Hello, all

What does this mean?
1. PUSH [4]
2. call $+5

regards.
Posted on 2005-07-20 08:59:07 by dcskm4200
1) push the value pointed to by ebp+4
2) call the subroutine at an offset 5 bytes higher

/edit
corrected the spelling
Posted on 2005-07-20 10:44:34 by ti_mo_n
Hello, Ti_mo_n
Thank you.

1. push [4] = push
2. $ = the address of the subroutine
Is that right?
Posted on 2005-07-20 10:53:48 by dcskm4200
$ = current offset.
Posted on 2005-07-20 11:15:01 by roticv
Equivalent to:

push 
call next_instruction
next_instruction:


This is probably used to write relocatable code, because the CALL instruction pushes the address of "next_instruction" on the stack. I guess there's a POP right below it. It could also be some local variable.
Posted on 2005-07-20 11:57:13 by QvasiModo
Hey, roticv and QvasiModo
Thank you.

I still don't understand the "$". Here is a code snippet.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
MsgProc proc STDCALL USES ebx esi edi pzcode: DWORD, wparam: WPARAM, lparam: LPARAM

    local dwUserBase:DWORD
    local dwOurBase:DWORD
    local pfnMessageBoxA:LPVOID

    and dwUserBase, 0
    and dwOurBase, 0
    and pfnMessageBoxA, 0

    PUSH [4]                        ; return address of our caller
    CALL GetUserBase
    .if eax != NULL
        mov dwUserBase, eax

        ; Get our base
        call $+5                    ; pushes the address of the next instruction
        call GetUserBase
        .if eax != NULL
            mov dwOurBase, eax
        .endif
    .endif

    .if pzcode==HC_ACTION

        assume edi: PTR MSG
        mov edi, lparam
        .if [edi].message==WM_USER+50
            PUSH [4]
            CALL GetUserBase
            .if eax != NULL
                mov dwUserBase, eax

                ; Get our base
                call $+5
                call GetUserBase
                .if eax != NULL
                    mov dwOurBase, eax

                    ; link-time address (image base 400000h) -> address at the real base
                    lea ecx, szMessageBoxA
                    sub ecx, 400000h
                    add ecx, eax

                    push ecx ; OFFSET "MessageBoxA"
                    PUSH dwUserBase
                    CALL GetProcAddr
                    .if eax != NULL

                        mov pfnMessageBoxA, eax

                        .const
                        szCap db "That's Works", 0
                        szMes db "GOTCHA", 0
                        .code

                        push MB_OK + MB_SETFOREGROUND + MB_TOPMOST

                        lea ecx, szCap
                        sub ecx, 400000h
                        add ecx, dwOurBase
                        push ecx

                        lea ecx, szMes
                        sub ecx, 400000h
                        add ecx, dwOurBase
                        push ecx

                        push 0
                        mov eax, pfnMessageBoxA
                        call eax

                    .endif
                .endif
            .endif
        .endif
        assume edi: nothing
    .endif

    .if ( dwUserBase != NULL ) && ( dwOurBase != NULL )

        ;-> szCallNextHookEx
        lea ecx, szCallNextHookEx
        sub ecx, 400000h
        add ecx, dwOurBase

        push ecx ; OFFSET "CallNextHookEx"
        push dwUserBase
        call GetProcAddr
        .if eax != NULL
            push lparam
            push wparam
            push pzcode

            lea ecx, HookH
            sub ecx, 400000h
            add ecx, dwOurBase
            push ecx

            call eax ; CallNextHookEx
        .endif
    .endif
    ret
MsgProc endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

regards
Posted on 2005-07-20 19:11:12 by dcskm4200
dcskm4200,

The $ operator is as Victor explained to you: it is the current location operator, but it is part of the assembler. It is not an instruction in assembly language, or more correctly it is NOT an OPCODE built into the processor. If you did a JMP to the current location + 12, what you would find in the code where the jump is located is a jump with a displacement of 12 bytes to its target.
Posted on 2005-07-21 03:38:13 by hutch--
Hello, Hutch--
Thank you.

I still haven't understood "$ = current offset."
Is "$ = current location." right?

This is a disassembly listing made by IDA.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.text:004010DE ; Attributes: bp-based frame
.text:004010DE
.text:004010DE ; LRESULT __stdcall fn(int,WPARAM,LPARAM)
.text:004010DE fn              proc near               ; DATA XREF: start+65o
.text:004010DE
.text:004010DE var_C           = dword ptr -0Ch
.text:004010DE var_8           = dword ptr -8
.text:004010DE var_4           = dword ptr -4
.text:004010DE arg_0           = dword ptr  8
.text:004010DE arg_4           = dword ptr  0Ch
.text:004010DE arg_8           = dword ptr  10h
.text:004010DE
.text:004010DE                 push    ebp
.text:004010DF                 mov     ebp, esp
.text:004010E1                 add     esp, 0FFFFFFF4h
.text:004010E4                 push    ebx
.text:004010E5                 push    esi
.text:004010E6                 push    edi
.text:004010E7                 and     [ebp+var_4], 0
.text:004010EB                 and     [ebp+var_8], 0
.text:004010EF                 and     [ebp+var_C], 0
.text:004010F3                 push    dword ptr [ebp+4]
.text:004010F6                 call    sub_40109C
.text:004010FB                 or      eax, eax
.text:004010FD                 jz      short loc_401113
.text:004010FF                 mov     [ebp+var_4], eax
<--.text:00401102              call    $+5
-->.text:00401107              call    sub_40109C

.text:0040110C                 or      eax, eax
.text:0040110E                 jz      short loc_401113
.text:00401110                 mov     [ebp+var_8], eax
.text:00401113
.text:00401113 loc_401113:                             ; CODE XREF: fn+1Fj
.text:00401113                                         ; fn+30j
.text:00401113                 cmp     [ebp+arg_0], 0
.text:00401117                 jnz     short loc_40118F
.text:00401119                 mov     edi, [ebp+arg_8]
.text:0040111C                 cmp     dword ptr [edi+4], 432h
.text:00401123                 jnz     short loc_40118F
.text:00401125                 push    dword ptr [ebp+4]
.text:00401128                 call    sub_40109C
.text:0040112D                 or      eax, eax
.text:0040112F                 jz      short loc_40118F
.text:00401131                 mov     [ebp+var_4], eax
.text:00401134                 call    $+5
.text:00401139                 call    sub_40109C
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
1. $=00401102?
2. "Call $+5" = "jmp $+5" ?

regards
Posted on 2005-07-21 06:48:21 by dcskm4200
Here are my comments for the harder-to-understand code. PS: I think it looks like shit.

  PUSH [4] ;Get the address of the function that called this function
  CALL GetUserBase ;Extract the user base -> base address of user32.dll
  .if eax != NULL ;Damn, it fails because the caller is not located in user32.dll
      mov dwUserBase, eax

      ; Get our base
      call $+5 ;push the current address onto the stack; it is used as a parameter to the following function
      call GetUserBase
      .if eax != NULL
        mov dwOurBase, eax
      .endif
  .endif


call $+5 is the same as the following statement. It pushes the address of the label "current" (look at the snippet below) onto the stack (the unique feature of the call instruction).


current:
call @F
@@:
Posted on 2005-07-21 07:23:26 by roticv
Hello, roticv
Thank you.

Your comments are nice. According to the following code, which was created by OllyDbg, it may prove right.
So I think

"Call $+5" =
"
mov eax,[00401102]
Push eax
"
;=============================================================================
004010FB  . 0BC0           OR EAX,EAX
004010FD  . 74 14          JE SHORT Hc_1.00401113
004010FF  . 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
00401102  . E8 00000000    CALL Hc_1.00401107
00401107  /$ E8 90FFFFFF   CALL Hc_1.0040109C
0040110C  |. 0BC0          OR EAX,EAX
0040110E  |. 74 03         JE SHORT Hc_1.00401113
00401110  |. 8945 F8       MOV DWORD PTR SS:[EBP-8],EAX
00401113  |> 837D 08 00    CMP DWORD PTR SS:[EBP+8],0
00401117  |. 75 76         JNZ SHORT Hc_1.0040118F
00401119  |. 8B7D 10       MOV EDI,DWORD PTR SS:[EBP+10]
;=============================================================================

regards
Posted on 2005-07-21 08:18:50 by dcskm4200

According to the following code, which was created by OllyDbg, it may prove right.


No offence, but I just can't believe you can use and understand OllyDbg and IDA, and still are having so much trouble with this :D

$ = memory address of current instruction, as known by the assembler

It's actually a built-in macro that returns the address the code is supposed to have when run. Using it in a CALL or JMP makes sense because they are encoded using displacements, not addresses. For example:

e8 00 00 00 00

means "call the procedure located 5 bytes ahead of the end of this instruction", where "e8" is the CALL opcode, and the remaining 4 bytes are the displacement. It is the same as call $+5, because the CALL instruction itself is 5 bytes long and the $ macro uses the beginning of the instruction.

When the assembler processes a line like "call MyProcedure", it actually calculates the distance in bytes between the call and the procedure and uses that as the displacement.

I also recommend you read Intel's manuals; you can get them for free at their web site:
http://www.asmcommunity.net/board/index.php?topic=14740.0

Have fun! And don't hesitate to ask more questions, even if mean folks like me make fun of you ;)
Posted on 2005-07-21 10:24:54 by QvasiModo
And if you still don't get it, then write:
jmp $

...And everything should become clear ;)


"call $+5" is simply "push EIP", which we can't do directly :)
Posted on 2005-07-21 10:35:56 by ti_mo_n

"call $+5" is simply "push EIP", which we can't do directly :)

Much better than my senseless ranting :D
Posted on 2005-07-21 11:28:58 by QvasiModo
Hello, everybody who replied to the question.

It's not enough to answer,
one also has to reply.

Any improvement I make depends on the tropical help of the most super coders.

Thanks again.
Posted on 2005-07-21 19:17:01 by dcskm4200
dcskm4200,

This is probably one place where a disassembler is the right tool for you to see what is happening here. Write up a simple test piece like the following and then disassemble it.


nop
nop
nop
jmp $+4
nop
nop
nop


Search for a NOP to find the start of the block then have a look at what the assembler places where the jump is.
Posted on 2005-07-21 19:39:38 by hutch--
Hello, Hutch--
Thank you.

This is another clear comment. The following code was created by OllyDbg.

;=============================================================================
004010E7  . 8365 FC 00     AND DWORD PTR SS:[EBP-4],0
004010EB  . 8365 F8 00     AND DWORD PTR SS:[EBP-8],0
004010EF  . 8365 F4 00     AND DWORD PTR SS:[EBP-C],0
004010F3  . FF75 04        PUSH DWORD PTR SS:[EBP+4]
004010F6  . E8 A1FFFFFF    CALL Hc_2.0040109C
004010FB  . 0BC0           OR EAX,EAX
004010FD  . 74 17          JE SHORT Hc_2.00401116
004010FF  . 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX
00401102  . 90             NOP
00401103  . 90             NOP
00401104  . 90             NOP
00401105  . EB 03          JMP SHORT Hc_2.0040110A    ;jmp $+5
00401107    90             NOP
00401108    90             NOP
00401109    90             NOP
0040110A  > E8 8DFFFFFF    CALL Hc_2.0040109C
0040110F  . 0BC0           OR EAX,EAX
00401111  . 74 03          JE SHORT Hc_2.00401116
00401113  . 8945 F8        MOV DWORD PTR SS:[EBP-8],EAX
00401116  > 837D 08 00     CMP DWORD PTR SS:[EBP+8],0
;=============================================================================

best regards
Posted on 2005-07-22 01:05:04 by dcskm4200
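As an added example (my code, not anything posted in the thread): a small Python encoder/decoder for x86 relative CALL, JMP and Jcc that reproduces the arithmetic QvasiModo describes (the displacement is measured from the end of the instruction, so `call $+5` is E8 00 00 00 00 at any address) and performs the check hutch suggests, against the addresses and bytes copied from the OllyDbg listings above (Hc_1 and Hc_2). The opcode table, the function names and the `THREAD_LISTING` table are my assumptions; the bytes and targets are the listings'. It also shows that ti_mo_n's `jmp $` encodes as EB FE, a jump to itself.

```python
"""x86 relative-branch encoder/decoder: what the assembler does with `$`.

A CALL/JMP/Jcc is stored as an opcode plus a displacement counted from the
END of the instruction.  That is why `call $+5` (5 bytes long) has a zero
displacement, and why the return address it pushes is exactly `$+5`.
Sample addresses/bytes below are taken from the OllyDbg listings in the thread.
"""
import struct

# opcode -> (mnemonic, displacement width in bytes); a subset, enough for the listings
RELATIVE = {
    0xE8: ("CALL", 4),       # CALL rel32
    0xE9: ("JMP", 4),        # JMP rel32
    0xEB: ("JMP SHORT", 1),  # JMP rel8
    0x74: ("JE SHORT", 1),   # JE/JZ rel8
    0x75: ("JNZ SHORT", 1),  # JNE/JNZ rel8
}
MASK32 = 0xFFFFFFFF


def decode(addr, code):
    """Decode one relative branch located at `addr`.  Returns the mnemonic,
    instruction length, signed displacement, branch target and, for CALL,
    the return address that is pushed (the runtime value of `$+5`)."""
    op = code[0]
    if op not in RELATIVE:
        raise ValueError("not a relative branch opcode: %02X" % op)
    mnem, width = RELATIVE[op]
    length = 1 + width
    disp = struct.unpack("<b" if width == 1 else "<i", bytes(code[1:length]))[0]
    next_ip = (addr + length) & MASK32          # EIP after this instruction
    return {
        "mnemonic": mnem,
        "length": length,
        "disp": disp,
        "target": (next_ip + disp) & MASK32,
        "pushed": next_ip if op == 0xE8 else None,
    }


def encode(op, addr, target):
    """Encode a branch with opcode `op` placed at `addr` that reaches `target`.
    This is the subtraction the assembler performs for `call label` / `jmp $+n`."""
    mnem, width = RELATIVE[op]
    disp = target - (addr + 1 + width)          # distance from the END of the instruction
    lo, hi = (-128, 127) if width == 1 else (-2 ** 31, 2 ** 31 - 1)
    if not lo <= disp <= hi:
        raise ValueError("%s displacement %d does not fit in %d byte(s)" % (mnem, disp, width))
    return bytes([op]) + struct.pack("<b" if width == 1 else "<i", disp)


def call_dollar_plus_5(addr):
    """`call $+5` at any address: the target is the end of the instruction, disp == 0."""
    return encode(0xE8, addr, addr + 5)


# Constructed from the thread's OllyDbg listings: (address, bytes, target shown by OllyDbg).
THREAD_LISTING = [
    (0x004010F6, "E8A1FFFFFF", 0x0040109C),  # CALL Hc_2.0040109C
    (0x004010FD, "7414",       0x00401113),  # JE SHORT Hc_1.00401113
    (0x00401102, "E800000000", 0x00401107),  # CALL Hc_1.00401107   <- call $+5
    (0x00401107, "E890FFFFFF", 0x0040109C),  # CALL Hc_1.0040109C
    (0x00401105, "EB03",       0x0040110A),  # JMP SHORT Hc_2.0040110A  <- jmp $+5
    (0x0040110A, "E88DFFFFFF", 0x0040109C),  # CALL Hc_2.0040109C
]


def check_listing(listing=THREAD_LISTING):
    """Decode every entry and re-encode it from (address, target).
    Returns True only if every target and every byte sequence round-trips."""
    for addr, hexbytes, expected in listing:
        code = bytes.fromhex(hexbytes)
        d = decode(addr, code)
        if d["target"] != expected or d["length"] != len(code):
            return False
        if encode(code[0], addr, expected) != code:
            return False
    return True


if __name__ == "__main__":
    for addr, hexbytes, _ in THREAD_LISTING:
        d = decode(addr, bytes.fromhex(hexbytes))
        pushed = "%08X" % d["pushed"] if d["pushed"] is not None else "-"
        print("%08X  %-10s  %-9s %08X  disp=%-5d pushed=%s"
              % (addr, hexbytes, d["mnemonic"], d["target"], d["disp"], pushed))
    print("listing round-trips:", check_listing())
    print("call $+5 at 00401102:", call_dollar_plus_5(0x00401102).hex())
    print("hutch's jmp $+4 (2-byte short jump):", encode(0xEB, 0x00401105, 0x00401105 + 4).hex())
    print("ti_mo_n's jmp $:", encode(0xEB, 0x00401105, 0x00401105).hex())
```

Running it decodes `E8 00000000` at 00401102 as a CALL whose target and pushed return address are both 00401107, which is the concrete form of "call $+5 is push EIP": the value on the stack is the address of the next instruction, and the bytes are the same wherever the code is loaded, which is what makes the `sub ecx, 400000h / add ecx, dwOurBase` relocation in MsgProc work. Note that `jmp $+4` assembles to EB 02, not EB 03: the displacement is 4 minus the 2-byte length of the short jump.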