Hi, it's been a while since I last posted here; I've been working through icz's tutorials with much success.
This is the disassembly of a simple program I made which counts to 10 by adding 1 if counter is less than zero.
00401000 | E8 07000000 | CALL 0040100C | Entry point for testinject.exe
00401005 | 6A 00 | PUSH NULL | :Arg1 0
00401007 | E8 1E000000 | CALL 0040102A | ExitProcess((unsigned long), (unsigned long))
0040100C | 55 | PUSH EBP |
0040100D | 8BEC | MOV EBP, ESP |
0040100F | 83C4 FC | ADD ESP, -4 |
00401012 | C745 FC 00000000 | MOV DWORD PTR SS:[EBP-4], NULL |
00401019 | 837D FC 0A | CMP DWORD PTR SS:[EBP-4], A |
0040101D | 7C 02 | JL SHORT 00401021 |
0040101F | EB 04 | JMP SHORT 00401025 |
00401021 | 8345 FC 01 | ADD DWORD PTR SS:[EBP-4], 1 |
00401025 | EB F2 | JMP SHORT 00401019 |
00401027 | C9 | LEAVE |
00401028 | C3 | RETN |
00401029 | CC | INT3 |
0040102A | FF25 00204000 | JMP DWORD PTR DS:[402000] | Entry to ExitProcess((unsigned long), (unsigned long))
That's the disassembly and this is my code.
; Header lines added by the editor (the poster removed them from the fragment);
; the MASM32 runtime include supplies the exit macro and ExitProcess.
.386
.model flat, stdcall
option casemap:none
include \masm32\include\masm32rt.inc

.code
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
start:
    call main               ; run the counting loop
    exit                    ; ExitProcess(0); only reached if main returns
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
main proc
    LOCAL counter:DWORD     ; lives on the stack, which the CPU reads as [EBP-4]
    mov counter, 0
countup:
    cmp counter, 10
    jl countadd             ; counter < 10: add one
    jmp over                ; otherwise skip the add
countadd:
    add counter, 1
over:
    jmp countup             ; as written this loops forever; nothing falls through to ret
    ret
main endp
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
end start
The idea is that counter will have one added to it if it is less than 10. What I can't figure out, though, is how the disassembled code reads counter.
00401019 | 837D FC 0A | CMP DWORD PTR SS:[EBP-4], A |
0040101D | 7C 02 | JL SHORT 00401021 |
0040101F | EB 04 | JMP SHORT 00401025 |
00401021 | 8345 FC 01 | ADD DWORD PTR SS:[EBP-4], 1 |
00401025 | EB F2 | JMP SHORT 00401019 |
This is the basic part of my program. What I don't understand are two things:
1) How is counter read? It's obviously been replaced with "DWORD PTR SS:[EBP-4]", but I don't understand how this works.
2) What is meant by SHORT, which comes after the jump statement? This one's not so much essential, just out of curiosity.
Be careful with the amount of background you give; certain words will automatically trigger an angry response.
To briefly answer your genuine questions, variables defined with LOCAL are placed on the stack (as they are in practically every language out there). To access these variables, EBP is set up at the start of the procedure (PUSH EBP / MOV EBP, ESP / ADD ESP, -4) to point to the start of those variables. Hence, your local variable is stored at [EBP-4]. The bit before this (DWORD PTR SS:) means that it is a 4-byte variable (DWORD) stored in the stack segment.
Secondly, a SHORT jump is stored in fewer bytes (i.e. EB F2) than a long jump (FF 25 00 20 40 00). This is because it uses relative addressing: the second byte is a signed (i.e. positive or negative, forwards or backwards) offset from the (I think) start of the next command. So EB F2 will jump backwards by 14 bytes. This simply saves space and potentially execution time, though I doubt it makes much difference any more.
Cheers,
Zooba :U
(Disclaimer: I in no way support code injection into applications not owned by the person who is doing so. The information I have given is given since they are valid questions and are in themselves not dangerous knowledge.)
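The two points in the answer above (the LOCAL ending up at [EBP-4], and SHORT jumps being a signed byte relative to the next instruction) can be checked against the bytes in the posted disassembly. The following is an added example, not code from the thread or from MASM32: it decodes the 0x83 group-1 ModRM form that produces "DWORD PTR SS:[EBP-4]", resolves the rel8/rel32 branch targets, and simulates the three-instruction prologue. The listing bytes and the sample ESP/EBP values are constructed from the thread; the function names are the example's own.

```python
# Added example (not from the thread): decode the bytes quoted in the posted
# disassembly to show how [EBP-4] and SHORT/relative jumps are encoded.
import struct

# Opcode 0x83 (op r/m32, imm8): the /reg field of the ModRM byte picks the operation.
GROUP1 = ["ADD", "OR", "ADC", "SBB", "AND", "SUB", "XOR", "CMP"]
REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
JCC = {0x74: "JE", 0x75: "JNE", 0x7C: "JL", 0x7D: "JGE"}  # subset of the 0x70..0x7F family

# Constructed from the disassembly in the first post: (address, instruction bytes).
LISTING = [
    (0x00401000, bytes.fromhex("E807000000")),    # CALL 0040100C
    (0x00401007, bytes.fromhex("E81E000000")),    # CALL 0040102A (ExitProcess thunk)
    (0x00401019, bytes.fromhex("837DFC0A")),      # CMP DWORD PTR SS:[EBP-4], 0A
    (0x0040101D, bytes.fromhex("7C02")),          # JL SHORT 00401021
    (0x0040101F, bytes.fromhex("EB04")),          # JMP SHORT 00401025
    (0x00401021, bytes.fromhex("8345FC01")),      # ADD DWORD PTR SS:[EBP-4], 1
    (0x00401025, bytes.fromhex("EBF2")),          # JMP SHORT 00401019
    (0x0040102A, bytes.fromhex("FF2500204000")),  # JMP DWORD PTR DS:[402000]
]


def decode_group1_disp8(code):
    """Decode '83 <modrm> <disp8> <imm8>' with mod=01 ([register + 8-bit displacement]).
    Returns (mnemonic, operand text, immediate)."""
    if code[0] != 0x83:
        raise ValueError("not an 0x83 group-1 instruction")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 1 or rm == 4:  # only [reg+disp8] without a SIB byte is handled here
        raise ValueError("unsupported addressing form")
    disp = struct.unpack("<b", code[2:3])[0]   # disp8 is signed: FC -> -4
    imm = code[3]
    # rm=101 with mod=01 is EBP-relative; EBP-based accesses default to the stack segment.
    seg = "SS" if rm == 5 else "DS"
    return GROUP1[reg], f"DWORD PTR {seg}:[{REG32[rm]}{disp:+d}]", imm


def branch_target(addr, code):
    """Resolve a branch: target = address of the NEXT instruction + signed displacement.
    SHORT forms carry one displacement byte (-128..+127); CALL rel32 carries four."""
    op = code[0]
    if op == 0xEB:                                  # JMP rel8 (2 bytes long)
        return "JMP SHORT", addr + 2 + struct.unpack("<b", code[1:2])[0]
    if 0x70 <= op <= 0x7F:                          # Jcc rel8 (2 bytes long)
        mnem = JCC.get(op, f"Jcc{op:02X}")
        return f"{mnem} SHORT", addr + 2 + struct.unpack("<b", code[1:2])[0]
    if op == 0xE8:                                  # CALL rel32 (5 bytes long)
        return "CALL", addr + 5 + struct.unpack("<i", code[1:5])[0]
    if op == 0xFF and (code[1] >> 3) & 7 == 4 and code[1] & 0xC7 == 0x05:
        # JMP DWORD PTR [abs32] is not relative: the CPU loads the target from the
        # 4-byte slot at this address (the import thunk in the listing). Return the slot.
        return "JMP DWORD PTR [abs32]", struct.unpack("<I", code[2:6])[0]
    raise ValueError("unsupported opcode")


def frame_after_prologue(esp_on_entry, ebp_on_entry):
    """Simulate PUSH EBP / MOV EBP,ESP / ADD ESP,-4 and return (ebp, address of the LOCAL).
    The LOCAL occupies the 4 bytes just below the saved EBP, hence [EBP-4]."""
    esp = esp_on_entry - 4     # PUSH EBP: the caller's EBP is stored at the new ESP
    ebp = esp                  # MOV EBP, ESP: EBP now anchors the frame
    esp -= 4                   # ADD ESP, -4: reserve one DWORD for 'counter'
    local_addr = ebp - 4
    assert local_addr == esp   # the reserved slot is exactly [EBP-4]
    return ebp, local_addr


def walk_listing():
    """Decode every constructed listing entry into a readable line."""
    lines = []
    for addr, code in LISTING:
        if code[0] == 0x83:
            mnem, operand, imm = decode_group1_disp8(code)
            lines.append(f"{addr:08X} {mnem} {operand}, {imm:X}")
        else:
            mnem, target = branch_target(addr, code)
            lines.append(f"{addr:08X} {mnem} {target:08X}")
    return lines


if __name__ == "__main__":
    for line in walk_listing():
        print(line)
    print("frame:", [hex(v) for v in frame_after_prologue(0x0012FF80, 0x0012FFF0)])
```

Running it reproduces the targets in the posted disassembly: EB F2 at 00401025 resolves to 00401027 + (-14) = 00401019, and 83 7D FC 0A decodes to CMP DWORD PTR SS:[EBP-4], A because the ModRM byte 7D selects mod=01 (register plus disp8), /7 (CMP) and rm=101 (EBP), with FC as the signed displacement -4.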
Sorry, I reread the posting rules and have removed the background info to comply with them. Thanks for the help anyway; I'm sure it will be helpful in other situations as well as this one.
*DEAD*,
Welcome Aboard :U
The forum 'Search' and your favorite search engine will answer many questions before we can and save you time.
Use a listing to post partial disassemblies. It somewhat proves we are helping the programmer. Plus, it helps us to see source-to-instruction results and find any mistakes, if any.
\masm32\bin\ml /c /coff /Fl"%1.lst" /FR"%1.pdb" /Sa /Zd /Zf /Zi "%1.asm" > "%1.txt"
00000000 .code
Align 4
00000000 start:
00000000 invoke GetModuleHandle, NULL
00000000 6A 00 * push +000000000h
00000002 E8 00000000 E * call GetModuleHandleA
00000007 A3 00000000 R mov hInstance, eax
invoke NetUserEnum,NULL,0,FILTER_NORMAL_ACCOUNT,addr user_name,MAX_PREFERRED_LENGTH, addr entriesread,addr totalentries,NULL
0000000C 6A 00 * push +000000000h
0000000E 68 0000000C R * push OFFSET totalentries
00000013 68 00000008 R * push OFFSET entriesread
00000018 6A FF * push -000000001h
0000001A 68 00000010 R * push OFFSET user_name
0000001F 6A 02 * push +000000002h
00000021 6A 00 * push +000000000h
00000023 6A 00 * push +000000000h
00000025 E8 00000000 E * call NetUserEnum
.IF eax==ERROR_ACCESS_DENIED
Regards, P1 :8)