flat assembler
Message board for the users of flat assembler.

Index > Windows > stdcall problem

Author
Thread Post new topic Reply to topic
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz
hi everybody i'd an problem with stdcall it's in follow
if like this
Code:
include 'win32ax.inc'
.data
strText rb 20
.code
start:
  stdcall abc,100
  invoke ExitProcess,0

  proc abc argv
    mov eax,dword[argv]
    invoke wsprintf,strText,"argv=%4d",eax
    invoke MessageBox,0,strText,'Hello',0
    ret
  endp
.end start
    


it work
but if like this
Code:
include 'win64ax.inc'
.data
strText rb 20
.code
start:
  stdcall abc,100
  invoke ExitProcess,0

  proc abc argv
    mov rax,qword[argv]
    invoke wsprintf,strText,"argv=%4d",rax
    invoke MessageBox,0,strText,'Hello',0
    ret
  endp
.end start
    

it's not work fine
but if like this
Code:
include 'win64ax.inc'
.data
strText rb 20
.code
start:
  push  100
  call    abc
  invoke ExitProcess,0

  proc abc argv
    mov rax,qword[argv]
    invoke wsprintf,strText,"argv=%4d",rax
    invoke MessageBox,0,strText,'Hello',0
    ret
  endp
.end start
    

it's worked fine
stdcall not work fine with win64?
or stdcall macro had an problem?
thank!
sorry if bad english.

_________________
welcome to VietNam!
Post 17 Oct 2010, 05:13
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17287
Location: In your JS exploiting you and your system
revolution
Win64 uses fastcall.
Post 17 Oct 2010, 05:28
View user's profile Send private message Visit poster's website Reply with quote
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz
it's not work [fastcall], why?????????
Post 17 Oct 2010, 05:32
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17287
Location: In your JS exploiting you and your system
revolution
See the EXAMPLES/WIN64 folder for how fastcall works. It is not as straight forward as stdcall.
Post 17 Oct 2010, 05:36
View user's profile Send private message Visit poster's website Reply with quote
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz
oh i'm sorry, i reember it's pass to register
thank for your suport.
Post 17 Oct 2010, 05:41
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17287
Location: In your JS exploiting you and your system
revolution
It is more than just the register passing, you also have to make room on the stack.
Post 17 Oct 2010, 05:47
View user's profile Send private message Visit poster's website Reply with quote
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz
sorry revolution i'm not match with 1 parameter, where it pass ( name of register it pass)
Post 17 Oct 2010, 05:55
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17287
Location: In your JS exploiting you and your system
revolution
Post 17 Oct 2010, 06:02
View user's profile Send private message Visit poster's website Reply with quote
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz
The Microsoft x64 calling convention[6] (for long mode on x86-64) takes advantage of additional register space in the AMD64/Intel 64 platform. The registers RCX, RDX, R8, R9 are used for integer

im match it in template. But it's 4 parameter
remaining case else 1 2 3 5 ...... parameter where it pass
and in this case with 1 parameter, where it pass?
thank!
Post 17 Oct 2010, 06:08
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17287
Location: In your JS exploiting you and your system
revolution
1 parameter = RCX
2 parameters = RCX, RDX
3 parameters = RCX, RDX, R8
4 parameters = RCX, RDX, R8, R9
5+ parameters = RCX, RDX, R8, R9 + stack for others.

It is all explained in the link I posted.

Don't forget the shadow stack also.
Post 17 Oct 2010, 06:11
View user's profile Send private message Visit poster's website Reply with quote
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz
I tried, it not work, i used rcx but it not store value of parameter

in
http://en.wikipedia.org/wiki/X86_calling_conventions#Microsoft_x64_calling_convention

where you learn this tips (#Microsoft_x64_calling_convention) add follow address
it's nice.
Post 17 Oct 2010, 06:23
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17287
Location: In your JS exploiting you and your system
revolution
Show your code.
Post 17 Oct 2010, 06:57
View user's profile Send private message Visit poster's website Reply with quote
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz
include 'win64ax.inc'
.data
strText rb 20
.code
start:
fastcall abc,100,200,300,400
invoke ExitProcess,0

proc abc
;invoke wsprintf,strText,"argv=%4d",rcx ;not true
;invoke MessageBox,0,strText,'Hello',0
;invoke wsprintf,strText,"argv=%4d",rdx ;not true
;invoke MessageBox,0,strText,'Hello',0
invoke wsprintf,strText,"argv=%4d",r8 ;true
invoke MessageBox,0,strText,'Hello',0
;invoke wsprintf,strText,"argv=%4d",r9 ;true
;invoke MessageBox,0,strText,'Hello',0
ret
endp
.end start

in win64 with macros in win64ax.inc stdcall == fastcall
Post 17 Oct 2010, 07:21
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17287
Location: In your JS exploiting you and your system
revolution
pearlz: The registers are changed by the invoke macros. This is why you need to use the shadow stack. See the file "TEMPLATE.ASM" to see an example of where you can store the incoming parameters so that they are not corrupted.
Post 17 Oct 2010, 07:24
View user's profile Send private message Visit poster's website Reply with quote
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz
Code:
include 'win64ax.inc'
.data
strText rb 20
.code
start:
  stdcall abc,100,200,300,400
  invoke ExitProcess,0

  proc abc
   push rcx rdx r8 r9
    invoke wsprintf,strText,"argv=%4d",rcx  ;not true
    invoke MessageBox,0,strText,'Hello',0

   pop  r9 r8 rdx rcx
   push rcx rdx r8 r9

    invoke wsprintf,strText,"argv=%4d",rdx  ;not true
    invoke MessageBox,0,strText,'Hello',0

   pop  r9 r8 rdx rcx
   push rcx rdx r8 r9

    invoke wsprintf,strText,"argv=%4d",r8    ;true
    invoke MessageBox,0,strText,'Hello',0

   pop  r9 r8 rdx rcx
   push rcx rdx r8 r9

    invoke wsprintf,strText,"argv=%4d",r9   ;true
    invoke MessageBox,0,strText,'Hello',0
    ret
  endp
.end start
    
Post 17 Oct 2010, 07:24
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17287
Location: In your JS exploiting you and your system
revolution
try this:
Code:
include 'win64ax.inc'

.data
        strText rb 20

.code

start:
        fastcall abc,100,200,300,400
        invoke  ExitProcess,0

proc abc p1,p2,p3,p4
   mov     [p1],rcx
    mov     [p2],rdx
    mov     [p3],r8
     mov     [p4],r9
     invoke  wsprintf,strText,"argv=%4d",[p1]
  invoke  MessageBox,0,strText,'Hello',0
    invoke  wsprintf,strText,"argv=%4d",[p2]
  invoke  MessageBox,0,strText,'Hello',0
    invoke  wsprintf,strText,"argv=%4d",[p3]
  invoke  MessageBox,0,strText,'Hello',0
    invoke  wsprintf,strText,"argv=%4d",[p4]
  invoke  MessageBox,0,strText,'Hello',0
    ret
endp

.end start    
Post 17 Oct 2010, 07:27
View user's profile Send private message Visit poster's website Reply with quote
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz
it's true, but i'm not understand
with
Code:
 fastcall abc,100
 proc abc,p1
      invoke  wsprintf,strText,"argv=%4d",rcx
      invoke  MessageBox,0,strText,'Hello',0
 endp
    

assemly code will
Code:
  mov rcx,100
  call abc
 proc abc
   mov ecx,szText
   jmp @F
   local str
     str "argv=%4d",0
   @@:
   mov rdx,str
   mov r8,rcx
   call wsprintf
   ret
 endp
    

kind of like that
and it run
but it's not true
why????
Post 17 Oct 2010, 07:39
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17287
Location: In your JS exploiting you and your system
revolution
You have to be careful when using registers with fastcall (invoke). The first parameter is put into RCX so it will corrupt any existing value in RCX. You have to save the value in RCX somewhere. That is why fastcall defines the shadow stack for this purpose.
Post 17 Oct 2010, 07:43
View user's profile Send private message Visit poster's website Reply with quote
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz
oh i'm understand assembly code can like above
and then rcx store address of szText
old value of ecx be overwrite in macro invoke
i think that, it's true?
Post 17 Oct 2010, 08:03
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.

Website powered by rwasa.