Windows XP and the STACK

Started by Polizei, May 21, 2005, 12:04:51 PM

Polizei

I don't know, but when I finished writing my PEPacker I had some problems using it on Windows XP systems.
I've tested it on Win2K Pro SP4 and had the same problem there too (it only worked on Win95/Win98).
After a lot of debugging I found out that the problem is in the stack pointer (ESP).
I think the problem is in some APIs in Windows XP that are not the same as in Win9x; I mean, they don't fix the stack, I don't know why ...

Some ideas ??

AeroASM

Check that all of your APIs are stdcall. Stdcall functions have to clean up the stack themselves.

tenkey

My first question, for someone trying to run a "perfect" Win9x application on the NT subsystems, is always "Did you follow the register-saving conventions?"
*****
Calling API functions.
The caller cannot expect these registers to remain unchanged:

EAX, ECX, EDX
*****
In your callback functions (for example, window procedures and dialog procedures):
The callee must restore the initial values of these registers before returning. Otherwise you may break the code that calls you. Of course, if you never use these registers, there's no need to "save and restore" them.

EBX, ESI, EDI (and EBP, if you're not using standard stack frame code)
*****
The following register must already be handled correctly for the code to work on 9x, so you shouldn't need to adjust it:

ESP
*****
DF convention

DF (descending flag) must be cleared, so that string ops (using REP) go ascending, 1) on calling an API and 2) on returning to Windows (from a callback).

A programming language is low level when its programs require attention to the irrelevant.
Alan Perlis, Epigram #8

Polizei

AeroASM,
I will check all the Windows APIs that I use ;))
I know that wsprintfA is a C function, but that's always fixed by the compiler.
The problem could be in another API ... I should debug it ;))

tenkey,
I don't believe the problem is in the registers or in the Direction Flag, because I don't use REP or the "optimized" string instructions. I've always used MOV AL, [BLABLA] / MOV [BLABLA], AL instead.
And, by the way, I always do a PUSHAD/POPAD when I use ESI/EDI, and I have never used EBP in the programs I've made.

AeroASM

That is probably the problem. Functions normally leave the return value in EAX, but POPAD restores all registers, including EAX. Therefore your functions won't return the value you want.

roticv

Polizei, do you have an example packed with your packer? I might take some time off to look at it.

Polizei

AeroASM, the problem can't be in the POPAD instruction, because I'm doing a MOV [ESP+1Ch], EAX before it.
The **ckin' problem must be in the calling convention of the functions in MS Virus XP ;))

roticv, I'll upload my PEPacker on my web page, but first I have to create that web page ;))
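The two points raised in this thread, caller-side cleanup for a cdecl API like wsprintfA (AeroASM's stdcall remark and Polizei's reply about wsprintfA) and returning a value through a PUSHAD/POPAD pair by writing into the saved-EAX slot at [ESP+1Ch] (AeroASM's POPAD remark and Polizei's answer), put together in one window procedure. This is an added example written for this page, not Polizei's packer code or anything posted in the thread; the class name, window title and format string are made up, and it assumes the standard MASM32 include and lib paths.

```asm
; Added example (not from the thread). Shows, inside a stdcall callback:
;  (1) a hand-written call to the cdecl API wsprintfA, where the CALLER must
;      remove the arguments (invoke would emit the ADD ESP for a PROTO C);
;  (2) PUSHAD/POPAD around the body, returning a value in EAX by storing it
;      into the slot PUSHAD saved EAX in, which is [ESP+1Ch].
; Build: ml /c /coff wndproc.asm  &&  link /subsystem:windows wndproc.obj
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

WndProc PROTO :DWORD, :DWORD, :DWORD, :DWORD

.data
szClass db "ExampleStackClass", 0        ; made-up class name
szTitle db "PUSHAD/POPAD + cdecl demo", 0 ; made-up title
szFmt   db "msg=%08Xh wParam=%08Xh", 0   ; made-up format string

.data?
hInstance dd ?
wc        WNDCLASSEX <>
msg       MSG <>
szBuf     db 128 dup(?)

.code
WndProc proc hWnd:DWORD, uMsg:DWORD, wParam:DWORD, lParam:DWORD
    pushad                      ; pushes EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI (8 DWORDs)
    mov esi, uMsg               ; ESI/EDI used freely; PUSHAD/POPAD keep the
    mov edi, wParam             ; caller's copies intact

    ; --- cdecl API called by hand: the CALLER pops the arguments ---
    push edi                    ; wParam
    push esi                    ; uMsg
    push offset szFmt
    push offset szBuf
    call wsprintfA              ; user32.inc declares it PROTO C :VARARG
    add  esp, 4*4               ; 4 DWORD args pushed, so pop 16 bytes here.
                                ; Omitting this ADD leaves ESP 16 bytes too
                                ; low and corrupts everything after it.

    ; --- stdcall APIs: the CALLEE pops its arguments, nothing to add ---
    .if esi == WM_DESTROY
        invoke PostQuitMessage, 0
        xor eax, eax            ; result 0
    .else
        invoke DefWindowProc, hWnd, uMsg, wParam, lParam
    .endif

    ; POPAD would overwrite EAX with the value PUSHAD saved, so write the
    ; result into that saved slot first. Stack after PUSHAD, lowest first:
    ; EDI +00h, ESI +04h, EBP +08h, ESP +0Ch, EBX +10h, EDX +14h, ECX +18h,
    ; EAX +1Ch. Every push/call above was balanced, so ESP is unchanged here.
    mov [esp+1Ch], eax
    popad                       ; EBX/ESI/EDI as Windows left them, EAX = result
    ret                         ; MASM emits leave + ret 16 for a stdcall proc
WndProc endp

start:
    invoke GetModuleHandle, NULL
    mov hInstance, eax
    mov wc.cbSize, sizeof WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, offset WndProc
    mov wc.cbClsExtra, NULL
    mov wc.cbWndExtra, NULL
    push hInstance
    pop wc.hInstance
    mov wc.hbrBackground, COLOR_WINDOW+1
    mov wc.lpszMenuName, NULL
    mov wc.lpszClassName, offset szClass
    invoke LoadIcon, NULL, IDI_APPLICATION
    mov wc.hIcon, eax
    mov wc.hIconSm, eax
    invoke LoadCursor, NULL, IDC_ARROW
    mov wc.hCursor, eax
    invoke RegisterClassEx, addr wc
    invoke CreateWindowEx, 0, addr szClass, addr szTitle, \
           WS_OVERLAPPEDWINDOW or WS_VISIBLE, CW_USEDEFAULT, CW_USEDEFAULT, \
           300, 200, NULL, NULL, hInstance, NULL
    .while TRUE
        invoke GetMessage, addr msg, NULL, 0, 0
        .break .if !eax
        invoke TranslateMessage, addr msg
        invoke DispatchMessage, addr msg
    .endw
    invoke ExitProcess, msg.wParam
end start
```

Two things to check when auditing a callback built this way: every manual `call` to a C-convention routine must be followed by an `add esp, N` matching the bytes pushed, and nothing between `pushad` and the `mov [esp+1Ch], eax` may leave ESP changed, otherwise the store lands in the wrong slot and POPAD restores garbage into some other register instead of the intended EAX.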