|
SOLVED: Asm question - Call instruction - Signed # |
Post Reply 
|
Page 12> |
| Author | |
Matts_User_Name 
Senior Member 
Joined: 10 August 2006 Location: USA Online Status: Offline Posts: 610 |
 Quote Reply
 Topic: SOLVED: Asm question - Call instruction - Signed #Posted: 17 July 2009 at 7:54am |
|
Okay, I am quite new to assembly, and this is just a small question that I have been trying to figure out for the past 2 hours. At this point I figured I would get the advice of someone with more experience. Basically I am trying to find the connection between the address where the call instruction is at, to the address of the function being called. Here is what IDA shows: (I only changed the name of the function) BF912B25 E8 B8 B3 F8 FF call XYZ(x,x) Although IDA reports the address of XYZ being BF89DEDD It seems like B8 B3 F8 FF would == FFF8B3B8 because of DWORDs being in little endian format, but adding or subtracting that value to the call instruction's address(BF912B25) is not getting me anywhere near the function's(XYZ) address(BF89DEDD) Usually it seems that all you need to do is add the bytes(in DWORD format) to the address where the call instruction is located. But what is going on here instead is: a subtraction is taking place because the call's address BF912B25 is > than the fn's address BF89DEDD Maybe because of this subtraction the byes B8 B3 F8 FF are translated differently? Perhaps FF might have something to do with a subtraction taking place, instead of an sum? So overall my question is: Given call's address of BF912B25, how exactly are these bytes B8 B3 F8 FF manipulated so that the final address is the address of XYZ: BF89DEDD ? I have done so many different mathematical operations, and haven't even gotten close to BF89DEDD I also tried to find some way for those bytes(B8 B3 F8 FF) to be manipulated so that I got an answer close to 74C48 because that is the difference between calls address(BF912B25) and XYZ's address(BF89DEDD), but I cannot seem to find any pattern or translation/mathematical operation to get that value(74C48) Thank you very much for your help. -Matt PS - If you are as baffled as I am, and need to know exactly what I am debugging and/or need screenshots from IDA for more information, then let me know (I just didn't post them because I am trying to figure it out on my own... but obviously this is quite a set back for me not being able to translate those byte codes into the final address of the function XYZ) Edited by Matts_User_Name - 17 July 2009 at 5:40pm |
|
 |
|
|
cedrou
Newbie 
Joined: 16 June 2008 Location: France Online Status: Offline Posts: 15 |
Quote Reply
Posted: 17 July 2009 at 9:04am |
|
Hi Matt, you just need to add the offset (which is a SIGNED value) to the current instruction offset: 0xBF912B25 + 0xFFF8B3B8 = 0xBF89DEDDCédric
|
|
|
VMExplorer: Explore your processes memory.
|
|
|
|
|
Matts_User_Name
Senior Member
Joined: 10 August 2006 Location: USA Online Status: Offline Posts: 610 |
Quote Reply
Posted: 17 July 2009 at 9:56am |
|
Wow! I cant believe I didn't see that. You would have thought I would have just tried subtracting 8B3B8 to call's address by killing the Fs. That does indeed make sense because that translates to an offset for subtraction. I guess while doing so many tests, that one threw me off because calc.exe reported it as positive number, but now doing a test of entering -1, it gives 0xFFFF,FFFF,FFFF,FFFF and when going back to dec it then reports it as 18,446,744,073,709,551,615 instead! I guess it doesn't do too well with signed numbers from Hex or Bin --> Dec Man I spent 3+ hours working on this... and I had a feeling it was something to do with the Fs. I shall make a note to watch for trailing Fs(in byte display) and recognize it will be a subtraction offset, where I need to kill the Fs Hopefully this helps someone else out there that became tripped up by this. Thank you very much! |
|
|
|
|
Matts_User_Name
Senior Member
Joined: 10 August 2006 Location: USA Online Status: Offline Posts: 610 |
Quote Reply
Posted: 17 July 2009 at 5:39pm |
|
Conclusion Actually I see that just subtracting Apparently the relationship between the difference in the addresses: 7,4C48 and the bytes given FFF8,B3B8 is by the hex number: 1,0000,0000 because FFF8,B3B8 + 7,4C48 = 1,0000,0000 So basically, if the start of the address (DWORD display... or end, in byte display) is a series of Fs that (extend to the 4 digit boundary(because it is a hex number)) then it is going to be in signed format. And if that is the case, then I guess they way to calculate the difference 7,4C48 that needs to be subtracted from call's address: BF91,2B25, and not using the address of the function(XYZ) already given by the debugger: BF89,DEDD (since this is the answer we are looking for, to prove that this is how the debugger is finding it) then we need to do the following... 1. take the number of digits in the code bytes (in this case FFF8,B3B8 would be 8) and for each of those, use 0s: 0000,0000 and then append a 1 as the left-most number to make it signed, which results in the number of: 1,0000,0000 2. Now find the difference between the new signed number 1,0000,0000 and the code bytes FFF8,B3B8 which is 7,4C48 3. And now using our newly calculated difference(7,4C48) we find the difference of call's address BF91,2B25 and 7,4C48 which is BF89,DEDD ---> And now this proves that BF91,2B25 + FFF8,B3B8 = 1,BF89,DEDD and therefore the right most 1 could be removed. Mathematically that would be 1,BF89,DEDD - 1,0000,0000 = BF89,DEDD Examples: (the one above) BF91,2B25 + FFF8,B3B8 = 1,BF89,DEDD --> BF89,DEDD 1. 1,0000,0000 - FFF8,B3B8 = 7,4C48 2. BF91,2B25 - 7,4C48 = BF89,DEDD B000,0050 + FFFF,0025 = 1,AFFF,0075 --> AFFF,0075 1. 1,0000,0000 - FFFF,0025 = FFDB 2. B000,0050 - FFDB = AFFF,0075 B000,0010 + FFF0 = 1,B000,000 --> B000,000 1. 1,0000 - FFF0 = 10 2. B000,0010 - 10 = B000,000 I can see why I was confused now! Hopefully someone out there finds this to be informative. Edited by Matts_User_Name - 17 July 2009 at 9:45pm |
|
|
|
|
wj32
Senior Member
Joined: 16 January 2009 Location: Australia Online Status: Offline Posts: 607 |
Quote Reply
Posted: 17 July 2009 at 11:20pm |
|
Lookup two's complement on Wikipedia :).
|
|
|
MCTS: Windows Internals
Process Hacker, a free and open source process viewer. |
|
|
|
|
Matts_User_Name
Senior Member
Joined: 10 August 2006 Location: USA Online Status: Offline Posts: 610 |
Quote Reply
Posted: 18 July 2009 at 8:11am |
|
Yea I have but it is too technical... Seriously, WTF:   I understand signed and unsigned numbers (well the ranges atleast), and how it is all based on powers of 2's, but it just seems like understanding this issue of relative offsets to addresses, given the current address of the instruction, is different in a way. Edited by Matts_User_Name - 18 July 2009 at 8:18am |
|
|
|
|
wj32
Senior Member
Joined: 16 January 2009 Location: Australia Online Status: Offline Posts: 607 |
Quote Reply
Posted: 18 July 2009 at 8:53am |
|
Well, that's just how the call/jmp instructions are coded. If you want to do an absolute jump, you can do this:
mov eax, 0x12345678 jmp eax See http://www.geocities.com/thestarman3/asm/2bytejumps.htm |
|
|
MCTS: Windows Internals
Process Hacker, a free and open source process viewer. |
|
|
|
|
BanMe
Groupie 
Joined: 18 August 2006 Location: United States Online Status: Offline Posts: 55 |
Quote Reply
Posted: 19 July 2009 at 2:43am |
|
Indirect calling can go here to ;)
ive modified it since then but hey I just use push instead of pop and I user the Context Registers to pass stuff..newer sources are included in my server.. if you can find it and understand it props to you :D
regards BanMe
|
|
|
|
|
wj32
Senior Member
Joined: 16 January 2009 Location: Australia Online Status: Offline Posts: 607 |
Quote Reply
Posted: 19 July 2009 at 2:55am |
What does this have to do with the topic?  Matts_User_Name was asking about call instructions, not CSR replacements... |
|
|
MCTS: Windows Internals
Process Hacker, a free and open source process viewer. |
|
|
|
|
BanMe
Groupie
Joined: 18 August 2006 Location: United States Online Status: Offline Posts: 55 |
Quote Reply
Posted: 19 July 2009 at 6:31am |
|
you obviously dont read things before you post do you...
yes code like this would definitly serve as a "CSR" Replacement..
maybe if you had read about the code you would understand what its actually about..
so I will lay it out for you...
it is about using the "calling conventions" specificly __stdcall.. in a dynamic and reusable fashion, the fact it "Native" code does not mean you can't reuse the concept's in win32..just use the win32 equivelents..and intrinsics or inline like me. th only api without a obvious equivelent is Native_GetHandleTableHandle but that just returns a handle to a suspended thread created previously.so CreateThread suffices in this respect ;)
the fact you didn't read it before posting shows a feature most common..lazyiness ;}
also 2byte jmps are used in hotpatching and funner hooking techniques..
.
I thought a little injection of "call instruction behavior" would be nice addition to this threads overall value.. maybe I was wrong?
BanMe Edited by BanMe - 19 July 2009 at 6:47am |
|
|
|
|
Post Reply
|
Page 12> |
| Forum Jump | Forum Permissions You cannot post new topics in this forum You cannot reply to topics in this forum You cannot delete your posts in this forum You cannot edit your posts in this forum You cannot create polls in this forum You cannot vote in polls in this forum |
Topic Options