Overflowz 18 Oct 2010, 13:13
hello all. I'm trying to do the following but I don't understand how to do it. I'm trying to move some values into 1 register like this..
mov dword[ebp],0x12345678
mov dword[ebp+4],0x87654321
but how can I split those things to make in msgbox ebp = 0x12345678 and ebp+4 0x87654321.. Here's the code I'm talking about..
format PE GUI 4.0
include 'WIN32AX.INC'

entry main

section '.data' data readable writeable

        buffer rb 30

section '.text' code readable executable

proc main

     mov dword[esp],0x12345678
     mov dword[esp+4],0x87654321
     mov eax,[esp+4]
     cinvoke wsprintf,buffer,'%u',eax
     invoke MessageBox,0,buffer,buffer,MB_OK
     invoke ExitProcess,0


section '.idata' import data readable

library user32,'user32.dll',kernel32,'kernel32.dll'
include 'API\USER32.INC'
include 'API\KERNEL32.INC'

section '.reloc' fixups data discardable    
b1528932 18 Oct 2010, 14:16
Under [esp] you have the return address; you destroy it.
[esp+4] does not even belong to you...


        enter 128,0                 ; standard frame plus 128 bytes of local space below ebp

        push 0x87654321             ; wsprintfW arguments, pushed right to left
        push 0x12345678
        push f                      ; f: address of the wide format string (not shown in the snippet)
        lea eax,[ebp-128]           ; output buffer lives inside the local area
        push eax
        call [wsprintfW]
        add esp,16                  ; wsprintfW is cdecl: the caller removes the four arguments

        push 0                      ; uType
        push 0                      ; lpCaption
        lea eax,[ebp-128]           ; lpText = the formatted buffer
        push eax
        push 0                      ; hWnd
        call [MessageBoxW]


Overflowz 18 Oct 2010, 15:27
Hmm.. I don't understand that.. can you look at this example and tell me how it works? I don't mean the exploit, only that edi has all of the hex values there.. thanks. here's the site
baldr 18 Oct 2010, 17:10

Examine all the code. It allocates some space on stack and sets edi to point to that area. Then [edi+offset] is used to access allocated memory, like with ebp for standard stack frame.

Wait a minute…
Overflowz wrote:
I'm trying to move some values into 1 register like this..
mov dword[ebp],0x12345678
mov dword[ebp+4],0x87654321
I've underlined the part that caught my eye. These instructions move values to the memory pointed to by the ebp register, not to the register itself.
Overflowz 18 Oct 2010, 19:03
hmm.. can you write a working example with comments please? Because I'm not an expert in these things.. thank you.
baldr 18 Oct 2010, 19:53

An example of what?
Overflowz wrote:
but how I can split those things to make in msgbox ebp = 0x12345678 and ebp+4 0x87654321
One way to read this is: ebp is equal to 0x12345678. Consequently, ebp+4 is equal to 0x12345678+4 (==0x1234567C), not 0x87654321.

Another approach to interpret it is that dwords at addresses ebp and ebp+4 must have values 0x12345678 and 0x87654321 respectively at some point in MessageBoxA() function.
Well, that function almost immediately establishes a standard stack frame (the famous push ebp / mov ebp, esp), in which case dword[ebp] contains the caller's ebp, and dword[ebp+4] is the return address. Place call [MessageBoxA] at address 0x8765431B (not an easy task), put 0x12345678 in ebp, and after push / mov those dwords will contain the desired values (though I don't know what it's useful for: function arguments start from ebp+8).

State clearly what you're trying to achieve.
Overflowz 19 Oct 2010, 08:15
damn it's so hard. I understand that ebp+4 is 0x1234567C but the other things I don't.. I can't understand what to copy where, etc.. What I'm asking is, for example:
mov [ebp],0x12345678
mov [ebp+4],0x87654321
and then I have defined those:
var1 dd 10
var2 dd 10
and then I want to move 0x12345678 and 0x87654321 into those like:
mov [var1],ebp
mov [var2],ebp+4
but I fail.. any example please?
When all else fails, read the source

revolution 19 Oct 2010, 10:05
Overflowz: What do you want to do? Do you want to display the ASCII hex string equivalent of the binary numbers 0x12345678 & 0x87654321?

Your question is confusing and unclear. Perhaps you can show an example of what you want to see as the final output.
Overflowz 19 Oct 2010, 11:30
Yes.. I'm trying to do that but from 1 register. so when for example:
printf,ebp should be 0x12345678
printf,ebp+4 should be 0x87654321
and sorry for my bad English.
revolution 19 Oct 2010, 12:19
Do you mean like this:
format PE GUI 4.0
include 'WIN32AX.INC'

entry main

section '.data' data readable writeable

        buffer rb 30

section '.text' code readable executable

proc main
        mov     ebp,esp
        sub     esp,8
        mov     dword[ebp-4],0x12345678
        mov     dword[ebp-8],0x87654321
        mov     eax,[ebp-4]
        cinvoke wsprintf,buffer,'0x%8x',eax
        invoke  MessageBox,0,buffer,buffer,MB_OK
        mov     eax,[ebp-8]
        cinvoke wsprintf,buffer,'0x%8x',eax
        invoke  MessageBox,0,buffer,buffer,MB_OK
        invoke  ExitProcess,0

section '.idata' import data readable

library user32,'user32.dll',kernel32,'kernel32.dll'
include 'API\USER32.INC'
include 'API\KERNEL32.INC'

section '.reloc' fixups data discardable    
Overflowz 19 Oct 2010, 14:49
Yes, thank you! Btw, can you explain to me why sub esp,8 and then why mov ebp,esp? Can't we just move into esp? Why use ebp instead of esp? Ty.
mindcooler 19 Oct 2010, 15:02
Addressing with ebp is shorter, and you can manipulate the stack without getting lost.
Overflowz 19 Oct 2010, 17:50
Hmm, thank you, and 1 more question: why does it use esp and not another register like edi or ecx or others..?
revolution 19 Oct 2010, 22:22
ESP is your stack. You use this for temporary storage. No other register can be used in this way.
Overflowz 20 Oct 2010, 10:13
I tried on EBP and it worked fine too, and other registers don't seem to be working.. only ESP and EBP. Is EBP the same as ESP?
revolution 20 Oct 2010, 12:24
You can't simply use EBP whenever you feel like it. You have to first set up the initial value (see my code above) else you will clobber the API/caller's stack. Without any set up sometimes you can be lucky and it will work, but other times ...
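A complete fasm program, added here as an illustration and not taken from any post in the thread, that sets up the standard frame baldr and revolution describe (push ebp / mov ebp,esp / sub esp,8), keeps the two values as locals, and copies them into var1/var2 the way the earlier mov [var1],ebp attempt intended; the procedure name show_two_dwords, the buffer size and the message text are my own choices. The message also shows dword[ebp+4], which after the prologue is the return address into main, so you can see the frame layout rather than just the two values.

```asm
format PE GUI 4.0
include 'WIN32AX.INC'

entry main

section '.data' data readable writeable

        var1   dd 0                     ; will receive 0x12345678
        var2   dd 0                     ; will receive 0x87654321
        buffer rb 64

section '.text' code readable executable

; show_two_dwords is an assumed name for this example
proc show_two_dwords
        push    ebp                     ; save caller's ebp: it becomes dword[ebp] after the next line
        mov     ebp,esp                 ; from here dword[ebp+4] is the return address into main
        sub     esp,8                   ; reserve two local dwords below ebp
        mov     dword[ebp-4],0x12345678 ; first local
        mov     dword[ebp-8],0x87654321 ; second local
        mov     eax,[ebp-4]             ; x86 has no memory-to-memory mov,
        mov     [var1],eax              ; so copy each local through a register
        mov     eax,[ebp-8]
        mov     [var2],eax
        cinvoke wsprintf,buffer,'var1=0x%08X var2=0x%08X ret=0x%08X',[var1],[var2],[ebp+4]
        invoke  MessageBox,0,buffer,'stack frame',MB_OK
        mov     esp,ebp                 ; drop the locals
        pop     ebp                     ; restore caller's ebp before returning
        ret
endp

proc main
        call    show_two_dwords
        invoke  ExitProcess,0
endp

section '.idata' import data readable

library user32,'user32.dll',kernel32,'kernel32.dll'
include 'API\USER32.INC'
include 'API\KERNEL32.INC'

section '.reloc' fixups data discardable
```

Because ebp is saved and restored around the locals, the procedure can be called from any API callback without disturbing the caller's frame, which is the failure mode described above when ebp is used without being set up first.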
Overflowz 20 Oct 2010, 18:28
Ahh I got it. thank you very much!
