flat assembler
Message board for the users of flat assembler.
Windows > The difference in executing null bytes between Win10 and XP
AsmGuru62 01 Jan 2025, 16:46
The sequence of 8 bytes set to 0x00 is these 4 opcodes:
Code:
00402320 >/$ 0000      ADD BYTE PTR DS:[EAX], AL
00402322 |.  0000      ADD BYTE PTR DS:[EAX], AL
00402324 |.  0000      ADD BYTE PTR DS:[EAX], AL
00402326 |.  0000      ADD BYTE PTR DS:[EAX], AL

In theory it is possible that when the program starts on XP, the register EAX points to non-writable memory and these opcodes do harm right away. On the next Windows OS, EAX may point to a writable block, so the opcodes will not do much harm (maybe later).
Mat Quasar 01 Jan 2025, 17:31
AsmGuru62 wrote: The sequence of 8 bytes set to 0x00 is these 4 opcodes:

Now I have a better understanding: null bytes are still opcodes. I agree with the possibility of non-writable memory and later writable memory. I first encountered this about 3 years ago in my compiler project, when I forgot to set the entry point to the address after a variable in a writeable code section, and users started complaining. But only today I have had the chance to run the experiment. Thanks AsmGuru62.
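The entry-point layout bug described in the post above, shown as an added fasm example (this is not code from the thread or from any of its participants): a PE32 program whose `entry` label sits after its variables, with the buggy placement left as a comment. The label and variable names (`start`, `counter`, `buffer`, `caption`, `message`) are my own; the Win32 API imports are the standard ones from fasm's `win32a.inc` examples.

```asm
; Added example, not from the thread: the "entry point before a variable"
; layout bug and its fix, as a minimal fasm PE32 program.

format PE GUI 4.0
entry start            ; the entry label must name the first instruction, not data

include 'win32a.inc'

; A single section that is both writeable and executable, as in the
; compiler project described in the thread.
section '.text' code readable writeable executable

; BUG variant (commented out): placing the entry label before the data.
; With 'start:' here, execution begins at 'counter'/'buffer', i.e. eight
; 0x00 bytes, which decode as 4 x 'add byte [eax], al'. Whether that
; faults depends on what EAX holds at process start: read-only kernel32
; .text in the thread's XP/Win7 observation, a writable address on the
; Win10 22H2 machine. Either way the first real instruction is never
; reached as intended.
; start:

counter dd 0           ; constructed sample data: 8 zero bytes in total
buffer  dd 0

start:                 ; FIX: code begins after the variables
        inc     dword [counter]
        push    0
        push    caption
        push    message
        push    0
        call    [MessageBoxA]
        push    0
        call    [ExitProcess]

caption db 'entry check',0
message db 'entry point points at code',0

section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
          user32,'USER32.DLL'

  import kernel32,\
         ExitProcess,'ExitProcess'

  import user32,\
         MessageBoxA,'MessageBoxA'
```

A quick check for this class of bug is to open the built executable in a disassembler at its entry point (the `>/$` marker in the OllyDbg listing earlier in the thread) and confirm the first instruction is the one you wrote, not `ADD BYTE PTR [EAX], AL` from zero-initialised data; keeping data in a separate non-executable `.data` section makes the mistake fail loudly on every Windows version instead of depending on the startup value of EAX.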
macomics 01 Jan 2025, 19:35
Just look in the debugger
EAX points to kernel32.dll .text section (readonly).
macomics 01 Jan 2025, 19:42
In other OS versions, there may be a different address in eax and, accordingly, other consequences.
Mat Quasar 01 Jan 2025, 19:50
macomics wrote: In other OS versions, there may be a different address in eax and, accordingly, other consequences.

Nice finding! Looks like you use Windows 7, which has the same behaviour as Windows XP (i.e. DS:AX points to a read-only memory area). I will check my debugger on Windows 10 after I wake up tomorrow.
Mat Quasar 01 Jan 2025, 20:05
I think 0xDFFCC is writeable, as startup value for EAX register, on my Windows 10 22H2.
So, the reason behind the difference has been revealed. Thank you everyone!
macomics 01 Jan 2025, 21:20
Mat Quasar wrote: I think 0xDFFCC is writeable, as startup value for EAX register, on my Windows 10 22H2.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.