Years ago a member named Maverick figured out how to replace MASM ASSUME, back when I was just getting interested in ASM and did not pay proper attention, and I don't remember if it was even related to the first two types of coding listed below.  Now I have a serious need to do this.

Would anyone know of a few ways to replace ASSUME, or know if it is even possible with these two types of MASM code?  I would greatly appreciate any ideas.

Type 1
ASSUME FS : NOTHING
mov eax,fs:[18h]


Type 2
MOV  EAX, pContext
ASSUME EAX : PTR CONTEXT


Below is an example of replacement code for this type of ASSUME by Vortex.

ASSUME EDX : PTR IMAGE_EXPORT_DIRECTORY
MOV  EBX, [EDX].AddressOfNames

Translated to:
MOV  EBX, IMAGE_EXPORT_DIRECTORY.AddressOfNames

Thanks in advance
Posted on 2006-08-13 23:08:27 by ic2
For segment registers, you have no choice but to use assume, since there are default assumptions regarding their types.
More generally though, you can think of ASSUME as being a directive which tells the assembler to insert the defined datatype wherever the associated register is mentioned - ie, it saves you some typing.

MOV  EBX, IMAGE_EXPORT_DIRECTORY.AddressOfNames
is exactly the same as
MOV  EBX, .IMAGE_EXPORT_DIRECTORY.AddressOfNames

If it's a segment register like FS, you HAVE to use ASSUME.
Otherwise, you NEVER have to use it if you don't want to.
Hope that was clear enough :)
Posted on 2006-08-14 03:55:00 by Homer
You made it very clear about segment registers.  I wasted a lot of time for nothing thinking I could make a brick out of thin air.

But for code like this below, is it possible to not use ASSUME?  If so, I need to know how.


MOV  EAX, aDWORD
ASSUME EAX : PTR WhatEverStruct


Thank you Homer
Posted on 2006-08-14 08:02:07 by ic2
I had some problems messing about with SEH in MASM before I realized it needs a completely pointless instruction to reset FS
(assume FS:[0] or something; I threw it in my windows.inc so I've long since forgotten it :D)

1. If you can assemble the code in MASM:
Put just that code in an empty project, assemble it, and disassemble it with IDA, W32Dasm or OllyDebug, and all the reg + offset is done for you.

2. If MASM won't assemble it:
Work out the offsets using the structure and jab it into an empty program using OllyDebug (which doesn't share MASM's stubbornness), then add the code it generates in hex format as db statements (this is helpful with FS)

IE.
db 08bh,0c3h  ;mov eax,ebx

Since you're just accessing a register + an offset you can use the following table to do this

;without telling masm ebx is ptr to structure
mov eax,[ebx+_regEcx] ;to get regEcx

I've seen this method used a lot in old TASM source code.
In short, if you choose not to tell MASM what you're up to, things get a lot more tedious. :)
Hope this helps.

;CONTEXT STRUCT
_ContextFlags=00
_iDr0=04
_iDr1=08
_iDr2=12
_iDr3=16
_iDr6=20
_iDr7=24
_ControlWord=28                ; < FLOATING_SAVE_AREA STRUCT
_StatusWord=32
_TagWord=36
_ErrorOffset=40
_ErrorSelector=44
_DataOffset=48
_DataSelector=52
_RegisterArea=56 ;<Warning not DWORD,SIZE_OF_80387_REGISTERS = 80 bytes
_Cr0NpxState=136;(56+80) ;< FLOATING_SAVE_AREA ENDS
_regGs=140
_regFs=144
_regEs=148
_regDs=152
_regEdi=156
_regEsi=160
_regEbx=164
_regEdx=168
_regEcx=172
_regEax=176
_regEbp=180
_regEip=184
_regCs=188
_regFlag=192
_regEsp=196
_regSs=200
_ExtendedRegisters=204 ;<Warning not DWORD

Posted on 2006-08-14 11:16:43 by asmrixstar
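
An added cross-check for the offset table in the post above (not code from the thread): the 32-bit CONTEXT layout is re-declared in C with fixed-width types, and a selection of the hand-written offsets is compared against what the compiler computes. The type names CONTEXT32 and FLOATING_SAVE_AREA32, the FloatSave member name and the 512-byte size of ExtendedRegisters are assumptions taken from the Windows headers, not from the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit x86 CONTEXT, re-declared with fixed-width types so the check builds
   on any host. Field names follow the table in the post; type names are ours. */
typedef struct {
    uint32_t ControlWord, StatusWord, TagWord, ErrorOffset, ErrorSelector;
    uint32_t DataOffset, DataSelector;
    uint8_t  RegisterArea[80];          /* SIZE_OF_80387_REGISTERS, not a DWORD */
    uint32_t Cr0NpxState;
} FLOATING_SAVE_AREA32;

typedef struct {
    uint32_t ContextFlags;
    uint32_t iDr0, iDr1, iDr2, iDr3, iDr6, iDr7;
    FLOATING_SAVE_AREA32 FloatSave;
    uint32_t regGs, regFs, regEs, regDs;
    uint32_t regEdi, regEsi, regEbx, regEdx, regEcx, regEax;
    uint32_t regEbp, regEip, regCs, regFlag, regEsp, regSs;
    uint8_t  ExtendedRegisters[512];    /* assumed size, from the Windows headers */
} CONTEXT32;

struct entry { const char *name; size_t hand; size_t real; };
#define ROW(field, hand) { #field, hand, offsetof(CONTEXT32, field) }

/* Hand-written offsets copied from the table in the post (a selection). */
static const struct entry table[] = {
    ROW(ContextFlags, 0), ROW(iDr0, 4), ROW(iDr7, 24),
    ROW(FloatSave.ControlWord, 28), ROW(FloatSave.RegisterArea, 56),
    ROW(FloatSave.Cr0NpxState, 136), ROW(regGs, 140), ROW(regEdi, 156),
    ROW(regEcx, 172), ROW(regEax, 176), ROW(regEip, 184),
    ROW(regEsp, 196), ROW(regSs, 200), ROW(ExtendedRegisters, 204),
};

/* Returns how many hand-written offsets disagree with the compiler's layout. */
int count_mismatches(void) {
    int bad = 0;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].hand != table[i].real) {
            printf("%s: table says %zu, layout says %zu\n",
                   table[i].name, table[i].hand, table[i].real);
            bad++;
        }
    return bad;
}

int main(void) { return count_mismatches() != 0; }
```
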

You made it very clear about segment registers.  I wasted a lot of time for nothing thinking I could make a brick out of thin air.

But for code like this below, is it possible to not use ASSUME?  If so, I need to know how.


MOV  EAX, aDWORD
ASSUME EAX : PTR WhatEverStruct


Thank you Homer



Do you mean something like this?

SehHandler PROC C pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD
MOV EAX, pContext
PUSH SEH.SaveEip
POP [EAX].CONTEXT.regEip
PUSH SEH.OrgEsp
POP [EAX].CONTEXT.regEsp
PUSH SEH.OrgEbp
POP [EAX].CONTEXT.regEbp
MOV EAX, ExceptionContinueExecution
RET
SehHandler ENDP


Regards,
Bryant Keller
Posted on 2006-08-14 20:18:52 by Synfire
Yeah, I bet that's what he meant.

If you wish to NOT use Assume with indirect register accesses, just put the struct's name after the register and before the fieldname as Bryant indicated.

mov .structname.fieldname, somedata

Sure, it's not the only way, but it's the most common syntax you'll see.
Posted on 2006-08-15 00:17:40 by Homer
ASSUME EDX : PTR IMAGE_EXPORT_DIRECTORY
MOV  EBX, [EDX].AddressOfNames

Translated to:
MOV  EBX, IMAGE_EXPORT_DIRECTORY.AddressOfNames


This translation is correct for POASM.
Posted on 2006-08-16 13:06:16 by Vortex
1. If you can assemble the code in MASM:
Put just that code in an empty project, assemble it, and disassemble it with IDA, W32Dasm or OllyDebug, and all the reg + offset is done for you.


Good idea... I plan to try it on some segment register code.  Maybe I can create a module and link it to my POASM program or just do your hex format as db thing.  Please allow me to get back with you about that in the future if I run into a few small problems.

POASM doesn't support those registers.  I figured that out and accepted that fact after Homer said

For segment registers, you have no choice but to use assume........If its a segment register like FS, you HAVE to use ASSUME.


Thanks Homer.  The minute you said that, it broke my heart :( and ended my search.  I darn near went to hell and back searching code and clues, but no bottom line was found.  There doesn't seem to be a work-around for ASSUME FS : NOTHING and such with POASM, I guess.

Thanks Synfire, your code works perfectly with MASM and POASM.  It's going to be fun to watch it run on Olly.

This translation is correct for POASM.


Vortex is right and it works with both MASM and POASM.  I may be switching assemblers, but with no need to ever re-translate code back to MASM.  That's my goal and what this was all about.


Thanks everybody for saving my DAYS...
Posted on 2006-08-17 23:45:47 by ic2
1. If you can assemble the code in MASM:
Put just that code in an empty project, assemble it, and disassemble it with IDA, W32Dasm or OllyDebug, and all the reg + offset is done for you.


Good idea... I plan to try it on some segment register code.  Maybe I can create a module and link it to my POASM program or just do your hex format as db thing.  Please allow me to get back with you about that in the future if I run into a few small problems.


sure np,
Worth noting though that the 'db trick' only works on delta code.
Any memory accesses have to be indirect or your hand-generated opcode
will probably point to the wrong memory location.
have fun  :D
Posted on 2006-08-18 02:39:58 by asmrixstar
:D :D

mov ax,fs
mov dx,ds
mov ds,ax
mov eax,ds:[0]
mov ds,dx

:D :D

seriously:

ifndef __POASM__
assume fs:nothing
endif

Posted on 2006-08-18 12:26:11 by drizz
So nothing is impossible.

Thanks drizz


sure np,
Worth noting though that the 'db trick' only works on delta code.
Any memory accesses have to be indirect or your hand-generated opcode
will probably point to the wrong memory location.
have fun


Thanks asmrixstar.  It will still be interesting to work things out with ideas like that just for the experience, possible use or just for fun.  I'm going to try it this weekend.

Btw, who is np?
Posted on 2006-08-18 23:12:35 by ic2
asmrixstar = nice eddie (sig change)

np = no problem
Posted on 2006-08-23 16:14:46 by Nice Eddie