flat assembler
Message board for the users of flat assembler.
Windows > [SOLVED] fault address 0x00230178 on x64 is only me?

vid 15 Aug 2009, 22:34
Can you post full code?

revolution 15 Aug 2009, 22:38
If it is x64 code then you can't use 'push ebx' or 'mov ebx,eax'.

ass0 15 Aug 2009, 23:06
The code is for 32 bits, but my OS is XP x64 edition.
Code:
format PE GUI 4.0
include 'win32a.inc'
use32
section '.text' code readable writeable executable
entry $
push kernel_name
call [GetModuleHandle]
mov ebx,eax
push k_1 ;HeapCreate
call loadKernel
push 0
push 0
push 0
call eax
mov esi,eax
push k_2 ;HeapAlloc
call loadKernel
push 0
push 0
push esi
call eax
mov edi,eax
push k_4 ;CreateFileA
call loadKernel
push 0
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 0
push FILE_SHARE_READ
push GENERIC_READ
push fname
call eax
mov ecx,eax
push k_5 ;ReadFile
;call loadKernel
push 0
push edi
push 90
push dword [edi+4]
push ecx
call [ReadFile]
;call eax
push dll1
call [LoadLibrary]
push fun1
push eax
call [GetProcAddress]
push fname
push fname
push eax
call dword [edi+4]
push k_6 ;CloseHandle
call loadKernel
push ecx
call eax
push k_exit
call loadKernel
push 0
call eax
loadKernel:
enter 0,0
push dword [ebp+08h]
push ebx
call [GetProcAddress]
leave
ret
kernel_name db 'kernel32.dll',0;
k_1 db 'HeapCreate',0;
k_2 db 'HeapAlloc',0;
k_3 db 'HeapFree',0;
k_4 db 'CreateFileA',0;
k_5 db 'ReadFile',0;
k_6 db 'CloseHandle',0;
k_exit db 'ExitProcess',0;
dll1 db 'user32.dll',0;
fun1 db 'MessageBoxA',0;
fname db 'messageBoxBin.bin',0;
data import
library kernel32,'KERNEL32.DLL'
include 'api\kernel32.inc'
end data

Uncomment line 43 and replace 50 by 51. It will compile anyway, but it crashes on my PC.

ass0 15 Aug 2009, 23:10
Of course you need messageBoxBin.bin:
Code:
use32
enter 0,0
push 0
push dword [ebp+10h]
push dword [ebp+0ch]
push 0
call dword [ebp+08h]
leave
ret

revolution 15 Aug 2009, 23:16
ass0 wrote:

Code:
lea edx,[edi+4]
push edx

ass0 15 Aug 2009, 23:22
Still crashes, dude.

ass0 15 Aug 2009, 23:23
BTW, can you please explain why the lea way is necessary?

revolution 15 Aug 2009, 23:29
The buffer pointed to by edi is not initialised. If you use 'push dword[edi+4]' then you are pushing some random value onto the stack. It looked to me like you wanted the address of the location pointed to by edi+4 to pass to the kernel, therefore lea seemed appropriate (edx=edi+4, push edx, rather than edx=[edi+4], push edx).

ass0 15 Aug 2009, 23:34
What about:
Code:
add edi,4
push edi

Anyway, these changes don't solve the crash :p

revolution 15 Aug 2009, 23:39
ass0 wrote:
What about:

ass0 wrote:
Anyway, these changes don't solve the crash :p

ass0 15 Aug 2009, 23:46
thanks, gracias, merci, danke, dank, takk, спасибо

LocoDelAssembly 15 Aug 2009, 23:50
Code:
;mov ecx,eax
push eax
push k_5 ;ReadFile
call loadKernel
pop ecx
push 0
push edi
push 90
push dword [edi+4]
push ecx
; call [ReadFile]
call eax

With that you get a buffer filled correctly instead of a failed read (GetProcAddress at loadKernel destroys ECX, EAX and EDX).
Also replace "ret" in loadKernel with "ret 4" (not needed to solve the problem, but it is still wrong and you can get into trouble later).
[edit] Actually you will need to apply the modification commented in the last paragraph because my patch won't work otherwise [/edit]

LocoDelAssembly 16 Aug 2009, 00:05
Well, I have no idea why my previous patch worked (although it crashes when run in OllyDbg, with an access violation at address [ABABABAB]*).
I think this is the correct patch:
Code:
;mov ecx,eax
push eax
push k_5 ;ReadFile
call loadKernel
pop ecx
push 0
push edi
push 90
lea edx, [edi+4]
push edx
push ecx
; call [ReadFile]
call eax
push dll1
call [LoadLibrary]
push fun1
push eax
call [GetProcAddress]
push fname
push fname
push eax
lea eax, [edi+4]
call eax
push k_6 ;CloseHandle
call loadKernel
push ecx
call eax
push k_exit
call loadKernel
push 0
call eax
loadKernel:
enter 0,0
push dword [ebp+08h]
push ebx
call [GetProcAddress]
leave
ret 4

* Perhaps because the heap block contains some data there that turns out to be a pointer to previously allocated memory at run-time?
Last edited by LocoDelAssembly on 16 Aug 2009, 00:10; edited 1 time in total

ass0 16 Aug 2009, 00:08
Nope, I have tried combinations removing enter and leave, leaving only ret 4, and nothing...

ass0 16 Aug 2009, 00:10
Oh, oh, I'm going to try the new patch xD

ass0 16 Aug 2009, 00:19
You hit the nail on the head. Why all that fuss with that function, when it doesn't happen with the earlier and later times I called loadKernel?
Thank you, fella!!! =D

LocoDelAssembly 16 Aug 2009, 00:43
ass0 (horribly translated) wrote:
why all that mess with that function and it does not happen the same with the previous and posterior times I've called loadKernel?

That was the problem here: you saved the file handle in a volatile register and then it got destroyed by GetProcAddress (called by loadKernel). The other problem was the mysterious behavior with the heap; it should never have worked for me with the first patch, but it did!
BTW, CloseHandle is also bugged, it is closing garbage instead of the file handle.

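An added example, not code posted by anyone in the thread, that puts the two fixes from this and revolution's earlier post together: the file handle lives in a callee-saved register (ESI) so loadKernel cannot clobber it, ReadFile and CloseHandle receive the real handle, the buffer is passed by address (push buffer, not push dword [buffer]), and loadKernel cleans its own stdcall argument with ret 4. The file name 'sample.txt' and the static 90-byte buffer are assumptions of this example.

```asm
; Added example: resolve kernel32 exports by name like loadKernel does, but keep
; every value that must survive a call in EBX/ESI (callee-saved under stdcall).
format PE GUI 4.0
entry start
include 'win32a.inc'
section '.text' code readable executable
start:
        push    kernel_name
        call    [GetModuleHandle]
        mov     ebx,eax                 ; module handle: EBX survives calls
        push    0                       ; CreateFileA via the import table
        push    FILE_ATTRIBUTE_NORMAL
        push    OPEN_EXISTING
        push    0
        push    FILE_SHARE_READ
        push    GENERIC_READ
        push    fname
        call    [CreateFile]
        mov     esi,eax                 ; file handle in ESI, never in ECX/EDX
        push    k_read                  ; resolve ReadFile before pushing args
        call    loadKernel              ; clobbers EAX, ECX, EDX: ESI is safe
        push    0                       ; lpOverlapped
        push    bytes_read              ; address of a DWORD for the count
        push    90                      ; nNumberOfBytesToRead
        push    buffer                  ; address of the buffer, not its contents
        push    esi                     ; handle is still intact here
        call    eax                     ; EAX = 0 on failure, bytes_read = count
        push    k_close                 ; CloseHandle, resolved the same way
        call    loadKernel
        push    esi                     ; close the real handle, not garbage
        call    eax
        push    0
        call    [ExitProcess]
loadKernel:                             ; EAX = GetProcAddress(EBX, [esp+4])
        push    dword [esp+4]           ; the name pointer pushed by the caller
        push    ebx
        call    [GetProcAddress]
        ret     4                       ; stdcall callee pops its one argument
section '.data' data readable writeable
kernel_name db 'kernel32.dll',0
k_read      db 'ReadFile',0
k_close     db 'CloseHandle',0
fname       db 'sample.txt',0           ; assumed input file
bytes_read  dd 0
buffer      rb 90                       ; assumed 90-byte read buffer
data import
library kernel32,'KERNEL32.DLL'
include 'api\kernel32.inc'
end data
```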
ass0 16 Aug 2009, 05:08
Thank you, Master, when I grow up I want to be like you =D
Thank you Master, when I become old I want to be like you =D

Azu 20 Aug 2009, 11:21
revolution wrote:
If it is x64 code then you can't use 'push ebx' or 'mov ebx,eax'.

This compiles fine for me..
Code:
use64
mov ebx,eax

Is it a bug in FASM? Should it say invalid operand?
