flat assembler
Message board for the users of flat assembler.

Can I assume eax = 0?

asmrox 01 May 2008, 10:52
Let's say I'm starting my app:

Code:
push 00000004h                          ; ThreadInformationLength
lea eax,[ebp+08h]
push eax                                ; ThreadInformation
push 00000009h                          ; ThreadInformationClass
push 0FFFFFFFEh                         ; ThreadHandle: current thread (-2); fasm needs the leading 0 on a hex constant
call [ntdll.dll!NtSetInformationThread]
call [ebp+08h]
; here's the return address
push eax
call ExitThread


NtSetInformationThread returns an NTSTATUS, 0. However, there's no check of what it returns, but it has never returned != 0 for me. So before calling my code, eax is 0.
Can I use it and not use xor eax,eax? 1 byte less, that's much :)

Or one more example:

Code:
call [addr]
test eax,eax
jnz exit                ; from here on eax == 0


push 1000
call [Sleep]

push eax                ; instead of push 0; CreateProcess/Window need tons of 0s
push eax
call [addr2]

exit:

Sleep is declared as 'void', but it modifies eax:

Code:
Sleep:
mov edi,edi
push ebp
mov ebp,esp
push 00000000h          ; bAlertable = FALSE
push [ebp+08h]          ; dwMilliseconds
call SleepEx
pop ebp
retn 0004h

SleepEx:
cmp [ebp-20h],eax
jz L7C80240A            ; false
xor eax,eax             ; 0
L7C80240A:
call SUB_L7C80250B      ; does not affect eax
retn 0008h

eax is still 0.
asmrox 01 May 2008, 11:02
//by lag


Last edited by asmrox on 01 May 2008, 11:05; edited 1 time in total
revolution 01 May 2008, 11:03
I would say that you can't assume anything. Why is one byte so important to you?
revolution 01 May 2008, 11:07
Anything declared void is still subject to the standard rule that eax/ecx/edx are all not preserved, so you can't rely on the return value being anything.
asmrox 01 May 2008, 11:07
Why? If there's the same implementation on every Windows 2k+, it's a fact (undocumented, but 100% fact).

Quote:
Why is one byte so important to you?

I want to write the smallest possible code and use all I can to do that :)

And... what is mov edi,edi?! push ebp/mov ebp,esp without subtracting esp (stack frame) is also stupid.

Also I don't like destroying ecx,edx :( Why can't MS use pushad/popad? 2 registers are much! Many times I lacked 1 or 2 and had to use the stack to store just 1 address.
revolution 01 May 2008, 11:13
Windows is mostly written in HLL so the value of eax for a void function is not guaranteed to be anything, just forget about it. Maybe other versions of Windows have different codes that will modify eax, the thing is you can't guarantee it.

I think that mov edi,edi is to accommodate function hooking for debuggers etc. Just a guess.
asmrox 01 May 2008, 11:14
OK thx, so I use that xor ebx,ebx as long as I don't need ebx =(
I hope you're 100% sure that in other Windows versions (existing at this time, not future) eax can have different values.
revolution 01 May 2008, 11:24
asmrox wrote:
Also I don't like destroying ecx,edx. Why can't MS use pushad/popad? 2 registers are much! Many times I lacked 1 or 2 and had to use the stack to store just 1 address.
This is false economy, you are worried about using one stack position and at the same time you suggest MS use pushad/popad which uses eight stack positions! The mind boggles.

And no, I am not 100% sure about any return value of eax from a void function in any version of Windows; it is just speculation which, if true, means your code will fail.
vid 01 May 2008, 12:08
asmrox: actually, you should check the returned value, and report an error if one occurs.
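Added example (not code from any poster in this thread): the opening post's call sequence assembled as a complete fasm Win32 program that does what vid suggests, checking the NTSTATUS instead of assuming it is zero, and follows revolution's rule that eax/ecx/edx are not preserved across a call by keeping its reusable zero in a callee-saved register. Assumptions: the standard win32a.inc macros, NtSetInformationThread imported from NTDLL.DLL, ThreadInformationClass 9 and the -2 current-thread pseudo-handle exactly as in the opening post; the labels start_addr and .failed are mine.

```asm
; Added example: explicit state instead of assumed eax (fasm, Win32).
; Assumes win32a.inc and an NTDLL.DLL import of NtSetInformationThread.
format PE GUI 4.0
entry start

include 'win32a.inc'

section '.data' data readable writeable

  ; ThreadInformation buffer for class 9 (the value used in the opening
  ; post): a 4-byte pointer the kernel records as the thread start address.
  start_addr dd start

section '.text' code readable executable

start:
        ; NtSetInformationThread(ThreadHandle, ThreadInformationClass,
        ;                        ThreadInformation, ThreadInformationLength)
        ; stdcall: arguments pushed right to left.
        push    4                       ; ThreadInformationLength
        push    start_addr              ; ThreadInformation
        push    9                       ; ThreadInformationClass (as in the opening post)
        push    -2                      ; ThreadHandle: current thread pseudo-handle (0FFFFFFFEh)
        call    [NtSetInformationThread]

        ; eax holds an NTSTATUS. NT_SUCCESS(status) is status >= 0, so the
        ; sign bit separates success from failure; test it, do not assume 0.
        test    eax,eax
        js      .failed

        ; The zero we want to reuse lives in ebx: under the Win32 x86
        ; convention ebx/esi/edi/ebp survive any call, eax/ecx/edx may not,
        ; whether or not the callee is declared void.
        xor     ebx,ebx

        push    1000                    ; dwMilliseconds
        call    [Sleep]                 ; void, but free to clobber eax/ecx/edx

        ; ebx is still 0 here; eax is whatever Sleep left behind.
        push    ebx                     ; uExitCode = 0
        call    [ExitProcess]

  .failed:
        ; Report the failure instead of continuing with unknown state:
        ; the NTSTATUS becomes the process exit code.
        push    eax
        call    [ExitProcess]

section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
          ntdll,'NTDLL.DLL'

  import  kernel32,\
          ExitProcess,'ExitProcess',\
          Sleep,'Sleep'

  import  ntdll,\
          NtSetInformationThread,'NtSetInformationThread'
```

The `test eax,eax` / `js` pair costs four bytes against the one byte the opening post wanted to save, but it is the only way to know the call succeeded; `xor ebx,ebx` then gives a zero that is still zero after any number of API calls, which `push eax` after a void call cannot promise.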
Kevin_Zheng 06 May 2008, 12:24
I agree with vid's advice on this; we should check the return status after invoking a system API; Windows is very complex, so we can't be sure everything is always good and perfect.

_________________
Pure Assembly Language Funs
Copyright © 1999-2025, Tomasz Grysztar.