flat assembler
Message board for the users of flat assembler.

Index > Windows > String length and value printing

learnasm
Joined: 09 Sep 2009
Posts: 3
Hello,

I'm trying to print ECX which represents a string's length :

Code:
format PE GUI 4.0
include 'win32a.inc'
entry start


section ".data" data readable writeable

          text    db 'len :',0
          szEnv   db '%d',13,10,0
          String  db 'azerty',0

section ".code" code readable executable

        start:

             cld
             mov edi, String
             xor ecx, ecx
             dec ecx
             xor eax, eax
             repne scasb
             not ecx
             dec ecx

             invoke printf,szEnv,text, ecx
             invoke ExitProcess,0


 section '.idata' import data readable writeable

                library  msvcrt,'msvcrt.dll'

                library kernel,'KERNEL32.DLL',\
                        user,'USER32.DLL'

                import kernel,\
                       ExitProcess,'ExitProcess'

                import msvcrt,\
                       printf,'printf' 
    


However, it doesn't work.
I checked with OllyDbg and the value of ECX is correct (7), but there is a problem with the printf call.

Thanks,

lsm-
Post 09 Sep 2009, 17:44
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17669
Location: In your JS exploiting you and your system
Try using wsprintf, and don't forget to use cinvoke for the printf functions.
Win32 manual wrote:
The wsprintf function formats and stores a series of characters and values in a buffer. Any arguments are converted and copied to the output buffer according to the corresponding format specification in the format string. The function appends a terminating null character to the characters it writes, but the return value does not include the terminating null character in its character count.

int wsprintf(

LPTSTR lpOut, // pointer to buffer for output
LPCTSTR lpFmt, // pointer to format-control string
... // optional arguments
);
Post 09 Sep 2009, 17:49
learnasm
Joined: 09 Sep 2009
Posts: 3
Thanks for the tips, revolution!
With wsprintf I get an access violation (checked with OllyDbg):

Code:
format PE GUI 4.0
include 'win32a.inc'
entry start


section ".data" data readable writeable

          szFormat   db '%d',13,10,0
          szString   db 'azerty',0
          szOutput   db 32 dup (0)

section ".code" code readable executable

        start:

             cld
             mov edi, szString
             xor ecx, ecx
             dec ecx
             xor eax, eax
             repne scasb
             not ecx
             dec ecx
             invoke  wsprintf,szOutput,szFormat,ecx
             invoke ExitProcess,0


 section '.idata' import data readable writeable

                library  msvcrt,'msvcrt.dll'

                library kernel,'KERNEL32.DLL',\
                        user,'USER32.DLL'

                import kernel,\
                       ExitProcess,'ExitProcess'

                import msvcrt,\
                       printf,'printf'

                import user,\
                       wsprintf,'wsprintf'
                                                
    
Post 09 Sep 2009, 18:04
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17669
Location: In your JS exploiting you and your system
Your import section is malformed. Try this instead.
Code:
...
 section '.idata' import data readable writeable

                library  msvcrt,'msvcrt.dll',\
                         kernel,'KERNEL32.DLL',\
                         user,'USER32.DLL'

                import kernel,\
                       ExitProcess,'ExitProcess'

                import msvcrt,\
                       printf,'printf'

                import user,\
                       wsprintf,'wsprintfA'    
Post 09 Sep 2009, 18:16
r22
Joined: 27 Dec 2004
Posts: 805
Yep, you can only have one LIBRARY statement.

Also, for cinvoke printf you need a console to display your output.
For this you use PE CONSOLE instead of PE GUI.

Here's the full working example:
Code:
format PE console
include 'win32a.inc'
entry start


section ".data" data readable writeable

          szFormat   db '%d',13,10,0
          szString   db 'azerty',0
          iValue     dd 0
          szOutput   db 32 dup (0)

section ".code" code readable executable

        start:

             cld
             mov edi, szString
             xor ecx, ecx
             dec ecx
             xor eax, eax
             repne scasb
             not ecx
             dec ecx
             MOV dword[iValue],ecx
             cinvoke  printf,szFormat,[iValue]

             cinvoke  wsprintf,szOutput,szFormat,[iValue]
             invoke MessageBox,0,szOutput,szOutput,0
             invoke ExitProcess,0


 section '.idata' import data readable writeable

                library kernel,'KERNEL32.DLL',\
                        msvcrt,'msvcrt.dll',\
                        user,'USER32.DLL'

                import kernel,\
                       ExitProcess,'ExitProcess'

                import msvcrt,\
                       printf,'printf'

                import user,\
                       wsprintf,'wsprintfA',\
                       MessageBox,'MessageBoxA'
    

*edit*Cinvoke wsprintf


Last edited by r22 on 09 Sep 2009, 19:38; edited 1 time in total
Post 09 Sep 2009, 18:20
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17669
Location: In your JS exploiting you and your system
r22: Use cinvoke for wsprintf also.
Post 09 Sep 2009, 18:21
LocoDelAssembly
Your code has a bug
Joined: 06 May 2005
Posts: 4633
Location: Argentina
Code:
format PE console 4.0
include 'win32a.inc'
entry start


section ".data" data readable writeable

          fmt     db 'len : %d',13,10,0
          String  db 'azerty',0

section ".code" code readable executable

        start:

             cld
             mov edi, String
             xor ecx, ecx
             dec ecx
             xor eax, eax
             repne scasb
             not ecx
             dec ecx

             cinvoke printf, fmt, ecx
             invoke ExitProcess,0


 section '.idata' import data readable writeable

                library kernel,'KERNEL32.DLL',\
                        msvcrt,'msvcrt.dll',\
                        user,'USER32.DLL'

                import kernel,\
                       ExitProcess,'ExitProcess'

                import msvcrt,\
                       printf,'printf'      

There were multiple errors. You should use format PE console to make printf work. Also, you used the "library" macro twice, which made ExitProcess uncallable. The printf arguments were wrong: you told printf that the format string was "%d" but then followed it with a pointer to a string and then an integer (ecx).

With the code above this is what I get:
Code:
C:\Documents and Settings\Hernan\Escritorio>test.exe
len : 6    


[edit]Crap! r22 beat me to it. Anyway, this code is different so I won't remove it[/edit]
Post 09 Sep 2009, 18:26
View user's profile Send private message Reply with quote
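Added example, not code from any post in this thread: the REPNE SCASB counter arithmetic used in the snippets above, emulated in portable C with ECX modelled as a 32-bit unsigned value so that the `not ecx` / `dec ecx` steps can be checked against "azerty". It also adds a bounded variant that starts ECX at a maximum instead of -1, because the -1 form has no limit and will read past the end of a buffer that carries no terminator. The helper names `repne_scasb`, `scasb_strlen` and `scasb_strnlen` and the sample buffers are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Emulation of the fasm sequence
 *     mov edi, String ; xor ecx, ecx ; dec ecx ; xor eax, eax
 *     repne scasb ; not ecx ; dec ecx
 * ECX is a uint32_t so the wrap-around arithmetic matches the CPU.
 * Added example; not code from the thread. */

/* Core loop shared by both variants: scan bytes while ECX != 0,
 * decrementing ECX once per byte, and stop after the byte equal to AL.
 * Returns the ECX value REPNE SCASB leaves behind; *found reports whether
 * the terminator was hit (ZF=1) or the count simply ran out. */
static uint32_t repne_scasb(const uint8_t *edi, uint32_t ecx, uint8_t al, int *found)
{
    *found = 0;
    while (ecx != 0) {
        uint8_t b = *edi++;
        ecx--;                 /* the rep prefix decrements ECX every iteration */
        if (b == al) {         /* scasb compares AL with [EDI]; ZF=1 ends repne */
            *found = 1;
            break;
        }
    }
    return ecx;
}

/* The thread's sequence: ECX = -1 (no bound), length = ~ECX - 1.
 * After scanning n+1 bytes (n characters plus the NUL), ECX = 0xFFFFFFFF - (n+1),
 * so NOT ECX = n+1 and DEC ECX = n. Reads until a zero byte is found, however
 * far away that is. */
uint32_t scasb_strlen(const char *s)
{
    int found;
    uint32_t ecx = 0;
    ecx--;                     /* xor ecx,ecx ; dec ecx  -> 0xFFFFFFFF */
    ecx = repne_scasb((const uint8_t *)s, ecx, 0, &found);
    ecx = ~ecx;                /* not ecx */
    ecx--;                     /* dec ecx */
    return ecx;
}

/* Bounded variant (assumed, not from the thread): start with ECX = max so a
 * buffer without a terminator inside max bytes is never over-read.
 * Length = max - ECX - 1 when the NUL was found, otherwise max
 * (strnlen semantics). */
uint32_t scasb_strnlen(const char *s, uint32_t max)
{
    int found;
    uint32_t ecx = repne_scasb((const uint8_t *)s, max, 0, &found);
    if (!found)
        return max;
    return max - ecx - 1;
}

int main(void)
{
    const char azerty[] = "azerty";                       /* constructed sample, as in the thread */
    const char unterminated[4] = { 'a', 'b', 'c', 'd' };  /* constructed: no NUL in the buffer */
    printf("%u\n", scasb_strlen(azerty));                 /* 6 */
    printf("%u\n", scasb_strnlen(azerty, 32));            /* 6 */
    printf("%u\n", scasb_strnlen(unterminated, 4));       /* 4: bound reached, no over-read */
    return 0;
}
```

The unbounded form is exactly what the posted code does, which is fine for a literal in .data but not for data received from elsewhere; the bounded form is the one to use when the buffer's length, not its terminator, is what you trust.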
learnasm
Joined: 09 Sep 2009
Posts: 3
Thanks a lot for your help!
Post 09 Sep 2009, 18:30
hopcode
Joined: 04 Mar 2008
Posts: 563
Location: Germany
You could also use
format PE gui 4.0
and send printf output to a file
Quote:

C:\Documents and Settings\Hernan\Escritorio>test.exe > output.txt

output.txt:
Quote:

Len : 6
Post 15 Sep 2009, 11:44
LocoDelAssembly
Your code has a bug
Joined: 06 May 2005
Posts: 4633
Location: Argentina
Right!
Code:
C:\Documents and Settings\Hernan\Escritorio>test.exe

C:\Documents and Settings\Hernan\Escritorio>test.exe > output.txt

C:\Documents and Settings\Hernan\Escritorio>type output.txt
len : 6    

Odd that it is required to redirect stdout, though; I think test.exe alone should output something anyway (without opening a console if none is present).
Post 15 Sep 2009, 22:56
hopcode
Joined: 04 Mar 2008
Posts: 563
Location: Germany
I use this technique to always print output without allocating a new output console, even with GUI and "printf". When cmd reads ">", it sets up a pipe/redirection of handles before starting the process "test.exe". This process is created with bInheritHandles=TRUE and STARTF_USESTDHANDLES, and then launched with those handles in the STARTUPINFO struct.

To confirm this, using format PE gui 4.0
Code:
C:\Documents and Settings\Hernan\Escritorio>test.exe | more
len : 6
    
Post 16 Sep 2009, 00:23
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.