"Wrong" size calculated

Started by terb, September 09, 2005, 10:24:08 AM


terb

Hi guys

Hope that one of you can help me, since this is driving me mad  :( Please take a look at the code snippets below.



LOADER_SIZE equ (loader_end - loader_start) ; LOADER_SIZE = 0Eh bytes

loader_start:
    mov eax, [esp]                    ; return address left on the stack
    and eax, 0FFFF0000h               ; round down to a 64K boundary
    cmp dword ptr [eax], 00905A4Dh    ; "MZ" + e_cblp 90h: start of a DOS header?
loader_end equ $



and now this :



LOADER_SIZE equ (loader_end - loader_start) ; LOADER_SIZE = 16h bytes

loader_start:
    mov eax, [esp]                    ; return address left on the stack
    and eax, 0FFFF0000h               ; round down to a 64K boundary
    cmp dword ptr [eax], 00905A4Dh    ; "MZ" + e_cblp 90h: start of a DOS header?
    je @found
loader_end equ $



As you can see, LOADER_SIZE varies. And there is no way that my JE @found (short jump, btw) can add 8 bytes!! What is going on?? Is this a MASM/RADASM problem, or am I doing something wrong here?? Never had this problem before ... ::)

Hope some of you guys can enlighten me!!

Terb

PS. I'm using MASM 8.2 and RADASM 2.2.0.3c

Tedd

8B0424                  mov eax, dword ptr [esp]
250000FFFF              and eax, FFFF0000
81384D5A9000            cmp dword ptr [eax], 00905A4D
740C                    je 0040101C


You may have made a slight notation mistake.
This code is 16 bytes long.
Without the jump it is 14 bytes long.

14 (decimal) = 0Eh    -- without the jump
16 (decimal) = 10h    -- with the jump
No snowflake in an avalanche feels responsible.

MichaelW

The problem appears to be the value assigned by:

LOADER_SIZE equ (loader_end - loader_start)

If this is a MASM bug it's present in 6.14, 6.15, and 7.00.


; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
    include \masm32\include\masm32rt.inc
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
    .data
    .code
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
start:
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
  loader_start1:
    mov eax, [esp]
    and eax, 0FFFF0000h
    cmp dword ptr [eax], 00905A4Dh
  loader_end1:
    LOADER_SIZE1 equ (loader_end1 - loader_start1)

    mov   eax, OFFSET loader_end1
    sub   eax, OFFSET loader_start1
    print ustr$(eax),13,10
    print ustr$(LOADER_SIZE1),13,10

  loader_start2:
    mov eax, [esp]
    and eax, 0FFFF0000h
    cmp dword ptr [eax], 00905A4Dh
    je @found
  loader_end2:
    LOADER_SIZE2 equ (loader_end2 - loader_start2)
  @found:

    mov   eax, OFFSET loader_end2
    sub   eax, OFFSET loader_start2
    print ustr$(eax),13,10
    print ustr$(LOADER_SIZE2),13,10

    mov   eax,input(13,10,"Press enter to exit...")
    exit
; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
end start


14
14
16
22

Press enter to exit...


eschew obfuscation

roticv


P1

http://www.eeye.com/~data/publish/whitepapers/research/OT20050205.FILE.pdf   Yep!

Closed until you can have a better explanation of your use for this. Private Message me concerning this, please.

New member posting on an advanced topic again.

Thank you roticv, for the post.

Regards,  P1

P1

I have unlocked this topic, the purpose being a PE cryptor similar in techniques to Comrade's 'no imports' work.

Regards,  P1  :8)

terb

Thanks for unlocking, P1. I really appreciate it. As I explained to P1, I'm using the 'loader' for a PE cryptor. The purpose of the above code snippet is to get the module base of kernel32 so that I can get the export table (LoadLibrary, GetProcAddress, etc. etc.) as explained by comrade (thanks btw). I'm sorry for creating such a fuss!!

@ MichaelW: Thanks. But I do believe I'm using MASM 8.2; I will have a look at it!!

Terb
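The kernel32 trick terb describes, carried one step further as an added example. This is not code from the thread, from terb's cryptor, or from comrade's 'no imports' work; it is a C simulation written for this page so it runs on any host. The snippet in the thread does one masked compare: AND the return address with 0FFFF0000h and test the dword there for "MZ" + e_cblp 90h. That hits only when the return address falls in the image's first 64 KiB, and the loop that presumably continues the search is not shown in the thread. The example below walks downward in 64 KiB steps and also follows e_lfanew to the "PE\0\0" signature, so a stray "MZ" in data is not mistaken for a module base. Everything here is assumed: the function names (one_shot_check, find_module_base, build_fake_image), the fake_image_t struct, and the 256 KiB constructed stand-in for a loaded module, which is not a real PE file. The scan is bounded to the constructed buffer; real loader code has no such bound and faults if it steps into an unmapped page, which is the failure mode a practitioner has to plan for.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IMAGE_ALIGN 0x10000u   /* PE image bases are 64 KiB aligned */

/* One masked compare, as in the thread's snippet: AND the address with
   0FFFF0000h and test the dword there against 00905A4Dh ("MZ" + e_cblp 90h).
   It only hits when the address lies in the image's first 64 KiB. */
static int one_shot_check(uintptr_t addr)
{
    uintptr_t p = addr & ~(uintptr_t)0xFFFF;
    return memcmp((const void *)p, "MZ\x90\x00", 4) == 0;
}

/* Walk downward in 64 KiB steps from a code address to the image that contains
   it: require "MZ", then follow e_lfanew to "PE\0\0". The scan is bounded to
   [lo, hi) because this is a simulation (hypothetical bound); real loader code
   has no such bound and faults on an unmapped page. Returns 0 if nothing found. */
static uintptr_t find_module_base(uintptr_t addr, uintptr_t lo, uintptr_t hi)
{
    uintptr_t p = addr & ~(uintptr_t)(IMAGE_ALIGN - 1);
    while (p >= lo) {
        if (p + 0x40 <= hi && memcmp((const void *)p, "MZ", 2) == 0) {
            uint32_t e_lfanew;
            memcpy(&e_lfanew, (const void *)(p + 0x3C), 4);
            if (e_lfanew >= 0x40 && e_lfanew <= 0x1000 &&
                p + e_lfanew + 4 <= hi &&
                memcmp((const void *)(p + e_lfanew), "PE\0\0", 4) == 0)
                return p;
        }
        if (p - lo < IMAGE_ALIGN)   /* next step would leave the buffer */
            break;
        p -= IMAGE_ALIGN;
    }
    return 0;
}

/* Constructed stand-in for a loaded module (not a real PE): 256 KiB of zeroed,
   64 KiB-aligned memory with a minimal DOS/PE header planted 64 KiB in, and a
   "return address" placed in the image's second 64 KiB. */
typedef struct {
    void     *raw;     /* malloc'd block, freed by the caller */
    uint8_t  *buf;     /* 64 KiB-aligned window inside raw */
    size_t    size;
    uintptr_t image;   /* where the fake header sits */
    uintptr_t code;    /* the address the snippet would read from [esp] */
} fake_image_t;

static int build_fake_image(fake_image_t *fi)
{
    fi->raw = malloc(5 * IMAGE_ALIGN);
    if (fi->raw == NULL)
        return -1;
    fi->buf  = (uint8_t *)(((uintptr_t)fi->raw + IMAGE_ALIGN - 1) &
                           ~(uintptr_t)(IMAGE_ALIGN - 1));
    fi->size = 4 * IMAGE_ALIGN;
    memset(fi->buf, 0, fi->size);
    fi->image = (uintptr_t)fi->buf + IMAGE_ALIGN;   /* 64 KiB of non-image below */
    uint8_t *img = (uint8_t *)fi->image;
    memcpy(img, "MZ\x90\x00", 4);          /* e_magic, e_cblp = 90h */
    uint32_t e_lfanew = 0x80;
    memcpy(img + 0x3C, &e_lfanew, 4);      /* offset of the PE signature */
    memcpy(img + e_lfanew, "PE\0\0", 4);
    fi->code = fi->image + IMAGE_ALIGN + 0x123;
    return 0;
}

int main(void)
{
    fake_image_t fi;
    if (build_fake_image(&fi) != 0)
        return 1;
    uintptr_t lo = (uintptr_t)fi.buf, hi = lo + fi.size;
    printf("return address %#" PRIxPTR ", image at %#" PRIxPTR "\n", fi.code, fi.image);
    printf("one-shot masked compare: %s\n", one_shot_check(fi.code) ? "hit" : "miss");
    printf("64K walk finds base:     %#" PRIxPTR "\n", find_module_base(fi.code, lo, hi));
    free(fi.raw);
    return 0;
}
```

Two design points. The thread's dword compare ties the check to e_cblp being 90h, which holds for many Microsoft-linked images but is not part of the format; checking "MZ" and then the PE signature via e_lfanew is the check that survives a different linker. And which OS version leaves a kernel32 address at [esp] on entry is a separate question the thread does not settle; the walk only assumes the return address lies somewhere inside a 64 KiB-aligned image.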

MichaelW

Quote from: terb on September 13, 2005, 06:41:47 PM
@ MichaelW: Thanks. But I do believe I'm using MASM 8.2; I will have a look at it!!

I think you are using version 8.2 of the MASM32 package. The version of the MASM (ML.EXE) included in the package is 6.14.

eschew obfuscation

GregL

Quote from: MichaelW
If this is a MASM bug it's present in 6.14, 6.15, and 7.00.

And 7.10 (VC/C++ 2003).