Index
> Windows > Winapi will affect register? |
| Author |
|
|
Picnic 01 Jul 2009, 14:04
EAX, ECX, and EDX are not preserved.
|
|||
01 Jul 2009, 14:04 |
|
|
Borsuc 01 Jul 2009, 14:05
Look up the calling conventions. WinAPI uses stdcall.
StdCall affects the following registers: eax ecx edx. Do NOT rely on the value of these registers on return! |
|||
|
01 Jul 2009, 14:05 |
|
|
Pirata Derek 01 Jul 2009, 14:37
I found some APIs that change also the EBX and/or ESI and/or EDI
it depends if the called API procedure push EBX,ESI and EDI (or any other registers) and after pop them. Pushing registers before calling the api is better! simple example: Code: mov ecx,5 @@: push ecx invoke MessageBoxA,0,text,title,MB_OK pop ecx loopd @B more complex Example: Code: push 0 ; exit code mov ecx,5 @@: push ecx invoke MessageBoxA,0,text,title,MB_OK pop ecx cmp eax,FALSE je @F loopd @B @@: invoke ExitProcess Last edited by Pirata Derek on 01 Jul 2009, 14:43; edited 1 time in total |
|||
|
01 Jul 2009, 14:37 |
|
|
Borsuc 01 Jul 2009, 14:42
It depends on the calling convention. Stdcall always preserves EBX, ESI, EDI, and EBP.
Pirata Derek wrote: Pushing registers before calling the api is better!  _________________ Previously known as The_Grey_Beast |
|||
|
01 Jul 2009, 14:42 |
|
|
LocoDelAssembly 01 Jul 2009, 14:44
Quote:
I had this problem once on Win98SE, but after trying reproducing it years later I couldn't. What could be happening here actually is that you have a virus. In my case was some of the windows enumeration functions which probably the virus hooked to hide itself more. |
|||
|
01 Jul 2009, 14:44 |
|
|
Pirata Derek 01 Jul 2009, 15:01
Download the program below and tell me the response...
you can modify the STDCALL, but you will see that is the PROC to modify the EBX, ESI, and EDI, not the STDCALL... 
|
|||||||||||
|
01 Jul 2009, 15:01 |
|
|
LocoDelAssembly 01 Jul 2009, 15:10
But PROCEDURA is not part of the Windows API
[edit]Found the thread: http://board.flatassembler.net/topic.php?t=8006 |
|||
|
01 Jul 2009, 15:10 |
|
|
Pirata Derek 02 Jul 2009, 10:54
If you, LocoDelAssembly, put more attention on these topics (reading all the conversation) you will read that i contested the Borsuc's last topic on:
"Stdcall always preserves EBX, ESI, EDI, and EBP. " PROCEDURA is a proc that always return with EBX,ESI and EDI modified after any STDCALL or INVOKE calls. It's an example to invalidate borsuc's answer. ¿Tengo que escribirte en español? TRANQUILO, NO TENGO VIRUS! |
|||
|
02 Jul 2009, 10:54 |
|
|
Borsuc 02 Jul 2009, 15:41
I don't get your point.
PROCEDURA is not a stdcall function. It does not comply to the standards set. Stdcall is not just the call. The procedure must follow the standards for it to be stdcall, not just the caller of the function. |
|||
|
02 Jul 2009, 15:41 |
|
|
Borsuc 02 Jul 2009, 16:42
Here's what stdcall says:
If you do not qualify for all conditions, your function isn't stdcall. There's nothing wrong with not being stdcall (heck that's why asm is flexible), but the WinAPI is all stdcall, so every function qualifies for all conditions. _________________ Previously known as The_Grey_Beast |
|||
|
02 Jul 2009, 16:42 |
|
|
Pirata Derek 03 Jul 2009, 10:33
So you forgot what i've posted?
"it depends if the called API procedure push EBX,ESI and EDI (or any other registers) and after pop them. " Is it like your last post (upper) ? if yes, why do you reply with THIS? have you disasembled ALL WinAPIs? Remember that all WinAPIs aren't equals I'll post you a list of not STDCALL STANDARD WINAPI (referenced by you last post) Wait... the APIs are too much.  |
|||
|
03 Jul 2009, 10:33 |
|
|
Borsuc 03 Jul 2009, 12:50
No, you push them in the FUNCTION, not when you CALL it.
Example of proper stdcall. Code: ; code push 1 push 2 call function ... ; ; FUNCTION ; function: push ebx mov ebx, [esp+8] mov ecx, [esp+4] ... pop ebx retn 2*4 @Pirata Derek: however, you seem like a guy who is interested in Windows details (with the kernel dispatcher and all that), so if you do find a Windows API that is officially "stdcall" (check MSDN website for info), and does not follow it, then you have found a bug and it would be cool if you posted it  Last edited by Borsuc on 04 Jul 2009, 01:51; edited 1 time in total |
|||
|
03 Jul 2009, 12:50 |
|
|
Pirata Derek 03 Jul 2009, 13:54
It's a good idea
 |
|||
|
03 Jul 2009, 13:54 |
|
|
eskizo 03 Jul 2009, 14:19
thankyou for these precious descriptions.
|
|||
|
03 Jul 2009, 14:19 |
|
|
Picnic 03 Jul 2009, 16:01
Borsuc, shouldn't be ?
Code:
retn 8
|
|||
|
03 Jul 2009, 16:01 |
|
|
Borsuc 04 Jul 2009, 01:51
thimis wrote: Borsuc, shouldn't be ? 
My bad. I was in a rush when I posted that. _________________ Previously known as The_Grey_Beast |
|||
|
04 Jul 2009, 01:51 |
|
|
Picnic 04 Jul 2009, 18:33
Yes i though so.
|
|||
|
04 Jul 2009, 18:33 |
|
< Last Thread | Next Thread > |
Forum Rules:
|