flat assembler
Message board for the users of flat assembler.

Index > Windows > Simple asm gone wrong

blacky
Joined: 06 Apr 2006
Posts: 32
Location: JA
blacky 24 Jul 2013, 19:34
Guys, I've been away from fasm a long time, but I'm writing a piece of code that should work, and fasm will not assemble it. I think it is syntax related, but I've tried every variant.

Code:
format PE console
entry start

include 'win32a.inc'
include 'macro/import32.inc'

section '.data' data  readable
        foundDebug db 'Debugger present!!',0   ; printf expects a NUL-terminated string

section '.txt' code readable executable

        start:

          mov eax, fs:dword ptr[30h]   ; PEB (this is the line fasm rejects)
         ; mov eax,dword ptr [fs:30h] ;PEB
          mov al, [eax+68h] ;NtGlobalFlag
          and al, 70h  ;check flags for debugger
          cmp al, 70h
          je .is_debugged   ; the labels below are local ('.'), so the jumps must name them that way
          jmp .exif

          .is_debugged:
          push foundDebug
          call [printf]

          .exif:
          call [getch]
          push 0
          call [exit]


section '.imp' import data readable

library msvcrt, 'msvcrt.dll'

import msvcrt,\
               exit, 'exit',\
               printf,'printf',\
               getch,'getch'


FASM claims there are extra characters on this line:
mov eax,fs:dword ptr[30h]

I've tried fs:[30h]
fs:dword[30h]

Is my syntax wrong? Is there something else wrong?
rugxulo
Joined: 09 Aug 2005
Posts: 2341
Location: Usono (aka, USA)
rugxulo 24 Jul 2013, 20:07
Code:
c:\rugxulo\tmp>type blah.asm
mov eax,[fs:dword 30h]

c:\rugxulo\tmp>fasm blah.asm
flat assembler  version 1.70.03  (1048575 kilobytes memory)
1 passes, 8 bytes.

c:\rugxulo\tmp>ndisasm blah.bin
00000000  646766A130000000  mov eax,[fs:dword 0x30]


Is that what you wanted? Unlike MASM, FASM doesn't need "ptr" and expects seg overrides inside brackets.
blacky
Joined: 06 Apr 2006
Posts: 32
Location: JA
blacky 25 Jul 2013, 01:30
I'd shake your hand sir, but well..I can't. Thanks that did the trick.
randomdude
Joined: 01 Jun 2012
Posts: 83
randomdude 25 Jul 2013, 16:10
Hmm, I have a question. I see in various anti-debugging tricks:

mov eax,dword[fs:00000018] ; or fs:18h?
mov eax,dword[eax+30h]
movzx eax,byte[eax+2]
...

and others:

mov eax,dword[fs:30h]
movzx eax,byte[eax+2]
...

What does 'mov eax,dword[fs:00000018]' point to exactly, and why is it ignored in some examples?

BTW blacky, this would be a better approach:

Code:
start:

mov eax,dword[fs:30h]      ; PEB
mov eax,dword[eax+68h]     ; PEB.NtGlobalFlag
test eax,0x70              ; any of the heap-check flags set?
jz .end
cinvoke printf,foundDebug
.end:
cinvoke getch
cinvoke exit,0


Last edited by randomdude on 26 Jul 2013, 10:34; edited 1 time in total
baldr
Joined: 19 Mar 2008
Posts: 1651
baldr 25 Jul 2013, 19:55
randomdude,

dword [fs:18h] (TEB.Tib.Self) is a linear pointer to TEB itself. In user mode you can use offsets within fs segment directly (in kernel mode fs:0 points to KPCR).

BTW, your example looks strange (cinvoke [printf] and such); maybe you meant ccall (or cinvoke printf)? Also puts() seems to fit better than printf().
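As an added example (not from any poster in this thread): a complete fasm program that follows baldr's explanation, reaching the PEB first through fs:[18h] (TEB.Tib.Self) and then [TEB+30h], and second directly through fs:[30h], printing both pointers so the match is visible, then reading NtGlobalFlag at PEB+68h and testing the 70h bits that blacky's listing checks. It assumes the win32a.inc/msvcrt.dll setup from blacky's post and the 32-bit offsets quoted in the thread; the message strings are constructed here.

```asm
format PE console
entry start

include 'win32a.inc'

section '.data' data readable
        viaTeb db 'PEB via fs:[18h] (TEB.Tib.Self) then [TEB+30h]: %08X',10,0
        direct db 'PEB via fs:[30h] directly:                     %08X',10,0
        gflag  db 'PEB.NtGlobalFlag = %08X',10,0
        hit    db 'all three heap-check flags (70h) are set',0
        nohit  db 'heap-check flags (70h) are not all set',0

section '.text' code readable executable

start:
        ; Route 1: fs:[18h] is TEB.Tib.Self, the linear address of the TEB;
        ; the PEB pointer is the dword at TEB+30h.
        mov     eax,[fs:18h]
        mov     ebx,[eax+30h]          ; ebx survives the cdecl calls below
        cinvoke printf,viaTeb,ebx

        ; Route 2: the same TEB field read through the fs segment directly.
        mov     esi,[fs:30h]
        cinvoke printf,direct,esi      ; prints the same value as route 1

        ; NtGlobalFlag sits at PEB+68h in a 32-bit process.
        mov     edi,[esi+68h]
        cinvoke printf,gflag,edi
        and     edi,70h                ; keep only the bits the thread tests
        cmp     edi,70h
        jne     .clear
        cinvoke puts,hit               ; puts(), as baldr suggested
        jmp     .done
.clear:
        cinvoke puts,nohit
.done:
        cinvoke getch
        cinvoke exit,0

section '.idata' import data readable

library msvcrt,'msvcrt.dll'

import msvcrt,\
       printf,'printf',\
       puts,'puts',\
       getch,'getch',\
       exit,'exit'
```

Assemble with fasm as a 32-bit console program; the two pointer lines print the same value, which is the point of baldr's answer.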
edfed
Joined: 20 Feb 2006
Posts: 4352
Location: Now
edfed 26 Jul 2013, 08:40
You don't need the size override since eax is still a dword.
Code:
mov eax,[fs:30h]
randomdude
Joined: 01 Jun 2012
Posts: 83
randomdude 26 Jul 2013, 10:35
OK, thx.

Forgot to remove the []. Fixed.

edfed wrote:
You don't need the size override since eax is still a dword.
Code:
mov eax,[fs:30h]


I know, I always specify it to avoid misunderstandings.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.