Stack addresses

Started by n00b!, October 05, 2008, 07:49:57 PM


n00b!

It was only a joke, see the smiley  :lol

But are the 'experiences' I had with the stack right or wrong? ._.
And what's with the questions in it?  :P

hutch--

noob,

Just a note on the two instructions, ENTER and LEAVE. They were originally designed to make stack frames for procedures in high level languages, C among others, but the ENTER instruction in particular is very slow and is rarely used these days, even by compilers. MASM terminates its stack frames with LEAVE and this works OK, as it tests about as fast as the normal ESP/EBP code but is smaller.

It's no big deal to write procedures without a stack frame as long as you understand what is happening when you use ESP addressing directly. The main factor is you must correct ESP every time you modify the stack with PUSH or POP. This can be tedious if you have a number of function calls in the procedure which push arguments onto the stack, but effectively after every PUSH you add 4 bytes to ESP until the CALL is made. If the function you call is STDCALL, it corrects the stack for you, but if it's a C calling convention, you must manually correct ESP after the function has returned.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

jj2007

Quote from: hutch-- on October 06, 2008, 07:31:14 PM
It's no big deal to write procedures without a stack frame as long as you understand what is happening when you use ESP addressing directly. The main factor is you must correct ESP every time you modify the stack with PUSH or POP. This can be tedious if you have a number of function calls in the procedure which push arguments onto the stack...

Here is a particularly cute example of the traps you can find without a stack frame. GetRtfStream saves a piece of text from a RichEdit control to a buffer with a pointer SelXXL$:

GetRtfStream proc ; buffer is SelXXL$
LOCAL editstream:EDITSTREAM
  mov editstream.pfnCallback, StreamToXXL
  sme EQU invoke SendMessage, hRichEdit,
  sme EM_STREAMOUT, SF_RTFNOOBJS or SFF_SELECTION, addr editstream
  ret
GetRtfStream endp

OPTION PROLOGUE:NONE ; this disables ENTER/LEAVE and is
OPTION EPILOGUE:NONE ; recommended only if you do not need LOCALs

; With stack frame: cookie=esp+8, pBuffer=esp+12, NumBytes=esp+16 etc
; Without: cookie=esp+4, pBuffer=esp+8, NumBytes=esp+12 etc

StreamToXXL proc cookie:DWORD,pBuffer:DWORD, NumBytes:DWORD, pBytesWritten:DWORD
invoke RtlMoveMemory, SelXXL$, [esp+12], [esp+12] ; dest, source (pBuffer), count (NumBytes)
ret 4*4   ; STDCALL callback: pop the four DWORD arguments ourselves
StreamToXXL endp
OPTION PROLOGUE:PrologueDef
OPTION EPILOGUE:EpilogueDef


Oops - wasn't pBuffer=esp+8 ?

MichaelW

Good example, but I think most beginners will need more than just a vague hint.
eschew obfuscation

BogdanOntanu

Quote from: japheth on October 06, 2008, 08:04:26 PM
...
I see. However, it's my job to annoy the "hobby prosecutors" in this forum and make their job a bit harder. You won't understand, so I spare myself any explanations, but believe me, this my job is absolutely necessary ...  :U

I do understand everything, do not worry about me... and I will not spare the explanations; I am already there and hence I have all eternity for this.

I am not prosecuting anybody. My questions and advice come from my own hands-on experience. It is the truth that I know to be correct from my experience. However, IF noob thinks that he knows better than me then I will not stop him from following his own path. I honestly think he has the right to be wrong.

I only remove stuff that is related to malware or VX writings because it is the rule of this forum. If he does not do such things then he has nothing to fear from me... anyway he has nothing to fear from me .... but the fact that he/she will not be able to understand or learn and will waste his time.

Checking noob!'s posts and seeing his path of questioning, do you honestly think that he is on the right path of learning?

I will be honest: I do NOT think he is... but this is my own opinion and of course I can be wrong. And I choose to express it and I think I am free to do so even if it is perceived as "harsh".

He ignores answers and immediately jumps to new questions that show he did NOT understand or digest the previous answers.

This is highly problematic... not against the rules of course but IMHO not good for him. Kind of like throwing a stone in the lake and then 10 wise men try to take the stone out from the bottom of the lake. Of course people answer gently but have you checked his improvements after each answer he receives?

He asks for pure information and then he rejects "structured information" and this kind of attitude is not helping IMHO. Information without structure is not a transformation. He will continue to ask dummy questions for years this way. I just want to teach him how to fish instead of giving him a fish every other day of his life.

But feel free to disagree and continue to do your job here. I can agree to disagree with you because I see that you know your own path whatever that might be and you have great skills... Hence I have no problems with you or what you do even if you somehow think you are making my job harder...

As for noob!... let us see how he evolves "in time"; until now it does not look right. Have you forgotten that he IS THE ONE that at a certain point erased all of his questions here, leaving answers that could not be understood by others? A very fair and honest act ... is it not?

Ambition is a lame excuse for the ones not brave enough to be lazy.
http://www.oby.ro

jj2007

Quote from: MichaelW on October 06, 2008, 08:26:44 PM
Good example, but I think most beginners will need more than just a vague hint.

invoke RtlMoveMemory, SelXXL$, [esp+12], [esp+12]

translates to:
push [esp+12]   ; count = NumBytes  <--- this push decreases esp by 4
push [esp+12]   ; source = pBuffer: therefore +8 is no longer +8 but rather +12  :wink
push SelXXL$    ; dest
call RtlMoveMemory
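The same point, spelled out as one assemblable program: hutch--'s rule that every PUSH moves the ESP-relative offsets of the arguments by 4 (and that a C-convention callee leaves the clean-up to the caller), and jj2007's trap where a three-argument invoke ends up reading all three arguments at [esp+12]. This is an added example, not code from the thread; CopyNoFrame, CopyWithFrame and AddC are hypothetical names, the string in src is constructed, and the includes assume the MASM32 SDK layout (\masm32\include, \masm32\lib). Build with ml /c /coff and link /subsystem:console.

```masm
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib

.data
    src     db "hello from the stack", 0      ; constructed sample input
    nl      db 13, 10, 0
.data?
    dst     db 64 dup(?)

.code

; --- A: no stack frame, ESP-relative addressing -------------------------
OPTION PROLOGUE:NONE
OPTION EPILOGUE:NONE

; CopyNoFrame(pDest, pSource, NumBytes) - STDCALL, no frame (hypothetical).
; On entry:  [esp]    = return address
;            [esp+4]  = pDest, [esp+8] = pSource, [esp+12] = NumBytes
; Every PUSH lowers ESP by 4, so each argument's ESP offset grows by 4
; per push. Arguments go on right to left (Length, Source, Destination).
CopyNoFrame proc pDest:DWORD, pSource:DWORD, NumBytes:DWORD
    push dword ptr [esp+12]     ; NumBytes  (Length)      - still at +12
    push dword ptr [esp+12]     ; pSource   (Source)      - was +8,  now +12
    push dword ptr [esp+12]     ; pDest     (Destination) - was +4,  now +12
    call RtlMoveMemory          ; STDCALL: callee pops its 12 bytes of args
    ret 3*4                     ; pop our own three DWORD args (STDCALL)
CopyNoFrame endp

OPTION PROLOGUE:PrologueDef
OPTION EPILOGUE:EpilogueDef

; --- B: same copy with MASM's default EBP frame -------------------------
; The prologue emits push ebp / mov ebp,esp, so pDest is [ebp+8] etc. no
; matter how many pushes the body does; the parameter names stay valid.
CopyWithFrame proc pDest:DWORD, pSource:DWORD, NumBytes:DWORD
    invoke RtlMoveMemory, pDest, pSource, NumBytes
    ret                         ; epilogue: leave / ret 12
CopyWithFrame endp

; --- C: a C-calling-convention callee: the CALLER cleans the stack -------
AddC proc C x:DWORD, y:DWORD
    mov eax, x
    add eax, y
    ret                         ; plain ret: a C callee pops nothing
AddC endp

start:
    invoke CopyNoFrame, addr dst, addr src, sizeof src
    invoke StdOut, addr dst
    invoke StdOut, addr nl

    invoke CopyWithFrame, addr dst, addr src, sizeof src
    invoke StdOut, addr dst
    invoke StdOut, addr nl

    ; manual push/call of a C function: ESP must be corrected by hand
    push 2
    push 1
    call AddC                   ; eax = 3
    add esp, 2*4                ; forgetting this leaves ESP 8 bytes low
    ; "invoke AddC, 1, 2" would emit the add esp, 8 for you

    invoke ExitProcess, 0
end start
```

Both copies print the same string; the difference is fragility. In CopyNoFrame the ESP offsets have to be recounted after every push, and a misplaced `add esp` after a C-convention call (as in the AddC section) is exactly the kind of imbalance that surfaces later as a wrong return address rather than at the faulty line. The EBP frame costs a few bytes per procedure and buys parameter names that stay correct regardless of what the body pushes.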

hutch--

 :bg

There are some things in this world that are not a democracy, and how the team runs this forum is one of them. The forum publishes its rules and the method by which it interprets and enforces them, and this will never be subject to debate. To run a web site you must register a domain name, which by international law must identify the owner, and to set up a web site on a commercial server you have to fully identify yourself; this means the webmaster is subject to all of the laws where the server is established.

US DMCA, copyright laws at an international level, a raft of legislation around the world on malicious code are all appropriate when running an open web site and as a consequence the rules of the forum are designed to ensure that our members are not subject to porn, virus code, cracking techniques, hacking technology and the like and this is not going to change.

There are other venues that lurk in the shadows for this range of crap and if anyone really and truly must play in the sh*tpit then they can go to site of that type but this one will never go down that path.

When one of the admin team asks a question on the content of a posting, the choice is to either answer the question or see the post removed. That is not going to change either, as we have years of practice dealing with people posting virus and trojan code or related questions, trying to sneak in cracking questions, web hacking techniques and the like, with the same old pile of crap trying to justify their freedom of choice to trash other people's computers.

We are in fact broad and tolerant and encourage low level programming, but with hundreds of years of member experience available across our members and team, there will be no nonsense suffered here at all.

The topic has been edited according to the forum rules. If anyone is interested in debate, do so in the Colosseum.