flat assembler
Message board for the users of flat assembler.

WinAPI clobbered registers, win32

mindcooler



Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler 19 Apr 2010, 15:49
Which registers are clobbered by system calls and other WinAPI calls? In my experience, it seems you can't count on ANY registers to be left alone.

Picnic



Joined: 05 May 2007
Posts: 1403
Location: Piraeus, Greece
Picnic 19 Apr 2010, 15:57
Hi mindcooler,

Read here about it.
cod3b453



Joined: 25 Aug 2004
Posts: 618
cod3b453 19 Apr 2010, 21:02
ebx is the only register I've never seen get clobbered. It's also very random from what I remember.
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 19 Apr 2010, 21:14
So there actually exist violations of the stdcall convention in the Windows API? Do you remember an example?
cod3b453



Joined: 25 Aug 2004
Posts: 618
cod3b453 19 Apr 2010, 21:35
GetPixel (gdi32) trashes ecx
mindcooler



Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler 19 Apr 2010, 21:36
Hmm, I must have been dreaming. I checked all the calls in my current project, and they only clobber eax, ecx and edx. Of course esp and eip change too, but I could have sworn I saw esi and edi change. Must have been tired :S
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 19 Apr 2010, 21:45
Quote:

GetPixel (gdi32) trashes ecx

I mean, any that violates the stdcall convention, i.e., not returning you EBX, ESI, EDI and EBP untouched and ESP restored to the value previous to the first pushed argument.

[edit]Of course, I mean only those that are specified to be stdcall, so don't mention wsprintf as one not restoring ESP as per stdcall convention ;)[/edit]
Tyler



Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
Tyler 20 Apr 2010, 05:14
WinAPI = stdcall, here's a good explanation of stdcall.
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20448
Location: In your JS exploiting you and your system
revolution 20 Apr 2010, 05:18
Tyler wrote:
WinAPI = stdcall
Well mostly, wsprintfA and wsprintfW are two exceptions.
wsprintf wrote:
Unlike other Windows functions, wsprintf uses the C calling convention (_cdecl), rather than the Pascal calling convention. As a result, it is the responsibility of the calling process to pop arguments off the stack, and arguments are pushed on the stack from right to left. In C-language modules, the C compiler performs this task.
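The check mindcooler describes (watching which registers survive each API call) and the wsprintf exception revolution points out can both be exercised with one small test program. The following is an added example for this thread, not code posted by any of the participants; it assumes fasm with its standard win32a.inc macros (invoke, cinvoke, import). The checkcall macro name, the pattern values loaded into the registers, and the choice of GetPixel and Sleep as the calls under test are my own.

```asm
; Added example (not from the thread): a fasm Win32 harness that checks whether
; a stdcall API call returns with EBX, ESI, EDI and EBP untouched and ESP
; restored, and that cleans up after the cdecl wsprintfA itself.
format PE GUI 4.0
entry start

include 'win32a.inc'

; checkcall api,args...
; Loads recognisable patterns (constructed values) into the callee-saved
; registers, invokes the API, then compares. A mismatch bumps [violations].
; EAX, ECX and EDX are not checked: stdcall allows the callee to clobber them,
; so the ecx change reported for GetPixel above is not a violation.
macro checkcall api,[args]
{
 common
  local bad,ok
        mov     ebx,0B0B0B0B0h
        mov     esi,0C1C1C1C1h
        mov     edi,0D2D2D2D2h
        mov     [saved_ebp],ebp
        mov     [saved_esp],esp
        invoke  api,args
        cmp     esp,[saved_esp]         ; a stdcall callee pops its own arguments
        jne     bad
        cmp     ebx,0B0B0B0B0h
        jne     bad
        cmp     esi,0C1C1C1C1h
        jne     bad
        cmp     edi,0D2D2D2D2h
        jne     bad
        cmp     ebp,[saved_ebp]
        je      ok
  bad:
        inc     dword [violations]
  ok:
}

section '.text' code readable executable

start:
        invoke  GetDC,0                 ; screen DC, so GetPixel has something to read
        mov     [hdc],eax

        checkcall GetPixel,[hdc],0,0    ; the call named in the thread
        checkcall Sleep,0               ; any other stdcall import is tested the same way

        invoke  ReleaseDC,0,[hdc]

        ; wsprintfA is cdecl: cinvoke (from win32a.inc) adds the argument bytes
        ; back to ESP after the call, which a plain invoke would not do.
        cinvoke wsprintf,buffer,fmt,[violations]
        invoke  MessageBox,0,buffer,caption,MB_OK
        invoke  ExitProcess,0

section '.data' data readable writeable

  fmt        db 'stdcall violations detected: %u',0
  caption    db 'register check',0
  buffer     rb 64
  hdc        dd ?
  saved_esp  dd ?
  saved_ebp  dd ?
  violations dd 0

section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL',\
          gdi32,'GDI32.DLL'

  import  kernel32,\
          Sleep,'Sleep',\
          ExitProcess,'ExitProcess'

  import  user32,\
          GetDC,'GetDC',\
          ReleaseDC,'ReleaseDC',\
          wsprintf,'wsprintfA',\
          MessageBox,'MessageBoxA'

  import  gdi32,\
          GetPixel,'GetPixel'
```

Add one checkcall line per API you rely on and the message box reports how many of them came back with a callee-saved register or ESP changed. The same macro wrapped around your own procedures is a cheap way to catch a forgotten push/pop of EBX, ESI or EDI before it turns into a hard-to-reproduce corruption elsewhere in the program.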
Tyler



Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
Tyler 20 Apr 2010, 06:50
A function defined as WinAPI is stdcall, otherwise it's not WinAPI, because WINAPI is a macro defined as _stdcall in the Windows headers. I see your point though; I meant only functions that were literally defined as WINAPI in Windows' headers.
cod3b453



Joined: 25 Aug 2004
Posts: 618
cod3b453 20 Apr 2010, 09:51
LocoDelAssembly wrote:
Quote:

GetPixel (gdi32) trashes ecx

I mean, any that violates the stdcall convention, i.e., not returning you EBX, ESI, EDI and EBP untouched and ESP restored to the value previous to the first pushed argument.

[edit]Of course, I mean only those that are specified to be stdcall, so don't mention wsprintf as one not restoring ESP as per stdcall convention ;)[/edit]
Sorry, I think I misread your post. I don't know of any that do.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.