Windows > windows pe64 console. how to get the commandline argc argv?
Feryno 16 Dec 2022, 17:24
On my PC the code compiled into this; running it under a debugger, I can see the misaligned stack there:
Code: 0000000000401000 4883EC30 sub rsp,30 0000000000401004 48C7C100204000 mov rcx,00402000 000000000040100B 48C7C208204000 mov rdx,00402008 0000000000401012 49C7C010204000 mov r8,00402010 0000000000401019 49C7C100000000 mov r9,00000000 0000000000401020 48C744242000000000 mov qword [rsp+20],00000000 0000000000401029 FF1571200000 call qword [00000000004030A0] ; []=00007FFDB50879D0=msvcrt.__getmainargs 000000000040102F 4883C430 add rsp,30 0000000000401033 4883EC20 sub rsp,20 0000000000401037 EB13 jmp 000000000040104C 0000000000401039 417267 jc 00000000004010A2 000000000040103C 6320 movsxd esp,[rax] 000000000040103E 636F75 movsxd ebp,[rdi+75] 0000000000401041 6E outsb 0000000000401042 7420 jz 0000000000401064 0000000000401044 69732025640D0A imul esi,[rbx+20],0A0D6425 000000000040104B 00488D add [rax-73],cl 000000000040104E 0DE6FFFFFF or eax,FFFFFFE6 0000000000401053 488B15A60F0000 mov rdx,[0000000000402000] ; []=0000000000000000 000000000040105A FF1548200000 call qword [00000000004030A8] ; []=00007FFDB50C8B50=msvcrt.printf 0000000000401060 4883C420 add rsp,20 0000000000401064 488B059D0F0000 mov rax,[0000000000402008] ; []=0000000000000000 000000000040106B 4883EC20 sub rsp,20 000000000040106F EB15 jmp 0000000000401086 0000000000401071 50 push rax 0000000000401072 726F jc 00000000004010E3 0000000000401074 677261 jc 00000000004010D7 0000000000401077 6D insd 0000000000401078 206E61 and [rsi+61],ch 000000000040107B 6D insd 000000000040107C 65206973 GS and [rcx+73],ch 0000000000401080 2025730D0A00 and [00000000004A1DF9],ah ; [00000000004A1DF9]=? 
0000000000401086 488D0DE4FFFFFF lea rcx,[0000000000401071] ; []=206D6172676F7250 000000000040108D 488B10 mov rdx,[rax] 0000000000401090 FF1512200000 call qword [00000000004030A8] ; []=00007FFDB50C8B50=msvcrt.printf 0000000000401096 4883C420 add rsp,20 000000000040109A 48C7C301000000 mov rbx,00000001 00000000004010A1 483B1D580F0000 cmp rbx,[0000000000402000] ; []=0000000000000000 00000000004010A8 7341 jnc 00000000004010EB 00000000004010AA 488305560F000008 add qword [0000000000402008],08 ; []=0000000000000000 00000000004010B2 488B054F0F0000 mov rax,[0000000000402008] ; []=0000000000000000 00000000004010B9 4883EC20 sub rsp,20 00000000004010BD EB10 jmp 00000000004010CF 00000000004010BF 61 illegal popa 00000000004010C0 7267 jc 0000000000401129 00000000004010C2 765B jbe 000000000040111F 00000000004010C4 25645D203D and eax,3D205D64 00000000004010C9 2025730D0A00 and [00000000004A1E42],ah ; [00000000004A1E42]=? 00000000004010CF 488D0DE9FFFFFF lea rcx,[00000000004010BF] ; []=5D64255B76677261 00000000004010D6 4889DA mov rdx,rbx 00000000004010D9 4C8B00 mov r8,[rax] 00000000004010DC FF15C61F0000 call qword [00000000004030A8] ; []=00007FFDB50C8B50=msvcrt.printf 00000000004010E2 4883C420 add rsp,20
The sub rsp,30 at the start should correctly be sub rsp,38h: at entry RSP is 8 bytes past a 16-byte boundary because of the return address, so subtracting 30h leaves it misaligned at the CALL, whereas 38h restores the 16-byte alignment the x64 calling convention requires. Unfortunately I can't help you with how to fix the macros...
I do not use macros, I do most of things by my own hands btw I wouldn't use mov rcx,00402000 but LEA RCX,[address] other notes it is quite inefficient to add and sub rsp so many times, it is enough to sub rsp at once in the prologue and then do not add/sub rsp during the procedure, restoring rsp back only at the epilogue at once this program runs fine at me:
Code:
; Minimal PE64 console program: obtains argc/argv from the C runtime via
; msvcrt.__getmainargs and prints the program name and every argument.
; A single stack frame is allocated in the prologue and kept for the whole
; procedure, so RSP is 16-byte aligned at every CALL (compare the disassembly
; below: push rbx + sub rsp,50h).
; image base is 100000000h (matches the addresses in the disassembly below);
; on 'nul' means no DOS stub is embedded.
format PE64 CONSOLE at (1 shl 32) on 'nul'

section '.text' code readable executable

entry $
        push rbx                        ; RBX is callee-saved and serves as the argv index in the loop below
; here we use stack for memory variables
; the letters below count qwords; the frame size and the alignment pad 'c'
; are computed from them at assembly time
a = 1 ; return address from the procedure (the last RET instruction uses it to return back to the caller)
b = 1 ; number of pushed registers (only 1 register push RBX)
; we will set up 'c' later as it cannot yet be calculated
d = 1 ; 1 qword for 5th param startupinfo
e = 1 ; 1 qword used for env
f = 1 ; 1 qword used for argv
g = 1 ; 1 qword used for argc
h = 1 ; 5th param passed to function via stack
i = 4 ; number of qwords reserved for system - qwords [rsp+8*0],... [rsp+8*3]
c = (a+b+d+e+f+g+h+i) and 1 ; aligning stack 10h, this could be 0 or 1 qword
stack_frame_size = 8*(c+d+e+f+g+h+i)    ; 8*10 = 50h with the values above
        sub rsp,stack_frame_size        ; the only RSP adjustment until the epilogue
; the stack frame looks like:
; <- top of stack
; a (ret addr)
; b (pushed regs)
; c (nothing or 1 qword for aligning at 10h)
; d, e, f, g (stack frame)
; h (1 qword for passing 5th arg)
; i (4 qwords)
; <- current RSP
        lea rax,[rsp+8*(i+h+g+f+e)]     ; address of the startupinfo qword
        and qword [rax],0               ; clear it first so the CRT never reads stale stack data through the 5th param
        mov qword [rsp+8*i],rax ; 5th param (stack slot right above the 4 home qwords)
        xor r9,r9 ; 4th param (wildcard expansion flag, 0 = off)
        lea r8,[rsp+8*(i+h+g+f)] ; 3rd param -> env
        lea rdx,[rsp+8*(i+h+g)] ; 2nd param -> argv
        lea rcx,[rsp+8*(i+h)] ; 1st param -> argc
        call [__getmainargs]
        test eax,eax                    ; non-zero = failure; argc/argv are then left untouched and must not be used
        jz OK
        lea rcx,[msg_error]             ; RIP-relative, no absolute address or relocation needed
        call [printf]
        jmp exit
OK:
        mov edx,[rsp+8*(i+h)]           ; argc (32-bit int)
        lea rcx,[msg_argc]              ; format strings are always these constants; argv text only ever travels as a %s argument
        call [printf]
        mov rax,[rsp+8*(i+h+g)]         ; argv
        mov rdx,[rax]                   ; argv[0]
        lea rcx,[msg_progname]
        call [printf]
        mov ebx,1                       ; start from argv[1]
        align 10h
L0:
        cmp [rsp+8*(i+h)],ebx           ; 32-bit compare of argc against the index
        jbe exit                        ; stop once index >= argc, so [rax+rbx*8] never reads past the argv array
        mov rax,[rsp+8*(i+h+g)]
        mov r8,[rax + rbx*8]            ; argv[ebx]
        mov edx,ebx
        lea rcx,[msg_argv]
        call [printf]
        inc ebx
        jmp L0
        align 10h
exit:
        xor ecx,ecx                     ; exit code 0 (also reached from the error path above)
        call [ExitProcess]
; this should not execute, but it is here as an example of epilogue
        add rsp,stack_frame_size
        pop rbx
        xor eax,eax
        ret

section '.data' data readable writeable

msg_error db '__getmainargs failed',0Dh,0Ah,0
msg_argc db 'Argc count is %d',0Dh,0Ah,0
msg_progname db 'Program name is %s',0Dh,0Ah,0
msg_argv db 'argv[%d] = %s',0Dh,0Ah,0

section '.idata' import data readable writeable

; import directory: one descriptor per DLL (name RVA, address table RVA),
; terminated by an all-zero descriptor
dd 0,0,0, RVA kernel_name, RVA kernel_table
dd 0,0,0, RVA msvcrt_name, RVA msvcrt_table
dd 0,0,0, 0, 0

; address tables: the loader overwrites each qword with the resolved function
; pointer; these are the targets of the call [..] instructions above
kernel_table:
ExitProcess dq RVA _ExitProcess
dq 0
msvcrt_table:
__getmainargs dq RVA ___getmainargs
printf dq RVA _printf
dq 0

kernel_name db 'KERNEL32.DLL',0
msvcrt_name db 'MSVCRT.DLL',0

; import-by-name entries: 2-byte hint followed by the NUL-terminated symbol name
; kernel32.dll:
_ExitProcess db 0,0,'ExitProcess',0
; msvcrt.dll:
___getmainargs db 0,0,'__getmainargs',0
_printf db 0,0,'printf',0
here its disasm:
Code: 0000000100001000 53 push rbx 0000000100001001 4883EC50 sub rsp,50 0000000100001005 488D442440 lea rax,[rsp+40] 000000010000100A 48832000 and qword [rax],00 000000010000100E 4889442420 mov [rsp+20],rax 0000000100001013 4D31C9 xor r9,r9 0000000100001016 4C8D442438 lea r8,[rsp+38] 000000010000101B 488D542430 lea rdx,[rsp+30] 0000000100001020 488D4C2428 lea rcx,[rsp+28] 0000000100001025 FF1521200000 call qword [000000010000304C] ; []=00007FFDB50879D0=msvcrt.__getmainargs 000000010000102B 85C0 test eax,eax 000000010000102D 740F jz 000000010000103E 000000010000102F 488D0DCA0F0000 lea rcx,[0000000100002000] ; []=69616D7465675F5F 0000000100001036 FF1518200000 call qword [0000000100003054] ; []=00007FFDB50C8B50=msvcrt.printf 000000010000103C EB62 jmp 00000001000010A0 000000010000103E 8B542428 mov edx,[rsp+28] 0000000100001042 488D0DCE0F0000 lea rcx,[0000000100002017] ; []=756F632063677241 0000000100001049 FF1505200000 call qword [0000000100003054] ; []=00007FFDB50C8B50=msvcrt.printf 000000010000104F 488B442430 mov rax,[rsp+30] 0000000100001054 488B10 mov rdx,[rax] 0000000100001057 488D0DCC0F0000 lea rcx,[000000010000202A] ; []=206D6172676F7250 000000010000105E FF15F01F0000 call 
qword [0000000100003054] ; []=00007FFDB50C8B50=msvcrt.printf 0000000100001064 BB01000000 mov ebx,00000001 0000000100001069 90 nop 000000010000106A 90 nop 000000010000106B 90 nop 000000010000106C 90 nop 000000010000106D 90 nop 000000010000106E 90 nop 000000010000106F 90 nop 0000000100001070 395C2428 cmp [rsp+28],ebx 0000000100001074 762A jbe 00000001000010A0 0000000100001076 488B442430 mov rax,[rsp+30] 000000010000107B 4C8B04D8 mov r8,[rax+rbx*8] 000000010000107F 89DA mov edx,ebx 0000000100001081 488D0DB70F0000 lea rcx,[000000010000203F] ; []=5D64255B76677261 0000000100001088 FF15C61F0000 call qword [0000000100003054] ; []=00007FFDB50C8B50=msvcrt.printf 000000010000108E FFC3 inc ebx 0000000100001090 EBDE jmp 0000000100001070 0000000100001092 90 nop 0000000100001093 90 nop 0000000100001094 90 nop 0000000100001095 90 nop 0000000100001096 90 nop 0000000100001097 90 nop 0000000100001098 90 nop 0000000100001099 90 nop 000000010000109A 90 nop 000000010000109B 90 nop 000000010000109C 90 nop 000000010000109D 90 nop 000000010000109E 90 nop 000000010000109F 90 nop 00000001000010A0 31C9 xor ecx,ecx 00000001000010A2 FF15941F0000 call qword [000000010000303C] ; []=00007FFDB6B6E860=KERNEL32.ExitProcess 00000001000010A8 4883C450 add rsp,50 00000001000010AC 5B pop rbx 00000001000010AD 31C0 xor eax,eax 00000001000010AF C3 ret |
songjiangshan 25 Dec 2022, 01:49
Thanks @Feryno, it works.