flat assembler
Message board for the users of flat assembler.

Index > Main > Executing Opcodes

Goto page 1, 2  Next
Author
Thread Post new topic Reply to topic
TheLord



Joined: 24 Oct 2006
Posts: 42
TheLord 24 Oct 2006, 20:26
Hi, and sorry if it's not the right section to post, btw, I'm french so sorry for the bad english (oh god the bad intro :p).

I started ASM since a little time, and I face this problem, wich I dont understand at all.

I have a variable wich I declare as byte:

Code:
api_opcode  db 8Bh,0FFh,55h,8Bh,0ECh,0E9h,0000h
    


Wich is opcode for

Code:
mov edi, edi
push ebp
mov ebp, esp
jmp    


What I need to do is to add an address to this so I will finally have a full set of instructions to execute (and an adress to fill to the jmp) like that:

Code:
lea eax, dword[api_opcode]
mov [eax + 24], edi ;edi handle the address I need to add
call eax  ;Execution     


Once I've compiled the executable, I go in olly to debug and check what is wrong in the opcode and I got this:

Code:
004010C9     8BFF           MOV EDI,EDI
004010CB     55             DB 55                                    ;  CHAR 'U'
004010CC     8B             DB 8B
004010CD     EC             DB EC
004010CE     E9             DB E9
    


as you see the first instruction is OK (8B FF), but the others are not good, as I should see push ebp and mov ebp, esp in the instructions window right ?

What I did wrong ? thx for time you pass on this problem and see ya Smile (and hello to okasvi)
Post 24 Oct 2006, 20:26
View user's profile Send private message Reply with quote
Remy Vincent



Joined: 16 Sep 2005
Posts: 155
Location: France
Remy Vincent 24 Oct 2006, 21:31
TheLord wrote:
Hi


Any 32 bit value have bounds. For a variable, a bound is like a floor and a roof... But the idea is easyer to follow if you live under a flat roof, because signed 32 bit values have 2 flat bounds : [-2^31] and [2^31 - 1]

mov [eax + 24], edi ;edi handle the address I need to add

Sure you are just loading a value above the bound [2^31 - 1], so you store a negative 32bit number instead of storing a positive number between bounds [0..2^32] Sure
Post 24 Oct 2006, 21:31
View user's profile Send private message Visit poster's website Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 24 Oct 2006, 21:45
maybe you don't have 4 bytes for immediate of jump reserved?

Code:
api_opcode  db 8Bh,0FFh,55h,8Bh,0ECh,0E9h,0000h    

to
Code:
api_opcode  db 8Bh,0FFh,55h,8Bh,0ECh,0E9h,0,0,0,0    
Post 24 Oct 2006, 21:45
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 24 Oct 2006, 21:49
wait.. why +24? shouldn't it be +6 ?
Post 24 Oct 2006, 21:49
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
MazeGen



Joined: 06 Oct 2003
Posts: 977
Location: Czechoslovakia
MazeGen 25 Oct 2006, 07:09
TheLord, it is probably because of your OllyDbg's settings. Try to switch off options -> debugging options -> analysis 1 -> autostart analysis of main module or right-click in code window -> analysis -> remove analysis.
Post 25 Oct 2006, 07:09
View user's profile Send private message Visit poster's website Reply with quote
Remy Vincent



Joined: 16 Sep 2005
Posts: 155
Location: France
Remy Vincent 25 Oct 2006, 16:21
It's funny, this code is like a DELPHI16 code I have done: - Catching the FormCreate(f,c) - forbidden AutoCreate - Storing the 2 parameters - Then opening the form when USER dbl-click on the listbox... But it was done in DELPHI16, because I remember that writing a hook inside a Code Segment was possible, with something like CSToDSAlias() function.

I tried to do the same program with DELPHI32 but it was to much thinking and thinking... Embarassed Embarassed Embarassed Embarassed Embarassed Embarassed Embarassed Embarassed Embarassed

_________________
Groups lower your IQ
Post 25 Oct 2006, 16:21
View user's profile Send private message Visit poster's website Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 25 Oct 2006, 16:26
sure, on 16bits there's no memory locking. On 32bits, your code segment may be read-only, you need to call VirtualProtect
Post 25 Oct 2006, 16:26
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
Remy Vincent



Joined: 16 Sep 2005
Posts: 155
Location: France
Remy Vincent 25 Oct 2006, 16:35
Hope this topic is going to be solved Smile Confused Arrow Rolling Eyes

_________________
Groups lower your IQ
Post 25 Oct 2006, 16:35
View user's profile Send private message Visit poster's website Reply with quote
TheLord



Joined: 24 Oct 2006
Posts: 42
TheLord 25 Oct 2006, 17:18
thx for replying Smile

and thx to MazeGen, because yeah, it was my setting, btw, it's also better with eax + 6 lol . so from now I know my opcode is OK then this how I do the thing:

Code:
opcode : 8Bh,0FFh,55h,8Bh,0ECh,0E9h,0000h,0000h,0000h,0000h    


wich is :

Code:
mov edi, edi
push ebp
mov ebp, esp    


+ enough place to stick my address. Then this is my little piece of code:

Code:
Proc:
        lea eax, dword[opcode]
        mov [eax + 6], edi ;edi handle the address I need to jmp to
        call eax     


all seems fine to me, I debugged the compiled file, all is written normally, but .. I still get this

Error executing 7CC0351A when the address I jmp to is 7C802447 wich point to: push 0
Surprised
Post 25 Oct 2006, 17:18
View user's profile Send private message Reply with quote
Goplat



Joined: 15 Sep 2006
Posts: 181
Goplat 25 Oct 2006, 17:55
The immediate call instruction's address is relative to the end of the instruction, so you need to subtract (opcode + 11) from the address before you store it.
Post 25 Oct 2006, 17:55
View user's profile Send private message Reply with quote
TheLord



Joined: 24 Oct 2006
Posts: 42
TheLord 25 Oct 2006, 18:25
hmmm I dont understand this.

when I look in olly I have this info when the call is executed:

EAX=004010C9 (test.004010C9)

wich point to the beggining of the opcodes, I would have guessed it should execute this code from the beggining to the jmp and then continue its way normally !
Post 25 Oct 2006, 18:25
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 25 Oct 2006, 18:40
no, the problem is E9 instruction. the 4byte immediate behind it is not ADDRESS where to continue, it's address relative to beginning of next isntruction behind jmp. so for example this instruction db 0E9h, 0, 0, 0, 0 does nothing. you can write it like this:
Code:
jmp _label
_label:    


then db 0E9h, 2, 0, 0, 0 is jmp _label+2 etc.

so you need:
Code:
        lea eax, dword[opcode] 
        mov [eax + 6], edi ;edi handle the address I need to jmp to 
        sub [eax+6], opcode+11 ;convert absolute to relative address
        call eax     

understand?

PS: happy rootkittin' Wink
Post 25 Oct 2006, 18:40
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
TheLord



Joined: 24 Oct 2006
Posts: 42
TheLord 25 Oct 2006, 19:04
thx for replying. btw someone else told me to sub EIP ... I did a little something, a little calcul to check something:

My EIP when I call is: 004010C4
the address where my jmp point to is: 7C802447

If I add I get 7CC0350B

And if I add 11 I got the address the error is tellin me:
Error executing 7CC0351A

is that stuff rely on what you're tellin me ? (I guess yes)

not rootkittin' but yeah it's API hooking, I already have Reverend LDE wich is really good and does the job whitout needing me to hardcode anything, just learning and far away to be able to code a rk ! :p
Post 25 Oct 2006, 19:04
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 25 Oct 2006, 19:28
i just explained to you how "jmp near" instruction works. And you computation proves it (if i understood you right)
Post 25 Oct 2006, 19:28
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
Remy Vincent



Joined: 16 Sep 2005
Posts: 155
Location: France
Remy Vincent 25 Oct 2006, 19:47
@TheLord: I have a code like you need, neerly working, except the "MOV [EDI] , AL", with EDI pointing to a code segment... I don't know what to do!!
@vid: do you know someone who know how to write inside the CODE SEGEMENT



Code:
FORMAT PE GUI 4.0
ENTRY Start

INCLUDE "C:\Prog\Fasm164\FasmW\INCLUDE\win32a.inc"

SECTION '.data' DATA READABLE WRITEABLE

   C_Track01        DB   'Music track 01',0
   C_Track02        DB   'Music track 02',0
   C_Track03        DB   'Music track 03',0
   C_Track04        DB   'Music track 04',0


   C_Title          DB   'OLLLLLD TITLE',0
   C_NewTitle       DB   '----- NNEEEEEEEEEEWW TIIIIIIITLE -----',0

   G_KEEP_MyMuBePl  DB   0,0,0,0, 0,0,0,0

SECTION '.code' CODE READABLE EXECUTABLE
Start:
         ;--------------- Usual CALL ---------------

         PUSH     C_Track01
         CALL     MyMusicBeeingPlayed

         ;--------------- Installing an """indirect call""" ---------------

         ;----- 1. Keep current code
         MOV      ESI , MyMusicBeeingPlayed
         MOV      EDI , G_KEEP_MyMuBePl
         MOV      EAX , [ESI]
         MOV      [EDI] , EAX
         ADD      ESI , 4
         ADD      EDI , 4
         MOV      EAX , [ESI]
         MOV      [EDI] , EAX

         ;----- 2. Install JMP to NEW_TITLEPROC
         MOV      EDI , MyMusicBeeingPlayed
         MOV      AL , 0xE9
         ;--PROBLEM!!!!!!!!!!!!       MOV      [EDI] , AL
         INC      EDI
         MOV      EAX , NEW_TITLEPROC
         ;--MOV      [EDI] , EAX

         ;--------------- INDIRECT call ---------------

         ;--YES, WORKING IF CALLED DIRECTLY--
         ;--PUSH     C_Track01             --
         ;--CALL     NEW_TITLEPROC         --

         PUSH     C_Track01
         CALL     MyMusicBeeingPlayed

         ;--------------- Deleting the """indirect call""" ---------------

         ;--------------- Usual call AGAIN ---------------

         PUSH     C_Track01
         CALL     MyMusicBeeingPlayed

         ;--------------- / ---------------

         PUSH     0
         CALL     [ExitProcess]

MyMusicBeeingPlayed:
         PUSH     EBP
         MOV      EBP , ESP

         MOV      EBX , +8
         MOV      EDX , [EBP+EBX]

         PUSH     MB_OK + MB_ICONEXCLAMATION
         PUSH     C_Title
         PUSH     EDX
         PUSH     0
         CALL     [MessageBox]

         POP      EBP
         RET

NEW_TITLEPROC:
         PUSH     EBP
         MOV      EBP , ESP

         MOV      EBX , +8
         MOV      EDX , [EBP+EBX]

         PUSH     MB_OK + MB_ICONEXCLAMATION
         PUSH     C_NewTitle
         PUSH     EDX
         PUSH     0
         CALL     [MessageBox]

         POP      EBP
         RET

SECTION '.idata' IMPORT DATA READABLE WRITEABLE

   library          kernel , "KERNEL32.DLL" ,\
                    user   , "USER32.DLL"

   import   kernel ,\
      ExitProcess , "ExitProcess"

   import   user ,\
      MessageBox , "MessageBoxA"

SECTION '.reloc' FIXUPS DATA READABLE DISCARDABLE
    
Post 25 Oct 2006, 19:47
View user's profile Send private message Visit poster's website Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 25 Oct 2006, 20:07
Remy: study VirtualAlloc from Win32API
Post 25 Oct 2006, 20:07
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
TheLord



Joined: 24 Oct 2006
Posts: 42
TheLord 25 Oct 2006, 20:51
yeah Vid, in fact I was calculating this and when I came here I saw your answer, wich is just great thx to you all, my prob is solved I can continue ^^
Post 25 Oct 2006, 20:51
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 25 Oct 2006, 21:37
glad to help
Post 25 Oct 2006, 21:37
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
Remy Vincent



Joined: 16 Sep 2005
Posts: 155
Location: France
Remy Vincent 26 Oct 2006, 20:50
Adding this code, it's INCREDIBLE, writing to the CODE SEGMENT is working

I was planning to use the constant: PAGE_EXECUTE_READWRITE
but in fact, this constant is enough: PAGE_READWRITE
Conclusion: First constant is too much, just readwrite is enough for a code segment. Also It's funny, the usual FASM code segment HEADER seems to be ignored, because the VirtualQuery() function says that the segment is ReadOnly "only"...
==> SECTION '.code' CODE READABLE EXECUTABLE

Code:
         ;----- 2. Enable access to memory block
         MOV      EDX , G_OLD_Protect
         PUSH     EDX
         MOV      EDX , PAGE_READWRITE
         PUSH     EDX
         MOV      EDX , 20
         PUSH     EDX
         MOV      EDX , MyMusicBeeingPlayed
         PUSH     EDX
         CALL     [VirtualProtect]
         MOV      [G_ReadWritePtr] , MyMusicBeeingPlayed
    


Code:
         ;----- 4. Disable access to memory block
         PUSH     G_OLD_Protect
         PUSH     [G_OLD_Protect] 
         PUSH     20
         PUSH     MyMusicBeeingPlayed
         CALL     [VirtualProtect]
    



I swear that the PAGE_READWRITE is enough, there is no need to use the "stronger" PAGE_EXECUTE_READWRITE constant!!!
Post 26 Oct 2006, 20:50
View user's profile Send private message Visit poster's website Reply with quote
Remy Vincent



Joined: 16 Sep 2005
Posts: 155
Location: France
Remy Vincent 26 Oct 2006, 20:56
Tomorow I will try to restore the call to previous procedure... Because the DEMO program is frustrating because the first procedure is not called anymore, so the DEMO PROGRAM seems "not finished"...

==> "Old title"
THEN
==> "NEW TITLE", thanks to the writing to the CODE SEGMENT
THEN
==> "NEW TITLE" again, instead of displaying "Old title" again... my DEMO looks "no way to do another step"... it's not funnny
Post 26 Oct 2006, 20:56
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.