Index
> Main > How to get into assembly programmingGoto page Previous 1, 2 |
| Author |
|
|
Walter 04 Nov 2019, 13:32
In addition, there is the book that Tomasz participated as a technical consultant on.
Mastering Assembly Programming |
|||
04 Nov 2019, 13:32 |
|
|
rc 04 Nov 2019, 14:10
Walter wrote: In addition, there is the book that Tomasz participated as a technical consultant on. I already bought this book (twice) (as kindle and as paperback to support the author). Its really good, although pretty heavy to begin with.  Last edited by rc on 05 Nov 2019, 10:06; edited 1 time in total |
|||
|
04 Nov 2019, 14:10 |
|
|
st 05 Nov 2019, 07:23
rc wrote: What debugger do you use? In general, I prefer debuggers over print debugging. What is confusing though is, that unlike in high level languages you don't exactly step through the lines of code you have written. So you end up stepping through the code that the assembler has written out of your code. That's pretty confusing. I mean, that makes sense since you can't step through your macros and stuff line by line as they get converted into assembly as well, but that's confusing: what line in the debugger corresponds to the the line in my code. And also plain assembly code you have written is changed by the assembler due to optimization I guess. |
|||
|
05 Nov 2019, 07:23 |
|
|
rc 05 Nov 2019, 10:04
Quote: WinXP is the last Windows version which has full-featured NTVDM (environment to run old apps) without severe limitations. Oh, didn't know that. Thought the last version was Window ME. Quote: It you are familiar with VS, C++ and can do basic stuff (arrays, pointers etc), I would recommend you try to compile some simple C code, debug it with asm listing enabled, then recompile with optimization and examine step-by-step again. Hope a few iterations will help to get a clue. Thats actually a good idea, thanks for the tip. |
|||
|
05 Nov 2019, 10:04 |
|
|
Tomasz Grysztar 05 Nov 2019, 10:41
rc wrote:
|
|||
|
05 Nov 2019, 10:41 |
|
|
rc 06 Nov 2019, 11:10
Tomasz Grysztar wrote: Windows Me was last in the 9x line, which was running on top of an actual DOS. NTVDM is something different - it is a subsystem on NT kernel that allows to run DOS programs in V86 mode. Also, it has a great DPMI implementation (an exemplary one), so you can run tools like FASMD with no problems. Ah ok, then i have confused this. |
|||
|
06 Nov 2019, 11:10 |
|
|
ProMiNick 06 Nov 2019, 15:05
Moving to assembly can be started from bad things (bad for HLL). But they will help.
1. In assembly there is no types (all types only in mind of programmer). 2. Procedure in assembly is not an object - is just a piece of code with assigned local visibility of variables(params & locals) placed on stack. 3. There is no practical needance in objects or classes - all what makes HLL compiler at backend - in assembly programmer have to do manualy - and object will be just a structure not more. 4. in HLL var definition like "name type absolute var_of_another_type" is very rare case of typecasting(typemixing) - in assembly it is normal situation. 5. it is possible to not define result of function (result is eax usualy) even we not use result returned by winapi it remains in eax register 6. in assembly code could be exception protected too but no one will protect statical initialization (or zeroing) of structure - there is only sense to protect api calls and instruction that realy can cause exceptions (like div). 7. In assembler there is nothing private - everything is global accessed. 8. Standart string types in assembly pChar & pWChar 9. In assembly -there in no needance in highly limited main proc, assembly operate over entry point - and entry point is procedure too! (stupid assumption removed - in edx - entrypoint address, not TEB), but in EBX is PEB (less informative then TEB) prove of 9 pt. Code: format PE GUI 4.0 entry start include 'win32w.inc' virtual at 0 PEB: db $A4 dup (?) .OSMajorVersion db ? db 3 dup (?) .OSMinorVersion db ? db 3 dup (?) end virtual section '.text' code readable executable proc start mov al,[ebx+PEB.OSMajorVersion] add byte[_Version],al mov al,[ebx+PEB.OSMinorVersion] add byte[_Version+2*sizeof.TCHAR],al invoke MessageBox,NULL,_Version,_winVerTitle,MB_OK ;xor eax,eax ;mov eax,ExitCode ; there is no needance in xor eax,eax - MessageBox already done that for us ret endp section '.data' data readable writeable _Version TCHAR '0.0',0 _winVerTitle TCHAR 'Windows version',0 section '.idata' import data readable writeable library user32,'USER32.DLL' ; even without kernel32 import include 'os specific/windows/api/x86/user32.inc' another variant prove of pt.9 (modified template): Code: format PE GUI 4.0 entry start include 'win32w.inc' virtual at 0 PEB: dd ?,? .ImageBaseAddress dd ? end virtual section '.text' code readable executable proc start mov eax,[ebx+PEB.ImageBaseAddress] ;invoke GetModuleHandle,0 - cut it off - it is require kernel32 mov [wc.hInstance],eax invoke LoadIcon,0,IDI_APPLICATION mov [wc.hIcon],eax invoke LoadCursor,0,IDC_ARROW mov [wc.hCursor],eax invoke RegisterClass,wc test eax,eax jz error invoke CreateWindowEx,0,_class,_title,WS_VISIBLE+WS_DLGFRAME+WS_SYSMENU,128,128,256,192,NULL,NULL,[wc.hInstance],NULL test eax,eax jz error msg_loop: invoke GetMessage,msg,NULL,0,0 cmp eax,1 jb end_loop jne msg_loop invoke TranslateMessage,msg invoke DispatchMessage,msg jmp msg_loop error: invoke MessageBox,NULL,_error,NULL,MB_ICONERROR+MB_OK end_loop: mov eax,[msg.wParam] ; invoke ExitProcess,[msg.wParam] - cut it off - it is require kernel32 ret ; endp proc WindowProc uses ebx esi edi, hwnd,wmsg,wparam,lparam cmp [wmsg],WM_DESTROY je .wmdestroy .defwndproc: invoke DefWindowProc,[hwnd],[wmsg],[wparam],[lparam] jmp .finish .wmdestroy: invoke PostQuitMessage,0 xor eax,eax .finish: ret endp section '.data' data readable writeable _class TCHAR 'FASMWIN32',0 _title TCHAR 'Win32 program template',0 _error TCHAR 'Startup failed.',0 wc WNDCLASS 0,WindowProc,0,0,NULL,NULL,NULL,COLOR_BTNFACE+1,NULL,_class msg MSG section '.idata' import data readable writeable library \;kernel32,'KERNEL32.DLL',\ user32,'USER32.DLL' ;include 'os specific/windows/api/x86/kernel32.inc' include 'os specific/windows/api/x86/user32.inc' so kernel32 isn`t main library of OS (as smbody thought) - it is next level of abstraction over TEB & PEB, everything (heaps,TLS, critical sections,SEH, envitonment vars, working directory, etc...) could be accesed and modified manualy via these structures and via substructures they point to. But MS not recomend to do that. (While everithing needed is within address space of current process there is no needance in kernel32, all the rest stubbed|wrapped in kernel32 points to ntdll). |
|||
|
06 Nov 2019, 15:05 |
|
|
rc 08 Nov 2019, 09:38
Thanks ProMiNick that's a nice little summary of the concepts of assembly language!
|
|||
|
08 Nov 2019, 09:38 |
|
|
DimonSoft 08 Nov 2019, 18:41
ProMiNick, just wondering, is the EBX value for the real entry point guaranteed (documented somewhere) to hold the pointer or is it a version-specific stuff? Any links to share?
P.S. ImageBase can be retrieved even easier and in a “more documented” way: Code: ImageBase = $ - rva $ Note also, that lack of ExitProcess may cause the process to stay alive due to threads injected by some components in newer Windows versions. |
|||
|
08 Nov 2019, 18:41 |
|
|
ProMiNick 08 Nov 2019, 20:59
DimonSoft, PEB.ImageBaseAddress is exactly place where GetModuleHandle grab information about imageBase,
PEB.OSMajorVersion & PEB.OSMinorVersion is exactly place where GetOSVersion frabs its data. they acces. Almost everything that kernel32 does is access PEB or TEB and reading or modifiing its members. thou could force relocation to exe adding errorneus imagebase & adding reloc section - so calculated in design time "ImageBase = $ - rva $" would have same errorneus value, but value extracted from PEB in real time will be correct. Value of EBX is guaranteed to be on all windows from win95 up to win10 within all builds until now (nothing stops microsoft to change this on newer versions of win10 & newer Win servers, but they don`t do such changes for more than 20 years). Moreover (need testing) on other platforms MS gifts pointer to PEB too (in other register specific to platform of course) About injected threads - MS injected theads succesfully exited when control returned from entrypoint to ImageLoader. Programers of third party threads are self responsible for freeing threads they injected. |
|||
|
08 Nov 2019, 20:59 |
|
|
Tomasz Grysztar 08 Nov 2019, 21:15
ProMiNick wrote: thou could force relocation to exe adding errorneus imagebase & adding reloc section - so calculated in design time "ImageBase = $ - rva $" would have same errorneus value |
|||
|
08 Nov 2019, 21:15 |
|
|
revolution 09 Nov 2019, 01:52
DimonSoft wrote: ... just wondering, is the EBX value for the real entry point guaranteed (documented somewhere) to hold the pointer or is it a version-specific stuff? |
|||
|
09 Nov 2019, 01:52 |
|
| Goto page Previous 1, 2 < Last Thread | Next Thread > |
Forum Rules:
|