flat assembler
Message board for the users of flat assembler.

Stack doesn't hold entire hexvalue of 4 bytes

theguy
Joined: 22 Jan 2015
Posts: 10
I'm wondering why this happens: if I

Code:
push 0x89675414
mov eax,[esp-1]

then check the eax register with OllyDbg, it shows 67541400. Shouldn't it be 89675414?
Post 09 Feb 2015, 00:22
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17720
Location: In your JS exploiting you and your system
x86 uses a full-descending stack, so to get the last value pushed you should do this:
Code:
mov eax,[esp]
Post 09 Feb 2015, 00:55
theguy
Joined: 22 Jan 2015
Posts: 10
Ok thank you, this noob appreciates it
Post 09 Feb 2015, 01:00
JohnFound
Joined: 16 Jun 2003
Posts: 3502
Location: Bulgaria
And [esp-1] is always incorrect. If you want to get the previous pushed number you have to use [esp-4].
Post 09 Feb 2015, 05:46
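The two answers above (read the top of stack at [esp], and the last popped dword at [esp-4]) and the original poster's result both follow from two facts: x86 pushes downward in 4-byte steps and stores dwords little-endian. The following C program is an added example, not code from this thread or from fasm; it models a small stack region in a byte array (the `sim_stack` type, `sim_push32`, `sim_pop32` and `sim_load32` are hypothetical helpers written for this example, and the zero-filled region below ESP is a constructed assumption) and reproduces the 67541400 that OllyDbg showed, together with the two correct reads.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a small x86 stack region. The stack is full-descending:
 * PUSH subtracts 4 from ESP and then stores the dword at the new ESP; POP
 * loads the dword at ESP and then adds 4. Memory is little-endian, so the
 * least-significant byte of a dword sits at the lowest address. */
enum { STACK_SIZE = 16 };

struct sim_stack {
    uint8_t mem[STACK_SIZE];  /* mem[STACK_SIZE-1] is the highest address */
    int esp;                  /* index into mem; starts at the top (empty) */
};

static void sim_init(struct sim_stack *s)
{
    /* Assumption for the example: the unused area below ESP reads as zero. */
    memset(s->mem, 0, sizeof s->mem);
    s->esp = STACK_SIZE;
}

/* Refuse to model an access outside the buffer instead of reading garbage. */
static void check_range(int addr)
{
    if (addr < 0 || addr + 4 > STACK_SIZE) {
        fprintf(stderr, "access outside the modelled stack region\n");
        abort();
    }
}

/* push imm32 */
static void sim_push32(struct sim_stack *s, uint32_t v)
{
    s->esp -= 4;
    check_range(s->esp);
    for (int i = 0; i < 4; i++)
        s->mem[s->esp + i] = (uint8_t)(v >> (8 * i));  /* little-endian store */
}

/* mov eax,[esp+off]: a 4-byte little-endian load from ESP+off. x86 permits
 * the address to be unaligned (no fault unless alignment checking is on),
 * so an odd offset simply straddles two pushed dwords. */
static uint32_t sim_load32(const struct sim_stack *s, int off)
{
    uint32_t v = 0;
    check_range(s->esp + off);
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)s->mem[s->esp + off + i] << (8 * i);
    return v;
}

/* pop reg32: load at ESP, then ESP += 4. The bytes stay in memory. */
static uint32_t sim_pop32(struct sim_stack *s)
{
    uint32_t v = sim_load32(s, 0);
    s->esp += 4;
    return v;
}

/* The original post: push 0x89675414 then mov eax,[esp-1]. The load takes the
 * zero byte just below ESP as its low byte and drops the pushed value's top
 * byte 0x89, giving 0x67541400, exactly what OllyDbg showed. */
uint32_t read_esp_minus_1(void)
{
    struct sim_stack s;
    sim_init(&s);
    sim_push32(&s, 0x89675414u);
    return sim_load32(&s, -1);
}

/* revolution's fix: the last value pushed is at [esp]. */
uint32_t read_esp(void)
{
    struct sim_stack s;
    sim_init(&s);
    sim_push32(&s, 0x89675414u);
    return sim_load32(&s, 0);
}

/* JohnFound's [esp-4], read as "the dword just popped": the bytes are still in
 * memory below ESP. In user mode under protected mode nothing touches them in
 * between; in real mode an interrupt can overwrite that area at any moment. */
uint32_t read_esp_minus_4_after_pop(void)
{
    struct sim_stack s;
    sim_init(&s);
    sim_push32(&s, 0x89675414u);
    (void)sim_pop32(&s);
    return sim_load32(&s, -4);
}

int main(void)
{
    printf("[esp-1] after push : %08" PRIx32 "\n", read_esp_minus_1());
    printf("[esp]   after push : %08" PRIx32 "\n", read_esp());
    printf("[esp-4] after pop  : %08" PRIx32 "\n", read_esp_minus_4_after_pop());
    return 0;
}
```

The byte loop in `sim_load32` is the whole explanation: an address that is not a multiple of 4 never lines up with a pushed dword, so the register receives three bytes of one value and one byte of its neighbour, with the low byte coming from the lower address.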
DOS386
Joined: 08 Dec 2006
Posts: 1901
> [esp-1] is incorrect always. If you want to get the
> previous pushed number you have to use [esp-4].

Right. Since CPU architecture is bad ... 80386 and above still do use Byte AKA Octet as size unit, but they strongly prefer 32-bit processing.

Code:
  use32
  push ax  ; Size override
  call ... ; Stack is misaligned now ... this is the ticket for the HELL !!!

This compiles fine, but only 2 flaws:

- it breaks Win32 API on NT (not on ME)

- it can even crash if "AC" hack is enabled
Post 09 Feb 2015, 08:55
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17720
Location: In your JS exploiting you and your system
DOS386 wrote:
Right. Since CPU architecture is bad ... 80386 and above still do use Byte AKA Octet as size unit, but they strongly prefer 32-bit processing.

Code:
  use32
  push ax  ; Size override
  call ... ; Stack is misaligned now ... this is the ticket for the HELL !!!

This compiles fine, but only 2 flaws:

- it breaks Win32 API on NT (not on ME)

- it can even crash if "AC" hack is enabled
So don't do it. Problem solved.

And I don't think that byte sized addressing is a flaw. It would be worse if we were forced to process EVERYTHING as 32-bit units. And it becomes even more wasteful if 64-bit CPUs required 64-bit values for everything.

Actually even 8-bits is a compromise because the x86 CPU can do single bit addressing and processing.
Post 09 Feb 2015, 09:01
l_inc
Joined: 23 Oct 2009
Posts: 881
revolution
Quote:
Actually even 8-bits is a compromise because the x86 CPU can do single bit addressing

I don't think so. You can do bitwise arithmetic and introduce an artificial addressing scheme in the form byte_address:bit_address, where byte_address is 32 to 64 bits long and bit_address is 3 bits long, but this cannot be viewed as a uniform addressing scheme, because the bit store ordering is completely transparent to the user with respect to the ISA.

This differs from the byte addressing in standard 32-bit RISC architectures, where native load-storing is 4 bytes wide and 4-byte aligned, but the ISAs still allow bytewise load-storing, and this way the byte store ordering can be inferred from the returned byte value and also affects the software logic in general (difference in endianness). That's why a byte is said to be the smallest addressable unit of memory.

_________________
Faith is a superposition of knowledge and fallacy
Post 09 Feb 2015, 12:51
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17720
Location: In your JS exploiting you and your system
JohnFound wrote:
If you want to get the previous pushed number you have to use [esp-4].
For a user mode program running in protected mode this is true (although I would have said "popped" rather than "pushed"). But for a real mode program the region below ESP will become corrupted when an interrupt is serviced.
Post 10 Feb 2015, 09:45
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.