flat assembler
Message board for the users of flat assembler.

WinAPI clobbered registers, win32

mindcooler



Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler
Which registers are clobbered by system calls and other WinAPI calls? In my experience, it seems you can't count on ANY registers to be left alone.

_________________
This is a block of text that can be added to posts you make.
Post 19 Apr 2010, 15:49
Picnic



Joined: 05 May 2007
Posts: 1288
Location: behind the arc
Picnic
Hi mindcooler,

Read here about it.
Post 19 Apr 2010, 15:57
cod3b453



Joined: 25 Aug 2004
Posts: 619
cod3b453
ebx is the only register I've never seen get clobbered. It's also very random from what I remember.
Post 19 Apr 2010, 21:02
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
So, there actually exist violations to stdcall convention in the Windows API? Do you remember an example?
Post 19 Apr 2010, 21:14
cod3b453



Joined: 25 Aug 2004
Posts: 619
cod3b453
GetPixel (gdi32) trashes ecx
Post 19 Apr 2010, 21:35
mindcooler



Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler
Hmm, I must have been dreaming. I checked all the calls in my current project, and they only clobber eax, ecx and edx. Of course esp and eip change too, but I could have sworn I saw esi and edi change. Must have been tired :S
Post 19 Apr 2010, 21:36
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
Quote:

GetPixel (gdi32) trashes ecx

I mean, any that violates the stdcall convention, i.e., not returning you EBX, ESI, EDI and EBP untouched and ESP restored to the value previous to the first pushed argument.

[edit]Of course, I mean only those that are specified to be stdcall, so don't mention wsprintf as one not restoring ESP as per stdcall convention ;)[/edit]
Post 19 Apr 2010, 21:45
Tyler



Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
Tyler
WinAPI = stdcall, here's a good explanation of stdcall.
Post 20 Apr 2010, 05:14
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17276
Location: In your JS exploiting you and your system
revolution
Tyler wrote:
WinAPI = stdcall
Well mostly, wsprintfA and wsprintfW are two exceptions.
wsprintf wrote:
Unlike other Windows functions, wsprintf uses the C calling convention (_cdecl), rather than the Pascal calling convention. As a result, it is the responsibility of the calling process to pop arguments off the stack, and arguments are pushed on the stack from right to left. In C-language modules, the C compiler performs this task.
Post 20 Apr 2010, 05:18
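The stdcall contract LocoDelAssembly spells out above (EBX, ESI, EDI and EBP untouched, ESP back to its value before the first pushed argument) and the wsprintf exception revolution quotes can both be checked mechanically rather than by staring at a debugger. The following fasm Win32 program is an added example, not code from the thread or from the fasm package: it plants marker values in the callee-saved registers, calls GetPixel (stdcall, via invoke) and then wsprintfA (cdecl, via fasm's cinvoke macro, which adds the argument bytes back to ESP after the call), and reports whether any of those registers or ESP changed. It assumes fasm's standard win32a.inc and its library/import macros; the marker constants and message strings are constructed for the example.

```asm
; Added example, not from the thread: check the stdcall register contract
; against a real gdi32 call, and the cdecl cleanup that wsprintfA needs.
format PE GUI 4.0
entry start

include 'win32a.inc'

section '.data' data readable writeable

  ; snapshot of the callee-saved registers and ESP taken just before the call
  saved_ebx   dd 0
  saved_esi   dd 0
  saved_edi   dd 0
  saved_ebp   dd 0
  saved_esp   dd 0
  esp_delta   dd 0           ; saved_esp - esp after GetPixel returns (0 = clean)

  fmt         db 'after GetPixel: ebx=%08X esi=%08X edi=%08X ebp=%08X, esp delta=%d',0
  report      rb 256
  caption_ok  db 'EBX/ESI/EDI/EBP/ESP preserved',0
  caption_bad db 'callee-saved register or ESP CLOBBERED',0

section '.code' code readable executable

start:
        ; constructed marker values: a changed register is visible at a glance
        mov     ebx,11111111h
        mov     esi,22222222h
        mov     edi,33333333h
        mov     ebp,44444444h       ; no stack frame is used here, so EBP is free
        mov     [saved_ebx],ebx
        mov     [saved_esi],esi
        mov     [saved_edi],edi
        mov     [saved_ebp],ebp
        mov     [saved_esp],esp

        ; stdcall: invoke pushes the 3 arguments, GetPixel pops them itself.
        ; hdc=0 is invalid, so the call just fails (CLR_INVALID) without
        ; needing a window; the register contract applies all the same.
        invoke  GetPixel,0,0,0

        ; ESP must be back to the value before the first pushed argument
        mov     eax,[saved_esp]
        sub     eax,esp
        mov     [esp_delta],eax

        ; cdecl: wsprintfA leaves its arguments on the stack, so cinvoke
        ; (not invoke) is required; the macro emits the add esp after the call.
        ; EAX/ECX/EDX are caller-saved and may be trashed by either call,
        ; which is why only the four registers above are compared.
        cinvoke wsprintfA,report,fmt,ebx,esi,edi,ebp,[esp_delta]

        ; compare everything against the snapshot (covers both calls)
        mov     edx,caption_ok
        cmp     ebx,[saved_ebx]
        jne     .bad
        cmp     esi,[saved_esi]
        jne     .bad
        cmp     edi,[saved_edi]
        jne     .bad
        cmp     ebp,[saved_ebp]
        jne     .bad
        cmp     esp,[saved_esp]
        je      .show
  .bad:
        mov     edx,caption_bad
  .show:
        invoke  MessageBoxA,0,report,edx,MB_OK
        invoke  ExitProcess,0

section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL',\
          gdi32,'GDI32.DLL'

  import  kernel32,\
          ExitProcess,'ExitProcess'

  import  user32,\
          MessageBoxA,'MessageBoxA',\
          wsprintfA,'wsprintfA'

  import  gdi32,\
          GetPixel,'GetPixel'
```

Assemble with fasm and run the .exe: the caption says whether the contract held and the message shows the register values after GetPixel. To probe another API, swap the GetPixel line for the function in question; calling a cdecl function such as wsprintfA with invoke instead of cinvoke shows up immediately as a nonzero esp delta, which is exactly the pitfall revolution's quote describes.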
Tyler



Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
Tyler
A function defined as WINAPI is stdcall, otherwise it's not WinAPI, because WINAPI is a macro defined as _stdcall in the Windows headers. I see your point though; I meant only functions that were literally defined as WINAPI in Windows' headers.
Post 20 Apr 2010, 06:50
cod3b453



Joined: 25 Aug 2004
Posts: 619
cod3b453
LocoDelAssembly wrote:
Quote:

GetPixel (gdi32) trashes ecx

I mean, any that violates the stdcall convention, i.e., not returning you EBX, ESI, EDI and EBP untouched and ESP restored to the value previous to the first pushed argument.

[edit]Of course, I mean only those that are specified to be stdcall, so don't mention wsprintf as one not restoring ESP as per stdcall convention ;)[/edit]
Sorry, I think I misread your post. I don't know of any that do.
Post 20 Apr 2010, 09:51
Copyright © 1999-2020, Tomasz Grysztar.