I was trying to build strings by myself. I kept having trouble with moving ebp back into esp and popping ebp. If you look at my code, I have commented out where it once was. I am wanting some reinforcement on why this wasn't working ... although I have come up with my own thoughts.

I think what my problem was that I was resetting the stack pointer to where it was before and I take it that somewhere in the MessageBox function it, of course, created its own local variables which were overriding my "STATIC". Am I thinking right on this?? I am just needing ppl to verify/clarify this, thanks.

Just in case somebody was wondering I compiled using QEditor's Console Compile/Link.


.386

.model flat,stdcall
option casemap:none

include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\windows.inc


includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data?
lpStatic dd ?
.code
start:

push ebp
mov ebp, esp
sub esp, 8
mov dword ptr[ebp-8], "TATS"
mov word ptr[ebp-4], "CI"
mov byte ptr[ebp-2], 0
lea eax, [ebp-8]
mov lpStatic, eax

;mov esp, ebp ;
;pop ebp ;Was here, when MessageBox showed garbage

invoke MessageBox, NULL, lpStatic, lpStatic, MB_OK
mov esp, ebp ;
pop ebp ; Works here
invoke ExitProcess, 0

end start


Thanks a lot,
gorshing
Posted on 2002-10-09 22:54:27 by gorshing
You're correct. By convention no routine should alter data on the stack, but data is volatile - you cannot count on knowing what is there (unless you have full control of the processor).
Posted on 2002-10-09 23:00:17 by bitRAKE
The reason it didn't work is as follows:
Stack Frame before restoring esp & ebp

ebp: 0x100  Old ebp
     0x0FF  ?
     0x0FE  0
     0x0FC  "IC"
esp: 0x0F8  "STAT"

Stack Frame after restoring esp & ebp

esp: 0x104
     0x100  Old ebp
     0x0FF  ?
     0x0FE  0
     0x0FC  "IC"
     0x0F8  "STAT"

Stack Frame after push parameters for Message Box

     0x100  0x00000000
     0x0FC  0x000000F8
     0x0F8  0x000000F8
esp: 0x0F4  MB_OK


The API didn't overwrite your stack frame, YOU overwrote it.

bitRAKE:
I've never seen an API mess with my stack frames.
Posted on 2002-10-10 01:11:22 by eet_1024
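The overwrite that eet_1024's diagram walks through can be reproduced in a small model of the stack. The following C program is an added example, not code from the thread: it keeps a byte-addressed stack, an ESP and an EBP, replays gorshing's first program (push ebp / mov ebp,esp / sub esp,8 / the three stores), then pushes the four MessageBox arguments right to left either after or before the frame is restored. The address range 0x0E0..0x108, the starting ESP of 0x104, the starting EBP and the 0xCC filler are constructed values chosen to match the diagram; the real CALL and MessageBox's own frame are not modelled because the argument pushes alone are enough to show what happens.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stack region: addresses STACK_LO..STACK_HI-1 (illustration only). */
#define STACK_LO 0x0E0u
#define STACK_HI 0x108u

typedef struct {
    uint8_t  mem[STACK_HI - STACK_LO]; /* backing bytes */
    uint32_t esp;
    uint32_t ebp;
} Stack;

typedef struct {
    int      intact;       /* 1 if "STATIC",0 still sits at lpStatic when the call is made */
    uint32_t dword_at_lp;  /* first dword at lpStatic at that moment */
    uint32_t esp_at_call;  /* ESP after the four arguments have been pushed */
} Result;

static uint8_t *at(Stack *s, uint32_t addr) { return &s->mem[addr - STACK_LO]; }

/* x86 is little-endian, so store/load byte by byte in that order. */
static void store32(Stack *s, uint32_t addr, uint32_t v) {
    uint8_t *p = at(s, addr);
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t load32(Stack *s, uint32_t addr) {
    const uint8_t *p = at(s, addr);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void     push(Stack *s, uint32_t v) { s->esp -= 4; store32(s, s->esp, v); }
static uint32_t pop(Stack *s)              { uint32_t v = load32(s, s->esp); s->esp += 4; return v; }

/* The frame gorshing's first program builds; returns lpStatic (= ebp-8). */
static uint32_t build_static(Stack *s) {
    push(s, s->ebp);                       /* push ebp                      */
    s->ebp = s->esp;                       /* mov ebp, esp                  */
    s->esp -= 8;                           /* sub esp, 8                    */
    memcpy(at(s, s->ebp - 8), "STAT", 4);  /* mov dword ptr [ebp-8], "TATS" */
    memcpy(at(s, s->ebp - 4), "IC", 2);    /* mov word ptr  [ebp-4], "CI"   */
    *at(s, s->ebp - 2) = 0;                /* mov byte ptr  [ebp-2], 0      */
    return s->ebp - 8;                     /* lea eax, [ebp-8]; mov lpStatic, eax */
}

/* mov esp, ebp / pop ebp */
static void restore_frame(Stack *s) { s->esp = s->ebp; s->ebp = pop(s); }

/* invoke MessageBox, NULL, lpStatic, lpStatic, MB_OK pushes right to left. */
static void push_messagebox_args(Stack *s, uint32_t lp) {
    push(s, 0);   /* MB_OK (value 0)  */
    push(s, lp);  /* lpCaption        */
    push(s, lp);  /* lpText           */
    push(s, 0);   /* hWnd = NULL      */
}

/* restore_first = 1 replays the version that showed garbage, 0 the one that worked. */
Result simulate(int restore_first) {
    Stack s;
    memset(s.mem, 0xCC, sizeof s.mem);    /* constructed "uninitialised" filler */
    s.esp = 0x104; s.ebp = 0xBEEF0000u;   /* constructed starting values        */
    uint32_t lp = build_static(&s);
    if (restore_first) restore_frame(&s);
    push_messagebox_args(&s, lp);
    /* Whatever sits at lp now is what MessageBox will read as its text. */
    Result r;
    r.intact      = memcmp(at(&s, lp), "STATIC", 7) == 0;
    r.dword_at_lp = load32(&s, lp);
    r.esp_at_call = s.esp;
    return r;
}

int main(void) {
    for (int v = 1; v >= 0; v--) {
        Result r = simulate(v);
        printf("%s: string %s, dword at lpStatic = 0x%08X, esp at call = 0x%03X\n",
               v ? "restore before call" : "restore after call ",
               r.intact ? "intact" : "clobbered", r.dword_at_lp, r.esp_at_call);
    }
    return 0;
}
```

With the frame restored first, the second push of lpStatic lands at 0x0F8, exactly where "STAT" was, so the dword at lpStatic becomes 0x000000F8 and MessageBox is handed a pointer into its own argument list rather than into a string; left unrestored, the arguments go below 0x0F8 and the string survives.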
A debugger can be very helpful, and increase productivity. I recommend http://home.t-online.de/home/Ollydbg/
Posted on 2002-10-10 01:13:00 by eet_1024
gorshing,

Maybe I missed something in the code you were testing but I wonder why you are using the stack pointer and base pointer.

EBP is no problem if you preserve it but ESP is living dangerously.

Regards,

hutch@movsd.com
Posted on 2002-10-10 04:07:02 by hutch--
hutch--,

The reason is from Stryker's second reply to this thread --> http://www.asmcommunity.net/board/index.php?topic=6199&highlight=xcall

I take it that I shouldn't do this? Could you give me a few pointers?

Thanks,
gorshing
Posted on 2002-10-10 08:54:30 by gorshing

bitRAKE:
I've never seen an API mess with my stack frames.
I've seen some protection use this. PROC-A calls PROC-B, PROC-B calls PROC-C, and PROC-C changes parameters passed by PROC-A. This could be part of some very advanced optimization, too. No compiler I know uses this - they stick with standard conventions.

Small version:
; 32 bytes

xor eax, eax

push eax

push "CI"
push "TATS"
mov edx, esp

invoke MessageBox, eax, edx, edx, eax
add esp, 8 ; correct stack for "STATIC",0,0

call ExitProcess
This version exits with an imbalanced stack.
; 30 bytes

push "CI"
push "TATS"
xor eax, eax
mov edx, esp

invoke MessageBox, eax, edx, edx, eax

dec eax
invoke ExitProcess, eax
If you're going to use EBP for the stack frame, then just let PROC/ENDP handle it.
Posted on 2002-10-10 10:15:26 by bitRAKE
Ok, I have another problem that I have solved ... just need to know why again. Note this first pasting of code is wrong.
.386

.model flat,stdcall
option casemap:none

include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\windows.inc


includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data?
lpStatic dd ?
lpWhite dd ?
.code
start:

push ebp
mov ebp, esp
sub esp, 8
mov word ptr[ebp-8], "TS"
mov dword ptr[ebp-6], "CITA"
mov word ptr[ebp-2], 0
lea eax, [ebp-8]
mov lpStatic, eax

sub esp, 6
mov dword ptr[ebp-14], "TIHW"
mov byte ptr[ebp-10], "E"
mov byte ptr[ebp-9], 0
lea eax, [ebp-14]
mov lpWhite, eax
invoke MessageBox, NULL, lpStatic, lpStatic, MB_OK

mov esp, ebp
pop ebp
invoke ExitProcess, 0

end start


My problem was where I started building another string. My program wasn't crashing, but the MessageBox didn't have a title bar, it looked like the picture attached.

But when I changed the code to this
.386

.model flat,stdcall
option casemap:none

include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\windows.inc


includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data?
lpStatic dd ?
lpWhite dd ?
.code
start:

push ebp
mov ebp, esp
sub esp, 8
mov word ptr[ebp-8], "TS"
mov dword ptr[ebp-6], "CITA"
mov word ptr[ebp-2], 0
lea eax, [ebp-8]
mov lpStatic, eax

sub esp, 8
mov dword ptr[ebp-16], "TIHW"
mov byte ptr[ebp-12], "E"
mov byte ptr[ebp-11], 0
lea eax, [ebp-16]
mov lpWhite, eax
invoke MessageBox, NULL, lpStatic, lpStatic, MB_OK

mov esp, ebp
pop ebp
invoke ExitProcess, 0

end start


The title bar was there. So I am curious why the first paste of code wasn't working. If I was using Ollydbg correctly, the stack was pushed correctly (of course something was wrong in the first one).

So is there that alignment that was messing me up or what? I don't understand why the MessageBox function showed up weird.

Hopefully I was clear enough about which piece of code works and my problems.

Thanks again for the help,
gorshing
Posted on 2002-10-10 21:49:53 by gorshing
The stack should always be dword aligned.
Posted on 2002-10-10 23:11:17 by bitRAKE
Thanks man, that's what I thought ... just wasn't for sure. I keep hearing about alignment but I just haven't been able to understand what/where it needs to be.

Thanks again,
gorshing
Posted on 2002-10-10 23:15:56 by gorshing
Ok, I am reading MemoryAccessandOrg.pdf from Hyde, I am on page 177

For maximum performance, the stack pointer should always be an even multiple of four; indeed, your program may malfunction under Windows or Linux if ESP contains a value that is not a multiple of four and you make an HLA Standard Library or an operating system API call. The only practical reason for pushing less than four bytes at a time on the stack is because you're building up a double word via two successive word pushes.


So, should I keep the stack 4 or 8 byte align? I haven't tested this though, but if Hyde is wrong here, somebody needs to let him know.

Thanks again,
gorshing
Posted on 2002-10-13 18:32:55 by gorshing
on a 32 bit program? 4 (DWORD size) but to say "multiple of 4" is kinda... ummm!!! ???partly wrong??? IMO, because 8, 12, 16, 20, 24, 28. 32... are multiples of 4.

I'm not an expert but I believe that on 16 bit programs, the stack should be aligned 16 bits (WORD - 2 bytes) and on 32 bit programs... (see above)
Posted on 2002-10-13 19:50:04 by stryker
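The alignment point bitRAKE and stryker make can be checked mechanically before the code is ever run. The C program below is an added example, not code from the thread: it walks the stack adjustments gorshing's two programs make before invoke (push ebp, sub esp,8, then sub esp,6 or sub esp,8) from a constructed starting ESP of 0x104, reports where ESP first stops being a multiple of four, and shows the round-up that turns a 6-byte request into the 8-byte frame that worked. The operation list, the starting ESP and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One stack adjustment: a 4-byte push, or "sub esp, bytes". */
typedef enum { OP_PUSH, OP_SUB } OpKind;
typedef struct { OpKind kind; uint32_t bytes; } StackOp; /* bytes is ignored for OP_PUSH */

typedef struct {
    uint32_t esp_at_call;  /* ESP after every listed op has executed */
    int      aligned;      /* 1 if esp_at_call is a multiple of 4     */
    int      first_bad_op; /* index of the op that first misaligned ESP, or -1 */
} AlignReport;

/* Replay the ops and record dword alignment of ESP along the way. */
AlignReport check_alignment(uint32_t esp, const StackOp *ops, size_t n) {
    AlignReport r = { esp, (esp & 3u) == 0, -1 };
    for (size_t i = 0; i < n; i++) {
        esp -= (ops[i].kind == OP_PUSH) ? 4u : ops[i].bytes;
        if ((esp & 3u) != 0 && r.first_bad_op < 0) r.first_bad_op = (int)i;
    }
    r.esp_at_call = esp;
    r.aligned     = (esp & 3u) == 0;
    return r;
}

/* Round a local-buffer size up to the next multiple of 4, so that
   "sub esp, n" leaves ESP dword aligned (6 bytes for "WHITE",0 becomes 8). */
uint32_t aligned_frame_size(uint32_t nbytes) { return (nbytes + 3u) & ~3u; }

/* The two frames from gorshing's second post (constructed op lists). */
static const StackOp broken_frame[]  = { {OP_PUSH, 0}, {OP_SUB, 8}, {OP_SUB, 6} };
static const StackOp working_frame[] = { {OP_PUSH, 0}, {OP_SUB, 8}, {OP_SUB, 8} };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static void report(const char *name, AlignReport r) {
    printf("%s: esp at call = 0x%03X, %s", name, r.esp_at_call,
           r.aligned ? "dword aligned\n" : "MISALIGNED");
    if (!r.aligned) printf(" (first broken by op #%d)\n", r.first_bad_op);
}

int main(void) {
    report("sub esp,6 version", check_alignment(0x104u, broken_frame,  COUNT(broken_frame)));
    report("sub esp,8 version", check_alignment(0x104u, working_frame, COUNT(working_frame)));
    printf("6-byte buffer needs a %u-byte frame\n", aligned_frame_size(6));
    return 0;
}
```

Every push after the misaligned sub esp,6 lands on an address that is not a multiple of four, which is what the MessageBox arguments then do in the version without a title bar; bitRAKE's advice to let PROC/ENDP manage the frame avoids doing this arithmetic by hand at all.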