01 .386
02 .model flat
03 extrn ExitProcess: proc
05 .data
06 dummy dd 0
08 .code
09 start:
10 call delta
11 delta:
12 pop ebp
13 sub ebp, offset delta ; get the imagebase from the current process
14 push 0
15 call ExitProcess
16 end start
Lines (08-13) are part of a larger program. I've borrowed these lines to figure out certain measures that I was unable to follow. Especially, where the author has commented line 13 to 'get the imagebase from the current process', assuming that that must be the objective of this work out at this stage.
Line 10, there is a call delta, which pushes the address of the next instruction onto the stack. This address is again popped into the ebp register. Subtracting the delta offset from ebp results in 0, i.e. ebp=00000000.
After executing the instruction at line (13), the reading in td32 is as seen below, with ebp=00000000. I suppose that imagebase is 0040100h.
:00401000 E800000000 call VX.00401005 eax 00000000 ?
:00401005 5D pop ebp ebx 7FFD9000 ?
:00401006 81ED05104000 sub ebp,00401005 ecx 0012FFB0
:0040100C 6A00 push 00000000 edx 7C90E514 ?
:0040100E E800000000 call KERNEL32.ExitProcess esi 01650074 ?
:00401013 FF2530304000 jmp [00403030] edi 7C80F291 ?
:00401019 0000 add [eax],al ebp 00000000 ?
May I request help to comprehend this procedure.
How does the (call delta) lend a hand to 'get the imagebase from the current process'?
Thank you.
Actually it doesn't get the image base. You are correct in your analysis of the code. I'm not exactly sure what the creator of this code was thinking. Try this out.
.386
.model flat, stdcall
option casemap: none
include \masm32\include\Windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
.data
dummy dd 0
.code
assume fs: nothing
start:
call delta
delta:
pop ebp
sub ebp, offset delta - offset start
push 0
call ExitProcess
end start
It should return what you are looking for. A much shorter (but NT specific) method would be to use:
.386
.model flat, stdcall
option casemap: none
include \masm32\include\Windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
.data
dummy dd 0
.code
assume fs: nothing
start:
mov eax, fs:[30h] ; TEB slot holding the pointer to the process environment block (PEB)
mov eax, [eax+8] ; _PEB.ImageBaseAddress (offset 8 in the 32-bit PEB) is put in eax.
push 0
call ExitProcess
end start
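The arithmetic this thread turns on, as an added Python example (not code from the thread or from masm32): it reads the preferred ImageBase and entry-point RVA out of a constructed PE32 header, then shows what `sub ebp, offset delta` leaves in ebp when the image is loaded at its preferred base (the 00000000 seen in td32) versus when it is relocated, and what the `offset delta - offset start` variant yields. The 00A10000h relocated load address is a made-up value.

```python
import struct

# Constructed minimal PE32 header (not a real binary): DOS stub -> PE signature,
# COFF header, then the optional-header fields this thread turns on. Defaults
# mirror the td32 listing: preferred ImageBase 00400000h, start at RVA 1000h.
def build_pe_header(image_base=0x00400000, entry_rva=0x1000):
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew -> "PE\0\0"
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x14C,  # signature, i386
                       1, 0, 0, 0, 0xE0, 0x0102)        # 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)         # ImageBase
    return bytes(dos) + coff + bytes(opt)

def parse_pe(data):
    """Return (preferred ImageBase, entry-point RVA) from a PE32 header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                                 # skip the COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    return image_base, entry_rva

MASK = 0xFFFFFFFF  # 32-bit register wrap-around

def delta(linked_delta, runtime_delta):
    """ebp after `pop ebp / sub ebp, offset delta`: load minus link address."""
    return (runtime_delta - linked_delta) & MASK
def runtime_image_base(preferred_base, d):
    """Preferred ImageBase plus that delta is the base the image really sits at."""
    return (preferred_base + d) & MASK
def runtime_start(linked_delta, linked_start, runtime_delta):
    """ebp after `sub ebp, offset delta - offset start`: run-time address of start."""
    return (runtime_delta - (linked_delta - linked_start)) & MASK

if __name__ == "__main__":
    base, entry = parse_pe(build_pe_header())
    start, dlt = base + entry, base + entry + 5         # `call delta` is 5 bytes
    print(hex(delta(dlt, dlt)))                         # loaded at preferred base: 0x0
    moved = dlt - base + 0x00A10000                     # constructed relocated load
    print(hex(runtime_image_base(base, delta(dlt, moved))))  # 0xa10000
    print(hex(runtime_start(dlt, start, moved)))        # 0xa11000
```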
Yes... you are right!!
Just as you have suggested, using the code
sub ebp, offset delta - offset start
gets the value of imagebase in the ebp register.
Thank you.
Offline: does the word baseimage mean the same as imagebase?