flat assembler
Message board for the users of flat assembler.
Simple asm gone wrong
rugxulo 24 Jul 2013, 20:07
Code:
    c:\rugxulo\tmp>type blah.asm
    mov eax,[fs:dword 30h]

    c:\rugxulo\tmp>fasm blah.asm
    flat assembler version 1.70.03 (1048575 kilobytes memory)
    1 passes, 8 bytes.

    c:\rugxulo\tmp>ndisasm blah.bin
    00000000 646766A130000000 mov eax,[fs:dword 0x30]

Is that what you wanted? Unlike MASM, FASM doesn't need "ptr" and expects seg overrides inside brackets.
blacky 25 Jul 2013, 01:30
I'd shake your hand sir, but well..I can't. Thanks that did the trick.
randomdude 25 Jul 2013, 16:10
hmm i have a question.. i see in various anti-debugging tricks:

    mov eax,dword[fs:00000018] ; or fs:18h?
    mov eax,dword[eax+30h]
    movzx eax,byte[eax+2]
    ...

and others:

    mov eax,dword[fs:30h]
    movzx eax,byte[eax+2]
    ...

what does 'mov eax,dword[fs:00000018]' point to exactly and why it's ignored in some examples?

btw blacky, this would be a better approach

Code:
    start:
        mov eax,dword[fs:30h]
        mov eax,dword[eax+68h]
        test eax,0x70
        jz .end
        cinvoke printf,foundDebug
    .end:
        cinvoke getch
        cinvoke exit,0

Last edited by randomdude on 26 Jul 2013, 10:34; edited 1 time in total
baldr 25 Jul 2013, 19:55
randomdude,
dword [fs:18h] (TEB.Tib.Self) is a linear pointer to TEB itself. In user mode you can use offsets within fs segment directly (in kernel mode fs:0 points to KPCR).

BTW, your example looks strange (cinvoke [printf] and such), maybe you've meant ccall (or cinvoke printf)? Also puts() seems to fit better than printf().
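Added example, not part of the thread and not code from any poster: a portable C model of the 32-bit TEB/PEB reads discussed above, for readers who need to recognise this pattern in a disassembly. It shows that the fs:18h route and the direct fs:30h route reach the same PEB, and what the BeingDebugged and NtGlobalFlag tests read. The memory image, base addresses and function names are constructed for illustration; only the offsets and the 0x70 mask come from the posts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit user-mode offsets that appear in the thread. */
#define TEB_SELF         0x18   /* TEB.Tib.Self: linear address of the TEB   */
#define TEB_PEB          0x30   /* TEB field holding the PEB pointer         */
#define PEB_BEING_DBG    0x02   /* PEB.BeingDebugged (byte)                  */
#define PEB_NTGLOBALFLAG 0x68   /* PEB.NtGlobalFlag (dword)                  */
#define DEBUG_HEAP_FLAGS 0x70u  /* tail check 0x10 | free check 0x20 | validate params 0x40 */

/* Constructed stand-in for a process address space (assumed layout). */
enum { TEB_BASE = 0x100, PEB_BASE = 0x400, MEM_SIZE = 0x800 };
static uint8_t mem[MEM_SIZE];

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static void wr32(uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }

/* An fs-relative read: in user mode the fs base is the TEB's address. */
static uint32_t fs32(uint32_t off) { return rd32(TEB_BASE + off); }

/* Fill the model with the fields the snippets touch. */
void build_process(int being_debugged, uint32_t nt_global_flag) {
    memset(mem, 0, sizeof mem);
    wr32(TEB_BASE + TEB_SELF, TEB_BASE);   /* Self points back at the TEB */
    wr32(TEB_BASE + TEB_PEB, PEB_BASE);
    mem[PEB_BASE + PEB_BEING_DBG] = (uint8_t)being_debugged;
    wr32(PEB_BASE + PEB_NTGLOBALFLAG, nt_global_flag);
}

/* mov eax,[fs:18h] / mov eax,[eax+30h] : go through the linear TEB pointer */
uint32_t peb_via_self(void) { return rd32(fs32(TEB_SELF) + TEB_PEB); }

/* mov eax,[fs:30h] : same field, read directly through the segment */
uint32_t peb_direct(void) { return fs32(TEB_PEB); }

/* movzx eax,byte[eax+2] */
int being_debugged(void) { return mem[peb_direct() + PEB_BEING_DBG]; }

/* mov eax,[eax+68h] / test eax,0x70 */
int debug_heap_flags_set(void) {
    return (rd32(peb_direct() + PEB_NTGLOBALFLAG) & DEBUG_HEAP_FLAGS) != 0;
}

int main(void) {
    build_process(1, 0x70);
    printf("PEB via Self=%#x, direct=%#x, BeingDebugged=%d, heap flags=%d\n",
           (unsigned)peb_via_self(), (unsigned)peb_direct(),
           being_debugged(), debug_heap_flags_set());
    return 0;
}
```
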
edfed 26 Jul 2013, 08:40
you don't need the size override since eax is still a dword.

Code:
    mov eax,[fs:30h]
randomdude 26 Jul 2013, 10:35
ok thx
forgot to remove the []. fixed

edfed wrote:
    you don't need the size override since eax is still a dword.

i know, i always specify it to avoid misunderstandings
Copyright © 1999-2024, Tomasz Grysztar.