flat assembler
Message board for the users of flat assembler.

Index > Windows > simple register question..

Overflowz
Joined: 03 Sep 2010
Posts: 1046
Overflowz 18 Oct 2010, 13:13
Hello all. I'm trying to do the following but I don't understand how to do it. I'm trying to move some values into one register like this:
mov dword[ebp],0x12345678
mov dword[ebp+4],0x87654321
But how can I split those so that in the message box ebp = 0x12345678 and ebp+4 = 0x87654321? Here's the code I'm talking about:
Code:
format PE GUI 4.0
include 'WIN32AX.INC'

entry main

section '.data' data readable writeable

        buffer rb 30

section '.text' code readable executable

proc main

     mov dword[esp],0x12345678
     mov dword[esp+4],0x87654321
     mov eax,[esp+4]
     cinvoke wsprintf,buffer,'%u',eax
     invoke MessageBox,0,buffer,buffer,MB_OK
     invoke ExitProcess,0

endp

section '.idata' import data readable

library user32,'user32.dll',kernel32,'kernel32.dll'
include 'API\USER32.INC'
include 'API\KERNEL32.INC'

section '.reloc' fixups data discardable    
b1528932
Joined: 21 May 2010
Posts: 287
b1528932 18 Oct 2010, 14:16
Under [esp] you have the return address; you destroy it.
[esp+4] doesn't even belong to you...


try:

Code:
        enter   128,0                   ; push ebp / mov ebp,esp / sub esp,128: 128-byte local buffer at [ebp-128]

        push    0x87654321              ; wsprintfW is cdecl: arguments pushed right to left
        push    0x12345678
        push    f                       ; f: label of the wide format string (not shown in this post)
        lea     eax,[ebp-128]
        push    eax                     ; destination buffer
        call    [wsprintfW]             ; caller cleans the 16 bytes of arguments; `leave` below takes care of that

        push    0                       ; uType
        push    0                       ; caption
        lea     eax,[ebp-128]
        push    eax                     ; text
        push    0                       ; hwnd
        call    [MessageBoxW]           ; stdcall: callee cleans its arguments

        leave                           ; mov esp,ebp / pop ebp
        ret
Overflowz
Joined: 03 Sep 2010
Posts: 1046
Overflowz 18 Oct 2010, 15:27
Hmm.. I don't understand that.. Can you look at this example and tell me how it works? I don't mean the exploit, only how edi has all of the hex values there.. Thanks. Here's the site:
Code:
http://web17.webbpro.de/downloads/PDF%20Exploit%20Article/Shellcode.asm    
baldr
Joined: 19 Mar 2008
Posts: 1651
baldr 18 Oct 2010, 17:10
Overflowz,

Examine all the code. It allocates some space on stack and sets edi to point to that area. Then [edi+offset] is used to access allocated memory, like with ebp for standard stack frame.

Wait a minute…
Overflowz wrote:
I'm trying to move some values into 1 register like this..
mov dword[ebp],0x12345678
mov dword[ebp+4],0x87654321
I've underlined the part that caught my eye. These instructions move values to the memory pointed to by the ebp register, not to the register itself.
Overflowz
Joined: 03 Sep 2010
Posts: 1046
Overflowz 18 Oct 2010, 19:03
Hmm.. can you write a working example with comments please? Because I'm not an expert on these things.. Thank you.
baldr
Joined: 19 Mar 2008
Posts: 1651
baldr 18 Oct 2010, 19:53
Overflowz,

An example of what?
Overflowz wrote:
but how I can split those things to make in msgbox ebp = 0x12345678 and ebp+4 0x87654321
One way to read this is: ebp is equal to 0x12345678. Consequently, ebp+4 is equal to 0x12345678+4 (==0x1234567C), not 0x87654321.

Another way to interpret it is that the dwords at addresses ebp and ebp+4 must have the values 0x12345678 and 0x87654321 respectively at some point in the MessageBoxA() function.
Well, that function almost immediately establishes the standard stack frame (the famous push ebp / mov ebp, esp), in which case dword[ebp] contains the caller's ebp, and dword[ebp+4] is the return address. Place call [MessageBoxA] at address 0x8765431B (not an easy task ;)), put 0x12345678 in ebp, and after push / mov those dwords will contain the desired values (though I don't know what it's useful for: function arguments start from ebp+8).

State clearly what you're trying to achieve.
Overflowz
Joined: 03 Sep 2010
Posts: 1046
Overflowz 19 Oct 2010, 08:15
Damn, it's so hard :( I understand that ebp+4 is 0x1234567C but the other things I don't.. I can't understand what to copy where, etc.. What I'm asking is, for example:
mov [ebp],0x12345678
mov [ebp+4],0x87654321
and then I have defined these:
var1 dd 10
var2 dd 10
and then I want to move 0x12345678 and 0x87654321 into those like:
mov [var1],ebp
mov [var2],ebp+4
but I fail.. Any example please? :P
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 20453
Location: In your JS exploiting you and your system
revolution 19 Oct 2010, 10:05
Overflowz: What do you want to do? Do you want to display the ASCII hex string equivalent of the binary numbers 0x12345678 & 0x87654321?

Your question is confusing and unclear. Perhaps you can show an example of what you want to see as the final output.
Overflowz
Joined: 03 Sep 2010
Posts: 1046
Overflowz 19 Oct 2010, 11:30
Yes.. I'm trying to do that but from one register. So when, for example:
printf,ebp should be 0x12345678
printf,ebp+4 should be 0x87654321
And sorry for my bad English.
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 20453
Location: In your JS exploiting you and your system
revolution 19 Oct 2010, 12:19
Do you mean like this:
Code:
format PE GUI 4.0
include 'WIN32AX.INC'

entry main

section '.data' data readable writeable

        buffer rb 30

section '.text' code readable executable

proc main
        mov     ebp,esp                         ; point ebp at the current stack top; the locals go below it
        sub     esp,8                           ; reserve two dwords of local storage
        mov     dword[ebp-4],0x12345678         ; first local
        mov     dword[ebp-8],0x87654321         ; second local
        mov     eax,[ebp-4]
        cinvoke wsprintf,buffer,'0x%8x',eax     ; format the first value as hex
        invoke  MessageBox,0,buffer,buffer,MB_OK
        mov     eax,[ebp-8]
        cinvoke wsprintf,buffer,'0x%8x',eax     ; format the second value as hex
        invoke  MessageBox,0,buffer,buffer,MB_OK
        invoke  ExitProcess,0
endp

section '.idata' import data readable

library user32,'user32.dll',kernel32,'kernel32.dll'
include 'API\USER32.INC'
include 'API\KERNEL32.INC'

section '.reloc' fixups data discardable
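An added illustration from the editor, not code from any post in this thread: a small C model of the 32-bit stack that replays both versions of main above. It assumes a return address (RET_ADDR) and one caller-owned dword (CALLER_DATA) as made-up constants, and models fasm's `proc main` with no parameters and no locals as having no push ebp prologue, so that on entry [esp] holds the return address pushed by `call`. It shows the first post's `mov dword[esp],...` overwriting that return address and the caller's dword, as b1528932 and baldr describe, while the frame-pointer version keeps both intact.

```c
/* Editor's illustration of the stack layout discussed in this thread.
 * Not code from any post. RET_ADDR and CALLER_DATA are assumed constants. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BYTES 64
#define RET_ADDR    0x00401234u   /* assumed: address that `call main` returns to */
#define CALLER_DATA 0x0BADF00Du   /* assumed: dword the caller pushed before the call */

typedef struct {
    uint8_t  mem[STACK_BYTES];    /* stack region; esp and ebp are offsets into it */
    uint32_t esp, ebp;
} cpu_t;

static uint32_t rd32(const cpu_t *c, uint32_t a) { uint32_t v; memcpy(&v, &c->mem[a], 4); return v; }
static void     wr32(cpu_t *c, uint32_t a, uint32_t v) { memcpy(&c->mem[a], &v, 4); }
static void     push(cpu_t *c, uint32_t v) { c->esp -= 4; wr32(c, c->esp, v); }
static uint32_t pop(cpu_t *c) { uint32_t v = rd32(c, c->esp); c->esp += 4; return v; }

/* The caller pushes one dword of its own, then `call main` pushes the return
 * address. With no prologue in main, [esp] is that return address on entry. */
static void enter_main(cpu_t *c) {
    memset(c, 0xCC, sizeof *c);
    c->esp = STACK_BYTES;
    push(c, CALLER_DATA);
    push(c, RET_ADDR);                  /* call main */
}

/* The caller's dword sits just above the return address. */
static uint32_t caller_dword(const cpu_t *c) { return rd32(c, STACK_BYTES - 4); }

/* Body from the first post: writes straight at [esp] and [esp+4].
 * Returns the address that `ret` would jump to. */
static uint32_t run_original(cpu_t *c) {
    enter_main(c);
    wr32(c, c->esp,     0x12345678u);   /* mov dword[esp],0x12345678   -> return address */
    wr32(c, c->esp + 4, 0x87654321u);   /* mov dword[esp+4],0x87654321 -> caller's dword */
    return pop(c);                      /* ret */
}

/* revolution's version: a frame pointer and two locals below the return address.
 * Leaves the values read back through ebp in *v1/*v2 and returns where `ret` goes.
 * (The real program calls ExitProcess instead of returning; here the frame is
 * torn down with mov esp,ebp so that `ret` can be checked.) */
static uint32_t run_fixed(cpu_t *c, uint32_t *v1, uint32_t *v2) {
    enter_main(c);
    c->ebp = c->esp;                    /* mov ebp,esp */
    c->esp -= 8;                        /* sub esp,8 */
    wr32(c, c->ebp - 4, 0x12345678u);   /* mov dword[ebp-4],0x12345678 */
    wr32(c, c->ebp - 8, 0x87654321u);   /* mov dword[ebp-8],0x87654321 */
    *v1 = rd32(c, c->ebp - 4);          /* mov eax,[ebp-4] */
    *v2 = rd32(c, c->ebp - 8);          /* mov eax,[ebp-8] */
    c->esp = c->ebp;                    /* mov esp,ebp */
    return pop(c);                      /* ret */
}

int main(void) {
    cpu_t c; uint32_t a, b, r;
    r = run_original(&c);
    printf("original: ret -> 0x%08x (expected 0x%08x), caller's dword 0x%08x\n",
           r, RET_ADDR, caller_dword(&c));
    r = run_fixed(&c, &a, &b);
    printf("fixed:    ret -> 0x%08x, locals 0x%08x 0x%08x, caller's dword 0x%08x\n",
           r, a, b, caller_dword(&c));
    return 0;
}
```

In the original layout `ret` pops 0x12345678 and jumps there, which is exactly the control-flow hijack that makes an unchecked write at [esp] dangerous; the frame-pointer layout keeps the return address and the caller's data where they were.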
Overflowz
Joined: 03 Sep 2010
Posts: 1046
Overflowz 19 Oct 2010, 14:49
Yes, thank you! :) By the way, can you explain to me why sub esp,8, and then why mov ebp,esp? Can't we just use esp? Why use ebp instead of esp? Thanks.
mindcooler
Joined: 01 Dec 2009
Posts: 423
Location: Västerås, Sweden
mindcooler 19 Oct 2010, 15:02
Addressing with ebp is shorter, and you can manipulate the stack without getting lost.
Overflowz
Joined: 03 Sep 2010
Posts: 1046
Overflowz 19 Oct 2010, 17:50
Hmm, thank you, and one more question: why does it use esp and not another register like edi or ecx or others..?
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 20453
Location: In your JS exploiting you and your system
revolution 19 Oct 2010, 22:22
ESP is your stack. You use this for temporary storage. No other register can be used in this way.
Overflowz
Joined: 03 Sep 2010
Posts: 1046
Overflowz 20 Oct 2010, 10:13
I tried with EBP and it worked fine too. And other registers don't seem to be working.. only ESP and EBP. Is EBP the same as ESP?
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 20453
Location: In your JS exploiting you and your system
revolution 20 Oct 2010, 12:24
You can't simply use EBP whenever you feel like it. You have to first set up the initial value (see my code above), or else you will clobber the API's/caller's stack. Without any setup sometimes you can be lucky and it will work, but other times ...
Overflowz
Joined: 03 Sep 2010
Posts: 1046
Overflowz 20 Oct 2010, 18:28
Ahh, I got it. Thank you very much!
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.