flat assembler
Message board for the users of flat assembler.
Windows > Very Beginner- Learning 64-bit Assembly (resources?)
MazeGen 16 Aug 2006, 07:37
Here are some good links about x64 conventions:
http://msdn.microsoft.com/msdnmag/issues/06/05/x64/default.aspx
http://msdn2.microsoft.com/en-us/library/7kcdt6fy.aspx
http://blogs.msdn.com/oldnewthing/archive/2004/01/14/58579.aspx
http://blogs.msdn.com/freik/archive/2006/01/04/509372.aspx
As for a debugger, Microsoft provides WinDbg for free: http://www.microsoft.com/whdc/devtools/debugging/default.mspx
You can also search this board for "FDBG", an open-source x64 debugger written by Feryno.
Feryno 16 Aug 2006, 07:47
Hello Regen and welcome here.
You have to learn from 2 areas:
1. asm instructions - look into the fasm zip package for the file FASM.TXT (200 kB) or FASM.PDF (400 kB). A good idea is to step through instructions under a debugger to see what happens with registers and memory. Learn the registers first (Table 1.2, Table 2.4 from fasm.txt or pdf), then start with the instructions mov lea call ret cmp jz jnz jc jnc, ...
2. win64-specific part of coding (like how to read a file, write to the console, create a window, what a message loop is, how to pass parameters to an API, which registers are nonvolatile, ...) - try to read EXAMPLES\PE64DEMO from fasmw.zip http://board.flatassembler.net/download.php?id=1988 or try to learn from the Iczelion tutorials (but they are for win32 and you have to convert them into win64). You will need to know how to pass parameters to the API: http://flatassembler.net/docs/win32hlp.zip or the online MSDN library. Don't forget to look into http://flatassembler.net/docs.php
You will have a lot of questions. Don't hesitate to ask at the forum. You decided to start a fight; you will have a lot of information at the beginning and you will have difficulties selecting what is important, what is more important and what is the most important.
fdbg is too big to learn from, and now I'm rewriting it completely from the base because of the big mess in the sources, and constructing a completely new face. fdbg.exe is fully functional; it is meant for beginners. I tried to make its input the easiest; it shows you every register (with a very small font to fit into 1 screen).
Regen 16 Aug 2006, 23:18
Ok, thanks for pointing me in the right direction. I'll be checking those out.
Regen 18 Aug 2006, 01:20
Quick question.
How do I view a hex dump of a file? Using either windbg or fdbg or both.
Regen 18 Aug 2006, 05:08
Ok, I found how to view hex dumps: by opening the file, attaching windbg to the process, then View->Memory or Alt+F5, but it doesn't show me the hex dump for the file that I attached it to. For example, if I create a .txt document in notepad with random words, those words won't appear in the ASCII portion of the hex dump, because it isn't showing the portion of memory that has the text.
What am I doing wrong? Also, is there a better way to navigate the hex dump? Is there a way to limit the memory addresses it will dump the info from? Thanks!
Edit: Oh, also, is there a way to view the hex dump without first attaching to the process? I ask because it requires that you start running the program to attach to it. You can't view the hex info for a notepad file without first opening that file.
Feryno 18 Aug 2006, 09:15
An exe file and the image of its process in memory are very different.
1. Hex dump of a file: personally, I use Total Commander for text editing and text/hex viewing of files: press F3 (=View) on the file, then press 3 (=Options->Hex). You can use various hex editors (more powerful for hex operations than totalcmd) - biew, Hex Workshop, ...
2. Hex dump of the image of a process: it is a good choice to execute the file to view the image of its process and use a debugger to examine the process memory. Of course, there is one complicated way without executing the file - manual calculations from the exe header. If you are afraid that the exe could be malware, loading the file under a debugger is secure if you don't run it or make some steps. When you load an exe under a debugger, the debugger stops at the exe entry point or even before the entry point, at an ntdll breakpoint.
-----
When you type some words in notepad.exe and then you attach to the notepad process, it is very hard work to find where the process stores the buffer holding the text you typed. You can easily view a hex dump of the process, because the debugger notifies you where the process resides. But you don't know where the process allocates buffers, and memory is too big to try to find them randomly. You need a lot of time and experience to disassemble and trace notepad to find where the buffer holding the text you typed is. If the buffer is in the image of the process, you can use the Find function of fdbg to find text strings or hex byte sequences. But I suppose that notepad uses an API to allocate memory somewhere outside of its process image.
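The "manual calculations from the exe header" mentioned above are exactly what a hex editor cannot do for you: a byte you find at some file offset lives at a different address once the loader maps the image, and some in-memory bytes (zero-filled section tails, heap buffers such as notepad's edit buffer) have no file offset at all. The following Python script is an added example, not code from the thread, fdbg or fasm: it builds a constructed two-section PE32+ layout in memory (headers and section table only, not a runnable executable; the ImageBase 0x140000000 and the section sizes are assumptions chosen for the demonstration), parses the DOS/COFF/optional headers and section table, and converts between file offsets and RVAs/VAs in both directions.

```python
"""Map between file offsets and loader addresses of a PE32+ (x64) image.

Added example. The sample bytes are constructed here and are NOT a real
executable; only the headers and section table are meaningful.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IMAGE_BASE = 0x140000000   # assumed preferred load address (typical for x64 EXEs)
SECTION_ALIGN = 0x1000     # granularity the loader uses in memory
FILE_ALIGN = 0x200         # granularity the linker uses on disk


@dataclass
class Section:
    name: str
    rva: int        # VirtualAddress: start of the section relative to ImageBase
    vsize: int      # VirtualSize: bytes the section occupies in memory
    raw_ptr: int    # PointerToRawData: where its bytes start in the file
    raw_size: int   # SizeOfRawData: how many of those bytes the file supplies


@dataclass
class PEInfo:
    image_base: int
    sizeof_headers: int
    sections: List[Section]


def _section_header(name: bytes, rva: int, vsize: int, raw_ptr: int, raw_size: int, flags: int) -> bytes:
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
    return struct.pack("<8sIIIIIIHHI", name, vsize, rva, raw_size, raw_ptr, 0, 0, 0, 0, flags)


def build_sample_pe() -> bytes:
    """Constructed PE32+ layout: .text at RVA 0x1000, .data at RVA 0x2000 (1 page in memory, 0x200 on disk)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)                    # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)   # AMD64, 2 sections, 240-byte optional header
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000,   # magic PE32+, linker ver, sizes, entry, base of code
                      IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN,
                      6, 0, 0, 0, 6, 0, 0,                            # OS/image/subsystem versions, Win32VersionValue
                      0x3000, 0x200, 0, 3, 0x8160,                    # SizeOfImage, SizeOfHeaders, checksum, CUI, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)      # stack/heap sizes, loader flags, 16 data directories
    opt += b"\0" * (16 * 8)                                            # empty data directories
    text = _section_header(b".text", 0x1000, 0x10, 0x200, 0x200, 0x60000020)
    data = _section_header(b".data", 0x2000, 0x1000, 0x400, 0x200, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + text + data).ljust(0x200, b"\0")
    text_raw = b"\x48\x31\xC0\xC3".ljust(0x200, b"\xCC")              # xor rax,rax ; ret ; int3 padding
    data_raw = b"hello from .data\0".ljust(0x200, b"\0")
    return headers + text_raw + data_raw


def parse_pe(pe: bytes) -> PEInfo:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (x64) is handled here")
    image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    sizeof_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    sections = []
    for i in range(nsec):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii"), rva, vsize, raw_ptr, raw_size))
    return PEInfo(image_base, sizeof_headers, sections)


def rva_to_file_offset(info: PEInfo, rva: int) -> Optional[int]:
    """Which file byte backs the in-memory byte at `rva`? None when the file supplies none."""
    if rva < info.sizeof_headers:
        return rva                                   # headers are mapped 1:1
    for s in info.sections:
        if s.rva <= rva < s.rva + max(s.vsize, s.raw_size):
            delta = rva - s.rva
            return s.raw_ptr + delta if delta < s.raw_size else None   # None: zero-filled, memory-only tail
    return None                                      # outside the image: heap, stack, other modules


def file_offset_to_va(info: PEInfo, off: int) -> Optional[int]:
    """Where will the byte at file offset `off` sit once loaded at the preferred ImageBase?"""
    if off < info.sizeof_headers:
        return info.image_base + off
    for s in info.sections:
        if s.raw_ptr <= off < s.raw_ptr + s.raw_size:
            return info.image_base + s.rva + (off - s.raw_ptr)
    return None                                      # overlay or debug data the loader never maps


def locate_string(pe: bytes, needle: bytes) -> Optional[Tuple[int, int]]:
    """Hex-editor style search on the file, then translate the hit into its runtime address."""
    off = pe.find(needle)
    if off < 0:
        return None
    return off, file_offset_to_va(parse_pe(pe), off)


if __name__ == "__main__":
    sample = build_sample_pe()
    meta = parse_pe(sample)
    print("string found:", locate_string(sample, b"hello from .data"))
    print("RVA 0x2500 (zero-filled .data tail) ->", rva_to_file_offset(meta, 0x2500))
    print("RVA 0x9000 (heap/stack, not in the image) ->", rva_to_file_offset(meta, 0x9000))
```

Run against a real x64 executable by replacing `build_sample_pe()` with `open(path, "rb").read()`; the search result then gives the address to type into fdbg's or WinDbg's memory view, provided the module actually loaded at its preferred ImageBase (with ASLR, add the difference between the real and preferred base). An RVA that maps to `None` is the case from the notepad question: those bytes exist only in the running process and no hex dump of the file will ever show them.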
Regen 18 Aug 2006, 22:48
Ok, thank you for the information. I need to try some things before I know how much it helps.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.