I need to experiment with three things but I am having trouble finding them..
well SP is stack pointer, how do I get the value of what is in the program counter and the frame pointer?
Frame pointer is usually (E)BP.
The program counter is also called (E)IP and is pushed on the stack during a CALL instruction.
How would I read in the EIP (program counter) into a variable? EIP is not valid according to masm32..
label1:
call @F
@@:
pop eax
sub eax, 5
eip of label 1 is in eax.
awesome, thanks
How about this:
LABEL1:
mov eax,$
or
LABEL1:
mov eax,OFFSET LABEL1
The eip of LABEL 1 is in EAX.
even better, thanks.. I presume I could do a:
label1:
mov eax, OFFSET label1
jmp eax ;address from the label - would put this into a loop ?
the reason I am asking these crazy questions is, I am trying to emulate setjmp and longjmp for some c code.. there are 16 ints (dwords), according to an include file from gcc, that is somehow populated.. see below, it is from the setjmp.h file and the documentation is priceless..
Now so far I am saving 9 of those:
EAX,EDX,EBX,ECX,ESI,EDI,ESP,EBP, and the EIP
anyone ever work with this and know of any pitfalls if I go with 9 ints with the last 7 empty? or documentation for it?
/*
* The buffer used by setjmp to store the information used by longjmp
* to perform it's evil goto-like work. The size of this buffer was
* determined through experimentation; it's contents are a mystery.
* NOTE: This was determined on an i386 (actually a Pentium). The
* contents could be different on an Alpha or something else.
*/
#define _JBLEN 16
#define _JBTYPE int
typedef _JBTYPE jmp_buf[_JBLEN];
LABEL1:
mov eax,OFFSET LABEL1
Will only work if your program is running at the base address you linked it to, or has had relocations applied. Roticv's trick will work with code that's been moved but hasn't had relocations applied - useful when doing code injection or unpacker/decrypter stubs.
label1:
mov eax, OFFSET label1
jmp eax ;address from the label - would put this into a loop ?
Yep. You might as well load EAX outside the loop, btw... as if it mattered ;)
As for the setjmp/longjmp comment, it sounds like the library coders are retards (no wonder if it's GNU :P). If you're doing your own setjmp/longjmp implementation, you'll probably be just fine if you have a buffer big enough for PUSHAD+POPAD, unless you also want to store flags and segment registers.
Hi f0dder,
for executables you can rely on the base being static. For DLL's you can use :
LABEL1:
mov eax,$
it will give the relocated label. This is for GoAsm, I have no idea if MASM has this capability.
thanks fodder and donkey :) I have discovered that the address directly after the setjmp has to be stored so when longjmp is called, it jumps back to that address, so it seems to me they must go with inline assembly (macro-like)..
and for anyone who wants to know, I have mapped two of the 16 integers by simple comparisons and ollydbg:
int jmp_buf[16]; //array&type
env[0]=?
env[1]=EBX
..
env[5]=EIP
the others come close to each other and I will have to figure out a different way to solve.
and fodder, you can pushad all the regs to a dword 'array'? how is that, moving the stack pointer address to the assembler dword ptr? From a C point of view, wouldn't it be better to just mov the regs independently?
donkey, DLLs with reloc information (default behaviour for most linkers when building .DLL's) will be relocated fine if they don't get loaded at their preferred base address, so your code will work just fine for about everything. The other method is for injected code, or decrypter/unpacker stubs that need to be moved to VirtualAlloc'ed memory (can't use the stack anymore, if we want to be compatible with per-page eXecute permission flag).
The capability is related to the linker rather than the assembler, btw - the object file formats spit out by the assembler must support relocations to be linked successfully :)
drarem, I really meant "the registers handled by PUSHAD+POPAD", but the esp-fiddling is an interesting idea :P. Hell, it could probably even be implemented safely... anyway, why don't you have a look at the library source? If it's GCC it's GNU, so it's opensource and you can just have a look. Or use olly or whatever to trace into a longjmp call?
last question, then I promise to go away at least for tonight =)
below is the code I cut and paste from the debugger (shame on me), and it is very close to working..
yes this is for some freebie project, there is one line I am having trouble compiling, it is the
mov eax,DWORD PTR FS:[0].
The compiler error says:
sLib.asm(78) : error A2108: use of register assumed to ERROR
Is there an alternative? I understand some of what is going on,
<code>
; note: the bracketed memory operands were lost when this post was rendered; they are
; reconstructed here from the comments below (env[1]=EBX, env[5]=EIP) and the msvcrt
; _setjmp layout (EBP, EBX, EDI, ESI, ESP, EIP, FS:[0] registration, TryLevel)
setjmp2 proc
MOV EDX,DWORD PTR SS:[ESP+4] ;edx = address of the jmp_buf (first cdecl argument)
MOV DWORD PTR DS:[EDX],EBP
MOV DWORD PTR DS:[EDX+4],EBX ;yep the second index is ebx
MOV DWORD PTR DS:[EDX+8],EDI
MOV DWORD PTR DS:[EDX+12],ESI
MOV DWORD PTR DS:[EDX+16],ESP
MOV EAX,DWORD PTR SS:[ESP] ;and here is how it gets the EIP from the main call
MOV DWORD PTR DS:[EDX+20],EAX ;and stores it in the sixth array element
mov EAX, DWORD PTR FS:[0] ;error, is this exception handling? if so what is it
MOV DWORD PTR DS:[EDX+24],EAX ;head of the SEH registration chain
CMP EAX,-1 ;-1 marks the end of the chain
JNZ SHORT skipthis
MOV DWORD PTR DS:[EDX+28],-1
JMP SHORT tohere
skipthis:
MOV EAX,DWORD PTR DS:[EAX+12] ;TryLevel field of the MSVC registration record
MOV DWORD PTR DS:[EDX+28],EAX
tohere:
SUB EAX,EAX ;setjmp returns 0 on the direct call
; RETN
ret
setjmp2 endp
</code>
Assume fs:nothing
fs:[0] points to seh handler.
Actually FS:[0] points to the SEH chain (linked list) of exception handlers for the current thread.
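A matching pair for the layout drarem's setjmp2 uses, with the ASSUME fix applied, as an added example that is not code from the thread. It assumes the dword layout mapped out above (EBP, EBX, EDI, ESI, ESP, EIP, FS:[0] chain head), leaves the TryLevel slot alone, and restores the SEH chain head without unwinding the frames it discards.

```asm
; Added example, not from the thread. Layout assumed for env (dword offsets):
;   [0]=EBP [4]=EBX [8]=EDI [12]=ESI [16]=ESP [20]=EIP [24]=FS:[0] head [28]=TryLevel (unused here)
.386
.model flat, stdcall
option casemap:none
assume fs:nothing                 ; the A2108 fix: lets MASM accept FS:[0] as an operand

.code

; int setjmp2(int env[16])  -- cdecl; no prologue, so ESP/EBP are still the caller's values
setjmp2 proc
    mov edx, [esp+4]              ; edx = env
    mov [edx], ebp
    mov [edx+4], ebx
    mov [edx+8], edi
    mov [edx+12], esi
    mov [edx+16], esp             ; ESP with the return address still on the stack
    mov eax, [esp]                ; return address = the instruction right after "call setjmp2"
    mov [edx+20], eax
    mov eax, fs:[0]               ; head of this thread's SEH registration chain
    mov [edx+24], eax
    xor eax, eax                  ; the direct call returns 0
    ret
setjmp2 endp

; void longjmp2(int env[16], int val)  -- cdecl; never returns
longjmp2 proc
    mov edx, [esp+4]              ; edx = env
    mov eax, [esp+8]              ; eax = val
    test eax, eax
    jnz @F
    inc eax                       ; longjmp(env, 0) must make setjmp return 1
@@:
    mov ecx, [edx+24]             ; put the SEH chain head back where setjmp2 saw it
    mov fs:[0], ecx               ; (handlers of the discarded frames are dropped, not unwound)
    mov ebp, [edx]
    mov ebx, [edx+4]
    mov edi, [edx+8]
    mov esi, [edx+12]
    mov esp, [edx+16]             ; back to setjmp2's stack; [esp] was the return-address slot
    add esp, 4                    ; pop that slot, as setjmp2's RET did
    jmp dword ptr [edx+20]        ; resume after the original call with EAX = val
longjmp2 endp
end
```

As with the real functions, locals the caller changed between the two calls are only reliable if they are volatile, because a register restored here may hold a stale copy.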