flat assembler
Message board for the users of flat assembler.
Windows > simple register question..
b1528932 18 Oct 2010, 14:16
Under [esp] you have the return address; you destroy it.
[esp+4] does not even belong to you... try:
Code:
	enter 128,0              ; frame with 128 bytes of buffer below ebp
	push 0x87654321          ; wsprintfW arguments, pushed right to left
	push 0x12345678
	push f                   ; f: format string label (assumed, e.g. '%08X %08X'), its definition is not shown in the post
	lea eax,[ebp-128]        ; destination buffer inside our own frame
	push eax
	call [wsprintfW]         ; cdecl: the 16 bytes of arguments stay on the stack until leave
	push 0                   ; MessageBoxW(0, buffer, 0, 0)
	push 0
	lea eax,[ebp-128]
	push eax
	push 0
	call [MessageBoxW]
	leave                    ; restores esp/ebp, so [esp] is the return address again
	ret
Overflowz 18 Oct 2010, 15:27
Hmm.. I don't understand that.. can you look at this example and tell me how it works? I don't mean the exploit, only that edi has all of the hex values there.. thanks. Here's the site:
Code: http://web17.webbpro.de/downloads/PDF%20Exploit%20Article/Shellcode.asm
baldr 18 Oct 2010, 17:10
Overflowz,
Examine all the code. It allocates some space on the stack and sets edi to point to that area. Then [edi+offset] is used to access the allocated memory, like with ebp for a standard stack frame. Wait a minute…

Overflowz wrote:
	I'm trying to move some values into 1 register like this..
Overflowz 18 Oct 2010, 19:03
Hmm.. can you write a working example with comments, please? Because I'm not an expert on these things.. thank you.
baldr 18 Oct 2010, 19:53
Overflowz,
An example of what?

Overflowz wrote:
	but how I can split those things to make in msgbox ebp = 0x12345678 and ebp+4 0x87654321

Another approach to interpret it is that dwords at addresses ebp and ebp+4 must have values 0x12345678 and 0x87654321 respectively at some point in MessageBoxA() function. Well, that function almost immediately establishes standard stack frame (famous push ebp / mov ebp, esp), in which case dword[ebp] contains caller's ebp, and dword[ebp+4] is return address. Place call [MessageBoxA] at address 0x8765431B (not an easy task), put 0x12345678 in ebp, and after push / mov those dwords will contain desired values (though I don't know what it's useful for: function arguments are starting from ebp+8). State clearly what you're trying to achieve.
Overflowz 19 Oct 2010, 08:15
Damn, it's so hard. I understand that ebp+4 is 0x1234567C, but the other things I don't.. I can't understand what to copy where, etc.. What I'm asking is, for example:
Code:
	mov [ebp],0x12345678
	mov [ebp+4],0x87654321

and then I have defined those:
Code:
	var1 dd 10
	var2 dd 10

and then I want to move 0x12345678 and 0x87654321 into those like:
Code:
	mov [var1],ebp
	mov [var2],ebp+4

but I fail.. any example, please?
revolution 19 Oct 2010, 10:05
Overflowz: What do you want to do? Do you want to display the ASCII hex string equivalent of the binary numbers 0x12345678 & 0x87654321?
Your question is confusing and unclear. Perhaps you can show an example of what you want to see as the final output.
Overflowz 19 Oct 2010, 11:30
Yes.. I'm trying to do that, but from 1 register. So when, for example:
	printf,ebp   should be 0x12345678
	printf,ebp+4 should be 0x87654321
And sorry for my bad English.
revolution 19 Oct 2010, 12:19
Do you mean like this:
Code:
format PE GUI 4.0
include 'WIN32AX.INC'

entry main

section '.data' data readable writeable

buffer rb 30                          ; output buffer for wsprintf

section '.text' code readable executable

proc main
	mov ebp,esp                   ; ebp = top of our stack frame
	sub esp,8                     ; reserve two dwords of local space below it
	mov dword[ebp-4],0x12345678   ; first local
	mov dword[ebp-8],0x87654321   ; second local
	mov eax,[ebp-4]
	cinvoke wsprintf,buffer,'0x%8x',eax
	invoke MessageBox,0,buffer,buffer,MB_OK
	mov eax,[ebp-8]
	cinvoke wsprintf,buffer,'0x%8x',eax
	invoke MessageBox,0,buffer,buffer,MB_OK
	invoke ExitProcess,0
endp

section '.idata' import data readable

library user32,'user32.dll',kernel32,'kernel32.dll'

include 'API\USER32.INC'
include 'API\KERNEL32.INC'

section '.reloc' fixups data discardable
Overflowz 19 Oct 2010, 14:49
Yes, thank you! By the way, can you explain to me why sub esp,8, and then why mov ebp,esp? Can't we just move into esp? Why use ebp instead of esp? Thank you.
mindcooler 19 Oct 2010, 15:02
Addressing with ebp is shorter, and you can manipulate the stack without getting lost.
Overflowz 19 Oct 2010, 17:50
Hmm, thank you, and one more question: why does it use esp and not another register like edi or ecx or others..?
revolution 19 Oct 2010, 22:22
ESP is your stack. You use this for temporary storage. No other register can be used in this way.
Overflowz 20 Oct 2010, 10:13
I tried it on EBP and it worked fine too, and other registers don't seem to be working.. only ESP and EBP. Is EBP the same as ESP?
revolution 20 Oct 2010, 12:24
You can't simply use EBP whenever you feel like it. You have to first set up the initial value (see my code above) else you will clobber the API/callers stack. Without any set up sometimes you can be lucky and it will work, but other times ...
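The stack layout the replies above reason about (the first reply's warning that [esp] is the return address and [esp+4] is the caller's data, baldr's note that after push ebp / mov ebp,esp the dwords at [ebp] and [ebp+4] are the saved ebp and the return address, and revolution's point that [ebp-4]/[ebp-8] are only safe once ebp has been set up), shown as an added example that is not code from this thread or from fasm. It is a small C model of a 32-bit stack: addresses are offsets into a byte array, and the code addresses 0x00401005 (return address) and 0x1000 (callee), plus the caller's local values 0xCAFE0001/0xCAFE0002, are constructed for the demonstration.

```c
/* Added example: a tiny model of the 32-bit x86 stack, enough to show what
 * mov [esp],imm, mov [ebp-4],imm and a proper enter/leave frame each do to
 * the return address and to the caller's locals. Not from the thread. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BYTES 256          /* size of the simulated stack region */
#define RET_ADDR    0x00401005u  /* constructed: instruction after the call */
#define CALLEE_ADDR 0x00001000u  /* constructed: address of the callee */

typedef struct {
    uint8_t  mem[STACK_BYTES];   /* stack memory; esp/ebp are offsets into it */
    uint32_t esp, ebp, eip;
} Cpu;

static uint32_t rd32(const Cpu *c, uint32_t a) { uint32_t v; memcpy(&v, &c->mem[a], 4); return v; }
static void     wr32(Cpu *c, uint32_t a, uint32_t v) { memcpy(&c->mem[a], &v, 4); }
static void     push(Cpu *c, uint32_t v) { c->esp -= 4; wr32(c, c->esp, v); }
static uint32_t pop(Cpu *c) { uint32_t v = rd32(c, c->esp); c->esp += 4; return v; }

/* The instructions the thread talks about, modelled on the simulated stack. */
static void call_(Cpu *c, uint32_t target) { push(c, RET_ADDR); c->eip = target; }
static void ret_(Cpu *c) { c->eip = pop(c); }
static void enter_(Cpu *c, uint32_t locals) { push(c, c->ebp); c->ebp = c->esp; c->esp -= locals; } /* push ebp / mov ebp,esp / sub esp,N */
static void leave_(Cpu *c) { c->esp = c->ebp; c->ebp = pop(c); }                                     /* mov esp,ebp / pop ebp */

typedef struct {
    uint32_t return_eip;                   /* where ret sent control */
    uint32_t caller_local1, caller_local2; /* the caller's [ebp-4], [ebp-8] after the callee returned */
    uint32_t callee_var1, callee_var2;     /* what the callee read back from its own [ebp-4], [ebp-8] */
    uint32_t saved_ebp, ret_slot;          /* [ebp] and [ebp+4] as seen inside the callee's frame */
    uint32_t ebp_after;                    /* caller's ebp after return; must be unchanged */
} Outcome;

/* Caller: a frame with two locals (constructed values), then `call callee`. */
static void caller_enters_callee(Cpu *c) {
    memset(c, 0, sizeof *c);
    c->esp = c->ebp = STACK_BYTES;
    enter_(c, 8);
    wr32(c, c->ebp - 4, 0xCAFE0001u);
    wr32(c, c->ebp - 8, 0xCAFE0002u);
    call_(c, CALLEE_ADDR);              /* inside the callee: [esp] = RET_ADDR, [esp+4] = caller's [ebp-8] */
}

static Outcome finish(Cpu *c, Outcome o) {
    o.return_eip    = c->eip;
    o.ebp_after     = c->ebp;
    o.caller_local1 = rd32(c, c->ebp - 4);
    o.caller_local2 = rd32(c, c->ebp - 8);
    return o;
}

/* 1. mov [esp],imm / mov [esp+4],imm straight after entry: what the first reply warns about. */
Outcome callee_writes_esp(void) {
    Cpu c; Outcome o = {0};
    caller_enters_callee(&c);
    wr32(&c, c.esp,     0x12345678u);   /* mov dword [esp],0x12345678   -> return address overwritten */
    wr32(&c, c.esp + 4, 0x87654321u);   /* mov dword [esp+4],0x87654321 -> caller's local overwritten */
    ret_(&c);                           /* "returns" to 0x12345678 */
    return finish(&c, o);
}

/* 2. Using [ebp-4]/[ebp-8] while ebp still holds the caller's frame pointer. */
Outcome callee_uses_callers_ebp(void) {
    Cpu c; Outcome o = {0};
    caller_enters_callee(&c);
    wr32(&c, c.ebp - 4, 0x12345678u);   /* lands in the caller's locals, not ours */
    wr32(&c, c.ebp - 8, 0x87654321u);
    ret_(&c);                           /* return address happens to survive this time */
    return finish(&c, o);
}

/* 3. Proper frame first (push ebp / mov ebp,esp / sub esp,8), then leave / ret. */
Outcome callee_with_frame(void) {
    Cpu c; Outcome o = {0};
    caller_enters_callee(&c);
    enter_(&c, 8);
    o.saved_ebp = rd32(&c, c.ebp);      /* [ebp]   = caller's ebp */
    o.ret_slot  = rd32(&c, c.ebp + 4);  /* [ebp+4] = return address; arguments would start at [ebp+8] */
    wr32(&c, c.ebp - 4, 0x12345678u);   /* the two dwords of scratch space below the frame */
    wr32(&c, c.ebp - 8, 0x87654321u);
    o.callee_var1 = rd32(&c, c.ebp - 4);
    o.callee_var2 = rd32(&c, c.ebp - 8);
    leave_(&c);
    ret_(&c);
    return finish(&c, o);
}

int main(void) {
    Outcome a = callee_writes_esp(), b = callee_uses_callers_ebp(), f = callee_with_frame();
    printf("writes [esp]:      ret -> 0x%08" PRIX32 ", caller locals 0x%08" PRIX32 " 0x%08" PRIX32 "\n",
           a.return_eip, a.caller_local1, a.caller_local2);
    printf("uses caller's ebp: ret -> 0x%08" PRIX32 ", caller locals 0x%08" PRIX32 " 0x%08" PRIX32 "\n",
           b.return_eip, b.caller_local1, b.caller_local2);
    printf("proper frame:      ret -> 0x%08" PRIX32 ", caller locals 0x%08" PRIX32 " 0x%08" PRIX32
           ", vars 0x%08" PRIX32 " 0x%08" PRIX32 "\n",
           f.return_eip, f.caller_local1, f.caller_local2, f.callee_var1, f.callee_var2);
    return 0;
}
```

Case 1 is the classic return-address overwrite: `ret` pops 0x12345678 and execution continues at whatever that data says, which is why the first reply calls it destroying the return address. Case 2 is the "sometimes you can be lucky" situation: the return address survives only because the caller happened to have eight bytes of locals in the way, and the caller's own variables are silently corrupted instead. Case 3 is what revolution's listing does, and it is the only one that leaves the caller's frame, ebp and return address exactly as they were.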
Overflowz 20 Oct 2010, 18:28
Ahh, I got it. Thank you very much!
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.