Anyone know a method to read the EIP and write the address to a buffer? I'm sure the solution is simple.
Thanks in advance
Posted on 2002-01-22 20:16:43 by ThrawN
I'm in a bit of a hurry, so I'm not going to "write" and "tweak" the code, but I'll give you my suggestions:

(Assumption: EAX will hold the EIP if moved to it. This is a look-up topic, or a trial-and-error assumption. Most special registers (and segments) are linked specifically to EAX via the mov instruction, so I'm assuming that EIP would be as well.)

MACRO GetEIP
mov eax, eip
sub eax, 2
invoke ToBaseXToAscii, eax, 16, OFFSET AsciiBuffer
ENDM

The sub eax, 2 is another "guess" for the length of the "mov eax, eip" instruction. I think it's two bytes long (if memory serves me correctly). This is to correct back to the code line before the macro. If you wanted it after the macro you can likewise disassemble the program, determine the number of bytes the macro takes and add that to eax.

The invoke translates the DWORD EIP to a hex output. A quick method that umberg6007 put together.

Anywho, there's my thoughts... I have a hunch f0dder or someone will fill in the "spaces" :)
NaN
Posted on 2002-01-22 22:35:44 by NaN
I didn't think you could access EIP directly? Try:
    call @F
@@:
    pop eax ; EIP
There are a few other methods, but they are only useful if you're writing an OS or something.
Posted on 2002-01-22 23:58:40 by bitRAKE
That's a good trick, bitRAKE...

Like I said, my idea was just an assumption that the mov would work. Don't think I woulda figured that out tho :)

NaN
Posted on 2002-01-23 00:59:58 by NaN
How about:

here:
    mov eax, offset here

Can it be more difficult than that?

Mirno
Posted on 2002-01-23 05:26:18 by Mirno
Like a former mathematics teacher used to say ironically:

"Why make it simple when you can make it complicated?" ;)
Posted on 2002-01-23 05:36:02 by JCP
Thanks bitRAKE, I'll give it a try.
=)
Posted on 2002-01-23 05:43:12 by ThrawN
If you're dealing with position-independent code, bitRAKE's solution is the best. The idea is to get the "delta" or "how much have we been relocated" offset. Then you use that on all data access.

Example:

    call delta
delta:
    pop ebp
    sub ebp, offset delta

    ...
    mov eax, [ebp + myVariable]
Posted on 2002-01-23 09:19:09 by f0dder
f0dder, would the 'offset delta' be relocated and therefore EBP would always be zero, regardless of position?
Posted on 2002-01-23 10:08:26 by bitRAKE
With standard relocated code, yes. When dealing with code injection and/or moving pieces of code around in memory, no.
Posted on 2002-01-23 10:18:11 by f0dder
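Here is bitRAKE's call/pop trick and f0dder's delta idiom put together in one complete MASM32-style program, as an added example that is not code from anyone in this thread. It assumes the usual \masm32 include and library paths, and it uses wsprintf in place of ToBaseXToAscii to write the address into a buffer as hex text, then shows it with MessageBox. Unlike the "sub eax, 2" guess above, no instruction-length correction is needed: CALL pushes the address of the instruction that follows it, so the popped value is exactly the address of the label.

```asm
; Added example: read EIP with CALL/POP and derive the relocation delta.
; Assumed build environment: MASM32 (ml /c /coff, link /subsystem:windows).

.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
    fmt     db "EIP at label = %08Xh, delta = %08Xh, myValue = %u", 0
    caption db "GetEIP", 0
    myValue dd 1234          ; constructed sample variable for the delta test

.data?
    buffer  db 128 dup(?)    ; receives the formatted hex text

.code
start:
    ; --- 1. Read EIP. CALL pushes the return address, which is the
    ;     address of the very next instruction, i.e. the @@ label.
    ;     POP then leaves that address in a general register.
    call @F
@@:
    pop ebx                  ; ebx = run-time address of the @@ label

    ; --- 2. Relocation delta (f0dder's idiom). The popped value is the
    ;     run-time address; OFFSET delta is the address the linker/loader
    ;     assigned. Their difference is how far the code has moved.
    ;     In a normally loaded PE the loader has already fixed up
    ;     OFFSET delta, so the delta is 0 (bitRAKE's question). It is only
    ;     non-zero if these bytes execute somewhere other than where they
    ;     were linked, which is the position-independent case.
    call delta
delta:
    pop ebp
    sub ebp, OFFSET delta    ; ebp = delta

    ; --- 3. Apply the delta to every data reference. MASM assembles this
    ;     as [ebp + disp32] with disp32 = OFFSET myValue, so the effective
    ;     address is delta + linked address = the variable's real address.
    mov ecx, [ebp + myValue]

    ; --- 4. Write the values to the buffer as text and display them.
    ;     (These invokes use absolute ADDR operands, so they are fine for
    ;     a normally loaded program but would themselves need the delta
    ;     treatment in truly position-independent code.)
    invoke wsprintf, ADDR buffer, ADDR fmt, ebx, ebp, ecx
    invoke MessageBox, NULL, ADDR buffer, ADDR caption, MB_OK
    invoke ExitProcess, 0
end start
```

Run as a normal Windows program the box shows delta = 00000000h and myValue = 1234, which is exactly f0dder's "with standard relocated code, yes"; the interesting case is reading the same code after it has been copied to a different address, where the delta becomes the displacement and the [ebp + myValue] access still lands on the right data while a plain `mov eax, OFFSET myValue` would not.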