
Lost in Space

Started by skywalker, April 09, 2006, 08:14:12 PM

skywalker

Compiler doesn't like the statement.

Is holder the same as holder db 50 dup(0) ?

START PROC

    LOCAL   holder[50] :BYTE
    LOCAL   hRegKey :DWORD
    LOCAL   Disposition :DWORD


    mov          bx,offset holder

asmfan

No, they are different. The first array (DUP) is compile time, thus you can use the OFFSET operator to address it, and the second one (LOCAL) is a runtime one: it resides on the stack dynamically while the PROC is executed, thus you should use the LEA instruction.
Russia is a weird place

skywalker

Quote from: asmfan on April 09, 2006, 08:30:04 PM
No, they are different. The first array (DUP) is compile time, thus you can use the OFFSET operator to address it, and the second one (LOCAL) is a runtime one: it resides on the stack dynamically while the PROC is executed, thus you should use the LEA instruction.

Thanks, it compiles now but still isn't working right.


.DATA

   
    ValueOK     db "Registry key added OK",0 
    Sample      db "BOX",0
   
    string       db           "Œ‹?–'˜Û"    ; unencrypted value is 'string'

.CODE

begin:

call START
invoke  ExitProcess,0


START PROC   

    LOCAL   holder[10] :BYTE ; This should hold unencrypted string
    LOCAL   hRegKey :DWORD
    LOCAL   Disposition :DWORD


             invoke  RtlZeroMemory, ADDR holder, sizeof holder ; in kernel32.inc
             lea          ebx, holder
             mov          esi,offset string

descramble:
             lodsb
             not          al
             mov          [ebx],eax
             inc          ebx
             cmp          al,219
             jz           exit
             jmp          descramble

exit:
             ret

START endp

END begin


asmfan

I see 2 strange things
1. You can spoil the stack by moving 4 bytes (eax) instead of 1 (al)
2. When does the cycle end? When NOT(al)=219? Why? If you go till 0 in the source, compare to 255...
Russia is a weird place

skywalker

Quote from: asmfan on April 10, 2006, 06:11:47 AM
I see 2 strange things
1. You can spoil the stack by moving 4 bytes (eax) instead of 1 (al)
2. When does the cycle end? When NOT(al)=219? Why? If you go till 0 in the source, compare to 255...

I implemented your suggestions. Do you know how I can tell what is in LOCAL holder? It should contain
'string' but I can't see it using Ollydbg.


START PROC   

    LOCAL   holder[10] :BYTE ; This should hold unencrypted string
    LOCAL   hRegKey :DWORD
    LOCAL   Disposition :DWORD


             invoke  RtlZeroMemory, ADDR holder, sizeof holder ; in kernel32.inc
             lea          ebx, holder
             mov          esi,offset string

descramble:
             lodsb
             not          al
             mov          [ebx],al
             inc          ebx
             cmp          al,255
             jz           exit
             jmp          descramble

MichaelW

If you know the string will be null terminated, you could just use the print macro:

print ADDR holder,13,10

If RtlZeroMemory is being used for security, shouldn't it be called after you have finished using the buffer?


eschew obfuscation

asmfan

Another question: do you encrypt the zero terminator like the other chars? If yes, then change to cmp   al,0
Russia is a weird place

skywalker

Quote from: asmfan on April 11, 2006, 06:58:42 PM
Another question: do you encrypt the zero terminator like the other chars? If yes, then change to cmp   al,0

I am getting undefined symbol for StdOut with the print macro.

begin:

call START
print ADDR holder,13,10
invoke  ExitProcess,0

--------------------------------------------

This is what I'm using to encrypt the string.


;-------------------------------------------------2006 Andrew Kennedy--------             
; crypt.asm  Basic encryption of a string                                                 
;            Takes a string, NOT each character, and puts it into array                                     
;                 
;            DOES NOT PRINT THE ALT 219 character !
.model   small
.stack   200h 

.data                               ; not Û = $
                                    ; not $ = Û(Alt 219)

string       db            'Software\skywalkerÛ' 
array        db           ($ - string) dup('1')

.code
               

start:             
             mov          ax,@data
             mov          ds,ax
             
             mov          bx,offset array
             mov          si,offset string
scramble:
             lodsb
             not          al          ; flip bits
             mov          [bx], al
             inc          bx
             cmp          al,'Û'    ; not Û = $ (end of string marker)
             jz           print
             jmp          scramble
print:
             mov          dx,offset array
             mov          ah,9
             int          21h

jmp          exit

             mov          ah,2     ;  print a space
             mov          dl,' '   ;        ->
             int          21h      ;      and another
             mov          dl,'-'   ;       space
             int          21h
             mov          dl,'>'
             int          21h
             mov          dl,' '
             int          21h

             mov          bx,offset array
             mov          si,offset array
descramble:
             lodsb
             cmp          al,'$'
             jz           last_print
             not          al
             mov          [bx],al
             inc          bx
             jmp          descramble
last_print:
             mov          dx,offset array ; descrambled text stored here
             mov          ah,9
             int          21h

exit:
             mov          ax,4c00h
             int          21h

end          start



Mark Jones

Quote from: skywalker on April 11, 2006, 07:51:15 PM
I am getting undefined symbol for StdOut with the print macro.

Might have to re-install MASM32.
"To deny our impulses... foolish; to revel in them, chaos." MCJ 2003.08

skywalker

Quote from: Mark Jones on April 11, 2006, 09:03:59 PM
Quote from: skywalker on April 11, 2006, 07:51:15 PM
I am getting undefined symbol for StdOut with the print macro.

Might have to re-install MASM32.

What makes you think that ?


skywalker

Quote from: Mark Jones on April 11, 2006, 09:03:59 PM
Quote from: skywalker on April 11, 2006, 07:51:15 PM
I am getting undefined symbol for StdOut with the print macro.

Might have to re-install MASM32.

This fills holder with string\ but I can't figure out how to get it null terminated so CreateRegKeyEx will work.

The print macro works fine in other code, don't know why it gets "scared" with this code.

.DATA
   
    ValueOK     db "Registry key added OK",0 
    Sample      db "BOX",0
    holder      db    10 dup(0)
    string      db    "¬‹?–'˜£0"    ; unencrypted value is 'string\'

.CODE

begin:

START PROC   

   
    LOCAL   hRegKey :DWORD
    LOCAL   Disposition :DWORD


             invoke  RtlZeroMemory, ADDR holder, sizeof holder ; in kernel32.inc
             lea          ebx, holder
             mov          esi,offset string

descramble:
             lodsb
             not          al
             mov          [ebx],al
             inc          ebx
             cmp          al,255
             jz           finish
             jmp          descramble

finish:

invoke  RegCreateKeyEx, HKEY_LOCAL_MACHINE, ADDR holder, NULL, NULL,\
            REG_OPTION_NON_VOLATILE, KEY_READ, NULL, ADDR hRegKey, ADDR Disposition

MichaelW

Andy,

If holder is defined in the Start procedure, it is not visible outside the procedure. Move the print statement into the procedure and it should work OK.

If the string you started with was null terminated, then when this code reaches the encrypted null terminator it will NOT it to zero, and move it into the destination string:

descramble:
lodsb
not al
mov [ebx],al
inc ebx
cmp al,255
jz finish
jmp descramble


The only problem I see is that

cmp al,255

Should be

cmp al,0 ; cmp al,not 255 would also work

eschew obfuscation
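
As an added C example (not code from the thread, and not MASM32 code): it models the thread's NOT scramble/descramble loop so the three points raised above can be checked on a PC. It stores one byte per iteration (asmfan's `mov [ebx],al` rather than `eax`), stops on a decrypted byte of 0 rather than 255 once the terminator is encrypted along with the text, bounds the loop by the size of the 10-byte holder instead of trusting the source, and wipes the plaintext after use as MichaelW suggested for RtlZeroMemory. The sample plaintext 'string\' and the buffer sizes are constructed for the example; `not_byte`, `scramble`, `descramble`, `wipe` and the other names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NOT a single byte: the C form of the thread's `not al`. */
uint8_t not_byte(uint8_t b)
{
    return (uint8_t)~b;
}

/* Scramble a NUL-terminated string: NOT every byte, terminator included,
 * so the encrypted text ends in 0xFF (NOT 0). Returns the number of bytes
 * written including that 0xFF, or 0 if dst cannot hold them. */
size_t scramble(const char *src, uint8_t *dst, size_t dst_len)
{
    size_t n = strlen(src) + 1;              /* plaintext plus its NUL */
    if (n > dst_len)
        return 0;
    for (size_t i = 0; i < n; i++)
        dst[i] = not_byte((uint8_t)src[i]);
    return n;
}

/* Descramble: NOT each byte, store ONE byte (`mov [ebx],al`, not eax), and
 * stop when the decrypted byte is 0 (`cmp al,0`). The loop is bounded by
 * the smaller of src_len and dst_len, so a source without a terminator
 * cannot run past the holder. Returns the plaintext length, or -1 if no
 * terminator was found in range. */
int descramble(const uint8_t *src, size_t src_len, char *dst, size_t dst_len)
{
    size_t limit = src_len < dst_len ? src_len : dst_len;
    for (size_t i = 0; i < limit; i++) {
        uint8_t b = not_byte(src[i]);
        dst[i] = (char)b;
        if (b == 0)
            return (int)i;
    }
    return -1;
}

/* Clear the plaintext once it is no longer needed (the point about calling
 * RtlZeroMemory *after* using the buffer). The volatile pointer keeps the
 * compiler from dropping the stores as dead. */
void wipe(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--)
        *v++ = 0;
}

int is_all_zero(const void *p, size_t n)
{
    const uint8_t *b = (const uint8_t *)p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != 0)
            return 0;
    return 1;
}

/* Round trip through a 10-byte holder, mirroring LOCAL holder[10] :BYTE.
 * Returns 1 if every step behaves as expected, 0 otherwise. */
int round_trip_ok(void)
{
    uint8_t enc[16];
    char holder[10];
    const char *plain = "string\\";          /* constructed sample: 'string\' */

    size_t n = scramble(plain, enc, sizeof enc);
    if (n != strlen(plain) + 1 || enc[n - 1] != 0xFF)
        return 0;

    int len = descramble(enc, n, holder, sizeof holder);
    if (len != (int)strlen(plain) || strcmp(holder, plain) != 0)
        return 0;                            /* holder is now NUL-terminated */

    wipe(holder, sizeof holder);
    return is_all_zero(holder, sizeof holder);
}

/* A holder too small for the plaintext: the bounded loop reports failure
 * instead of writing past the buffer. */
int truncated_reports_error(void)
{
    uint8_t enc[16];
    char small[4];
    size_t n = scramble("string\\", enc, sizeof enc);
    return descramble(enc, n, small, sizeof small) == -1;
}

int main(void)
{
    /* NOT 0xDB (Alt 219) is 0x24, '$', which is why the DOS version can
     * use the DOS string terminator as its end marker. */
    printf("NOT 0xDB = 0x%02X ('%c')\n", not_byte(0xDB), not_byte(0xDB));
    printf("round trip: %s\n", round_trip_ok() ? "ok" : "FAILED");
    printf("short buffer rejected: %s\n", truncated_reports_error() ? "ok" : "FAILED");
    return 0;
}
```

The `descramble` bound is the part the assembly loop lacks: with `cmp al,255` the encrypted NUL decrypts to 0 and never matches, so the loop keeps copying whatever follows `string` in .DATA into the stack frame until it happens to hit a 0 byte; comparing against 0 and limiting the loop to the holder's size removes both the wrong stop condition and the overrun.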

skywalker

Quote from: MichaelW on April 12, 2006, 09:15:29 AM
Andy,

If holder is defined in the Start procedure, it is not visible outside the procedure. Move the print statement into the procedure and it should work OK.

If the string you started with was null terminated, then when this code reaches the encrypted null terminator it will NOT it to zero, and move it into the destination string:


I figured that out last night.

I am trying to figure why my RegCreateKeyEx isn't working. It points to a null terminated string now, but isn't
working.

Whether holder is in or out of the procedure, I get this error with the print macro.
Very strange, as the macro works fine in other code? I even re-installed masm.

C:\masm32\source\crypt5.asm(52) : error A2006: undefined symbol : StdOut
print(1): Macro Called From
  C:\masm32\source\crypt5.asm(52): Main Line Code

MichaelW

I misread your statement of the problem so my reply was not correct. On my system the print macro produces an

error A2006: undefined symbol : StdOut

If I fail to include \masm32\include\masm32.inc


eschew obfuscation

skywalker

Quote from: MichaelW on April 12, 2006, 08:02:58 PM
I misread your statement of the problem so my reply was not correct. On my system the print macro produces an

error A2006: undefined symbol : StdOut

If I fail to include \masm32\include\masm32.inc


No problem, I can live without that macro in that code anyway.