flat assembler
Message board for the users of flat assembler.

Index > Macroinstructions > [BUG]cinvoke restores ESP incorrectly with "double"

Author
Thread Post new topic Reply to topic
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 11 Oct 2009, 02:33
cinvoke printf, <"%f", 10>, double [eax] is assembled as follows:
Code:
push dword [eax+4]
push dword [eax]
call @f
db "%f", 10, 0
@@:
call [printf]
add esp, 8 ; <<< Should be 12    


Last edited by LocoDelAssembly on 11 Oct 2009, 17:13; edited 1 time in total
Post 11 Oct 2009, 02:33
View user's profile Send private message Reply with quote
kohlrak



Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak 11 Oct 2009, 03:27
Erm, isn't that call @f going to cause a problem?
Post 11 Oct 2009, 03:27
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger Reply with quote
bitshifter



Joined: 04 Dec 2007
Posts: 796
Location: Massachusetts, USA
bitshifter 11 Oct 2009, 03:46
Im counting 12 bytes to cleanup the stack.
Remember, printf's ret compliments its call.

Maybe Loco can explain this a bit more...


Last edited by bitshifter on 11 Oct 2009, 04:43; edited 1 time in total
Post 11 Oct 2009, 03:46
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 11 Oct 2009, 04:36
The code above is the same as:
Code:
text_string: db "%f", 10, 0

push dword [eax+4]
push dword [eax]
push text_string
call [printf]
add esp, 8 ; <<< Should be 12    
I hope that makes it clearer that the return value is wrong, just as LocoDelAssembly says. The "call @f" is a red-herring and isn't the problem.
Post 11 Oct 2009, 04:36
View user's profile Send private message Visit poster's website Reply with quote
sinsi



Joined: 10 Aug 2007
Posts: 794
Location: Adelaide
sinsi 11 Oct 2009, 04:47
I get the call @f bit (it pushes the address of the string, which is printf's first param) but I don't get how the macro interprets <"%f", 10>
Is that in the internals of fasm? And yes, it should be 12.
Post 11 Oct 2009, 04:47
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 11 Oct 2009, 04:55
sinsi: See the WIN32{A|W}X.INC files:
Code:
...
macro pushd value
{ match first=,more, value \{ \local ..continue
   call ..continue
   db value,0
   ..continue:
   pushd equ \}
...    
Post 11 Oct 2009, 04:55
View user's profile Send private message Visit poster's website Reply with quote
sinsi



Joined: 10 Aug 2007
Posts: 794
Location: Adelaide
sinsi 11 Oct 2009, 05:13
oops for some reason I thought pushd was an actual mnemonic Embarassed
Post 11 Oct 2009, 05:13
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 11 Oct 2009, 05:16
Just to be super clarify with sugar on top:
Code:
format pe console
include 'win32ax.inc'

  int3
  cinvoke printf, .fmt, dword [.double], dword [.double+4]
  cinvoke printf, .fmt, double [.double]
  cinvoke printf, .fmt, double 1.0
  ret

.fmt db "%f", 0

.double dq 1.0

align 4 ; Just to be safe
data import
   library msvcrt,'msvcrt.dll'

  import msvcrt,\
         printf, 'printf'
end data    
Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
00401000  /.  CC            INT3
00401001  |.  FF35 52104000 PUSH DWORD PTR DS:[401052]
00401007  |.  FF35 4E104000 PUSH DWORD PTR DS:[40104E]
0040100D  |.  68 4B104000   PUSH test.0040104B                       ; ASCII "%f"
00401012  |.  FF15 94104000 CALL DWORD PTR DS:[<&msvcrt.printf>]
00401018  |.  83C4 0C       ADD ESP,0C                               ; OK
0040101B  |.  FF35 52104000 PUSH DWORD PTR DS:[401052]
00401021  |.  FF35 4E104000 PUSH DWORD PTR DS:[40104E]
00401027  |.  68 4B104000   PUSH test.0040104B                       ; ASCII "%f"
0040102C  |.  FF15 94104000 CALL DWORD PTR DS:[<&msvcrt.printf>]
00401032  |.  83C4 08       ADD ESP,8                                ; WRONG
00401035  |.  68 0000F03F   PUSH 3FF00000
0040103A  |.  6A 00         PUSH 0
0040103C  |.  68 4B104000   PUSH test.0040104B                       ; ASCII "%f"
00401041  |.  FF15 94104000 CALL DWORD PTR DS:[<&msvcrt.printf>]
00401047  |.  83C4 08       ADD ESP,8                                ; WRONG
0040104A  \.  C3            RETN
0040104B      25            DB 25                                    ; CHAR '%'
0040104C      66            DB 66                                    ; CHAR 'f'
0040104D      00            DB 00    
Post 11 Oct 2009, 05:16
View user's profile Send private message Reply with quote
bitshifter



Joined: 04 Dec 2007
Posts: 796
Location: Massachusetts, USA
bitshifter 11 Oct 2009, 08:18
Now that i think of it...
About two weeks ago i was using sprintf to format a string of doubles.
I tried to use double sized args and it just kept blowing up in my face.
Being so lazy i didnt check in debugger and just pushed dwords instead.
Im sure now that this is exactly what was happening to me in my code. Confused
Post 11 Oct 2009, 08:18
View user's profile Send private message Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8359
Location: Kraków, Poland
Tomasz Grysztar 11 Oct 2009, 08:50
sinsi wrote:
Is that in the internals of fasm?

Well, it is not. I'm moving it to "Macroinstructions".
Post 11 Oct 2009, 08:50
View user's profile Send private message Visit poster's website Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8359
Location: Kraków, Poland
Tomasz Grysztar 11 Oct 2009, 09:13
Loco, thanks for the detailed report, as in this case it really was important. The problem was a typo in win32ax.inc, all the other includes (even win32axp.inc) had it correct.
Post 11 Oct 2009, 09:13
View user's profile Send private message Visit poster's website Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 11 Oct 2009, 17:13
Seems to work great now. Thanks for the fix.
Post 11 Oct 2009, 17:13
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.