flat assembler
Message board for the users of flat assembler.

Index > Main > mutiple if conditions

Author
Thread Post new topic Reply to topic
int0x50



Joined: 19 Jul 2019
Posts: 54
int0x50 21 Jul 2023, 01:46
i am writing a pe parser. the sections characteristics dword field hold multiple bits, that tells the properties of the section.

in-order to find out, this is how C code looks like.

if (characteristics & 0x20000000 == 0x20000000)
{ printf("exec"); }
if (characteristics & 0x40000000 == 0x40000000)
{ printf("read"); }
if (characteristics & 0x00000020 == 0x00000020)
{ printf("code"); }
if (characteristics & 0x80000000 == 0x80000000)
{ printf("write"); }
if (characteristics & 0x00000040 == 0x00000040)
{ printf("initialized"); }

now, while doing this in assembly, i am doing like this.

characteristics_check_0:
xor rdx, rdx
mov edx, dword [value.section_header.virtual_characteristics]
and edx, 0x20000000
cmp edx, 0x20000000
je characteristics_is_executable
jmp characteristics_check_1
characteristics_is_executable:
invoke printf, " .executable. "

characteristics_check_1:
xor rdx, rdx
mov edx, dword [value.section_header.virtual_characteristics]
and edx, 0x40000000
cmp edx, 0x40000000
je characteristics_is_mem_read
jmp characteristics_check_2
characteristics_is_mem_read:
invoke printf, " .read. "

characteristics_check_2:
xor rdx, rdx
mov edx, dword [value.section_header.virtual_characteristics]
and edx, 0x00000020
cmp edx, 0x00000020
je characteristics_is_mem_exe_code
jmp characteristics_check_3
characteristics_is_mem_exe_code:
invoke printf, " .code. "

characteristics_check_3:
xor rdx, rdx
mov edx, dword [value.section_header.virtual_characteristics]
and edx, 0x80000000
cmp edx, 0x80000000
je characteristics_is_mem_write
jmp characteristics_check_4
characteristics_is_mem_write:
invoke printf, " .write. "

characteristics_check_4:
xor rdx, rdx
mov edx, dword [value.section_header.virtual_characteristics]
and edx, 0x00000040
cmp edx, 0x00000040
je characteristics_is_mem_initialized_data
jmp characteristics_comeout
characteristics_is_mem_initialized_data:
invoke printf, " .initialized data. "

characteristics_comeout:

i want to know, what i am doing is the right approach or is there better way to do this... like with less jmp, less labels, or better way to handle multiple if's ... i am looking for this in fasm and not fasmg....
Post 21 Jul 2023, 01:46
View user's profile Send private message Reply with quote
ProMiNick



Joined: 24 Mar 2012
Posts: 786
Location: Russian Federation, Sochi
ProMiNick 21 Jul 2023, 06:17
there are many ways to do this, but because value.section_header.virtual_characteristics is a bit set we could scan it in loop
preserve esi,edi around
Code:
mov     esi,1 ; initial value could be differ, for ex $20 or whatever with 1 bit set
mov     edi, [value.section_header.virtual_characteristics]
loop:
test    edi,esi
jne     .skip
bsr     eax,esi
push    dword[characteristics+eax*4-4]
call    dword [printf] ; we live in 2023, console is a bit obsolete UI. could thou imagine console interface for example on smartphones? - unimaginable.
.skip:
;test    esi,$00000800 ; they could be not skipped but handled specialy ...
;jmp     @F
;shl     esi,8         ;, or skipped could be larger block of bits
;@@:
shl     esi,1
jnc     loop    


Code:
characteristics:
...             ;00000001
                ;00000002
                ;00000004
                ;00000008
...             ;00000010
dd ch_code      ;00000020
dd ch_idata     ;00000040
...             ;00000080
                ;00000100
                ;00000200
                ;00000400
                ;00000800
                ;00001000
                ;00002000
                ;00004000
                ;00000080
                ;00010000
                ;00020000
                ;00040000
                ;00080000
                ;00100000
                ;00200000
                ;00400000
                ;00800000
                ;01000000
                ;02000000
                ;04000000
                ;08000000
...             ;10000000
dd ch_exec      ;20000000
dd ch_read      ;40000000
dd ch_write     ;80000000     

Code:
ch_code         db ' .code. ',0
ch_idata        db ' .initialized data. ',0
ch_exec         db ' .executable. ',0
ch_read         db ' .read. ',0
ch_write        db ' .write. ',0     
Post 21 Jul 2023, 06:17
View user's profile Send private message Send e-mail Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20139
Location: In your JS exploiting you and your system
revolution 21 Jul 2023, 08:16
Each check can be simplified with bt:
Code:
characteristics_check:
        bt      dword [value.section_header.virtual_characteristics],29
        jnc     .check_executable_done
        invoke  printf, " .executable. "
    .check_executable_done:
;...    
Also, you don't need "xor rdx,rdx". When writing edx the upper bits are zeroed.
Post 21 Jul 2023, 08:16
View user's profile Send private message Visit poster's website Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 3946
Location: vpcmipstrm
bitRAKE 21 Jul 2023, 15:25
The nice thing about BSF/BSR is the early exit, imho. If only one bit is set then there is no test for the others. ProMiNick's recommendation with minor change (just to show bit instructions working together):
Code:
        mov eax, [some_bit_flags]
        mov [.local_bits], eax
.more_bits:
        bsf eax, [.local_bits]
        jz .done
; clear bit and respond to it being set
        btr [.local_bits], eax
        lea rcx, [some_bit_table]
        invoke printf, [rcx + rax*8]
        jmp .more_bits
.done:    
... with a low image base, we can even fall-back to the familiar 32-bit offset: "invoke printf, dword [some_bit_table + rax*4]" -- avoiding the LEA to setup the address and using a smaller pointer table. The set bits are effectively the loop counter.

* Happy 20 years to the board and me. One could say that BSR/BSF are bitRAKE's. Very Happy

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
Post 21 Jul 2023, 15:25
View user's profile Send private message Visit poster's website Reply with quote
Picnic



Joined: 05 May 2007
Posts: 1386
Location: Piraeus, Greece
Picnic 21 Jul 2023, 22:08
bitRAKE wrote:
Happy 20 years to the board and me.

bitRAKE, I admire your knowledge, style and attitude all these years on this forum.

Sorry for the off-topic comment int0x50.
just felt the need to write this.
Post 21 Jul 2023, 22:08
View user's profile Send private message Reply with quote
AsmGuru62



Joined: 28 Jan 2004
Posts: 1588
Location: Toronto, Canada
AsmGuru62 22 Jul 2023, 01:42
FASM has .if/.endif macro extensions, so you would not need these labels.
Post 22 Jul 2023, 01:42
View user's profile Send private message Send e-mail Reply with quote
int0x50



Joined: 19 Jul 2019
Posts: 54
int0x50 24 Jul 2023, 14:23
@AsmGuru62 @Picnic @bitRAKE @revolution @ProMiNick

this really helps .. that's ok @Picnic .. i enjoy it ...
Post 24 Jul 2023, 14:23
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.