flat assembler
Message board for the users of flat assembler.

Purpose of sub rsp,20h... in invoke macro

Hotwire
Joined: 17 Sep 2015
Posts: 17
06 Jan 2023, 20:02
Hello!

I am trying to get familiar with Win64 and am currently slightly confused.

Code like this
Code:
invoke MessageBoxA,0,0,0,0


is assembled into this
Code:
sub rsp,20h
mov rcx,0
mov rdx,0
mov r8,0
mov r9,0
call [MessageBoxA]
add rsp,20h


These sub rsp,20h and add rsp,20h can be erased without causing any crashes.
What is the purpose of these RSP manipulations?

Happy Holidays!
AsmGuru62
Joined: 28 Jan 2004
Posts: 1496
Location: Toronto, Canada
06 Jan 2023, 21:00
Before an x64 Windows API call, the caller (you) must reserve the shadow room for four 64-bit parameters. And that is where 0x20 comes from.
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 19085
Location: In your JS exploiting you and your system
07 Jan 2023, 01:31
To expand upon AsmGuru62's comment.

The reason you must do that is because the Win64 ABI requires it. If you don't do it then your stack will likely be corrupted by the called function. For simple test code that just exits after the call you won't notice the bad stack and it appears to work fine. But for larger code you will quickly notice the stack has been corrupted when your program crashes.


Last edited by revolution on 09 Jan 2023, 12:17; edited 1 time in total
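As an added example (not code from the thread or from fasm's own package), here is a complete fasm Win64 program that makes the same MessageBoxA call by hand, reserving the 20h-byte shadow space AsmGuru62 and revolution describe plus 8 bytes so that RSP is 16-byte aligned at the call. The label names, the win64a.inc include (for the import macros only) and the ExitProcess call are my choices.

```asm
; Win64 ABI call done by hand: shadow space + 16-byte alignment.
format PE64 GUI 5.0
entry start
include 'win64a.inc'          ; only used here for the library/import macros

section '.text' code readable executable
start:
        ; The loader reaches 'start' via CALL, so RSP = 16n + 8 here.
        ; 20h bytes = shadow space for the 4 register arguments (the callee
        ; owns it and may spill RCX/RDX/R8/R9 or scratch data into it).
        ; The extra 8 bytes make RSP a multiple of 16 at the CALL below.
        sub     rsp, 28h

        xor     ecx, ecx              ; hWnd      = 0  (zero-extends to RCX)
        lea     rdx, [msg]            ; lpText
        lea     r8,  [caption]        ; lpCaption
        xor     r9d, r9d              ; uType     = 0  (zero-extends to R9)
        call    [MessageBoxA]         ; [rsp..rsp+1Fh] may be clobbered by callee

        ; Without the SUB above, the callee's use of its shadow space would
        ; overwrite whatever the caller kept at [rsp..rsp+1Fh]; a program that
        ; exits right after the call simply never notices.
        xor     ecx, ecx              ; uExitCode = 0
        call    [ExitProcess]         ; same 28h frame still covers its shadow space

section '.data' data readable writeable
        caption db 'Win64 ABI', 0
        msg     db 'Called with 20h bytes of shadow space', 0

section '.idata' import data readable writeable
        library kernel32, 'KERNEL32.DLL', \
                user32,   'USER32.DLL'
        import  kernel32, ExitProcess, 'ExitProcess'
        import  user32,   MessageBoxA, 'MessageBoxA'
```

Assemble with fasm and step through it in a debugger: at the CALL the low nibble of RSP is zero, and the callee's writes land inside the 28h bytes you reserved rather than on your own data.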
macgub
Joined: 11 Jan 2006
Posts: 303
Location: Poland
09 Jan 2023, 11:58
To expand upon Hotwire's question.
I would ask about the Win32 ABI.
I know that preserving the ebx and ebp registers is obligatory. What about esi and edi? I guess I need to save/restore them before/after a win invoke call. I read somewhere that ebp is needed as the proc frame. Can I use the following:
Code:
 push  ebp
 mov   ebp,esp
 sub   esp,300
 sub   ebp,128

 ; I achieve shorter addresses to local data: [ebp+128] down to [ebp-128]

 add   esp,300
 pop   ebp

Any other revelations about the win32 ABI?
The network is full of win64, not win32, so I ask here.
Sorry if it was written in some other place on the board.
Thanks for answers!!
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 19085
Location: In your JS exploiting you and your system
09 Jan 2023, 12:16
Win32 uses the STDCALL calling convention:
EBX, EBP, ESI and EDI must be preserved by the callee.

As long as you push and later pop ebp then you can do whatever you want with it within your function. The only caveat is that a debugger might incorrectly try to examine the stack and show you some wrong values.
macgub
Joined: 11 Jan 2006
Posts: 303
Location: Poland
09 Jan 2023, 13:04
revolution wrote:
The only caveat is that a debugger might incorrectly try to examine the stack and show you some wrong values.

So that shows why I sometimes have debugging problems. Sometimes when I exchange an int3 for a nop instruction, x64dbg (its 32-bit version) won't properly continue running the apps I debug..
Thanks for tips...
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 19085
Location: In your JS exploiting you and your system
09 Jan 2023, 13:22
macgub wrote:
So that shows why I sometimes have debugging problems. Sometimes when I exchange an int3 for a nop instruction, x64dbg (its 32-bit version) won't properly continue running the apps I debug..
I don't think that is related to the EBP value. Something else is causing that problem.
Copyright © 1999-2023, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.