flat assembler
Message board for the users of flat assembler.

Home Search Register
Log in to check your private messages Log in

Index > Windows > What's the problem here? (ECX clobbered by API calls)
Author
Thread Post new topic Reply to topic
rohagymeg



Joined: 19 Aug 2011
Posts: 77
rohagymeg 17 Jan 2012, 00:28
The first one works as expected. ECX stores the pointer of the heap and is decremented because my loop starts with inc ecx and so the first time it needs to be hHeap-1 to start with the first byte of the heap.

Code:
        invoke HeapAlloc, eax, HEAP_ZERO_MEMORY, [config_size]
        mov ebx, eax
        invoke ReadFile, [hFile], eax, [config_size], no_bytes_read, 0
        mov ecx, ebx
        dec ecx

But in the second one, ECX doesn't point to the same location! But I expect it to do the same but with less instructions.
Code:
        invoke HeapAlloc, eax, HEAP_ZERO_MEMORY, [config_size]
        mov ecx, eax
        invoke ReadFile, [hFile], eax, [config_size], no_bytes_read, 0
        dec ecx

So what am I missing?
Post 17 Jan 2012, 00:28
View user's profile Send private message Reply with quote
edfed



Joined: 20 Feb 2006
Posts: 4324
Location: Now
edfed 17 Jan 2012, 00:32
maybe ReadFile trash ecx...
Post 17 Jan 2012, 00:32
View user's profile Send private message Visit poster's website Reply with quote
rohagymeg



Joined: 19 Aug 2011
Posts: 77
rohagymeg 17 Jan 2012, 00:51
Thanks edfed! So how do I know which function does what to which register? Very Happy
Post 17 Jan 2012, 00:51
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 17 Jan 2012, 01:02
Does ReadFile destroy EBX, if so.. then that could be the problem.

Try PUSH EBX / POP EBX
Post 17 Jan 2012, 01:02
View user's profile Send private message Reply with quote
Yardman



Joined: 12 Apr 2005
Posts: 244
Location: US
Yardman 17 Jan 2012, 01:20
[ Post removed by author. ]


Last edited by Yardman on 04 Apr 2012, 04:52; edited 1 time in total
Post 17 Jan 2012, 01:20
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 17 Jan 2012, 01:47
Yardman wrote:
There goes typedef talking through his arse again.

Functions (API) preserve all registers, except for eax, ecx, and edx, which can be changed across a function call, and esp, which must be updated according to the calling convention.


Did you make windows ?
Post 17 Jan 2012, 01:47
View user's profile Send private message Reply with quote
Tyler



Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
Tyler 17 Jan 2012, 02:32
typedef wrote:
Yardman wrote:
There goes typedef talking through his arse again.

Functions (API) preserve all registers, except for eax, ecx, and edx, which can be changed across a function call, and esp, which must be updated according to the calling convention.


Did you make windows ?
Is it required to have made Windows to know its calling convention? Look up stdcall. All of Windows' API uses stdcall except for a few (like less than 5) exceptions.
Post 17 Jan 2012, 02:32
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 17 Jan 2012, 02:37
Tyler wrote:
typedef wrote:
Yardman wrote:
There goes typedef talking through his arse again.

Functions (API) preserve all registers, except for eax, ecx, and edx, which can be changed across a function call, and esp, which must be updated according to the calling convention.


Did you make windows ?
Is it required to have made Windows to know its calling convention? Look up stdcall. All of Windows' API uses stdcall except for a few (like less than 5) exceptions.


Is it required to have a Yardie talk shit to you because you uploaded a picture of a false malware alarm on his code ? (http://board.flatassembler.net/topic.php?p=139518#139518)

I don't think so.
Post 17 Jan 2012, 02:37
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 19872
Location: In your JS exploiting you and your system
revolution 17 Jan 2012, 04:44
typedef: Read about the standard call convention. What Yardman says is correct. EAX, ECX, EDX and EFLAGS are to be considered clobbered by all API functions all other registers except ESP and EIP are preserved. ESP is updated according to the number of parameters used and EIP is of course set to the following instruction.
Post 17 Jan 2012, 04:44
View user's profile Send private message Visit poster's website Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 17 Jan 2012, 05:28
However, there is something more simpler to consider, the OP stated that when using EBX to save HeapAlloc result (first code block), it worked, but failed with ECX (second code block), so how it comes that preserving EBX may be needed to solve the problem?? (I believe this is was the main cause for Yardman's reaction, the stdcall thing is of secondary or no importance at all. Personally, I think typedef already knew about both stdcall and that ReadFile adheres to that calling convention.)
Post 17 Jan 2012, 05:28
View user's profile Send private message Reply with quote
sinsi



Joined: 10 Aug 2007
Posts: 786
Location: Adelaide
sinsi 17 Jan 2012, 06:40
http://agner.org/optimize/
Look for "5. Calling conventions for different C++ compilers and operating systems"
Post 17 Jan 2012, 06:40
View user's profile Send private message Reply with quote
AsmGuru62



Joined: 28 Jan 2004
Posts: 1561
Location: Toronto, Canada
AsmGuru62 17 Jan 2012, 11:35
API preserves EBX,ESI,EDI,ESP,EBP (plus Direction Flag is ALWAYS 0) -- so these can be used to hold stuff between API calls.
The rest of registers may change -- these include EAX,ECX,EDX.

Important!
If user code changes the Direction Flag to one -- it MUST restore it back to 0, otherwise some API will fail.
Windows 'thinks' that DF=0 at all times, so we should keep the same 'thinking' pattern.


Last edited by AsmGuru62 on 17 Jan 2012, 17:43; edited 2 times in total
Post 17 Jan 2012, 11:35
View user's profile Send private message Send e-mail Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 17 Jan 2012, 15:05
AsmGuru62, Windows 'thinks' that DF = 0 at all times, (i.e. pointers are incremented, not decremented).
http://msdn.microsoft.com/en-us/library/7td56tzs%28VS.80%29.aspx (Yeah, I know it talks about the C run-time here, but by just inspecting EFLAGS at program entry point, you'll notice DF will also be cleared)
Post 17 Jan 2012, 15:05
View user's profile Send private message Reply with quote
AsmGuru62



Joined: 28 Jan 2004
Posts: 1561
Location: Toronto, Canada
AsmGuru62 17 Jan 2012, 17:42
Oh... right! -- DF=0. My bad! I edited my post.
Post 17 Jan 2012, 17:42
View user's profile Send private message Send e-mail Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Main index Download Documentation Examples Message board

Copyright © 1999-2023, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.