flat assembler
Message board for the users of flat assembler.

Index > Windows > always pain about the stack

charme (Joined: 08 Jan 2010, Posts: 22)
Someone has helped me solve two problems about the stack! Thanks!

But,,, now I'm always in pain about the stack...

I can't deal with it!

I just wrote some code to get the API address from the export table by hash!

But it always fails!

My algorithm is OK! So I think it may be a stack problem.

I've uploaded the code.

Can someone help me?

I am very worried.

Thanks!!


Attachment: HASH.rar (4.15 KB), downloaded 131 time(s)

Post 09 Jan 2010, 15:06
charme (Joined: 08 Jan 2010, Posts: 22)
Help me,,, i
Post 09 Jan 2010, 23:54
Borsuc (Joined: 29 Dec 2005, Posts: 2466, Location: Bucharest, Romania)
I don't have x64 so I can't debug it, try to use OllyDbg and see where it fails -- btw are you sure hashes alone work on x64?
Post 10 Jan 2010, 00:13
LocoDelAssembly (Joined: 06 May 2005, Posts: 4633, Location: Argentina)
OllyDbg can't work with 64-bit (not even the long awaited version 2).

I can't test here either, sorry :(
Post 10 Jan 2010, 00:34
Borsuc (Joined: 29 Dec 2005, Posts: 2466, Location: Bucharest, Romania)
Damn! I thought the latest alpha could. Though, there was a FASM debugger... FDBG I think, for x64.

_________________
Previously known as The_Grey_Beast
Post 10 Jan 2010, 00:48
charme (Joined: 08 Jan 2010, Posts: 22)
Borsuc wrote:
Damn! I thought the latest alpha could. Though, there was a FASM debugger... FDBG I think, for x64.

Yeah!! I just used FDBG.

I have debugged it!

This line:
Code:
        ;;get export table
        mov     eax,dword [rax+136] ;;export RVA
        test    rax,rax
        jz      _get_next_mod

Here, dword [rax+136] = 00000000.....
so it just goes to _get_next_mod.

Here:
Code:
_get_next_mod:
...
..
0000000000402061 488B12 mov rdx,[rdx] ; [0000000000000000]=?
ERROR here!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I use this method to get the export table:
Code:
        xor     rdx,rdx
        mov     rdx,[gs:rdx+96]    ;;PEB
        mov     rdx,[rdx+24]       ;;PEB->Ldr
        mov     rdx,[rdx+32]       ;;first module(InMemoryOrder module list)

_next:
        mov     rsi,[rdx+80]       ;;module name
        mov     cx,word [rdx+74]

        push    rdx

        ;; get pe header
        mov     rdx,[rdx+32]       ;;module base address
        mov     eax,dword [rdx+60] ;;pe header
        add     rax,rdx

        ;;get export table
        mov     eax,dword [rax+136] ;;export RVA

Why doesn't it work? I'm confused!

_________________
do it,do our best!
----------------------------------------------------------
http://chx4.net
Post 10 Jan 2010, 01:08
charme (Joined: 08 Jan 2010, Posts: 22)
Borsuc wrote:
I don't have x64 so I can't debug it, try to use OllyDbg and see where it fails -- btw are you sure hashes alone work on x64?

No! I don't use the CRC algorithm in my code comment!

Because that algorithm depends on the CPU, which must support the SSE4 instructions.

So I use the one I wrote before for 32-bit!!

I also uploaded it in hash.rar.

But now,,, the hash algorithm will be fine! But the algorithm to get the export table may be the problem!!

Post 10 Jan 2010, 01:13
Borsuc (Joined: 29 Dec 2005, Posts: 2466, Location: Bucharest, Romania)
The jump is jz, it jumps if it is 0, so "mov rdx, [rdx]" is "mov rdx, [0]" which is invalid operation (invalid address).

I assume you meant "jnz", to jump when it is NOT 0.

replace jz _get_next_mod with
Code:
        jnz     _get_next_mod

Post 10 Jan 2010, 01:33
charme (Joined: 08 Jan 2010, Posts: 22)
So I have tried to debug it using WinDbg!

Here:
Code:
0000000000402018 65488B5260 GS mov rdx,[rdx+60] ; [000007FFFFFDE060]=000007FFFFFD3000

We know [gs:0+60] should be the PEB address!

But when I run dt !peb in WinDbg,,:

"peb at 000007fffffda000"

Maybe,, here is the first error!

But I can't get which [gs:0+?] will be equal to 000007fffffda000.


Post 10 Jan 2010, 01:34
Borsuc (Joined: 29 Dec 2005, Posts: 2466, Location: Bucharest, Romania)
Did my suggestion work or am I totally not understanding what you are trying to do? (because I don't :))
Post 10 Jan 2010, 01:37
charme (Joined: 08 Jan 2010, Posts: 22)
Borsuc wrote:
Did my suggestion work or am I totally not understanding what you are trying to do? (because I don't :))

Oh! Sorry,, thank you anyway!!

My English is so poor! I'm Chinese!!

Post 10 Jan 2010, 01:41
charme (Joined: 08 Jan 2010, Posts: 22)
Help me.... Is there anyone who studies x64?
Post 10 Jan 2010, 08:17
bitRAKE (Joined: 21 Jul 2003, Posts: 2937, Location: vpcmipstrm)
Code:
        mov     rax,[gs:30h]  ; RAX points to TEB (Thread Environment Block)
        mov     rcx,[rax+60h] ; RCX points to PEB (Process Environment Block)
...and FDBG works for me.

FDBG source code has examples of accessing PEB.

(Your English is better than my Chinese - well done!)

How about a size-optimized version (6 bytes):
Code:
        push    60h
        pop     rsi
        gs lodsq        ; RAX points to PEB
Post 10 Jan 2010, 22:24
charme (Joined: 08 Jan 2010, Posts: 22)
bitRAKE wrote:
Code:
        mov     rax,[gs:30h]  ; RAX points to TEB (Thread Environment Block)
        mov     rcx,[rax+60h] ; RCX points to PEB (Process Environment Block)
...and FDBG works for me.

FDBG source code has examples of accessing PEB.

(Your English is better than my Chinese - well done!)

How about a size-optimized version (6 bytes):
Code:
        push    60h
        pop     rsi
        gs lodsq        ; RAX points to PEB

Good job! This error has been solved!! Thanks.

I want to make friends with you...
My MSN: charme000@gmail.com

Maybe I can teach you Chinese,, if there's any chance hoho:)

So welcome to China!!

Post 11 Jan 2010, 04:31
bitRAKE (Joined: 21 Jul 2003, Posts: 2937, Location: vpcmipstrm)
I've optimized the api_call by Stephen Fewer for 64-bit (141 bytes (almost as small as his 32-bit version :D), and several other improvements) and wrote a parallel FASM macro to calculate the hash values easily:
Code:
api_call:
        push    rdx rcx rdi rsi rax 60h
        pop     rsi
        gs lodsq
        mov     rax,[rax+24]
        mov     rdi,[rax+32]
.next_module:
        mov     rsi,[rdi+80]
        movzx   ecx,word [rdi+74]
        xor     eax,eax
        cdq
.module_name:
        lodsb
        and     al,not 20h
        ror     edx,13
        add     edx,eax
        loop    .module_name
        push    rdi
        mov     rdi,[rdi+32]
        mov     eax,[rdi+60]
        lea     rax,[rdi+rax+68]
        mov     ecx,[rax+136-68]
        jrcxz   .skip_module
        add     rcx,rdi
        push    rcx
        mov     esi,[rcx+32]
        mov     ecx,[rcx+24]
        add     rsi,rdi
.next_function:
        jrcxz   .get_module
        dec     ecx
        push    rdx rsi
        mov     esi,[rsi+rcx*4]
        add     rsi,rdi
        xor     eax,eax
.function_name:
        lodsb
        ror     edx,13
        add     edx,eax
        cmp     al,ah
        jne     .function_name
        cmp     edx,[rsp+8*4]
        pop     rsi rdx
        jnz     .next_function
        pop     rsi
        mov     edx,[rsi+36]
        add     rdx,rdi
        mov     cx,[rdx+2*rcx]
        mov     eax,[rsi+28]
        add     rax,rdi
        mov     eax,[rax+4*rcx]
        add     rax,rdi
        pop     rdx rdx rsi rdi rcx rdx
        jmp     rax

.get_module:
        pop     rdx
.skip_module:
        pop     rdi
        mov     rdi,[rdi]
        jmp     .next_module
Code:
macro API_HASH32 dll,export {
        local ..b,..d
        ..d = 0
        virtual at $
                du `dll,0
                repeat $-$$
                        load ..b byte from $$+%-1
                        ..d = $FFFFFFFF and\
                                ((..d SHR 13)+(..d SHL 19)+\
                                (..b and (not 20h)))
                end repeat
        end virtual
        virtual at $
                db `export,0
                repeat $-$$
                        load ..b byte from $$+%-1
                        ..d = $FFFFFFFF and\
                                ((..d SHR 13)+(..d SHL 19)+\
                                ..b)
                end repeat
        end virtual
        mov eax,..d
}
...the code can be used like:
Code:
        xor     ecx,ecx
        API_HASH32 ntdll.dll,RtlExitUserThread
        call    api_call
API_HASH32 <DLL>,<Function>

The DLL name is unicode and case insensitive;
while the Function is ASCII and case sensitive.

I can imagine a number of additional optimizations depending on use. For example, some adaptor code could be placed prior to JMP RAX - allowing various internal calling conventions to be used. Also, a hash table might help compact code. Note: I haven't checked for collisions nor is there an exit condition for hash not found.

Why do you wish to access APIs in this manner?

Sorry, I do not use instant messenger (MSN).
You can still be my friend.
Post 13 Jan 2010, 00:10
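An analysis-side aid, added here and not part of bitRAKE's post or the FASM code above: a Python re-implementation of the API_HASH32 scheme (ror-13 over the UTF-16 DLL name with bit 5 cleared, then over the ASCII export name, terminators included) so that hash immediates found in a sample can be mapped back to DLL/export names, plus the collision check bitRAKE notes the stub does not do. The name list and the immediates are constructed for the example.

```python
# Re-implementation of the API_HASH32 macro from the thread (added example, not
# the original FASM code) for mapping hash immediates back to API names.
MASK32 = 0xFFFFFFFF


def ror13(value):
    """32-bit rotate right by 13: (d SHR 13)+(d SHL 19) masked, as in the macro."""
    value &= MASK32
    return ((value >> 13) | (value << 19)) & MASK32


def api_hash32(dll, export):
    """DLL name as UTF-16LE plus its 2-byte terminator, every byte AND 0DFh
    (case-insensitive); then export name as ASCII plus its terminator
    (case-sensitive). Each byte: rotate the running hash, then add the byte."""
    h = 0
    for b in dll.encode("utf-16-le") + b"\x00\x00":
        h = (ror13(h) + (b & 0xDF)) & MASK32
    for b in export.encode("ascii") + b"\x00":
        h = (ror13(h) + b) & MASK32
    return h


def build_hash_table(names):
    """Map hash -> (dll, export); raise on a collision between different names."""
    table = {}
    for dll, export in names:
        h = api_hash32(dll, export)
        if h in table and table[h] != (dll, export):
            raise ValueError(f"collision at {h:#010x}: {table[h]} vs {(dll, export)}")
        table[h] = (dll, export)
    return table


def resolve_hashes(table, immediates):
    """Look up each 32-bit immediate; None marks a hash the table does not know."""
    return [table.get(imm & MASK32) for imm in immediates]


# Constructed name list; a real table would cover every export of the DLLs of interest.
SAMPLE_NAMES = [
    ("ntdll.dll", "RtlExitUserThread"),
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "GetProcAddress"),
]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_NAMES)
    imms = [api_hash32("ntdll.dll", "RtlExitUserThread"), 0x12345678]  # constructed
    for imm, name in zip(imms, resolve_hashes(table, imms)):
        print(f"{imm:#010x} -> {name}")
```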
charme (Joined: 08 Jan 2010, Posts: 22)
bitRAKE wrote:
I've optimized the api_call by Stephen Fewer for 64-bit (141 bytes (almost as small as his 32-bit version :D), and several other improvements) and wrote a parallel FASM macro to calculate the hash values easily:

...

Sorry, I do not use instant messenger (MSN).
You can still be my friend.

You have done the main problem.... Thanks always.

So you don't use MSN!!

I just used TASM or MASM before for viruses......... just for interest! Not damage!!

So,, I'm new to FASM and also to x64.

But I want to study virus technology in x64!!

So some things may not be suitable to talk about here!! hoho:)

Post 13 Jan 2010, 09:00
revolution (Joined: 24 Aug 2004, Posts: 17464, Location: In your JS exploiting you and your system)
charme wrote:
I just used TASM or MASM before for viruses......... just for interest! Not damage!!

...

But I want to study virus technology in x64!!
Sure, they all say that! "No damage", "no problems" etc.
charme wrote:
So some things may not be suitable to talk about here!! hoho:)
Yes indeed. I would imagine that now you have stated your intentions that you will get a lot less help from people here.
Post 13 Jan 2010, 09:12
f0dder (Joined: 19 Feb 2004, Posts: 3170, Location: Denmark)
bitRAKE wrote:
The DLL name is unicode and case insensitive;
No reason to have it unicode imho, since PE import tables only support ascii DLL names :)

Btw, when doing your own GetProcAddress, there's three special cases you have to handle:
1. Ordinal imports (high bit of name-rva set - use only low word for ordinal number).
2. Forwarded exports - dunno what the "official" way is, but checking if exported RVA lies outside the range specified by PE_DIRENT_EXPORT seems to work.
3. In case you do any redirection/trampolining, you need to detect if you're dealing with a data export. These are uncommon, but things like MSVCRT.DLL have them... the heuristic I used was to find which PE section the export RVA lies in, and check that section for PE_SCN_CNT_INITIALIZED_DATA.

Items 2 and 3 obviously depend on well-formed standard PEs.
Post 13 Jan 2010, 09:50
bitRAKE (Joined: 21 Jul 2003, Posts: 2937, Location: vpcmipstrm)
f0dder wrote:
bitRAKE wrote:
The DLL name is unicode and case insensitive;
No reason to have it unicode imho, since PE import tables only support ascii DLL names :)
This is for size optimization - high byte of word is always zero. There does appear to be room for improvement.

High bit of Export RVA for ordinal export, huh? Maybe:

mov esi,[rsi+rcx*4]
add rsi,rdi

...replaced by...

lea rsi,[rsi+rcx*4]
test dword [rsi],-1
js @F
mov esi,[rsi]
add rsi,rdi
@@:

(assume third byte is zero?)
...and a small change to the macro to support ordinals. :D

(2) and (3) require much more.

_________________
¯\(°_o)/¯ unlicense.org
Post 13 Jan 2010, 10:14
Copyright © 1999-2020, Tomasz Grysztar.