flat assembler
Message board for the users of flat assembler.

Index > Heap > stdcall discordance?

LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
Quote:
EBX, ESI, EDI and EBP are all safe to use without fear of corruption in Windows API calls.

Well, I remember once I coded a simple Delphi app that used some of the window enumeration APIs (I can't remember exactly what function it was). After never understanding why the while loop was always infinite, I decided to debug it at assembly level. Surprised I was when the "I" variable was always at a very high value after returning from the API function and, of course, "I" was kept in one of those registers (EBX or EDI, I can't remember now).

Of course this is a direct violation of stdcall, but at least on Win98SE there were some APIs that liked to fuck things up.

The solution was:
Code:
asm
  push affected-reg   { save the callee-saved register the API call clobbers }
end;

api_func(...);

asm
  pop affected-reg    { restore it once the call has returned }
end;

I wish I had the code, but hard disks tend to decide that we don't need all of our data anymore from time to time...
Post 20 Dec 2007, 18:23
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17270
Location: In your JS exploiting you and your system
LocoDelAssembly wrote:
I wish I had the code, but hard disks tend to decide that we don't need all of our data anymore from time to time...
Ever heard of the term backup?
Post 20 Dec 2007, 18:31
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17270
Location: In your JS exploiting you and your system
LocoDelAssembly wrote:
Of course this is a direct violation of stdcall, but at least on Win98SE there were some APIs that liked to fuck things up.
I think you may have had a virus that was hooking the function and not properly restoring its mess. It would seem unlikely that the Windows compiler would forget about the register and corrupt it.
Post 20 Dec 2007, 18:41
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
Quote:
Ever heard of the term backup?

Such thing is possible?!?!?!

I did this so long ago that I can't remember if it was possible for that computer to get infected, but since surely there was no AV the doors were a little more open.

Seems that I did back that up, fortunately; the API was EnumThreadWindows.
Code:
asm
  push EBX   { preserve EBX, which the loop counter lives in, across the API call }
end;

EnumThreadWindows(T.ThreadId, @EnumThreadWndProc, 0);

asm
  pop EBX    { restore it after the enumeration returns }
end;

(EnumThreadWndProc is declared as stdcall and I checked with OllyDbg that EBX is untouched by its code).

However, now that I see the code again, in fact an infinite loop is not possible; it should have been a premature exit. I will try to test it on a Win98SE box again to see if EBX is altered and leave this part of the topic for further discussion.

[edit] About the compiler making mistakes with stdcall, remember that Win98SE featured assembly-optimized code in some parts [/edit]
Post 20 Dec 2007, 19:01
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
(To be continued)
Post 20 Dec 2007, 22:07
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17270
Location: In your JS exploiting you and your system
I did some searching for someone mentioning about Win98SE not properly complying to stdcall. Found nothing, not a single piece of info, zero.

I would have expected to see at least something in Usenet at a minimum. Someone would have been bitten by it and complained.

Maybe I missed something.

LocoDelAssembly wrote:
About compiler making mistakes with stdcall, remember that Win98SE featured assembly optimized code at some parts
Perhaps, but why optimise EnumThreadWindows? Not exactly a high use bottleneck function!

PS: Why are we in Heap? Seems kinda Windowsy to me.
Post 21 Dec 2007, 12:44
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
Quote:
PS: Why are we in Heap? Seems kinda Windowsy to me.

Because the idea of a virus is so plausible that the thread is not worthy of the Windows forum. Also, the code is very noob; I note that because of the lamish commentary inside.

It will be better to verify my past experiences before assuming I was totally right at those times :P

PS: I find it weird not finding at least some reference telling that a certain virus is buggy :? I hope I was not noob enough to have another problem and that in fact the push EBX/pop EBX did nothing to solve the problem :?

[edit]
Quote:
Perhaps, but why optimise EnumThreadWindows? Not exactly a high use bottleneck function!

But perhaps it refers to some Kernel32.dll functions that reside in the asm section. But as said above, it was probably my fault.[/edit]
Post 22 Dec 2007, 01:08
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17270
Location: In your JS exploiting you and your system
I searched for 'ebx (corrupt OR changed OR destroyed) (win98 OR win98SE) EnumThreadWindows'. Maybe my search was too specific. I deliberately left out 'virus'; I didn't want to restrict it to just viruses since it may have been a Windows fault.
Post 22 Dec 2007, 02:35
Copyright © 1999-2020, Tomasz Grysztar.