flat assembler
Message board for the users of flat assembler.

Need an fASM equivalent of a few MASM instructions

StakFallT
Joined: 19 Jan 2006
Posts: 48
I decided to put my demo on hold for a little while, was getting burnt out as weeks of debugging went by and had nothing to show for it 'cept the same problems... I also noticed on my current project that I might have gotten sloppy and lazy on the demo code and did stuff like changing registers to variables (even though depending on which nesting it took the register might be a different variable). So I might just have to redo it from scratch.. ah well, live and learn. Wasn't without a benefit (was an incredible learning experience).

Anyhow my new project is something a little more backend.. I'm working on a very niche app.. It's sorta like an API monitor.. Every API monitor has some issue that prevents it from being perfect for what I'm looking for.. Some are system-wide API hooks which slow the system down to a crawl.. Some are perfectly OK API monitors except you can't just filter for the cryptography APIs. And some you have to buy, and even then you have to manually plug in the declarations of the API calls, and some of the data types aren't even supported... so.. hence my new project: Crypt Sniffer.. The idea is an app that works at the workstation that is utilizing the cryptography APIs (-not- intermediary, like sniffing off a network).

So anyhow, I found some code for MASM that was a port of Wade Brainerd's C++ apihijack code and I started converting it into fASM code.. I managed to muddle my way through converting to, what I believe are, equivalent instructions.. However (there's always a however, huh?) I ran into some instructions that I'm just not sure what in the world to make of them lol

Here's a snippet of the section I'm having issues with.
I line numbered the lines to make it easier for referring to the problem points..

Code:
1 ;proc PointerToPEHeader hMod:IMAGE_DOS_HEADER
2 
3 ;if valid >NT PE file,return a pointer to the PEHeader  
4       ;set edi to the module
5       mov edi, [hMod]
6       ;mov edi, hMod.e_magic
7       ;mov edi, edi.e_magic
8       ;push edx
9       ;mov edx, hMod.e_magic
10      ;mov edi, edx
11      ;pop edx
12
13
14      ;assume edi:ptr IMAGE_DOS_HEADER
15      
16      ;going to check two things to make sure we are in a valid PE Module
17      
18      ;check the emagic value
19    cmp edi.e_magic, IMAGE_DOS_SIGNATURE
20    ;cmp hMod.e_magic, IMAGE_DOS_SIGNATURE
21    ;cmp edi, IMAGE_DOS_SIGNATURE
22    jne NOTImageDosSignature
23    je PostImageDosSignature
24
    


Problem points:
Problem 1: I read yesterday in the forums someone said there's no keyword called 'proc'? (What the hell? lol)
Problem 2 (Multi-problem but unable to break them apart as they all relate back to each other): Here's the original first 9 lines in MASM form
Code:
PointerToPEHeader proc hMod:DWORD
;if valid >NT PE file,return a pointer to the PEHeader  
        ;set edi to the module
        mov edi,hMod
        assume edi:ptr IMAGE_DOS_HEADER

        ;going to check two things to make sure we are in a valid PE Module
        
        ;check the emagic value
    .if [edi].e_magic!=IMAGE_DOS_SIGNATURE  
    


The 9th line works because we've set edi to an IMAGE_DOS_HEADER type.. but there's no assume in fASM. I looked up assume and it appears all that keyword does is just declare <something> as a type of data.. in this case the IMAGE_DOS_HEADER type... so I tried PointerToPEHeader proc hMod:IMAGE_DOS_HEADER and that had problems

Problem 3: I'm almost certain there's a whole hell of a lot of problems with this conversion bit I did on the IMAGE_DOS_HEADER struct out of MASM's windows.inc file, but here it is
Code:
struc IMAGE_DOS_HEADER
{
  .e_magic           dw      ?
  .e_cblp            dw      ?
  .e_cp              dw      ?
  .e_crlc            dw      ?
  .e_cparhdr         dw      ?
  .e_minalloc        dw      ?
  .e_maxalloc        dw      ?
  .e_ss              dw      ?
  .e_sp              dw      ?
  .e_csum            dw      ?
  .e_ip              dw      ?
  .e_cs              dw      ?
  .e_lfarlc          dw      ?
  .e_ovno            dw      ?
  .e_res             dw   4 dup(?)
  .e_oemid           dw      ?
  .e_oeminfo         dw      ?
  .e_res2            dw  10 dup(?)
  .e_lfanew          dd      ?
  .size = $ - .
}
;virtual at 0
;   IMAGE_DOS_HEADER IMAGE_DOS_HEADER
;end virtual
    


Problem 4: What is the fASM equivalent of: [edi].e_magic or for that matter [any_register].[some_method] ? And what does one do for this line:

Code:
mov edi,[edi].OptionalHeader.DataDirectory[sizeof IMAGE_DATA_DIRECTORY].VirtualAddress
    


Any help would greatly be appreciated, thanks guys!

-- StakFallT
Post 20 May 2006, 22:49
okasvi
Joined: 18 Aug 2005
Posts: 382
Location: Finland
you could use [edi+IMAGE_DOS_HEADER.e_magic] for the first one.

depending on which datadirectory you want to operate with
[edi+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory+sizeof.IMAGE_DATA_DIRECTORY]
or
[edi+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory+(<INDEX>*sizeof.IMAGE_DATA_DIRECTORY)]
replacing <INDEX> with DataDirectory number-1

for checking IMAGE_DOS_SIGNATURE just compare e_magic with 'MZ'
Post 21 May 2006, 02:15
yetifoot
Joined: 20 May 2006
Posts: 7
way above my head except problem 1

include 'macro\proc32.inc'
Post 21 May 2006, 02:45
okasvi
Joined: 18 Aug 2005
Posts: 382
Location: Finland
yetifoot wrote:
way above my head except problem 1

include 'macro\proc32.inc'


include '%fasminc%\win32a.inc'


PointerToPEHeader proc hMod:DWORD
=
proc PointerToPEHeader, hMod
;code
ret
endp

Post 21 May 2006, 03:10
StakFallT
Joined: 19 Jan 2006
Posts: 48
That helped a bit, thanks

I'm having a very similar problem, though, not far below it that doesn't seem to be able to be solved using those methods (no pun intended)

Here's part of the CryptSniffer.inc

CryptSniffer.inc:
Code:
struc IMAGE_DATA_DIRECTORY
{
  .VirtualAddress    dd      ?
  ;.VirtualAddress = $
  ;.size              dd      ?
  .size = $ - .
}
virtual at 0
   IMAGE_DATA_DIRECTORY IMAGE_DATA_DIRETORY
end virtual

struc IMAGE_OPTIONAL_HEADER32
{
  .Magic                         dw      ?
  .MajorLinkerVersion            db      ?
  .MinorLinkerVersion            db      ?
  .SizeOfCode                    dd      ?
  .SizeOfInitializedData         dd      ?
  .SizeOfUninitializedData       dd      ?
  .AddressOfEntryPoint           dd      ?
  .BaseOfCode                    dd      ?
  .BaseOfData                    dd      ?
  .ImageBase                     dd      ?
  .SectionAlignment              dd      ?
  .FileAlignment                 dd      ?
  .MajorOperatingSystemVersion   dw      ?
  .MinorOperatingSystemVersion   dw      ?
  .MajorImageVersion             dw      ?
  .MinorImageVersion             dw      ?
  .MajorSubsystemVersion         dw      ?
  .MinorSubsystemVersion         dw      ?
  .Win32VersionValue             dd      ?
  .SizeOfImage                   dd      ?
  .SizeOfHeaders                 dd      ?
  .CheckSum                      dd      ?
  .Subsystem                     dw      ?
  .DllCharacteristics            dw      ?
  .SizeOfStackReserve            dd      ?
  .SizeOfStackCommit             dd      ?
  .SizeOfHeapReserve             dd      ?
  .SizeOfHeapCommit              dd      ?
  .LoaderFlags                   dd      ?
  .NumberOfRvaAndSizes           dd      ?
  ;.DataDirectory                 IMAGE_DATA_DIRECTORY IMAGE_NUMBEROF_DIRECTORY_ENTRIES dup(<>)
  ;.DataDirectory                 IMAGE_DATA_DIRECTORY IMAGE_NUMBEROF_DIRECTORY_ENTRIES
  ;.DataDirectory                 IMAGE_DATA_DIRECTORY [IMAGE_NUMBEROF_DIRECTORY_ENTRIES] dup ?
  .DataDirectory                 IMAGE_DATA_DIRECTORY [IMAGE_NUMBEROF_DIRECTORY_ENTRIES] dup ?
  ;.DataDirectory                 IMAGE_DATA_DIRECTORY rept 16 (?)
}
;virtual at 0
;   IMAGE_OPTION_HEADER32 IMAGE_OPTION_HEADER32
;end virtual

IMAGE_OPTIONAL_HEADER  equ  <IMAGE_OPTIONAL_HEADER32>

struc IMAGE_FILE_HEADER
{
  .Machine               dw   ?
  .NumberOfSections      dw   ?
  .TimeDateStamp         dd   ?
  .PointerToSymbolTable  dd   ?
  .NumberOfSymbols       dd   ?
  .SizeOfOptionalHeader  dw   ?
  .Characteristics       dw   ?
}
;virtual at 0
;   IMAGE_FILE_HEADER IMAGE_FILE_HEADER
;end virtual


struc IMAGE_NT_HEADERS
{
  .Signature         dd                   ?
  ;.FileHeader        IMAGE_FILE_HEADER       <>
  .FileHeader        IMAGE_FILE_HEADER    ?
  ;.OptionalHeader    IMAGE_OPTIONAL_HEADER32 <>
  .OptionalHeader    IMAGE_OPTIONAL_HEADER32 ?
  .Size = $ - .
}
;virtual at 0
;   IMAGE_NT_HEADERS IMAGE_NT_HEADERS
;end virtual

    


CryptSniffer.asm
Code:
;cmp [edi+IMAGE_NT_HEADERS.Signature], [IMAGE_NT_SIGNATURE]
        ;cmp [esp+IMAGE_NT_HEADERS.Signature], [IMAGE_NT_SIGNATURE]
        ;cmp [edi+IMAGE_NT_HEADERS.Signature], "MZ"
        cmp [edi+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory+sizeof.IMAGE_DATA_DIRECTORY], [IMAGE_NT_SIGNATURE]
        jne NOTImageNTSignature
        je PostImageNTSignature
    


I get "Error: invalid operand" but I've tried all kinds of things, nothing seems to fix it.. Also, are you sure on the checking based on the "MZ" thing? 'Cause I opened up a Windows (GUI based) application and the header contains an MZ, as does a normal DOS program (hence why above you've seen me "attempting" to try a constant such as MZ for the compare)
Also I tried reading the manual about the virtual command, but I just can't make heads or tails out of its description.. in plain English (lol), when should you use virtual? Is there any kind of asm tutorial out there that gives insight as to the creative uses someone might use an instruction/opcode for rather than just its straight textbook definition?

Oh, and one other quick question while I'm here.. register use.. I see an insane amount of conflicting claims of what the standard set of registers should be used for... I see eax being said that the "a" stands for accumulator, and the "b" in ebx stands for "base", and ecx being said that the "c" stands for counter (hence only numerical data can (or should?) be placed in there).. edx, the "d" stands for data.. etc.. but then I look at other people's code and it's all over the place, there's no rhyme or reason, it's almost like whatever they felt like using or needed to use without conforming to some sort of standard. So, is there a standard, and is this standard cast in stone or is it just a standard that most people tend to follow? And do those letters -really- actually stand for that or is that just someone's way to make it easy to remember??

Sorry in advance for being such a pest, just no matter how much I think I finally got a grip on it, I find I don't heh :/

-- StakFallT
Post 21 May 2006, 18:30
okasvi
Joined: 18 Aug 2005
Posts: 382
Location: Finland
as I said, 'MZ' is for checking for a correct DOS header, 'PE' is for a correct NT header. Read Iczelion's PE tutorial, there is a conversion of it for fasm too if I remember correctly, but anyway for the text -> http://win32assembly.online.fr/tutorials.html -> 'PE Tutorials'



btw. don't know if this is any help for you, but here is my not-so-well-working IAT crypter which adds a section and crypts the IAT; at runtime it decrypts, etc.... http://h1.ripway.com/okasvi/PeTo-IAT.rar
Post 22 May 2006, 04:56
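The header walk that okasvi's two replies describe (compare e_magic with 'MZ', follow e_lfanew, compare the NT Signature with 'PE', then index DataDirectory by sizeof IMAGE_DATA_DIRECTORY), written out as an added example. This is not code from the thread, from apihijack or from fasm's win32a.inc; it is in C rather than fasm so the layout and the arithmetic are explicit and it runs anywhere. The struct and constant definitions mirror winnt.h for PE32 only (no windows.h needed), the function names are my own, and the header bytes come from build_sample_image, which constructs a minimal image rather than reading a real binary. The part the MASM original leaves out and a parser of files you did not build must have: e_lfanew and NumberOfRvaAndSizes are attacker-controlled, so they are bounds-checked before any offset is added to the base pointer.

```c
/* Added example (C, not the thread's fasm): PointerToPEHeader with the bounds checks a
 * parser of untrusted files needs. All sample bytes are constructed in build_sample_image. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define IMAGE_DOS_SIGNATURE              0x5A4D      /* "MZ" read as a little-endian WORD  */
#define IMAGE_NT_SIGNATURE               0x00004550  /* "PE\0\0" as a little-endian DWORD */
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC    0x010B
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
#define IMAGE_DIRECTORY_ENTRY_IMPORT     1
typedef struct {
    uint16_t e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc, e_ss, e_sp,
             e_csum, e_ip, e_cs, e_lfarlc, e_ovno, e_res[4], e_oemid, e_oeminfo, e_res2[10];
    int32_t  e_lfanew;                               /* file offset of the NT headers */
} IMAGE_DOS_HEADER;
typedef struct {
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} IMAGE_FILE_HEADER;
typedef struct { uint32_t VirtualAddress, Size; } IMAGE_DATA_DIRECTORY;
typedef struct {
    uint16_t Magic; uint8_t MajorLinkerVersion, MinorLinkerVersion;
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint,
             BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment;
    uint16_t MajorOperatingSystemVersion, MinorOperatingSystemVersion, MajorImageVersion,
             MinorImageVersion, MajorSubsystemVersion, MinorSubsystemVersion;
    uint32_t Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum;
    uint16_t Subsystem, DllCharacteristics;
    uint32_t SizeOfStackReserve, SizeOfStackCommit, SizeOfHeapReserve, SizeOfHeapCommit,
             LoaderFlags, NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32;
typedef struct {
    uint32_t Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32;

/* Natural alignment reproduces the on-disk PE32 layout; check it rather than assume it. */
int layout_ok(void)
{
    return offsetof(IMAGE_DOS_HEADER, e_lfanew) == 0x3C && sizeof(IMAGE_DOS_HEADER) == 64
        && sizeof(IMAGE_OPTIONAL_HEADER32) == 224 && sizeof(IMAGE_NT_HEADERS32) == 248;
}

/* PointerToPEHeader: offset of the NT headers (copied into *nt when nt != NULL), or -1 if
 * the buffer is not a valid PE32 image. memcpy because e_lfanew need not be aligned. */
long pointer_to_pe_header(const uint8_t *img, size_t len, IMAGE_NT_HEADERS32 *nt)
{
    IMAGE_DOS_HEADER dos; IMAGE_NT_HEADERS32 hdr; uint32_t off;
    if (img == NULL || len < sizeof dos) return -1;
    memcpy(&dos, img, sizeof dos);
    if (dos.e_magic != IMAGE_DOS_SIGNATURE) return -1;   /* "MZ": DOS and PE files alike */
    if (dos.e_lfanew < 0) return -1;
    off = (uint32_t)dos.e_lfanew;
    if (off > len || len - off < sizeof hdr) return -1;  /* e_lfanew points past the data */
    memcpy(&hdr, img + off, sizeof hdr);
    if (hdr.Signature != IMAGE_NT_SIGNATURE) return -1;  /* "PE\0\0": NT images only */
    if (hdr.OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) return -1; /* PE32, not PE32+ */
    if (hdr.FileHeader.SizeOfOptionalHeader < sizeof hdr.OptionalHeader) return -1;
    if (nt) *nt = hdr;
    return (long)off;
}

/* DataDirectory[index], i.e. MASM's [edi].OptionalHeader.DataDirectory[index*sizeof IMAGE_DATA_DIRECTORY].
 * A crafted NumberOfRvaAndSizes can exceed the 16-entry array, so both bounds are checked. */
int get_data_directory(const IMAGE_NT_HEADERS32 *nt, uint32_t index, IMAGE_DATA_DIRECTORY *out)
{
    uint32_t n = nt->OptionalHeader.NumberOfRvaAndSizes;
    if (n > IMAGE_NUMBEROF_DIRECTORY_ENTRIES) n = IMAGE_NUMBEROF_DIRECTORY_ENTRIES;
    if (index >= n) return 0;
    *out = nt->OptionalHeader.DataDirectory[index];
    return 1;
}

/* Constructed sample: minimal PE32 headers with the NT headers at 0x80 and one import
 * directory entry. e_lfanew is a parameter so a hostile value can be fed in. */
size_t build_sample_image(uint8_t *buf, size_t cap, int32_t e_lfanew)
{
    IMAGE_DOS_HEADER dos = {0}; IMAGE_NT_HEADERS32 nt = {0};
    const size_t nt_off = 0x80, total = nt_off + sizeof nt;
    if (cap < total) return 0;
    memset(buf, 0, total);
    dos.e_magic = IMAGE_DOS_SIGNATURE;
    dos.e_lfanew = e_lfanew;
    nt.Signature = IMAGE_NT_SIGNATURE;
    nt.FileHeader.SizeOfOptionalHeader = sizeof nt.OptionalHeader;
    nt.OptionalHeader.Magic = IMAGE_NT_OPTIONAL_HDR32_MAGIC;
    nt.OptionalHeader.NumberOfRvaAndSizes = IMAGE_NUMBEROF_DIRECTORY_ENTRIES;
    nt.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = 0x2000;
    nt.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = 0x50;
    memcpy(buf, &dos, sizeof dos);
    memcpy(buf + nt_off, &nt, sizeof nt);
    return total;
}

/* Driver: build the sample with the given e_lfanew and parse only its first len bytes
 * (len == 0 means the whole image). Returns what pointer_to_pe_header returns. */
long demo_parse(int32_t e_lfanew, size_t len)
{
    uint8_t b[512]; size_t n = build_sample_image(b, sizeof b, e_lfanew);
    return pointer_to_pe_header(b, len ? len : n, NULL);
}

/* Driver: VirtualAddress of DataDirectory[index] in the well-formed sample, 0 on any failure. */
uint32_t demo_directory_rva(uint32_t index)
{
    uint8_t b[512]; IMAGE_NT_HEADERS32 nt; IMAGE_DATA_DIRECTORY d = {0, 0};
    size_t n = build_sample_image(b, sizeof b, 0x80);
    if (pointer_to_pe_header(b, n, &nt) < 0) return 0;
    return get_data_directory(&nt, index, &d) ? d.VirtualAddress : 0;
}
```

demo_parse(0x80, 0) returns 0x80 and demo_directory_rva(1) returns 0x2000; a negative or oversized e_lfanew, a buffer cut off inside the NT headers, and a directory index at or past NumberOfRvaAndSizes are all rejected instead of being turned into an out-of-bounds read. The fasm version needs the same three checks in front of the `mov edi,[edi+IMAGE_DOS_HEADER.e_lfanew]` step, since `add edi, ...` with an unchecked e_lfanew will happily point anywhere in the process.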
StakFallT
Joined: 19 Jan 2006
Posts: 48
hmm.. even though it looks like most of the attachment is in MASM syntax, it's still useful to me, and it seems to do everything and then some, except two problems I'm still stuck on..

Trying all different kinds of things with this line, the errors I get are:
Code:
mov edi, pExecPEHeader.IMAGE_OPTIONAL_HEADER32[IMAGE_DATA_DIRECTORY.size]
    
Gives: "Error: extra characters on line."


Code:
mov edi, [pExecPEHeader.IMAGE_OPTIONAL_HEADER32.DataDirectory.size]
    
Gives "Error: undefined symbol."


So if I had to pick, I'd say the undefined one is probably the closest one to performing what it is the line should be performing... which is why I maintain there is something critically wrong with this but I don't know what... It looks like the virtual statement blocks.. What's super odd is at first I thought fASM would not let me do virtual at 0..<blah><blah> end virtual on strucs containing labels of non-standard (standard being dd, db, etc.) data.. But then I confirmed that was not the case because the virtual statement block right after the declaration of IMAGE_DATA_DIRECTORY yields an invalid instruction (if I leave it uncommented as is) and the struc doesn't contain anything odd.. so I'm back to square 1...

Code:
struc IMAGE_DATA_DIRECTORY
{
  .VirtualAddress    dd      ?
  ;.VirtualAddress =  $
  ;.size              dd      ?
  ;.size = $ - .
}
virtual at 0
   IMAGE_DATA_DIRECTORY IMAGE_DATA_DIRETORY
end virtual

struc IMAGE_OPTIONAL_HEADER32
{
  .Magic                         dw      ?
  .MajorLinkerVersion            db      ?
  .MinorLinkerVersion            db      ?
  .SizeOfCode                    dd      ?
  .SizeOfInitializedData         dd      ?
  .SizeOfUninitializedData       dd      ?
  .AddressOfEntryPoint           dd      ?
  .BaseOfCode                    dd      ?
  .BaseOfData                    dd      ?
  .ImageBase                     dd      ?
  .SectionAlignment              dd      ?
  .FileAlignment                 dd      ?
  .MajorOperatingSystemVersion   dw      ?
  .MinorOperatingSystemVersion   dw      ?
  .MajorImageVersion             dw      ?
  .MinorImageVersion             dw      ?
  .MajorSubsystemVersion         dw      ?
  .MinorSubsystemVersion         dw      ?
  .Win32VersionValue             dd      ?
  .SizeOfImage                   dd      ?
  .SizeOfHeaders                 dd      ?
  .CheckSum                      dd      ?
  .Subsystem                     dw      ?
  .DllCharacteristics            dw      ?
  .SizeOfStackReserve            dd      ?
  .SizeOfStackCommit             dd      ?
  .SizeOfHeapReserve             dd      ?
  .SizeOfHeapCommit              dd      ?
  .LoaderFlags                   dd      ?
  .NumberOfRvaAndSizes           dd      ?
  ;.DataDirectory                 IMAGE_DATA_DIRECTORY IMAGE_NUMBEROF_DIRECTORY_ENTRIES dup(<>)
  ;.DataDirectory                 IMAGE_DATA_DIRECTORY IMAGE_NUMBEROF_DIRECTORY_ENTRIES
  ;.DataDirectory                 IMAGE_DATA_DIRECTORY [IMAGE_NUMBEROF_DIRECTORY_ENTRIES] dup ?
  ;.DataDirectory                 IMAGE_DATA_DIRECTORY [IMAGE_NUMBEROF_DIRECTORY_ENTRIES] dup ?
  .DataDirectory                 dd sizeof.IMAGE_DATA_DIRECTORY

  ;.VirtualAddress    dd      ?
  ;.VirtualAddress = $
  ;.size              dd      ?
  ;.size = $ - .

  ;.DataDirectory                 IMAGE_DATA_DIRECTORY rept 16 (?)
  ;.Size = $ - .
}
;virtual at 0
;   IMAGE_OPTION_HEADER32 IMAGE_OPTION_HEADER32
;end virtual

    


Btw, you're right about Iczelion's PE Tutorials, I finally understand now why the MZ shows up in both DOS and Windows applications!


Thanks for the help so far, again I really appreciate it!

-- StakFallT

EDIT: Oh, about the converted tutorials, the link used to be:
http://sulaiman.netadvant.com/fasm/index.html I think... but it no longer works... good damn thing I saved just about every one of those tutorials locally. Only thing though is apparently only the core section (the ones numbered 1-20something) was converted, none of the specialized tutorial sets..
Post 22 May 2006, 16:00
okasvi
Joined: 18 Aug 2005
Posts: 382
Location: Finland
he made some kind of PE-format walkthrough at least.


"even though it looks like most of the attachment is in MASM syntax"
it's fasm if you are talking about peto-iat.rar |:
Post 22 May 2006, 23:33
Tomasz Grysztar
Joined: 16 Jun 2003
Posts: 7797
Location: Kraków, Poland
StakFallT: sorry that I didn't have time to read through all your problems, but I just noticed you sometimes use the STRUC facilities in a slightly wrong way. Try to do it like:
Code:
struc IMAGE_DATA_DIRECTORY
{
  .:
  .VirtualAddress    dd      ?
  .size = $ - .
}    

Because when you use the "." inside the STRUC definition to access the name of the structure instance, the preprocessor no longer generates this label automatically for you - this is so you can customize the STRUC macro definitions fully. Thus this:
Code:
struc alpha
{ .x dd 7 }
my alpha    

generates code that looks like:
Code:
my: 
my.x dd 7    

While this:
Code:
struc alpha
{ .x dd $-. }
my alpha    

generates code like:
Code:
my.x dd $-my    

and this causes "undefined symbol" error, since "my" is not defined (as opposed to "my.x"). Then this:
Code:
struc alpha
{ .:
  .x dd $-. }
my alpha    

generates the correct:
Code:
my:
my.x dd $-my    

and finally:
Code:
struc alpha
{ . dd $-. }
my alpha    

yields:
Code:
my dd $-my    



PS. And this:
Code:
virtual at 0
   IMAGE_DATA_DIRECTORY IMAGE_DATA_DIRETORY
end virtual     

causes an "invalid instruction" error because of the misspelling: there is no C in IMAGE_DATA_DIRETORY.
Post 22 May 2006, 23:52
rugxulo
Joined: 09 Aug 2005
Posts: 2341
Location: Usono (aka, USA)
AX is usually used by MUL, LODSB, STOSB, AAA, etc., BX is used by XLAT and as base register in LEA AX,[BX+DI] etc., CX is used by LOOP, JCXZ, SHR, and REP instructions, DX is used by INT 21h,9 and CWD, MUL sometimes, etc. SI and DI are used with string instructions (MOVSB, CMPSB, etc.). BP is used for stack frames ([BP] refers to SS: by default) but can often be used as general purpose register (LEA CX,[BP+10]). Otherwise, use registers wherever you want (ADD SI,DI or INC BP or SHR BP,1). Hope this helps.
Post 23 May 2006, 21:59

Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.
