Hi guys
Hope that one of you can help me since this is driving me mad :( Please take a look at the below code snippets
LOADER_SIZE equ (loader_end - loader_start) ; LOADER_SIZE = 0Eh bytes
loader_start:
mov eax, [esp]
and eax, 0FFFF0000h
cmp dword ptr [eax], 00905A4Dh
loader_end equ $
and now this:
LOADER_SIZE equ (loader_end - loader_start) ; LOADER_SIZE = 16h bytes
loader_start:
mov eax, [esp]
and eax, 0FFFF0000h
cmp dword ptr [eax], 00905A4Dh
je @found
loader_end equ $
As you can see, LOADER_SIZE varies. And there is no way that my JE @found (short jump btw) can add 8 bytes!! What is going on?? Is this a MASM/RADASM problem or am I doing something wrong here?? Never had this problem before ... ::)
Hope some of you guys can enlighten me !!
Terb
PS. I'm using MASM 8.2 and RADASM 2.2.0.3c
8B0424 mov eax, dword ptr [esp]
250000FFFF and eax, FFFF0000
81384D5A9000 cmp dword ptr [eax], 00905A4D
740C je 0040101C
You may have made a slight notation mistake.
This code is 16 bytes long.
Without the jump it is 14 bytes long.
14 (decimal) = 0Eh -- without the jump
16 (decimal) = 10h -- with the jump
The problem appears to be the value assigned by:
LOADER_SIZE equ (loader_end - loader_start)
If this is a MASM bug it's present in 6.14, 6.15, and 7.00.
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
include \masm32\include\masm32rt.inc
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
.data
.code
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
start:
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
loader_start1:
mov eax, [esp]
and eax, 0FFFF0000h
cmp dword ptr [eax], 00905A4Dh
loader_end1:
LOADER_SIZE1 equ (loader_end1 - loader_start1)
mov eax, OFFSET loader_end1
sub eax, OFFSET loader_start1
print ustr$(eax),13,10
print ustr$(LOADER_SIZE1),13,10
loader_start2:
mov eax, [esp]
and eax, 0FFFF0000h
cmp dword ptr [eax], 00905A4Dh
je @found
loader_end2:
LOADER_SIZE2 equ (loader_end2 - loader_start2)
@found:
mov eax, OFFSET loader_end2
sub eax, OFFSET loader_start2
print ustr$(eax),13,10
print ustr$(LOADER_SIZE2),13,10
mov eax,input(13,10,"Press enter to exit...")
exit
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
end start
14
14
16
22
Press enter to exit...
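An added example, not code from anyone in this thread: a small Python scanner, written from the detection side, that looks for the exact byte encoding quoted in the disassembly above (mov eax,[esp] / and eax,0FFFF0000h / cmp dword ptr [eax],imm32 / je rel8), reports the compared immediate and the short-jump target, and confirms the immediate is the 'MZ' signature. It assumes the stub was assembled as listed with a short je; the sample buffer is constructed.

```python
import re
import struct

# Byte pattern taken from the disassembly posted in the thread:
#   8B0424        mov eax, dword ptr [esp]
#   250000FFFF    and eax, 0FFFF0000h
#   81384D5A9000  cmp dword ptr [eax], imm32   (imm32 captured, any value)
#   74xx          je rel8                       (displacement captured)
STUB_PATTERN = re.compile(
    rb"\x8b\x04\x24"            # mov eax, dword ptr [esp]
    rb"\x25\x00\x00\xff\xff"    # and eax, 0FFFF0000h (round down to 64K)
    rb"\x81\x38(.{4})"          # cmp dword ptr [eax], imm32
    rb"\x74(.)",                # je rel8 (short jump)
    re.DOTALL,
)

STUB_LENGTH = 16  # 14 bytes without the jump, 16 with the short je


def is_mz_check(imm32: int) -> bool:
    """True when the low word of the compared immediate is 'MZ' (4D 5A)."""
    return (imm32 & 0xFFFF) == 0x5A4D


def find_stubs(data: bytes):
    """Return (offset, imm32, je_target_offset) for each stub found in data."""
    hits = []
    for m in STUB_PATTERN.finditer(data):
        imm32 = struct.unpack("<I", m.group(1))[0]
        rel8 = struct.unpack("<b", m.group(2))[0]
        # A short jump is relative to the end of the 2-byte je instruction,
        # which is also the end of the whole match.
        target = m.end() + rel8
        hits.append((m.start(), imm32, target))
    return hits


# Constructed sample: 5 NOPs, the 16-byte stub with 00905A4Dh and je +0Ch, more NOPs.
SAMPLE = (
    b"\x90" * 5
    + b"\x8b\x04\x24\x25\x00\x00\xff\xff\x81\x38\x4d\x5a\x90\x00\x74\x0c"
    + b"\x90" * 20
)

if __name__ == "__main__":
    for off, imm, target in find_stubs(SAMPLE):
        print(f"stub at {off:#x}: cmp imm32={imm:#010x} "
              f"(MZ check: {is_mz_check(imm)}), je -> {target:#x}")
```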
Suspicious code.
http://www.eeye.com/~data/publish/whitepapers/research/OT20050205.FILE.pdf Yep!
Closed until you can have a better explanation of your use for this. Private Message me concerning this please.
New member posting on an advanced topic again.
Thank you roticv, for the post.
Regards, P1
I have unlocked this topic for the purpose as a PEcryptor similar in techniques to Comrades 'no imports' work.
Regards, P1 :8)
Thanks for unlocking, P1. I really appreciate it. As I explained to P1, I'm using the 'loader' for a PE cryptor. And the purpose of the above code snippet is to get the module base of kernel32 so that I can get the export table (LoadLibrary, GetProcAddress, etc etc) as explained by comrade (thanx btw). I'm sorry for creating such a fuss!!
@ MichaelW: Thanks.. But I do believe I'm using masm8.2, but I will have a look at it !!
Terb
Quote from: terb on September 13, 2005, 06:41:47 PM
@ MichaelW: Thanks.. But I do believe I'm using masm8.2, but I will have a look at it !!
I think you are using version 8.2 of the MASM32 package. The version of the MASM (ML.EXE) included in the package is 6.14.
Quote: If this is a MASM bug it's present in 6.14, 6.15, and 7.00.
And 7.10 (VC/C++ 2003).