grysztar.