flat assembler
Message board for the users of flat assembler.

Some assembly questions.
Overflowz
Hello everyone. I have some questions about assembly language. I'm ashamed because I learned assembly without knowing more of the basic information. So, here are my questions.
1) How do people change from bits to bits? I mean 16/32/64. I mean, when I'm using the Windows DEBUG.exe program, I can't use E* registers.. only 16 bits.. why?
2) How can I get the IP/EIP register value?
3) What does the EBP register do? I'm really stuck.
4) How does 32 bit assembly use calls? For example, when calling the MessageBox API, how does it show that message with a window, sound and etc..?
5) How do functions like KiFastSystemCall or other ones from HAL, ntoskrnl work?
6) How do APIs work?? (Hard question I guess)

Thank you for your time.
Post 17 May 2011, 22:22
ass0
sniff... sniff... this smells like homework...sniff
=D

Post 17 May 2011, 22:34
typedef
Hardware <--- Kernel <----- User space <---- You
EBP is used for stack data handling. Mostly..

Question 4:
user32.dll contains the code that plays the sound and creates a window. You call that procedure via a link..

btw we still have to do that skype thing
Post 17 May 2011, 22:45
Overflowz
ass0
Nope, believe it or not, in my country nobody is interested in assembly, even for work. I just love it and want to know more about it.. that's all )
Post 17 May 2011, 23:21
Teehee
Overflowz wrote:
2) How can I get the IP/EIP register value?

Code:
mov eax, eip
?

Post 17 May 2011, 23:36
Overflowz
It's an invalid operand. I think EIP can't be accessed directly. There should be some different way.
Post 17 May 2011, 23:50
Teehee
Code:
push eip
pop eax    
?
Post 17 May 2011, 23:51
Overflowz
Teehee
Mate, it's the same: push/pop/mov/dec/inc/etc... EIP = invalid operand.
Post 17 May 2011, 23:58
Teehee
Code:
call please_the_eip_value    

? or
Code:
mov eax,$    

?
Post 18 May 2011, 00:02
Enko
Quote:
6) How do APIs work?? (Hard question I guess)

An API is just an Application Programming Interface. Something like a library of code for doing some bunch of things, like displaying graphics: direct3d, directdraw, gdi, gdi+, opengl and others.... For sound there's directsound or openal.

Wikipedia has a good link:
http://en.wikipedia.org/wiki/Application_programming_interface

Quote:
4) How does 32 bit assembly use calls? For example, when calling the MessageBox API, how does it show that message with a window, sound and etc..?

It's a WinAPI related question. MessageBox is a function of WinAPI.
How does it work? You can use a debugger and view all the stuff, just make a breakpoint and jump into it, and follow the program flow through user32.dll, kernel.dll and others.

Quote:
1) How do people change from bits to bits? I mean 16/32/64. I mean, when I'm using the Windows DEBUG.exe program, I can't use E* registers.. only 16 bits.. why?

debug.exe, I guess, is a DOS debugger. So it can't debug win32 apps. You need to use another debugger, like ollydbg or perhaps the windbg that comes with the DDK (or you can get it on the web). But ollydbg is more user friendly.
Post 18 May 2011, 00:24
Overflowz
Enko
I know how APIs work, each does its own function, but I asked how it works deeper?
And also, I know what a debugger is and I'm already using a 32 bit debugger, but I don't understand how one can switch from 16 to 32 bits and so on? For example, how can people write a 16 bit or 32 bit OS? How should it be supported?
P.S. I hate my own English grammar !!!!
Post 18 May 2011, 00:44
Enko
To look deeply into the WinAPI you can debug it using ollydbg in the user privileged ring, and if you want to see the Windows kernel, you will need to use windbg in kernel mode, connecting the host PC with a serial cable to a server PC that will debug the kernel of the host PC. Or you can get the same result using VMware, installing a virtual Windows, and then debugging it with windbg; there are some pretty good user guides on how to do that.

And for the 16 bit and 32 bit part, I suggest you read the INTEL ARCHITECTURE MANUALS
http://www.intel.com/products/processor/manuals/

They will explain to you what real mode, protected mode (32 bit) and long mode (64 bit) are, what the difference between them is, and how to enter each of them.
Don't get scared, they are really very lightly written.
Post 18 May 2011, 00:53
ouadji
For ring0 debugging, Syser is a good alternative.
But to begin, only ring3 + Olly ... this is already a very good learning environment.

Post 18 May 2011, 03:35
Overflowz
Yes, I'm already using a Ring3 debugger, and OllyDBG is my choice because it helps me a lot, and also Immunity Debugger (for some reasons), but I haven't worked with Ring0 privileged programs.. I don't know what the kernel is or does.. I think I need to read some book about it. I need deep information, not Wikipedia.. I'll read the manual now.. Thanks.
Post 18 May 2011, 08:23
Enko
Overflowz wrote:
Yes, I'm already using a Ring3 debugger, and OllyDBG is my choice because it helps me a lot, and also Immunity Debugger (for some reasons), but I haven't worked with Ring0 privileged programs.. I don't know what the kernel is or does.. I think I need to read some book about it. I need deep information, not Wikipedia.. I'll read the manual now.. Thanks.

Start with the Intel manuals ^^
I think it's a must read for any x86 assembly programmer.
Post 18 May 2011, 13:10
typedef
Real mode (Ring0){ Windows Display Driver here } <-- user32.dll calls it to draw a window <--- Your app here ( CreateWindowEx )
Post 18 May 2011, 18:13
Overflowz
Can someone suggest me some books?
Post 18 May 2011, 19:36
xleelz
no... but try osdev.org and osdever.net if you want to know more about how the actual operating system works (or how it should work anyway).
Post 18 May 2011, 21:18
Teehee
Overflowz wrote:
2) How can I get the IP/EIP register value?

I just found the answer (I hope so):

Code:
[Position-independent code in 32-bit mode]

Position-independent code is required for making shared objects (*.so) in 32-bit Unix-like
systems. The most common method for making position-independent code in 32-bit Linux
and BSD is to use a global offset table (GOT) containing the addresses of all static objects.
The GOT method is quite inefficient because the code has to fetch an address from the
GOT every time it reads or writes data in the data segment. A faster method is to use an
arbitrary reference point, as shown in the following example:

; Example 3.5. Position-independent code, 32 bit, YASM syntax
SECTION .data
alpha:  dd      1
beta:   dd      2
SECTION .text
funca:  ; This function returns alpha + beta
        call    get_thunk_ecx             ; get ecx = eip
refpoint:                                 ; ecx points here
        mov     eax, [ecx+alpha-refpoint] ; relative address
        add     eax, [ecx+beta -refpoint] ; relative address
        ret
get_thunk_ecx:  ; Function for reading instruction pointer
        mov     ecx, [esp]
        ret

The only instruction that can read the instruction pointer in 32-bit mode is the call
instruction. In example 3.5 we are using call get_thunk_ecx for reading the instruction
pointer (eip) into ecx. ecx will then point to the first instruction after the call. This is our
reference point, named refpoint.  (get_thunk_ecx must be a separate function with its
own return because a call without a return would cause mispredictions of subsequent
returns). All objects in the data segment can now be addressed relative to refpoint with
ecx as pointer.
This method is commonly used in Mac systems, where the mach-o file format supports
references relative to an arbitrary point. Other file formats don't support this kind of
reference, but it is possible to use a self-relative reference with an offset. The YASM and
Gnu assemblers will do this automatically, while most other assemblers are unable to
handle this situation. It is therefore necessary to use a YASM or Gnu assembler if you want
to generate position-independent code in 32-bit mode with this method. The code may look
strange in a debugger or disassembler, but it executes without any problems in all 32-bit
x86 operating systems

from here: http://www.agner.org/optimize/optimizing_assembly.pdf

Post 18 May 2011, 22:48
Enko
It's impossible to access the EIP register directly.

To read EIP you can:
Code:
        call    eipreg          ; pushes the address of eipreg as the return address
eipreg:
        pop     eax             ; eax = address of this instruction

and to set EIP
Code:
        call    some_function
        ;or
        jmp     some_label
Post 18 May 2011, 23:09
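The call/pop trick above, the EBP frame typedef mentioned, and the pushes behind a 32-bit MessageBox call, put together in one complete fasm program. This is an added example, not code from any poster in this thread; it assumes fasm's bundled win32a.inc (for the import macros and the MB_OK equate) and a 32-bit Windows target.

```asm
; Added example (not from the thread): fasm, 32-bit Windows, needs win32a.inc.
format PE GUI 4.0
entry start
include 'win32a.inc'

section '.data' data readable writeable
  caption db 'EIP demo',0
  fmt     db 'Address of label here: 0x%08X',0
  buffer  rb 64

section '.text' code readable executable

get_eip:                        ; CALL pushed the return address; read it
        mov     eax, [esp]      ; EAX = address of the instruction after the CALL
        ret

start:
        push    ebp             ; save the caller's frame pointer
        mov     ebp, esp        ; EBP now anchors this frame: locals live at [ebp-n]
        sub     esp, 8          ; reserve two dword locals

        call    get_eip         ; EIP is not a valid operand, but CALL exposes it
here:                           ; EAX == address of 'here'
        mov     [ebp-4], eax    ; keep it in a local, addressed through EBP
        mov     eax, here       ; assemble-time address (what 'mov eax,$' gives),
        mov     [ebp-8], eax    ; equal to [ebp-4] when loaded at the image base

        ; wsprintfA is cdecl: push right-to-left, the caller removes the arguments
        push    dword [ebp-4]
        push    fmt
        push    buffer
        call    [wsprintfA]
        add     esp, 12

        ; MessageBoxA is stdcall: push right-to-left, the callee removes 16 bytes
        push    MB_OK
        push    caption
        push    buffer
        push    0               ; hWnd = NULL
        call    [MessageBoxA]

        mov     esp, ebp        ; discard the locals
        pop     ebp             ; restore the caller's EBP
        push    0
        call    [ExitProcess]

section '.idata' import data readable
  library kernel32,'KERNEL32.DLL', user32,'USER32.DLL'
  import kernel32, ExitProcess,'ExitProcess'
  import user32, MessageBoxA,'MessageBoxA', wsprintfA,'wsprintfA'
```

Single-step it in OllyDbg and watch ESP/EBP around the CALLs: the 16-byte difference after `call [MessageBoxA]` is the callee cleaning its stdcall arguments, while `add esp, 12` is you cleaning up after the cdecl wsprintfA.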
Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.