flat assembler
Message board for the users of flat assembler.

Index > Windows > x64 call parameters

Author
Thread Post new topic Reply to topic
Fred



Joined: 22 Oct 2010
Posts: 39
Fred 28 Jul 2011, 01:21
I'll say it right now, I still don't fully understand how x64 calls work. Here's my attempt anyway:
Code:
        sub rsp,58h

        mov [rsp+28h],dword left
        mov [rsp+2Ch],dword right
        mov [rsp+30h],dword front
        mov [rsp+34h],dword frontleft
        mov [rsp+38h],dword frontright
        mov [rsp+3Ch],dword front2
        mov [rsp+40h],dword front2left
        mov [rsp+44h],dword front3

        call    looking
        add     rsp,58h  
    

Now... let's say we want to get "left" from the stack. It's not at rsp+28h... it is at rsp+30h. Is this supposed to happen or (more likely) am I doing it wrong?

This "shadow space" also. How does it work? Can I use it for whatever I want? Or should leave it empty unless i'm doing something specific?
Post 28 Jul 2011, 01:21
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 28 Jul 2011, 01:37
You gave too little info. At what position in code are we trying to get "left" from stack? If inside the procedure "looking", that's because "CALL" instruction pushes return address to stack.

Shadow space is for called procedure, to have place where it can save first 4 parameters parameters (passed in registers) should it need to. In case you don't know, first 4 procedure parameters are passed in registers (it's not obvious in code you posted)

My suggestion: disassemble and/or trace some x64 code that came out of compiler. This is sort of thing which is hard to explain but easy to see for yourself.
Post 28 Jul 2011, 01:37
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
Fred



Joined: 22 Oct 2010
Posts: 39
Fred 28 Jul 2011, 01:45
Ah, yes, sorry. I'm trying to access it from within the call.

Quote:
If inside the procedure "looking", that's because "CALL" instruction pushes return address to stack.

I was thinking it might be something like that. Thanks for clearing it out. :)

Quote:
Shadow space is for called procedure, to have place where it can save first 4 parameters parameters (passed in registers) should it need to. In case you don't know, first 4 procedure parameters are passed in registers (it's not obvious in code you posted)

Ah, okay.
Post 28 Jul 2011, 01:45
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20445
Location: In your JS exploiting you and your system
revolution 28 Jul 2011, 01:54
You only have to follow the fastcall standard when you call an OS API function. Inside your own internal code you can do whatever you want.
Post 28 Jul 2011, 01:54
View user's profile Send private message Visit poster's website Reply with quote
Fred



Joined: 22 Oct 2010
Posts: 39
Fred 28 Jul 2011, 01:58
Hmm. That makes sense. I could swear it wasn't working before if I didn't do sub rsp,28h before a regular call. Maybe I had some api functions in those calls that changed some reg values.
Post 28 Jul 2011, 01:58
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 28 Jul 2011, 06:28
Embarassed

Embarassed Shocked Rolling Eyes


Last edited by typedef on 28 Jul 2011, 17:56; edited 2 times in total
Post 28 Jul 2011, 06:28
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 28 Jul 2011, 09:28
typedef: Now try to think a bit about what you posted, and feel ashamed!
Post 28 Jul 2011, 09:28
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 28 Jul 2011, 17:57
vid wrote:
typedef: Now try to think a bit about what you posted, and feel ashamed!


What are you talking about dude? Very Happy Embarassed
Post 28 Jul 2011, 17:57
View user's profile Send private message Reply with quote
Fred



Joined: 22 Oct 2010
Posts: 39
Fred 20 Aug 2011, 21:59
I wonder what happened here, lol o.o

Didn't get a notification mail... maybe that's a good thing though...
Post 20 Aug 2011, 21:59
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 20 Aug 2011, 22:15
typedef posted something that was wrong, I told him, and he edited it out of his post. Notice the "Last edited by typedef on 28 Jul 2011, 18:56; edited 2 times in total" part.
Post 20 Aug 2011, 22:15
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
Fanael



Joined: 03 Jul 2009
Posts: 168
Fanael 20 Aug 2011, 22:34
Yay, asmretard-like methods are still alive! Very Happy
Post 20 Aug 2011, 22:34
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.