flat assembler
Message board for the users of flat assembler.

Index > Windows > Size Question..

Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 22 Oct 2010, 09:41
Hello everyone. I got stuck on a size thing. I'm trying the following, but I can't understand how to do it. Here's an example:
Code:
format PE GUI 4.0
include 'WIN32A.INC'
entry main
section '.data' data readable writeable
lpBuffer rb 256
szBuffer rb 256
section '.text' code readable executable
proc main
invoke GetCurrentDirectory,256,lpBuffer
mov ecx,-1
mov edi,lpBuffer
xor al,al
cld
repne scasb
not ecx
dec ecx
mov dword[szBuffer],ecx
mov edi,szBuffer+lpBuffer ; <--------- Problem is here.
mov al,5ch
stosb
invoke MessageBox,0,lpBuffer,szBuffer,MB_OK
invoke ExitProcess,0
endp
section '.idata' import data readable
library user32,'user32.dll',kernel32,'kernel32.dll'
include 'API\USER32.INC'
include 'API\KERNEL32.INC'
section '.reloc' fixups data discardable    

I am trying to store '\' at the end of lpBuffer's string. I mean:
if GetCurrentDirectory = C:\Users\User\Desktop
it should store the byte here = C:\Users\User\Desktop\ <
Can someone explain to me how to do that? Thanks.
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz 22 Oct 2010, 09:59
That means S=S1+S2 (S: String) as in VB, C, ...?
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 22 Oct 2010, 10:01
Nope, lpBuffer = Current Path and szBuffer = Size of Path.
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz 22 Oct 2010, 10:06
Code:
mov edi,szBuffer
add edi,dword[lpBuffer]
add edi,1
mov edi,'\'
add edi
mov edi,0
    

Is it right?
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 22 Oct 2010, 10:14
Nope. Did you test it before you posted? >.> Because it doesn't work for me. Also, "add edi" is a syntax error; I removed that and it still doesn't work. And why mov edi,szBuffer and then add edi,dword[lpbuffer]? For example, if the size is 25, the result will be 25C:\users... not 25+C:\Users... And BTW, it should be a CHAR string for the MessageBox API.
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20513
Location: In your JS exploiting you and your system
revolution 22 Oct 2010, 10:38
Try this:
Code:
format PE GUI 4.0

include 'WIN32A.INC'

entry main

section '.data' data readable writeable
  lpBuffer rb 256
;;  szBuffer rb 256                             ;not needed

section '.text' code readable executable

proc main
        invoke  GetCurrentDirectory,256,lpBuffer
        mov     ecx,-1
        mov     edi,lpBuffer
        xor     al,al
        cld
        repne   scasb
        not     ecx
        dec     ecx
;;      mov     dword[szBuffer],ecx             ;not needed
        lea     edi,[lpBuffer+ecx]
        mov     al,5ch
        stosb
        mov     al,0                            ;null terminate
        stosb
        invoke  MessageBox,0,lpBuffer,lpBuffer,MB_OK
        invoke  ExitProcess,0
endp

section '.idata' import data readable
        library user32,'user32.dll',kernel32,'kernel32.dll'
        include 'API\USER32.INC'
        include 'API\KERNEL32.INC'

section '.reloc' fixups data discardable
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 22 Oct 2010, 10:45
Worked fine! Thank you! BTW, I don't understand what the difference between LEA and MOV is. I can't understand from the sites what the difference is. Can you tell me, please?
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz 22 Oct 2010, 10:47
my way!
Code:
proc main
invoke GetCurrentDirectory,256,lpBuffer
mov esi,lpBuffer
mov edi,szBuffer
.count:
  lodsb
  stosb
  test al,al
  jnz  .count
sub esi,1
mov byte [esi],'\'
add esi,1
mov byte[esi],0
invoke MessageBox,0,lpBuffer,szBuffer,MB_OK
invoke ExitProcess,0
endp
    
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz 22 Oct 2010, 10:50
Is that right?
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 22 Oct 2010, 10:53
Yes, it is. Thanks :)
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz 22 Oct 2010, 10:53
if not copy
Code:
format PE GUI 4.0
include 'WIN32A.INC'
entry main
section '.data' data readable writeable
  lpBuffer rb 256
section '.text' code readable executable
proc main
  invoke GetCurrentDirectory,256,lpBuffer
  mov esi,lpBuffer
  .count:
    lodsb
    test al,al
    jnz  .count
  sub esi,1
  mov byte [esi],'\'
  add esi,1
  mov byte[esi],0
  invoke MessageBox,0,lpBuffer,lpBuffer,MB_OK
  invoke ExitProcess,0
endp
section '.idata' import data readable
library user32,'user32.dll',\
        kernel32,'kernel32.dll'
include 'API\USER32.INC'
include 'API\KERNEL32.INC'
section '.reloc' fixups data discardable
    
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 22 Oct 2010, 10:56
Works fine. Thank you :) BTW, nice logic you have!
shoorick



Joined: 25 Feb 2005
Posts: 1614
Location: Ukraine
shoorick 22 Oct 2010, 10:57
lea lets you perform address calculation (sometimes used not only for addresses):
lea esi,[eax] = mov esi,eax
lea esi,[eax + edx*4 + 5] has no mov equivalent
If you have a pointer to an array of dwords in ebx and the current element in ecx, you can load a pointer to this element into esi this way:
lea esi,[ebx + ecx*4] ; (4 - size of dword, the maximum multiplier for lea is 8)
--------------
btw, instruction mnemonics make sense. LEA means Load Effective Address.


Last edited by shoorick on 22 Oct 2010, 11:00; edited 1 time in total
pearlz



Joined: 07 Jun 2010
Posts: 55
Location: Viet Nam
pearlz 22 Oct 2010, 10:59
or
Code:
  sub esi,1
  mov word[esi],0x005c
    
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 22 Oct 2010, 11:03
shoorick, thanks, that was a pretty good new example for me.
pearlz, I understand the other, thanks :)
baldr



Joined: 19 Mar 2008
Posts: 1651
baldr 22 Oct 2010, 13:13
Overflowz,

GetCurrentDirectory() returns the number of characters (i.e. words for the Unicode flavor) that are written to lpBuffer.
Code:
        include "Win32WX.Inc"; Win32AX works too
        .code
here:   invoke  GetCurrentDirectory, sizeof.buffer, buffer
if 1=sizeof.TCHAR
        mov     word [buffer+sizeof.TCHAR*eax], '\'; ANSI
else
        mov     dword [buffer+sizeof.TCHAR*eax], '\'; Unicode
end if
        invoke  MessageBox, HWND_DESKTOP, buffer, NULL, MB_OK
        ret

        .data
sizeof.buffer = MAX_PATH
buffer  TCHAR   sizeof.buffer dup ?

        .end    here    
GetCurrentDirectory() can return other values too: 0 if an error occurs, >nBufferLength when the buffer isn't large enough.
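Added example, not code from any poster in this thread: the append done with the return-value checks baldr lists, using lea to form the write address as in revolution's and shoorick's posts. A path that fills the 256-byte buffer leaves no room for '\' plus the terminating zero, so an unchecked append would write past the end of lpBuffer. It assumes the same WIN32A.INC setup as the programs above; BUFSIZE and the .show/.done labels are names chosen here.

```asm
; Added example. BUFSIZE, .show and .done are names chosen for this example.
format PE GUI 4.0
include 'WIN32A.INC'
entry main

BUFSIZE = 256

section '.data' data readable writeable
  lpBuffer rb BUFSIZE

section '.text' code readable executable

proc main
        invoke  GetCurrentDirectory,BUFSIZE,lpBuffer
        test    eax,eax
        jz      .done                   ; 0: the call failed, buffer contents are not valid
        cmp     eax,BUFSIZE-2           ; '\' goes to [eax], the new zero to [eax+1]
        ja      .done                   ; no room for both; this also rejects
                                        ; eax > BUFSIZE (buffer was too small)
        lea     edi,[lpBuffer+eax]      ; edi = address of the terminating zero
        cmp     byte [edi-1],5Ch        ; path already ends in '\' (e.g. C:\)?
        je      .show                   ; then do not append a second one
        mov     word [edi],5Ch          ; stores 5Ch,00h: '\' followed by the new zero
  .show:
        invoke  MessageBox,0,lpBuffer,lpBuffer,MB_OK
  .done:
        invoke  ExitProcess,0
endp

section '.idata' import data readable
        library user32,'user32.dll',kernel32,'kernel32.dll'
        include 'API\USER32.INC'
        include 'API\KERNEL32.INC'

section '.reloc' fixups data discardable
```

Because the length comes from eax, the repne scasb scan is not needed, and the length is never taken from a buffer whose contents are undefined after a failed call.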
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz 22 Oct 2010, 20:21
Hmm, interesting, but that's not for me.. :P Thanks anyway :)


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
