absjmp MACRO address
LOCAL opend
db 0E9h
dd address - opend
opend = $+401000h-sectaddr

sectaddr equ $ ;at first occurence of .code statement set the constant
absjmp 810000h
xor eax,eax
absjmp 401000h
mov eax,eax
absjmp 400000h

I tested it.
It generates right opcode jmp near imm
Unfortunatly you must
1. Change values if you not use default base and alignment
2. Manualy set sectaddr value at first .code statement.
offset @code might be used instead of it but you need shl it 4 and masm can not do it.
Posted on 2002-05-21 15:09:45 by The Svin

I'm sorry hutch, but you are wrong. "jmp 401000h" ought to jump to address 401000h (which can't be assembled directly when doing coff output, but would work with eg binary output), while "jmp [401000h]" (or "jmp dword ptr [401000h]") should jump to the address pointed to by the dword at address 401000h. Brackets mean indirection. You don't think that "jmp eax" and "jmp " ought to produce the same instructions, do you now?

This is f0dder_asm, how does this theory of indirection only handle the standard MASM syntax like,

mov ax, MyVar[2]

Is this too indirect for your theory ? :) Should MASM rewrite the use of indexing or added displacements on the basis of this theory ?

mov ax, [ebp-whatever+2]

I have no real objection to assemblers that are a bit toothless in the parsing department and it seems there are people who want to play with them but when you are finished playing games, you write 32 bit windows assembler in MASM if you want to get something written in your lifetime. :)

Imagine a toilet that has a sheet of really rough sandpaper nailed to the wall with a caption, "You can tell the men from the boys by the paper they use".

Most ordinary mortals will still use the normal stuff but there will be that bunch of others who will at least try and use the sandpaper.

Doing things the hard way for no reason may be asthetically pleasing to some but most want to get the job done without the irritations and this goes for writing assembler. With MASM you have the parsing grunt to offer simplified syntax that is not so notation burdened as others that are less powerful in their parsing.

Still, if you want to add more garbage, try prefixing the registers with % like GAS does, perhaps thats the proper way for people who cannot recognise the expressions typed in.


Posted on 2002-05-21 22:55:31 by hutch--

This is f0dder_asm

mean indirection in most x86 assemblers,
and "most places" in masm. Masm seems quite ambiguous
about this though. That you have to add a DS "override"
to make it understand you want A100104000 and not
B8010400 from "mov eax, [401000h]" is plain silly.

I can live with the fact that masm doesn't enforce
brackets on indirection and that it has some additionaly
quirky ways of doing indirection, like variable,
even if these are syntactically flawed & ugly to me.
But that it f_ucks around with standard stuff like
the above... bleh.
Posted on 2002-05-22 00:00:58 by f0dder

Probably just me who don't understand masm's macro argument expansion then. I would have assumed...
This doesn't have to do with the macro argument expansion, but with MASM's qualified type resolution. Assumptions like this continue to make things harder than they should be for you. Maybe a good read of the manual is in order - I am sorry that it is not in your native language - for I'm sure these matters would be trivial for you to grasp.
Posted on 2002-05-22 14:11:02 by bitRAKE
Some additional info for those who not familiar with
((short) jmp address) opcode.
While first byte of those opcode is easy to use - it's 0E9h (sign of short jmp)
next dword of opcode is address, but it's relative address not absolute.
It = address you need to jmp minus of next opcode
for example 0E9 00000000h - means to jmp to the next instruction.
Keeping in mind that I knew base address and section alignment I worked out macro
that way
1. In the first occurence of .code statement(wich is address of code section)
I put
sectaddr equ $
2. And the macro was:
absjmp MACRO address
LOCAL opend
db 0E9h
dd address - opend
opend = $+401000h-sectaddr
401000h here is base + section alignment and actually it's equal to sectaddr.
But I couldn't write just opend = $ 'cause it would rise error about relocation :)

I test it with different values - macro worked all right generating right opcode each time.
Then I wandered if different debuggers and disassemblers could show it right way.
Here is the end of introduction, now the notes this post is about.
Here is code tested:

sectaddr equ $ ;at first occurence of .code set the constant
absjmp 810000h
xor eax,eax
absjmp 401000h
mov eax,eax
absjmp 400000h
cmp al,1
adc al,al
and al,3
jmp @B

OllyDbg behavior was most strange:
'Cause it "understood" jmps very well but failed to disassm
very simple following jmps code:

00401000 <Mo> $-E9 FBEF4000 JMP 00810000
00401005 . 33C0 XOR EAX,EAX
00401007 .^E9 F4FFFFFF JMP testinst.<ModuleEntryPoint>
0040100C . 8BC0 MOV EAX,EAX
0040100E .-E9 EDEFFFFF JMP testinst.00400000
;here OllyDbg failed:
00401013 3C DB 3C
00401014 01 DB 01
00401015 12 DB 12
00401016 C0 DB C0
00401017 24 DB 24
00401018 . 03EB ADD EBP,EBX
0040101A . F8 CLC

Olly should have treated
db 3c, 01 as cmp al,1
db 12, c0 as adc al,al
db 24, 03 as and al,03
db eb, 08 as jmp to 40101B-8 (to 401013)

But your can see how it took the opcode
Without preceding short jmps OllyDbg disassm the opcode well.
Why did it not do it after the jmps - is a mystery to me :)

Next try was with Hiew.
It understood everything ok exept for jmp lower that base address:

.00401000: E9FBEF4000 jmp 00040F400
.00401005: 33C0 xor eax,eax
.00401007: E9F4FFFFFF jmp .000401000
.0040100C: 8BC0 mov eax,eax
.0040100E: E9EDEFFFFF jmp 0FFFFF400
.00401013: 3C01 cmp al,001 ;""
.00401015: 12C0 adc al,al
.00401017: 2403 and al,003 ;""
.00401019: EBF8 jmps .000401013

Now Soft Ice.
That was the only one who got everything right :)

00401000: E9FBEF4000 jmp 00040F400
00401005: 33C0 xor eax,eax
00401007: E9F4FFFFFF jmp .000401000
0040100C: 8BC0 mov eax,eax
0040100E: E9EDEFFFFF jmp .000400000
00401013: 3C01 cmp al,001
00401015: 12C0 adc al,al
00401017: 2403 and al,003
00401019: EBF8 jmps .000401013

That's it.
Posted on 2002-06-04 10:36:01 by The Svin
Svin: why did you choose 810000h as jump ?

if i change 810000h (wich points nowhere on my system)
to 77F01000h (KERNEL32.ModuleEntryPoint) OllyDbg
decodes fine.

i use OllyDbg 1.07 (step 1)
Posted on 2002-06-05 02:42:51 by TBD
"Yeah, it happens sometimes. OllyDbg is highly
heuristical (and a bit fuzzy).

Without full context, it's hard to get exact reason.
Most possibly, some other commands references
address 00401018 as data or jump destination,
or the real commands looked too improbable to
be a real sequence."

this is Olly's response on Svin's post.

also Olly added "new switch analysis is ready,
and stack walk also looks promising. Maybe in a
week or two I'll post 1.07a on my homepage" :alright:

nice :tongue:
Posted on 2002-06-10 02:07:30 by TBD
why did you choose 810000h as jump

I chose different mem locations.
As for 8?????h addresses in 9x a lot of usefull system data here.
Most strange things was that it decoded the jmp right way, but failed to decode very simple opcode followed it.

My regards to Oleh, he is doing very well with his tool.
Posted on 2002-06-19 19:54:35 by The Svin
Thats in esence, the reason why I dont like MASM.

;P Bye bye
Posted on 2002-07-19 12:16:54 by sheroc