
Stack... a double Dutch.

Started by hell0, October 09, 2009, 07:38:50 PM


hell0

[deleted]

PBrennick

Because ESP is actually referencing a memory location so ESP is a pointer to a memory address and the contents of that address is the value popped.

Paul
The GeneSys Project is available from:
The Repository or My crappy website

hell0

#2
[deleted]

hell0

#3
[deleted]

BlackVortex

Delta offset trick, checking for the MZ signature ...   :boohoo:

Hmmm, creating a virus are we ? I see no future for this thread.

But in an asm-related answer: when you have 00400xxx and perform an OR against 0FFFh and then an XOR against 0FFFh, you get 400000. It's a way to round it down to a 1000 boundary. You can use 0FFFFh to round it to a 10000 boundary.

qWord

Quote from: BlackVortex on October 09, 2009, 09:01:01 PM
Delta offset trick
never saw such a tricky way for calculating zero :bg
FPU in a trice: SmplMath
It's that simple!

PBrennick

I, also, am concerned about this thread and its goals. What exactly are you trying to do? Are you searching memory for executables? Looks that way to me.

Paul

hell0

#7
[deleted]

sinsi

It sounds like someone is disassembling something and can't get it  :bdg
To be fair, a lot of programs check the MZ and header (C++ or .net?) - I'm talking about commercial (and MS windows) programs.

Quote from: BlackVortex on October 09, 2009, 09:01:01 PM
Delta offset trick, checking for the MZ signature ...   :boohoo:
heh
Light travels faster than sound, that's why some people seem bright until you hear them.

BlackVortex

Quote from: qWord on October 09, 2009, 09:23:45 PM
Quote from: BlackVortex on October 09, 2009, 09:01:01 PM
Delta offset trick
never saw such a tricky way for calculating zero :bg
Ehehe ... it only returns 0 if it's run on 400000. If the code is relocated, then it returns the delta difference, which you're supposed to add to all offsets. So that the code works the same, no matter on which offset it's relocated.

@ hell0
One of the Iczelion tutorials explains a nice way to check the validity of an executable file. Check them out, it's one of the first few tutorials. I remember he also sets an exception handler to avoid screwups while reading.
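
The kind of executable validity check mentioned in the post above (MZ signature, then the PE signature the DOS header points to), as an added example that is not part of the original thread or of the Iczelion tutorial. It is written in C, bounds-checks the untrusted `e_lfanew` field explicitly rather than relying on an exception handler, and all function and enum names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes (hypothetical names chosen for this example). */
enum pe_check { PE_OK = 0, PE_TOO_SMALL, PE_NO_MZ, PE_BAD_LFANEW, PE_NO_SIG };

/* Little-endian reads that do not depend on alignment or host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the DOS and PE signatures of a file image held in buf[0..len). */
enum pe_check pe_validate(const uint8_t *buf, size_t len)
{
    if (len < 0x40)                        /* IMAGE_DOS_HEADER is 64 bytes */
        return PE_TOO_SMALL;
    if (rd16(buf) != 0x5A4D)               /* "MZ" */
        return PE_NO_MZ;
    uint32_t e_lfanew = rd32(buf + 0x3C);  /* file offset of the PE header */
    /* e_lfanew comes from the file: signature (4) + file header (20) must fit. */
    if (e_lfanew > len || len - e_lfanew < 24)
        return PE_BAD_LFANEW;
    if (rd32(buf + e_lfanew) != 0x00004550) /* "PE\0\0" */
        return PE_NO_SIG;
    return PE_OK;
}

/* Constructed 128-byte sample image; lfanew and with_sig vary the test case. */
enum pe_check pe_check_sample(uint32_t lfanew, int with_sig)
{
    uint8_t img[128] = { 'M', 'Z' };
    img[0x3C] = (uint8_t)lfanew;         img[0x3D] = (uint8_t)(lfanew >> 8);
    img[0x3E] = (uint8_t)(lfanew >> 16); img[0x3F] = (uint8_t)(lfanew >> 24);
    if (with_sig && lfanew >= 0x40 && lfanew <= sizeof img - 4)
        memcpy(img + lfanew, "PE\0", 4); /* literal is 'P','E',0,0 */
    return pe_validate(img, sizeof img);
}

int main(void)
{
    printf("valid=%d truncated=%d wild=%d nosig=%d\n",
           pe_check_sample(0x40, 1), pe_check_sample(0x70, 1),
           pe_check_sample(0xFFFFFFF0u, 1), pe_check_sample(0x40, 0));
    return 0;
}
```
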

hutch--

 :tdown

> for enlightening a hazy part of my understanding...

It will get a lot hazier a lot faster if I even hear the word virus or anything that even vaguely sniffs of it.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

hell0

A hypothetical caution that weakens the very spirit of research.

regards...

hutch--

 :bg

Another one bites the dust.  :P

hutch--

Sorry qWord but I chucked this guy out for a reason, I don't want his type of interests supported here.