flat assembler
Message board for the users of flat assembler.

Index > Windows > [SOLVED] fault address 0x00230178 on x64 is only me?

ass0
hi,

fault address 0x00230178

I have spent hours on this crap error and all I can think is that it's an x64 bug or just my machine's bug.

try:

Code:
        push    k
        call    [GetModuleHandle]
        mov     ebx,eax

        push    k1
        push    ebx
        call    [GetProcAddress]

        k       db 'kernel32.dll',0
        k1      db 'ReadFile',0



I've tried with many other functions: HeapCreate, HeapAlloc, CreateFileA, CloseHandle, ExitProcess, etc. But ReadFile, for some reason that I am missing, is screwing up my day.

some hints?


Last edited by ass0 on 16 Aug 2009, 07:34; edited 1 time in total
Post 15 Aug 2009, 22:23
vid
Can you post full code?
Post 15 Aug 2009, 22:34
revolution
If it is x64 code then you can't use 'push ebx' or 'mov ebx,eax'.
Post 15 Aug 2009, 22:38
ass0
The code is for 32 bits, but my OS is XP x64 edition.

Code:
format PE GUI 4.0
include 'win32a.inc'
use32
section '.text' code readable writeable executable
entry $

        push    kernel_name
        call    [GetModuleHandle]
        mov     ebx,eax

        push    k_1                             ;HeapCreate
        call    loadKernel

        push    0
        push    0
        push    0
        call    eax
        mov     esi,eax

        push    k_2                             ;HeapAlloc
        call    loadKernel

        push    0
        push    0
        push    esi
        call    eax
        mov     edi,eax

        push    k_4                             ;CreateFileA
        call    loadKernel

        push    0
        push    FILE_ATTRIBUTE_NORMAL
        push    OPEN_EXISTING
        push    0
        push    FILE_SHARE_READ
        push    GENERIC_READ
        push    fname
        call    eax
        mov     ecx,eax

        push    k_5                             ;ReadFile
        ;call   loadKernel

        push    0
        push    edi
        push    90
        push    dword [edi+4]
        push    ecx
        call    [ReadFile]
        ;call   eax

        push    dll1
        call    [LoadLibrary]

        push    fun1
        push    eax
        call    [GetProcAddress]

        push    fname
        push    fname
        push    eax
        call    dword [edi+4]

        push    k_6                             ;CloseHandle
        call    loadKernel

        push    ecx
        call    eax

        push    k_exit
        call    loadKernel

        push    0
        call    eax

loadKernel:
        enter   0,0
        push    dword [ebp+08h]
        push    ebx
        call    [GetProcAddress]
        leave
        ret

        kernel_name     db 'kernel32.dll',0
        k_1             db 'HeapCreate',0
        k_2             db 'HeapAlloc',0
        k_3             db 'HeapFree',0
        k_4             db 'CreateFileA',0
        k_5             db 'ReadFile',0
        k_6             db 'CloseHandle',0
        k_exit          db 'ExitProcess',0
        dll1            db 'user32.dll',0
        fun1            db 'MessageBoxA',0
        fname           db 'messageBoxBin.bin',0

data import
  library kernel32,'KERNEL32.DLL'
  include 'api\kernel32.inc'
end data



Uncomment line 43 and replace 50 by 51. It will compile anyway, but it crashes on my PC.
Post 15 Aug 2009, 23:06
ass0
Of course you need messageBoxBin.bin:
Code:
use32

        enter   0,0
        push    0
        push    dword [ebp+10h]
        push    dword [ebp+0ch]
        push    0
        call    dword [ebp+08h]
        leave
        ret

Post 15 Aug 2009, 23:10
revolution
ass0 wrote:
Code:
push    dword [edi+4]    
Do you mean this:
Code:
lea edx,[edi+4]
push edx    
Post 15 Aug 2009, 23:16
ass0
still crashes dude
Post 15 Aug 2009, 23:22
ass0
BTW, please can you explain why the lea way is necessary?
Post 15 Aug 2009, 23:23
revolution
The buffer pointed to by edi is not initialised. If you use 'push dword[edi+4]' then you are pushing some random value onto the stack. It looked to me like you wanted the address of the location pointed to by edi+4 to pass to the kernel, therefore lea seemed appropriate (edx=edi+4, push edx - rather than - edx=[edi+4], push edx).
Post 15 Aug 2009, 23:29
ass0
What about:
Code:
        add     edi,4
        push    edi

Anyway, these changes don't solve the crash :p
Post 15 Aug 2009, 23:34
revolution
ass0 wrote:
what about:
Code:
        add     edi,4
        push    edi
Sure but then you alter your buffer pointer and need to adjust again with sub edi,4 later.
ass0 wrote:
anyways these changes don't solve the crash :p
If no one else has solved it in the meantime then I will have a look later when I have some time available.
Post 15 Aug 2009, 23:39
ass0
thanks, gracias, merci, danke, dank, takk, спасибо
Post 15 Aug 2009, 23:46
LocoDelAssembly
Code:
        ;mov             ecx,eax
        push            eax
        
        push    k_5                             ;ReadFile
        call   loadKernel

        pop    ecx
        
        push    0
        push    edi
        push    90
        push    dword [edi+4]
        push    ecx
;        call    [ReadFile]
        call   eax            


With that you get a buffer filled correctly instead of a failed read (GetProcAddress at loadKernel destroys ECX, EAX and EDX)

Also replace "ret" in loadKernel with "ret 4" (not needed to solve the problem, but it is still wrong and you can get into trouble later).

Edit: Actually you will need to apply the modification commented in the last paragraph because my patch won't work otherwise.
Post 15 Aug 2009, 23:50
LocoDelAssembly
Well, I have no idea why my previous patch worked (although it crashes when run in OllyDbg with an access violation at address [ABABABAB]*).

I think this is the correct patch:
Code:
        ;mov             ecx,eax
        push            eax
        
        push    k_5                             ;ReadFile
        call   loadKernel

        pop    ecx
        
        push    0
        push    edi
        push    90
        lea     edx, [edi+4]
        push    edx
        push    ecx
;        call    [ReadFile]
        call   eax

        push    dll1
        call    [LoadLibrary]
        
        push    fun1
        push    eax
        call    [GetProcAddress]
        
        push    fname
        push    fname
        push    eax
        lea     eax, [edi+4]
        call    eax
        

        push    k_6                             ;CloseHandle
        call    loadKernel
        
        push    ecx
        call    eax
        
        push    k_exit
        call    loadKernel
        
        push    0
        call    eax
        
loadKernel:
        enter   0,0
        push    dword [ebp+08h]
        push    ebx
        call    [GetProcAddress]
        leave
        ret 4     


* Perhaps because the heap block contains some data there that turns out to be a pointer to previously allocated memory at run-time?


Last edited by LocoDelAssembly on 16 Aug 2009, 00:10; edited 1 time in total
Post 16 Aug 2009, 00:05
ass0
Nope, I've tried combinations removing enter and leave, leaving only ret 4, and nothing...
Post 16 Aug 2009, 00:08
ass0
Oh, oh, I'm going to try the new patch xD
Post 16 Aug 2009, 00:10
ass0
You hit the nail on the head. Why so much trouble with that function, when it doesn't happen on the earlier and later calls I make to loadKernel?

Thank You fella!!! =D
Post 16 Aug 2009, 00:19
LocoDelAssembly
ass0 (horribly translated) wrote:
why all that mess with that function and it does not happen the same with the previous and posterior times I've called loadKernel?
Because in the other times you saved results in non-volatile registers (ESI, EBX and EDI), but all API functions destroy EAX, ECX and EDX so if you need them to survive the call to GetProcAddress you have to save them because the APIs will only care about EBP, ESP (actually it is incremented by 4*number_of_args units unless the API is cdecl like wsprintf), ESI, EDI and EBX.

That was the problem here: you saved the file handle in a volatile register and then it got destroyed by GetProcAddress (called by loadKernel). The other problem was the mysterious behavior with the heap; it should never have worked for me with the first patch, but it did!

BTW, CloseHandle is also bugged, it is closing garbage instead of the file handle.
Post 16 Aug 2009, 00:43
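To make the register rule above something you can check mechanically, here is an added Python script (not from the thread or from fasm) that walks a fasm-style listing, tracks which of EAX/ECX/EDX still hold a value when a call is reached, and reports any later read of one; the two listings are constructed from the thread's ReadFile sequence and LocoDelAssembly's push/pop fix. The labels k_5 and loadKernel come from the thread; the checker's minimal stdcall model (a call destroys EAX, ECX, EDX and returns in EAX) is an assumption.

```python
import re

VOLATILE = ("eax", "ecx", "edx")   # caller-saved: any Win32 API call may destroy them
REG = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p)\b")
DEFINERS = ("mov", "lea", "pop")   # a bare register as first operand gets overwritten

def clobbered_uses(asm):
    """Return (use_line, reg, def_line, call_line) for each read of a volatile register set before a call."""
    live, dead, findings = {}, {}, []   # reg -> def line; reg -> (def line, call line)
    for n, raw in enumerate(asm.splitlines(), 1):
        line = raw.split(";")[0].strip().lower()
        if not line or line.endswith(":"):
            continue
        parts = line.split(None, 1)
        op, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        operands = [o.strip() for o in rest.split(",")] if rest else []
        dest = operands[0] if op in DEFINERS and operands and REG.fullmatch(operands[0]) else None
        for reg in REG.findall(",".join(operands[1:] if dest else operands)):
            if reg in dead:
                findings.append((n, reg) + dead[reg])
        if op == "call":                    # callee trashes EAX/ECX/EDX and returns in EAX
            for reg in VOLATILE:
                if reg in live:
                    dead[reg] = (live.pop(reg), n)
            dead.pop("eax", None)
            live["eax"] = n
        if dest:
            dead.pop(dest, None)
            live[dest] = n
    return findings

# Constructed from the thread: CreateFileA's handle kept in ECX across loadKernel
BUGGY = """\
        mov     ecx,eax             ; handle parked in a volatile register
        push    k_5                 ; ReadFile
        call    loadKernel          ; GetProcAddress inside destroys ECX
        lea     edx,[edi+4]
        push    edx
        push    ecx                 ; reads the destroyed handle
        call    eax
"""
# Same sequence with the handle saved on the stack around the call instead
FIXED = """\
        push    eax
        push    k_5
        call    loadKernel
        pop     ecx
        push    ecx
        call    eax
"""
```

Running `clobbered_uses(BUGGY)` reports the `push ecx` on line 6 as reading a value set on line 1 and destroyed by the call on line 3; the fixed listing reports nothing.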
ass0
Thank you Master, when I grow up I want to be like you =D

Thank you Master, when I become old I want to be like you =D
Post 16 Aug 2009, 05:08
Azu
revolution wrote:
If it is x64 code then you can't use 'push ebx' or 'mov ebx,eax'.
Really?

This compiles fine for me..
Code:
use64
mov ebx,eax    



Is it a bug in FASM? It should say invalid operand?
Post 20 Aug 2009, 11:21
Copyright © 1999-2020, Tomasz Grysztar.