The MASM Forum Archive 2004 to 2012

General Forums => The Workshop => Topic started by: hell0 on October 09, 2009, 07:38:50 PM

Title: Stack... a double Dutch.
Post by: hell0 on October 09, 2009, 07:38:50 PM
[deleted]
Title: Re: Stack... a double Dutch.
Post by: PBrennick on October 09, 2009, 07:45:08 PM
Because ESP is actually referencing a memory location so ESP is a pointer to a memory address and the contents of that address is the value popped.

Paul
Title: Re: Stack... a double Dutch.
Post by: hell0 on October 09, 2009, 08:23:44 PM
[deleted]
Title: Re: Stack... a double Dutch.
Post by: hell0 on October 09, 2009, 08:32:05 PM
[deleted]
Title: Re: Stack... a double Dutch.
Post by: BlackVortex on October 09, 2009, 09:01:01 PM
Delta offset trick, checking for the MZ signature ...   :boohoo:

Hmmm, creating a virus, are we? I see no future for this thread.

But in an asm-related answer: when you have 00400xxx and perform an OR against 0FFFh and then a XOR against 0FFFh, you get 400000. It's a way to round it down to a 1000 boundary. You can use 0FFFFh to round it to a 10000 boundary.
Title: Re: Stack... a double Dutch.
Post by: qWord on October 09, 2009, 09:23:45 PM
Quote from: BlackVortex on October 09, 2009, 09:01:01 PM
> Delta offset trick

never saw such a tricky way for calculating zero :bg
Title: Re: Stack... a double Dutch.
Post by: PBrennick on October 09, 2009, 10:12:02 PM
I, also, am concerned about this thread and its goals. What exactly are you trying to do? Are you searching memory for executables? Looks that way to me.

Paul
Title: Re: Stack... a double Dutch.
Post by: hell0 on October 10, 2009, 06:51:34 AM
[deleted]
Title: Re: Stack... a double Dutch.
Post by: sinsi on October 10, 2009, 06:58:05 AM
It sounds like someone is disassembling something and can't get it  :bdg
To be fair, a lot of programs check the MZ and header (C++ or .NET?) - I'm talking about commercial (and MS Windows) programs.

Quote from: BlackVortex on October 09, 2009, 09:01:01 PM
> Delta offset trick, checking for the MZ signature ...   :boohoo:

heh
Title: Re: Stack... a double Dutch.
Post by: BlackVortex on October 10, 2009, 07:41:08 AM
Quote from: qWord on October 09, 2009, 09:23:45 PM
> Quote from: BlackVortex on October 09, 2009, 09:01:01 PM
> > Delta offset trick
>
> never saw such a tricky way for calculating zero :bg

Ehehe ... it only returns 0 if it's run on 400000. If the code is relocated, then it returns the delta difference, which you're supposed to add to all offsets. So that the code works the same, no matter on which offset it's relocated.

@ hell0
One of the Iczelion tutorials explains a nice way to check the validity of an executable file. Check them out, it's one of the first few tutorials. I remember he also sets an exception handler to avoid screwups while reading.
Title: Re: Stack... a double Dutch.
Post by: hutch-- on October 10, 2009, 07:45:45 AM
 :tdown

> for enlightening a hazy part of my understanding...

It will get a lot hazier a lot faster if I even hear the word virus or anything that even vaguely sniffs of it.
Title: Re: Stack... a double Dutch.
Post by: hell0 on October 10, 2009, 08:30:00 AM
A hypothetical caution that weakens the very spirit of research.

regards...
Title: Re: Stack... a double Dutch.
Post by: hutch-- on October 10, 2009, 11:52:01 AM
 :bg

Another one bites the dust.  :P
Title: Re: Stack... a double Dutch.
Post by: hutch-- on October 10, 2009, 02:57:39 PM
Sorry qWord but I chucked this guy out for a reason, I don't want his type of interests supported here.