flat assembler
Message board for the users of flat assembler.

The Stack Under Win32

Tyler 29 Mar 2010, 07:13
I've been looking at the stack before the call (or whatever) to my program, and all I see is a bunch of this:
Code:
[binary data] Actx [binary data]
C:\Windows\WinSxs\
Microsoft.Windows.SystemCompatible
Microsoft.Windows.SystemCompatible,processorArchitecture="x86",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16385"
System Default Context
x86_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.7600.16385_none_49adccbde8169a03
Microsoft.Windows.IsolationAutomation
Microsoft.Windows.IsolationAutomation,processorArchitecture="x86",publicKeyToken="6595b64144ccf1df",type="win32",version="1.0.0.0"
C:\Windows\WinSxS\manifests\x86_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_35d357a66c38ade4.manifest
x86_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_35d357a66c38ade4
Microsoft.Windows.GdiPlus
Microsoft.Windows.GdiPlus,processorArchitecture="x86",publicKeyToken="6595b64144ccf1df",type="win32",version="1.1.7600.16385"
C:\Windows\WinSxS\manifests\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca.manifest
x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca
Microsoft.Windows.Common-Controls
Microsoft.Windows.Common-Controls,processorArchitecture="x86",publicKeyToken="6595b64144ccf1df",type="win32",version="5.82.7600.16385"
C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7600.16385_none_ebf82fc36c758ad5.manifest
x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7600.16385_none_ebf82fc36c758ad5
Microsoft.Windows.IsolationAutomation.ProxyStub
[binary data]

What is it? For more interesting results, should I look below (I guess "above" would be more correct, but below seems more logical) esp or ebp?
baldr 29 Mar 2010, 07:30
Tyler,

Where do you think automatic variables live?
Tyler 29 Mar 2010, 07:48
What are automatic variables? Do you mean environment variable or argc/argv, or something else?
sinsi 29 Mar 2010, 07:57
Local vars live below esp ([esp-x]), the return address of a call lives at [esp+0] and parameters live at [esp+4*n].
Anything above your parameters is, well, anything: leftover parameters from old calls, leftover locals from old calls, etc.
revolution 29 Mar 2010, 08:05
Everything (including local variables) should "live" above esp. Putting stuff below esp is generally not a good idea since it will likely get clobbered next time you push or call something.
Tyler 29 Mar 2010, 08:10
Oooh, I see what I said wrong. When I said below, I was thinking of the stack as a literal stack; I'm actually adding to esp.

But what is all that? I get that it's some function's params, but what is it for, and what would happen if I changed it?
sinsi 29 Mar 2010, 08:13
oops, yeah, esp != ebp.
Everything should be [esp+something].
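A worked example of the layout discussed above, written for fasm's Win32 includes and added here (it is not code from the thread). The labels demo, nop_proc, ret_addr, sum and below are my own names; it assumes the win32a.inc and api\ include files that ship with fasm.

```asm
format PE GUI 4.0
entry start

include 'win32a.inc'

section '.data' data readable writeable
  caption  db 'stack demo',0
  fmt      db 'return address %08X, a+b = %d, [esp-4] after call = %08X',0
  buf      rb 128
  ret_addr dd ?
  sum      dd ?
  below    dd ?

section '.text' code readable executable

; demo(a,b), stdcall: on entry [esp]=return address, [esp+4]=a, [esp+8]=b
demo:
  mov eax,[esp]
  mov [ret_addr],eax            ; keep the return address for display
  sub esp,8                     ; reserve two dword locals: [esp] and [esp+4]
  ; after the sub everything moved by 8: [esp+8]=return address, [esp+12]=a, [esp+16]=b
  mov eax,[esp+12]
  add eax,[esp+16]
  mov [esp],eax                 ; local0 = a + b, lives above esp
  mov dword [esp-4],0CAFEBABEh  ; stored BELOW esp: not reserved, so not safe
  call nop_proc                 ; the call pushes its own return address at [esp-4]
  mov eax,[esp-4]
  mov [below],eax               ; no longer 0CAFEBABEh: now nop_proc's return address
  mov eax,[esp]
  mov [sum],eax                 ; local0 survived the call because it is above esp
  add esp,8                     ; release the locals
  ret 8                         ; stdcall: callee removes the two dword parameters

nop_proc:
  ret

start:
  stdcall demo,10,20            ; pushes 20 then 10, so a=10 sits next to the return address
  cinvoke wsprintf,buf,fmt,[ret_addr],[sum],[below]
  invoke MessageBox,0,buf,caption,0
  invoke ExitProcess,0

section '.idata' import data readable
  library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL'
  include 'api\kernel32.inc'
  include 'api\user32.inc'
```

The message box shows a+b = 30 and a return address where 0CAFEBABEh used to be, which is exactly the clobbering revolution warns about.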
zhak 29 Mar 2010, 09:12
Tyler wrote:
But what is all that? I get that it's some function's params, but what is it for, and what would happen if I changed it?

This can be garbage, or it can be parameters of parent procedures, the procedures from which your current procedure is called.
baldr 29 Mar 2010, 09:16
zhak,

Not only parameters: local (i.e. automatic) variables are allocated on stack as well.
zhak 29 Mar 2010, 09:17
Yes, sure, and local variables as well.
baldr 29 Mar 2010, 10:12
Tyler,

In Pascal (oh yeah, Algol family… Dijkstra, Wirth, Backus and Naur) inner procedures can access outer procedures' parameters and variables. In most implementations this is done via stack (cf. enter).
Tyler 04 Apr 2010, 03:09
I guess what I thought was weird about this (~3am when I posted) is that there are strings on the stack. Why? I've always assumed the only way (only EASY way) to pass strings is with a pointer, right?
revolution 04 Apr 2010, 04:21
Code:
;...
sub esp,1024                       ; make space for a string buffer on the stack
mov ebx,esp                        ; point to it
invoke lstrcpy,ebx,"I'm a string"  ; copy the string into the buffer
invoke SomeAPIFunction,ebx         ; pass a string pointer to a function
add esp,1024                       ; we are finished with it
;...
Tyler 04 Apr 2010, 04:33
Oh, my problem is how I tend to think of the stack as a mechanism that can ONLY be accessed in reversed order (FIFO), but I get it now; I see that the stack can be used for much more. Thanks for clarifying.
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.