flat assembler
Message board for the users of flat assembler.

Index > Main > xor sp,sp

Joined: 31 Dec 2005
Posts: 4
Location: .gr + .ru
asmrus 31 Dec 2005, 20:13
Is xor sp,sp something like the ExitProcess function from kernel?
And if yes, why does everybody use that function and not just xor sp,sp?

_________________
"...they track us, our interests and our hosts, we track them,
their interests and their hosts, it's an interesting match and we'll
always win, coz we do not do it for money... work well, +ORC"
Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 01 Jan 2006, 22:03
"xor esp, esp" will cause windows to terminate the application, yes, but it's kind of a "panic" way to do it... ExitProcess is documented, works, will continue working without popping up exceptions, etc. Not much reason to use a hack like "xor esp, esp" unless you're coding for extreme conditions... but then you might as well use a "ret".
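As an added example (not code from the thread or from any of its posters), here is a complete fasm Win32 program that shows the two exit paths f0dder contrasts. The PANIC_EXIT assembly-time switch is an assumption introduced here; the program assumes fasm's own win32a.inc is on the include path.

```asm
; Added example, not from the original thread.
; Assemble with: fasm exitdemo.asm
format PE GUI 4.0
entry start

include 'win32a.inc'          ; fasm's standard Win32 include (assumed available)

PANIC_EXIT = 0                ; assumed switch: 0 = documented exit, 1 = trash ESP

section '.text' code readable executable

start:
if PANIC_EXIT = 0
        ; Documented path: the process ends with exit code 0, the loader
        ; runs DLL detach notifications, and no exception is raised.
        push    0
        call    [ExitProcess]
else
        ; "Panic" path: after xor esp,esp the stack pointer is 0. The next
        ; push decrements it to 0FFFFFFFCh and writes there, an address a
        ; 32-bit user-mode process cannot touch, so the process dies with
        ; an access violation instead of a clean exit code.
        xor     esp,esp
        push    eax
end if

section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL'
  import  kernel32,\
          ExitProcess,'ExitProcess'
```

Build both variants and look at the exit status of each in a debugger or with a wrapper that reports it: the first returns the value you pushed, the second reports the fault.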
Joined: 14 Sep 2005
Posts: 248
shism2 02 Jan 2006, 00:01
Where did you get this information from, asmrus...?? Oh, ESP, oops, I thought you meant SP. Using xor sp,sp instead of xor esp,esp.
It seems to only xor part of the esp register... f0dder, what is the sp register???

When you do xor esp,esp, you can do a push later on and it will terminate.


Last edited by shism2 on 02 Jan 2006, 16:47; edited 1 time in total
Joined: 25 Sep 2003
Posts: 2139
Location: Estonia
Madis731 02 Jan 2006, 12:30
I think when you push to [0000h] you get some exception. You have to pop like f0dder said.

xor sp,sp was maybe used in DOS ages, but I don't think this would be of much more use because you have interrupts there.
In Windows (32-bit) you must use xor esp,esp if you want to clear the whole 32 bits.

I haven't tried - maybe xor esp,esp | pop esp causes an exception too. It just sounds too fishy.
Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 02 Jan 2006, 13:12
Quote:
"xor esp, esp" will cause windows to terminate the application
Under a protected 32-bit OS (not just Windows but all x86 32-bit OSes) you can use ESP as a general-purpose register just like any other. Of course before you try to 'push', 'pop', 'call' or 'ret' you must have a valid value in ESP. This allows the following valid code in 32-bit ring-3 protected mode:
Code:
a_function:
mov [global_var_for_this_thread],esp   ; park the real stack pointer in memory
mov esp,eax                            ; from here on ESP is just another register
xor esp,ebx
xor esp,ecx
xor esp,edx
xor esp,esi
xor esp,edi
xor esp,ebp
mov [result],esp                       ; result = EAX xor EBX xor ... xor EBP
mov esp,[global_var_for_this_thread]   ; restore before anything touches the stack
ret                                    ; RET is only valid once ESP is real again

This can sometimes give you an extra general-purpose register to use if you need it. But the code as above is not re-entrant because the global variable will be overwritten each time it is called. For a single-thread application this is not a problem, but for multi-threaded apps you need to take extra care with global variables.

In DOS and other real mode OSes the code above can be fatal if interrupts are enabled because the interrupts use the same esp for all code. Thus, you will need a 'cli'/'sti' pair in the code to protect it from interrupts.

If you deliberately want to cause an exception in WIN32, one of the easiest methods is simply 'UD2'. Even 'CLI' can be used if the 2 byte opcode for ud2 is a problem.
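As an added example (not revolution's code and not from the thread), the same ESP-as-eighth-register trick rewritten so that it is re-entrant: the saved stack pointer is parked in XMM0, which is a per-thread register rather than shared memory, so concurrent calls on different threads cannot clobber each other's copy. The label xor_all_regs is chosen here, the result is returned in EAX instead of a global, and the fragment assumes an SSE2-capable CPU and that XMM0 holds nothing the caller still needs.

```asm
; Added example, not from the original thread. 32-bit protected mode, ring 3.
use32

; Computes EAX xor EBX xor ECX xor EDX xor ESI xor EDI xor EBP using ESP
; as the accumulator. Returns the result in EAX. Clobbers XMM0 (assumed free).
xor_all_regs:
        movd    xmm0,esp            ; park the real stack pointer in a register
                                    ; that belongs to this thread only
        mov     esp,eax             ; from here on ESP is just another GPR;
        xor     esp,ebx             ; nothing may push, pop, call or ret until
        xor     esp,ecx             ; ESP is restored below
        xor     esp,edx
        xor     esp,esi
        xor     esp,edi
        xor     esp,ebp
        mov     eax,esp             ; hand the result back the normal way
        movd    esp,xmm0            ; real stack pointer is back
        ret                         ; now RET is safe again
```

Because nothing outside the thread's own register file is touched, no global, lock or cli/sti pair is needed in protected mode; the real-mode interrupt caveat from the post above still applies there, since a hardware interrupt would push onto whatever ESP currently holds.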
Joined: 29 Dec 2005
Posts: 2465
Location: Bucharest, Romania
Borsuc 02 Jan 2006, 13:13
I think what you're trying to do is:

1) set the stack pointer to an invalid address (aka null)
2) do an operation there

This will generate a page fault exception since you're operating on an invalid address (at least invalid from Windows' point of view).

It's not recommended, simply because it will not clean up after your application's mess, like destroying all windows in memory, and this will (probably) generate memory leaks, etc. It's like using TerminateProcess.

ExitProcess is the recommended function to exit from a process.
Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 02 Jan 2006, 13:18
Quote:
It's not recommended, simply because it will not clean after your application's mess
Don't forget about the structured exception handling in WIN32. Such a thing is not necessarily fatal for good app's that properly handle exceptions.
Joined: 29 Dec 2005
Posts: 2465
Location: Bucharest, Romania
Borsuc 02 Jan 2006, 13:24
Ah yes.. I mean, it's recommended if your app does not handle exceptions properly.
Joined: 14 Sep 2005
Posts: 248
shism2 02 Jan 2006, 16:48
Like f0dder said, this is for extreme condition programming (software protection).
Copyright © 1999-2024, Tomasz Grysztar.