ASM Community

absjmp MACRO address

LOCAL opend

db 0E9h

dd address - opend

opend = $+401000h-sectaddr

endm

.code

sectaddr equ $ ;at first occurence of .code statement set the constant

start:

	absjmp 810000h

	xor eax,eax

	absjmp 401000h

	mov eax,eax

	absjmp 400000h

	

I tested it.
It generates right opcode jmp near imm
Unfortunatly you must
1. Change values if you not use default base and alignment
2. Manualy set sectaddr value at first .code statement.
offset @code might be used instead of it but you need shl it 4 and masm can not do it.

Grin,

=====================================
I'm sorry hutch, but you are wrong. "jmp 401000h" ought to jump to address 401000h (which can't be assembled directly when doing coff output, but would work with eg binary output), while "jmp [401000h]" (or "jmp dword ptr [401000h]") should jump to the address pointed to by the dword at address 401000h. Brackets mean indirection. You don't think that "jmp eax" and "jmp " ought to produce the same instructions, do you now?
=====================================

This is f0dder_asm, how does this theory of indirection only handle the standard MASM syntax like,

    mov ax, MyVar[2]

Is this too indirect for your theory ? :) Should MASM rewrite the use of indexing or added displacements on the basis of this theory ?

    mov ax, [ebp-whatever+2]

I have no real objection to assemblers that are a bit toothless in the parsing department and it seems there are people who want to play with them but when you are finished playing games, you write 32 bit windows assembler in MASM if you want to get something written in your lifetime. :)

Imagine a toilet that has a sheet of really rough sandpaper nailed to the wall with a caption, "You can tell the men from the boys by the paper they use".

Most ordinary mortals will still use the normal stuff but there will be that bunch of others who will at least try and use the sandpaper.

Doing things the hard way for no reason may be asthetically pleasing to some but most want to get the job done without the irritations and this goes for writing assembler. With MASM you have the parsing grunt to offer simplified syntax that is not so notation burdened as others that are less powerful in their parsing.

Still, if you want to add more garbage, try prefixing the registers with % like GAS does, perhaps thats the proper way for people who cannot recognise the expressions typed in.

Regards,

hutch@movsd.com

Whatever.
mean indirection in most x86 assemblers,
and "most places" in masm. Masm seems quite ambiguous
about this though. That you have to add a DS "override"
to make it understand you want A100104000 and not
B8010400 from "mov eax, [401000h]" is plain silly.

I can live with the fact that masm doesn't enforce
brackets on indirection and that it has some additionaly
quirky ways of doing indirection, like variable,
even if these are syntactically flawed & ugly to me.
But that it f_ucks around with standard stuff like
the above... bleh.

This doesn't have to do with the macro argument expansion, but with MASM's qualified type resolution. Assumptions like this continue to make things harder than they should be for you. Maybe a good read of the manual is in order - I am sorry that it is not in your native language - for I'm sure these matters would be trivial for you to grasp.

Some additional info for those who not familiar with
((short) jmp address) opcode.
While first byte of those opcode is easy to use - it's 0E9h (sign of short jmp)
next dword of opcode is address, but it's relative address not absolute.
It = address you need to jmp minus of next opcode
for example 0E9 00000000h - means to jmp to the next instruction.
Keeping in mind that I knew base address and section alignment I worked out macro
that way
1. In the first occurence of .code statement(wich is address of code section)
I put
sectaddr equ $
2. And the macro was:
absjmp MACRO address
LOCAL opend
db 0E9h
dd address - opend
opend = $+401000h-sectaddr
endm
401000h here is base + section alignment and actually it's equal to sectaddr.
But I couldn't write just opend = $ 'cause it would rise error about relocation :)

I test it with different values - macro worked all right generating right opcode each time.
Then I wandered if different debuggers and disassemblers could show it right way.
Here is the end of introduction, now the notes this post is about.
Here is code tested:

.code
sectaddr equ $ ;at first occurence of .code set the constant
start:
absjmp 810000h
xor eax,eax
absjmp 401000h
mov eax,eax
absjmp 400000h
@@:
cmp al,1
adc al,al
and al,3
jmp @B


OllyDbg behavior was most strange:
'Cause it "understood" jmps very well but failed to disassm
very simple following jmps code:

00401000 <Mo> $-E9 FBEF4000          JMP 00810000

00401005      . 33C0                 XOR EAX,EAX

00401007      .^E9 F4FFFFFF          JMP testinst.<ModuleEntryPoint>

0040100C      . 8BC0                 MOV EAX,EAX

0040100E      .-E9 EDEFFFFF          JMP testinst.00400000

;here OllyDbg failed:

00401013        3C                   DB 3C

00401014        01                   DB 01

00401015        12                   DB 12

00401016        C0                   DB C0

00401017        24                   DB 24

00401018      . 03EB                 ADD EBP,EBX

0040101A      . F8                   CLC

Olly should have treated
db 3c, 01 as cmp al,1
db 12, c0 as adc al,al
db 24, 03 as and al,03
db eb, 08 as jmp to 40101B-8 (to 401013)

But your can see how it took the opcode
Without preceding short jmps OllyDbg disassm the opcode well.
Why did it not do it after the jmps - is a mystery to me :)

Next try was with Hiew.
It understood everything ok exept for jmp lower that base address:

.00401000: E9FBEF4000                   jmp       00040F400

.00401005: 33C0                         xor       eax,eax

.00401007: E9F4FFFFFF                   jmp      .000401000

.0040100C: 8BC0                         mov       eax,eax

;here:

.0040100E: E9EDEFFFFF                   jmp       0FFFFF400

.00401013: 3C01                         cmp       al,001 ;"
"

.00401015: 12C0                         adc       al,al

.00401017: 2403                         and       al,003 ;""

.00401019: EBF8                         jmps     .000401013

Now Soft Ice.
That was the only one who got everything right :)

00401000: E9FBEF4000                   jmp       00040F400

00401005: 33C0                         xor       eax,eax

00401007: E9F4FFFFFF                   jmp      .000401000

0040100C: 8BC0                         mov       eax,eax

0040100E: E9EDEFFFFF                   jmp      .000400000

00401013: 3C01                         cmp       al,001 

00401015: 12C0                         adc       al,al

00401017: 2403                         and       al,003 

00401019: EBF8                         jmps     .000401013

That's it.

Svin: why did you choose 810000h as jump ?

if i change 810000h (wich points nowhere on my system)
to 77F01000h (KERNEL32.ModuleEntryPoint) OllyDbg
decodes fine.

i use OllyDbg 1.07 (step 1)

"Yeah, it happens sometimes. OllyDbg is highly
heuristical (and a bit fuzzy).

Without full context, it's hard to get exact reason.
Most possibly, some other commands references
address 00401018 as data or jump destination,
or the real commands looked too improbable to
be a real sequence."

this is Olly's response on Svin's post.

also Olly added "new switch analysis is ready,
and stack walk also looks promising. Maybe in a
week or two I'll post 1.07a on my homepage" :alright:

nice :tongue:

I chose different mem locations.
As for 8?????h addresses in 9x a lot of usefull system data here.
Most strange things was that it decoded the jmp right way, but failed to decode very simple opcode followed it.

My regards to Oleh, he is doing very well with his tool.

Thats in esence, the reason why I dont like MASM.

;P Bye bye