flat assembler
Message board for the users of flat assembler.
Windows > Need an fASM equivalent of a few MASM instructions
okasvi 21 May 2006, 02:15
you could use [edi+IMAGE_DOS_HEADER.e_magic] for the first one.
depending on which data directory you want to operate with:
  [edi+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory+sizeof.IMAGE_DATA_DIRECTORY]
or
  [edi+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory+(<INDEX>*sizeof.IMAGE_DATA_DIRECTORY)]
replacing <INDEX> with the DataDirectory number-1.
for checking IMAGE_DOS_SIGNATURE just compare e_magic with 'MZ'.
yetifoot 21 May 2006, 02:45
way above my head except problem 1
include 'macro\proc32.inc'
okasvi 21 May 2006, 03:10
yetifoot wrote: way above my head except problem 1

Code:
  include '%fasminc%\win32a.inc'

  ; MASM:
  PointerToPEHeader proc hMod:DWORD
  ; = fasm:
  proc PointerToPEHeader, hMod
    ;code
    ret
  endp

_________________
When We Ride On Our Enemies
support reverse smileys |:
StakFallT 21 May 2006, 18:30
That helped a bit, thanks
I'm having a very similar problem, though, not far below it, that doesn't seem to be able to be solved using those methods (no pun intended). Here's part of CryptSniffer.inc:

CryptSniffer.inc:

Code:
  struc IMAGE_DATA_DIRECTORY
  {
    .VirtualAddress dd ?
    ;.VirtualAddress = $
    ;.size dd ?
    .size = $ - .
  }

  virtual at 0
    IMAGE_DATA_DIRECTORY IMAGE_DATA_DIRETORY
  end virtual

  struc IMAGE_OPTIONAL_HEADER32
  {
    .Magic dw ?
    .MajorLinkerVersion db ?
    .MinorLinkerVersion db ?
    .SizeOfCode dd ?
    .SizeOfInitializedData dd ?
    .SizeOfUninitializedData dd ?
    .AddressOfEntryPoint dd ?
    .BaseOfCode dd ?
    .BaseOfData dd ?
    .ImageBase dd ?
    .SectionAlignment dd ?
    .FileAlignment dd ?
    .MajorOperatingSystemVersion dw ?
    .MinorOperatingSystemVersion dw ?
    .MajorImageVersion dw ?
    .MinorImageVersion dw ?
    .MajorSubsystemVersion dw ?
    .MinorSubsystemVersion dw ?
    .Win32VersionValue dd ?
    .SizeOfImage dd ?
    .SizeOfHeaders dd ?
    .CheckSum dd ?
    .Subsystem dw ?
    .DllCharacteristics dw ?
    .SizeOfStackReserve dd ?
    .SizeOfStackCommit dd ?
    .SizeOfHeapReserve dd ?
    .SizeOfHeapCommit dd ?
    .LoaderFlags dd ?
    .NumberOfRvaAndSizes dd ?
    ;.DataDirectory IMAGE_DATA_DIRECTORY IMAGE_NUMBEROF_DIRECTORY_ENTRIES dup(<>)
    ;.DataDirectory IMAGE_DATA_DIRECTORY IMAGE_NUMBEROF_DIRECTORY_ENTRIES
    ;.DataDirectory IMAGE_DATA_DIRECTORY [IMAGE_NUMBEROF_DIRECTORY_ENTRIES] dup ?
    .DataDirectory IMAGE_DATA_DIRECTORY [IMAGE_NUMBEROF_DIRECTORY_ENTRIES] dup ?
    ;.DataDirectory IMAGE_DATA_DIRECTORY rept 16 (?)
  }

  ;virtual at 0
  ;  IMAGE_OPTION_HEADER32 IMAGE_OPTION_HEADER32
  ;end virtual

  IMAGE_OPTIONAL_HEADER equ <IMAGE_OPTIONAL_HEADER32>

  struc IMAGE_FILE_HEADER
  {
    .Machine dw ?
    .NumberOfSections dw ?
    .TimeDateStamp dd ?
    .PointerToSymbolTable dd ?
    .NumberOfSymbols dd ?
    .SizeOfOptionalHeader dw ?
    .Characteristics dw ?
  }

  ;virtual at 0
  ;  IMAGE_FILE_HEADER IMAGE_FILE_HEADER
  ;end virtual

  struc IMAGE_NT_HEADERS
  {
    .Signature dd ?
    ;.FileHeader IMAGE_FILE_HEADER <>
    .FileHeader IMAGE_FILE_HEADER ?
    ;.OptionalHeader IMAGE_OPTIONAL_HEADER32 <>
    .OptionalHeader IMAGE_OPTIONAL_HEADER32 ?
    .Size = $ - .
  }

  ;virtual at 0
  ;  IMAGE_NT_HEADERS IMAGE_NT_HEADERS
  ;end virtual

CryptSniffer.asm:

Code:
  ;cmp [edi+IMAGE_NT_HEADERS.Signature], [IMAGE_NT_SIGNATURE]
  ;cmp [esp+IMAGE_NT_HEADERS.Signature], [IMAGE_NT_SIGNATURE]
  ;cmp [edi+IMAGE_NT_HEADERS.Signature], "MZ"
  cmp [edi+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory+sizeof.IMAGE_DATA_DIRECTORY], [IMAGE_NT_SIGNATURE]
  jne NOTImageNTSignature
  je PostImageNTSignature

I get "Error: invalid operand" but I've tried all kinds of things, nothing seems to fix it..

Also, are you sure on the checking based on the "MZ" thing? 'Cause I opened up a Windows (GUI based) application and the header contains an MZ, as does a normal DOS program (hence why above you see me "attempting" to try a constant such as MZ for the compare).

Also I tried reading the manual about the virtual command, but I just can't make heads or tails out of its description.. in plain English (lol) when should you use virtual? Are there any kinds of asm tutorials out there that give insight as to the creative uses someone might use an instruction/opcode for rather than just its straight textbook definition?

Oh and one other quick question while I'm here.. register use.. I see an insane amount of conflicting claims of what the standard set of registers should be used for... I see eax being said that the "a" stands for accumulator, and the "b" in ebx stands for "base", and ecx being said that the "c" stands for counter (hence only numerical data can (or should?) be placed in there).. edx, the "d" stands for data.. etc.. but then I look at other people's code and it's all over the place, there's no rhyme or reason, it's almost like whatever they felt like using or needed to use without conforming to some sort of standard. So, is there a standard, and is this standard cast in stone or is it just a standard that most people tend to follow?
And do those letters -really- actually stand for that or is that just someone's way to make it easy to remember?? Sorry in advance for being such a pest, just no matter how much I think I finally got a grip on it, I find I don't heh :/

-- StakFallT
okasvi 22 May 2006, 04:56
as I said, 'MZ' is for checking for a correct DOS header, 'PE' is for a correct NT header. read Iczelion's PE tutorial, there is a conversion of it for fasm too if I remember correctly, but anyway for the text -> http://win32assembly.online.fr/tutorials.html -> 'PE Tutorials'
btw. don't know if this is any help for you but here is my not-so-well-working IAT crypter which adds a section, crypts the IAT, and at runtime decrypts it etc.... http://h1.ripway.com/okasvi/PeTo-IAT.rar
StakFallT 22 May 2006, 16:00
hmm.. even though it looks like most of the attachment is in MASM syntax, it's still useful to me, and it seems to do everything and then some, except two problems I'm still stuck on..
this line. Trying all different kinds of things, the errors I get are:

Code:
  mov edi, pExecPEHeader.IMAGE_OPTIONAL_HEADER32[IMAGE_DATA_DIRECTORY.size]

Code:
  mov edi, [pExecPEHeader.IMAGE_OPTIONAL_HEADER32.DataDirectory.size]

So if I had to pick, I'd say the undefined one is probably the closest one to performing what it is the line should be performing... which is why I maintain there is something critically wrong with this but I don't know what... It looks like the virtual statement blocks.. What's super odd is at first I thought fASM would not let me do virtual at 0..<blah><blah> end virtual on strucs containing labels of non-standard (standard being dd, db, etc.) data.. But then I confirmed that was not the case because the virtual statement-block right after the declaration of IMAGE_DATA_DIRECTORY yields an invalid instruction (if I leave it uncommented as is) and the struc doesn't contain anything odd.. so I'm back to square 1...

Code:
  struc IMAGE_DATA_DIRECTORY
  {
    .VirtualAddress dd ?
    ;.VirtualAddress = $
    ;.size dd ?
    ;.size = $ - .
  }

  virtual at 0
    IMAGE_DATA_DIRECTORY IMAGE_DATA_DIRETORY
  end virtual

  struc IMAGE_OPTIONAL_HEADER32
  {
    .Magic dw ?
    .MajorLinkerVersion db ?
    .MinorLinkerVersion db ?
    .SizeOfCode dd ?
    .SizeOfInitializedData dd ?
    .SizeOfUninitializedData dd ?
    .AddressOfEntryPoint dd ?
    .BaseOfCode dd ?
    .BaseOfData dd ?
    .ImageBase dd ?
    .SectionAlignment dd ?
    .FileAlignment dd ?
    .MajorOperatingSystemVersion dw ?
    .MinorOperatingSystemVersion dw ?
    .MajorImageVersion dw ?
    .MinorImageVersion dw ?
    .MajorSubsystemVersion dw ?
    .MinorSubsystemVersion dw ?
    .Win32VersionValue dd ?
    .SizeOfImage dd ?
    .SizeOfHeaders dd ?
    .CheckSum dd ?
    .Subsystem dw ?
    .DllCharacteristics dw ?
    .SizeOfStackReserve dd ?
    .SizeOfStackCommit dd ?
    .SizeOfHeapReserve dd ?
    .SizeOfHeapCommit dd ?
    .LoaderFlags dd ?
    .NumberOfRvaAndSizes dd ?
    ;.DataDirectory IMAGE_DATA_DIRECTORY IMAGE_NUMBEROF_DIRECTORY_ENTRIES dup(<>)
    ;.DataDirectory IMAGE_DATA_DIRECTORY IMAGE_NUMBEROF_DIRECTORY_ENTRIES
    ;.DataDirectory IMAGE_DATA_DIRECTORY [IMAGE_NUMBEROF_DIRECTORY_ENTRIES] dup ?
    ;.DataDirectory IMAGE_DATA_DIRECTORY [IMAGE_NUMBEROF_DIRECTORY_ENTRIES] dup ?
    .DataDirectory dd sizeof.IMAGE_DATA_DIRECTORY
    ;.VirtualAddress dd ?
    ;.VirtualAddress = $
    ;.size dd ?
    ;.size = $ - .
    ;.DataDirectory IMAGE_DATA_DIRECTORY rept 16 (?)
    ;.Size = $ - .
  }

  ;virtual at 0
  ;  IMAGE_OPTION_HEADER32 IMAGE_OPTION_HEADER32
  ;end virtual

Btw, you're right about Iczelion's PE Tutorials, I finally understand now why the MZ shows up in both DOS and Windows applications! Thanks for the help so far, again I really appreciate it!

-- StakFallT

EDIT: Oh, about the converted tutorials, the link used to be: http://sulaiman.netadvant.com/fasm/index.html I think... but it no longer works... good damn thing I saved just about every one of those tutorials locally. Only thing though is apparently only the core section (the ones numbered 1-20something) was converted, none of the specialized tutorial sets..
okasvi 22 May 2006, 23:33
he made some kind of PE-format walkthrough at least.
"even though it looks like most of the attachment is in MASM syntax" it's fasm if you are talking about peto-iat.rar |:
Tomasz Grysztar 22 May 2006, 23:52
StakFallT: sorry that I didn't have time to read through all your problems, but I just noticed you sometimes use STRUC facilities in a bit wrong way. Try to do it like:

Code:
  struc IMAGE_DATA_DIRECTORY
  {
    .:
    .VirtualAddress dd ?
    .size = $ - .
  }

Because when you use the "." inside the STRUC definition to access the name of the structure instance, then the preprocessor no longer generates this label automatically for you - this is so you can customize the STRUC macro definitions fully. Thus this:

Code:
  struc alpha { .x dd 7 }
  my alpha

generates code that looks like:

Code:
  my:
  my.x dd 7

While this:

Code:
  struc alpha { .x dd $-. }
  my alpha

generates code like:

Code:
  my.x dd $-my

and this causes an "undefined symbol" error, since "my" is not defined (as opposed to "my.x"). Then this:

Code:
  struc alpha { .: .x dd $-. }
  my alpha

generates the correct:

Code:
  my:
  my.x dd $-my

and finally:

Code:
  struc alpha { . dd $-. }
  my alpha

yields:

Code:
  my dd $-my

PS. And this:

Code:
  virtual at 0
    IMAGE_DATA_DIRECTORY IMAGE_DATA_DIRETORY
  end virtual

causes an "invalid instruction" error because of the misspelling: there is no C in IMAGE_DATA_DIRETORY.
rugxulo 23 May 2006, 21:59
AX is usually used by MUL, LODSB, STOSB, AAA, etc., BX is used by XLAT and as base register in LEA AX,[BX+DI] etc., CX is used by LOOP, JCXZ, SHR, and REP instructions, DX is used by INT 21h,9 and CWD, MUL sometimes, etc. SI and DI are used with string instructions (MOVSB, CMPSB, etc.). BP is used for stack frames ([BP] refers to SS: by default) but can often be used as general purpose register (LEA CX,[BP+10]). Otherwise, use registers wherever you want (ADD SI,DI or INC BP or SHR BP,1). Hope this helps.
Copyright © 1999-2024, Tomasz Grysztar.