flat assembler
Message board for the users of flat assembler.

Convert Algorithm to x64

yq8
Joined: 08 May 2015
Posts: 15
Hey,
Once again I am unsure how to convert an algorithm into x64-ready code:

Code:
push ebp
mov ebp, esp
sub esp, 0xc
mov eax, [ebp+0x8]
mov [ebp-0x4], eax
mov eax, [ebp+0xc]
add eax, [ebp-0x4]
dec eax
mov [ebp-0x8], eax
mov eax, [ebp-0x4]
cmp eax, [ebp-0x8]
jae 0x47
mov eax, [ebp-0x8]
movzx eax, byte [eax]
mov [ebp-0x9], al
mov edx, [ebp-0x8]
mov eax, [ebp-0x4]
movzx eax, byte [eax]
mov [edx], al
mov edx, [ebp-0x4]
movzx eax, byte [ebp-0x9]
mov [edx], al
lea eax, [ebp-0x4]
inc dword [eax]
lea eax, [ebp-0x8]
dec dword [eax]
jmp 0x16
mov eax, [ebp+0x10]
mov edx, [ebp+0x8]
mov [eax], edx
leave
ret 0xc

I should probably mention that this algorithm is reversing a string.
Would it be enough to just change the registers from eax to rax etc. and adjust the jumps, or is there something else needed?
How can I convert this into x64 fasm code properly?
Post 10 May 2015, 11:49
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17267
Location: In your JS exploiting you and your system
At a bare minimum you only need to change the calling convention (probably to fastcall) and the registers used for addressing. Registers used for data don't "need" to be changed.
Post 10 May 2015, 12:01
yq8
Okay,
I tried it, so here again, this is the working x86 code (with fixed jumps):

Code:
push ebp
mov ebp, esp
sub esp, 0xc
mov eax, [ebp+0x8]
mov [ebp-0x4], eax
mov eax, [ebp+0xc]
add eax, [ebp-0x4]
dec eax
mov [ebp-0x8], eax
JUMP1:
mov eax, [ebp-0x4]
cmp eax, [ebp-0x8]
jae JUMP2
mov eax, [ebp-0x8]
movzx eax, byte [eax]
mov [ebp-0x9], al
mov edx, [ebp-0x8]
mov eax, [ebp-0x4]
movzx eax, byte [eax]
mov [edx], al
mov edx, [ebp-0x4]
movzx eax, byte [ebp-0x9]
mov [edx], al
lea eax, [ebp-0x4]
inc dword [eax]
lea eax, [ebp-0x8]
dec dword [eax]
jmp JUMP1
JUMP2:
mov eax, [ebp+0x10]
mov edx, [ebp+0x8]
mov [eax], edx
leave
ret 0xc

This is what I've come up with after converting by hand.
x64 code:

Code:
push rbp
mov rbp, rsp
sub rsp, 0x18
mov rax, [rbp+0x10]
mov [rbp-0x8], rax
mov rax, [rbp+0x18]
add rax, [rbp-0x8]
dec rax
mov [rbp-0x10], rax
JUMP1:
mov rax, [rbp-0x8]
cmp rax, [rbp-0x10]
jae JUMP2
mov rax, [rbp-0x10]
movzx rax, byte [rax]
mov [rbp-0x12], ax 0x20
mov rdx, [rbp-0x10]
mov rax, [rbp-0x8]
movzx rax, byte [rax]
mov [rdx], ax
mov rdx, [rbp-0x8]
movzx rax, byte [rbp-0x12]
mov [rdx], ax
lea rax, [rbp-0x8]
inc qword [rax]
lea rax, [rbp-0x10]
dec qword [rax]
jmp JUMP1
JUMP2:
mov rax, [rbp+0x20]
mov rdx, [rbp+0x10]
mov [rax], rdx
leave
ret 0x18

Still, this code is wrong for some reason; I can't get it to work like the x86 code :/
Any idea what's wrong?
Can you help me to correct my 64-bit asm code please?
Post 10 May 2015, 21:52
revolution
As with the other thread, you forgot to convert your calling convention. The parameters won't be on the stack upon entry; they will be in rcx, rdx and r8. And you shouldn't release the stack upon exit with fastcall.
Post 10 May 2015, 23:39
yq8
Hey,
I really appreciate your help.
In which register should the parameters be moved into instead?
And can you please explain this in a bit more detail:
"And you shouldn't release the stack upon exit with fastcall."
I've already read about this on MSDN, but I have a bit of trouble understanding how everything is connected.
What exactly is the mistake in my code?
Just that the parameters are in the wrong registers?
Incorrect offsets.
And about fastcall, I am not entirely sure what this is (I've not worked with x64 asm before).
Big thanks for taking your time to help me.
Post 11 May 2015, 00:08
revolution
A fastcall function will call the code like this:
Code:
mov rcx,parameter1
mov rdx,parameter2
mov r8,parameter3
mov r9,parameter4
sub rsp,8*4 ;make space but do not initialise it
call YourFunction
add rsp,8*4 ;caller restores the stack
So the first four parameters are not on the stack, they are in registers.

And the stack is restored by the caller, so your code should not use any restore value in the "ret".
Post 11 May 2015, 00:16
yq8
Uh, now I am confused.
I am unsure how I should adjust my code so it will use the correct registers.
Post 11 May 2015, 17:24
revolution
For example: to get the first parameter, instead of using "mov rax,[rbp+0x10]" you could use "mov rax,rcx". Or even just use rcx directly instead of transferring it to another register.
Post 12 May 2015, 01:32
yq8
Is that the only change which needs to be made?
Post 12 May 2015, 23:35
revolution
No. It was just an example. All the other parameters also need to be considered. And your final "ret" should not have any value after it.

However, that code you are converting looks like something generated from an HLL compiler. It might be better for learning to rewrite the function from scratch directly in assembly and get something that is more readable and efficient.
Post 13 May 2015, 00:09
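Pulling together revolution's two points (the first parameters arrive in rcx, rdx and r8, and the caller removes what it pushed, so the function ends with a bare `ret`), here is the same string reversal rewritten from scratch for fasm x64 as the last post suggests. This is an added example, not code posted in the thread; `reverse_string`, `call_site`, `buffer`, `buffer_len` and `result_ptr` are assumed names.

```asm
; Added example (not from the thread): the string reversal rewritten from
; scratch for fasm x64 under the Win64 fastcall convention.
; Parameters arrive in registers, not on the stack:
;   rcx = pointer to the string                    (was [ebp+0x8]  in the x86 code)
;   rdx = length in bytes                          (was [ebp+0xc])
;   r8  = address that receives the string pointer (was [ebp+0x10])
; Only volatile registers (rax, rcx, rdx, r8-r11) are touched, so no
; prologue, no nonvolatile saves and no stack frame are needed.
use64

reverse_string:
        mov     rax, rcx                ; rax = first byte
        lea     r9, [rcx+rdx-1]         ; r9  = last byte
.swap:
        cmp     rax, r9
        jae     .done                   ; stop when the pointers meet or cross
                                        ; (also covers len = 0 and len = 1)
        movzx   r10d, byte [rax]        ; r10b = *first
        movzx   r11d, byte [r9]         ; r11b = *last
        mov     [rax], r11b             ; swap the two bytes
        mov     [r9], r10b
        inc     rax
        dec     r9
        jmp     .swap
.done:
        mov     [r8], rcx               ; *out = original string pointer
        ret                             ; bare ret: the CALLER restores rsp.
                                        ; A "ret 0x18" here would leave rsp
                                        ; 0x18 bytes too high after the caller's
                                        ; own "add rsp,8*4" and corrupt its frame.

; Caller side, following revolution's sketch. buffer and result_ptr are
; assumed data labels, buffer_len an assumed constant.
call_site:
        lea     rcx, [buffer]           ; parameter 1
        mov     rdx, buffer_len         ; parameter 2
        lea     r8, [result_ptr]        ; parameter 3
        sub     rsp, 8*4                ; 32-byte shadow space for the register args
        call    reverse_string
        add     rsp, 8*4                ; caller restores the stack
```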
Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.