How can I get the EIP (HELP!!!!) using ASM.

CristiDRCristiDR Member Posts: 7
How can I get the address of the current instruction (or the next) using 32 bit ASM??? Anything is welcome!!!!!!!


Comments

  • CroWCroW Member Posts: 348
    call xxx does push the address of the next instruction, ret does jmp to that location.
    in tasm there exists the '$'-operator which returns the current address:

    jmp $ ; infinite loop

    I don't know exactly whether '$' returns a relative address to that location or an absolute one, so try something like that:

    call OpCode
    OpCode:
    pop eax ; ip of 'pop eax' should be in eax now.

    I didn't test it, but it should work

  • brain_insidebrain_inside Member Posts: 40
    : call xxx does push the address of the next instruction, ret does jmp to that location.
    : in tasm there exists the '$'-operator which returns the current address:
    :
    : jmp $ ; infinite loop
    :
    : I don't know exactly whether '$' returns a relative address to that location or an absolute one, so try something like that:
    :
    : call OpCode
    : OpCode:
    : pop eax ; ip of 'pop eax' should be in eax now.
    :
    : I didn't test it, but it should work
    :
    :

    The "$" operator is a constant, so it's only useful if your addresses
    stay the same (the assembler isn't smart enough to know if it changes,
    of course).

    If the address of your program in memory DOES change (the only example
    I know are viruses, I'm interested in what kind of program you are
    trying to write...), use CALL + POP.

  • PharabeePharabee Member Posts: 84
    Get EIP?
    Simply Push the EIP value
    [code]
    Push Eip ;Maybe, I have tried it and then "Invalid Instruction"
    pop Eax
    invoke dw2a,Eax,addr Bupp ; turn it to ASCII
    invoke TextOut,100,100,addr Bupp,eax ;Show it
    [/code]
  • CristiDRCristiDR Member Posts: 7
    I am using DELPHI and Visual C++ (and its ASM) to write a "security system" for my program. The "IDEA" is simple.
    I have the code in an array of bytes that I alloc at some location in memory and jmp to that location (and the code shows a NAG SCREEN, for example); when a cracker modifies that code he can't trace it back and the modified code doesn't execute the next time. (This idea I have "got" from a friend who works in TRIAL SECURITY.)
    The problem is that
    The array code is (for ex.):
    CodeArray:Array[0..XX] of BYTE=($6e,$00,....);
    when I jmp to the CodeArray location the code starts to execute BUT
    how can I get back or elsewhere?
    In executable code the Call MessageBox is decoded like that:
    the $eb=Call (I am not at home and I don't know the OPcode value)
    and a 32bit value that is the difference of the MessageBOX address - the address of the next instruction in INTEL FORMAT: 12345678=78563412
    And how can I write in a predefined code a CALL that changes by the EIP?

    I think I can explain very little of what is going on, but if it helps (or you can help me) it is OK.
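    The two ideas in this thread, reading the current address with a call/pop (CroW's and Chojin's replies above) and building a relative call by subtracting the address of the next instruction from the target (the previous post), as one added example in C. This is not code from any poster; it assumes a GCC-compatible compiler (the inline call/pop is only compiled on x86, with a GCC label-address fallback elsewhere) and uses constructed sample addresses. The byte layout it produces is the one the post is describing: opcode 0xE8 for a near relative call (0xEB, mentioned above, is a short jump), followed by the 32-bit difference stored least-significant byte first, which is why 12345678 appears in memory as 78 56 34 12.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CALL_REL32_LEN 5   /* E8 xx xx xx xx */

/*
 * The call/pop idiom from the thread: "call" pushes the address of the
 * instruction after it, and a "pop" placed exactly at that address reads it
 * back. The whole register-sized value must be popped (pop eax, not pop ax),
 * otherwise part of the return address stays on the stack.
 */
__attribute__((noinline)) uintptr_t current_address(void)
{
    uintptr_t addr;
#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile("call 1f\n"
                     "1:\n\t"
                     "pop %0" : "=r"(addr));
#else
    /* Non-x86 fallback (assumption: GCC/Clang label-address extension). */
    addr = (uintptr_t)&&here;
here:;
#endif
    return addr;
}

/*
 * Emit "call target" at buf[off], given that buf[0] will sit at buf_addr
 * when the bytes execute. rel32 is measured from the END of the call
 * instruction, i.e. from the address of the next instruction.
 */
size_t emit_call_rel32(uint8_t *buf, uint32_t buf_addr, size_t off, uint32_t target)
{
    uint32_t next_ip = buf_addr + (uint32_t)off + CALL_REL32_LEN;
    uint32_t rel = target - next_ip;      /* unsigned wrap == two's complement */
    buf[off + 0] = 0xE8;
    buf[off + 1] = (uint8_t)(rel);        /* least significant byte first */
    buf[off + 2] = (uint8_t)(rel >> 8);
    buf[off + 3] = (uint8_t)(rel >> 16);
    buf[off + 4] = (uint8_t)(rel >> 24);
    return off + CALL_REL32_LEN;
}

/* Inverse: where does the E8 call at buf[off] go? Returns 0 if it is not E8. */
uint32_t call_rel32_target(const uint8_t *buf, uint32_t buf_addr, size_t off)
{
    if (buf[off] != 0xE8)
        return 0;
    uint32_t rel = (uint32_t)buf[off + 1]
                 | (uint32_t)buf[off + 2] << 8
                 | (uint32_t)buf[off + 3] << 16
                 | (uint32_t)buf[off + 4] << 24;
    return buf_addr + (uint32_t)off + CALL_REL32_LEN + rel;
}

int main(void)
{
    /* Constructed sample: the byte array is assumed to be loaded at
       0x00400000 and the function we want to reach sits at 0x12345678. */
    uint8_t code[CALL_REL32_LEN];
    emit_call_rel32(code, 0x00400000u, 0, 0x12345678u);
    for (size_t i = 0; i < CALL_REL32_LEN; i++)
        printf("%02X ", code[i]);
    printf("-> target %08X\n", call_rel32_target(code, 0x00400000u, 0));
    printf("current address via call/pop: %p\n", (void *)current_address());
    return 0;
}
```

    Because the displacement depends on where the array ends up, the bytes must be re-encoded (or patched) once the array's runtime address is known; the call/pop trick is what lets code inside the array find that address by itself. Note also that compilers normally reach an imported Win32 function such as MessageBox indirectly through the import address table (FF 15 disp32) rather than with a direct E8, so bytes copied from a disassembly will not relocate correctly without re-encoding.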
  • PharabeePharabee Member Posts: 84
    : I am using DELPHI and Visual C++ (and its ASM) to write a "security system" for my program. The "IDEA" is simple.
    : I have the code in an array of bytes that I alloc at some location in memory and jmp to that location (and the code shows a NAG SCREEN, for example); when a cracker modifies that code he can't trace it back and the modified code doesn't execute the next time. (This idea I have "got" from a friend who works in TRIAL SECURITY.)
    : The problem is that
    : The array code is (for ex.):
    : CodeArray:Array[0..XX] of BYTE=($6e,$00,....);
    : when I jmp to the CodeArray location the code starts to execute BUT
    : how can I get back or elsewhere?
    : In executable code the Call MessageBox is decoded like that:
    : the $eb=Call (I am not at home and I don't know the OPcode value)
    : and a 32bit value that is the difference of the MessageBOX address - the address of the next instruction in INTEL FORMAT: 12345678=78563412
    : And how can I write in a predefined code a CALL that changes by the EIP?
    :
    : [red]I think I can explain very little of what is going on, but if it helps (or you can help me) it is OK.[/red] ;[blue] What does this mean?[/blue]
    :

    When you jump by a Call instruction the EIP is pushed to the stack and the value is added by one. So to obtain its address the only thing you have to do is get that EIP value and decrement it by one. Hint: [red] SS:ESP is the address where a value is pushed[/red].

  • ChojinChojin Member Posts: 39
    I don't know how to get the eip, but I have done a program that gets the ip, maybe you can use it ...

    you just do a near call; when you do a near call the ip is pushed to the stack, so you just have to do this:

    call getip ; near call (only pushes ip to stack)
    getip: pop ax ; ax = ip

    eip, I don't know ...


  • brain_insidebrain_inside Member Posts: 40
    [b][red]This message was edited by brain_inside at 2003-4-6 0:23:39[/red][/b][hr]
    : I don't know how to get the eip, but I have done a program that gets the ip, maybe you can use it ...
    :
    : you just do a near call; when you do a near call the ip is pushed to the stack, so you just have to do this:
    :
    : call getip ; near call (only pushes ip to stack)
    : getip: pop ax ; ax = ip
    :
    : eip, I don't know ...
    :
    :
    :

    The processors in the Intel 80x86 family can run in two modes: Real and Protected. Real Mode is what DOS used, limited to 640K of memory. Windows, Linux and other modern operating systems run in Protected Mode.

    As you should know, memory is divided into segments. In Real Mode every segment can be at maximum 64K, so a 16 bit offset (IP) was enough. Protected Mode is capable of huge segments up to 4G, so you need a 32 bit pointer (EIP). I guess you are writing a Windows program (because of MessageBox), so where is your problem? just code

    [code]
    call loc1
    loc1:
    pop [b]e[/b]ax
    [/code]

    if you only pop ax, the higher word of EIP will be left on the stack and cause problems later (did it?)

    If you're doing a DOS program, you won't need EIP because it has no purpose in Real Mode. If you need the 32 bit value of EIP, you could get it by using an address size prefix (tested with NASM):

    [code]
    call DWord loc1
    loc1:
    pop eax
    [/code]

    but it would be easier to first xor eax,eax and then load the 16 bit offset into ax, because the top 16 bit will be zero anyway.
  • PharabeePharabee Member Posts: 84
    : [b][red]This message was edited by brain_inside at 2003-4-6 0:23:39[/red][/b][hr]
    : : I don't know how to get the eip, but I have done a program that gets the ip, maybe you can use it ...
    : :
    : : you just do a near call; when you do a near call the ip is pushed to the stack, so you just have to do this:
    : :
    : : call getip ; near call (only pushes ip to stack)
    : : getip: pop ax ; ax = ip
    : :
    : : eip, I don't know ...
    : :
    : :
    : :
    :
    : The processors in the Intel 80x86 family can run in two modes: Real and Protected. Real Mode is what DOS used, limited to 640K of memory. Windows, Linux and other modern operating systems run in Protected Mode.
    :
    : As you should know, memory is divided into segments. In Real Mode every segment can be at maximum 64K, so a 16 bit offset (IP) was enough. Protected Mode is capable of huge segments up to 4G, so you need a 32 bit pointer (EIP). I guess you are writing a Windows program (because of MessageBox), so where is your problem? just code
    :
    : [code]
    : call loc1
    : loc1:
    : pop [b]e[/b]ax
    : [/code]
    :
    : if you only pop ax, the higher word of EIP will be left on the stack and cause problems later (did it?)
    :
    : If you're doing a DOS program, you won't need EIP because it has no purpose in Real Mode. If you need the 32 bit value of EIP, you could get it by using an address size prefix (tested with NASM):
    :
    : [code]
    : call DWord loc1
    : loc1:
    : pop eax
    : [/code]
    :
    : but it would be easier to first xor eax,eax and then load the 16 bit offset into ax, because the top 16 bit will be zero anyway.
    :

    ...Also, if you want to push 32-bit in Real mode, you need a prefix.
    [code]
    your_code:
    p db 0x66
    Push Ip
    pop ax
    pop dx
    [/code]

    now dx:ax contains the EIP value. Convert it to ASCII. I have not tested it, but theoretically it will work.
  • brain_insidebrain_inside Member Posts: 40
    : ...Also, if you want to push 32-bit in Real mode, you need a prefix.
    Not with a 386-aware assembler. For example, you can simply code push eax in NASM.

    : [code]
    : your_code:
    : p db 0x66
    : Push Ip
    : pop ax
    : pop dx
    : [/code]
    :
    : now dx:ax contains the EIP value. Convert it to ASCII.

    You can't push IP because it has no register code. You can look up an opcode table and try to construct this yourself, if you don't believe me.

    : I have not tested it, but theoretically it will work.

    You should really test it, at least if you're not certain...
  • AsmGuru62AsmGuru62 Member Posts: 6,519
    : I am using DELPHI and Visual C++ (and its ASM) to write a "security system" for my program. The "IDEA" is simple.
    : I have the code in an array of bytes that I alloc at some location in memory and jmp to that location (and the code shows a NAG SCREEN, for example); when a cracker modifies that code he can't trace it back and the modified code doesn't execute the next time. (This idea I have "got" from a friend who works in TRIAL SECURITY.)
    : The problem is that
    : The array code is (for ex.):
    : CodeArray:Array[0..XX] of BYTE=($6e,$00,....);
    : when I jmp to the CodeArray location the code starts to execute BUT
    : how can I get back or elsewhere?
    : In executable code the Call MessageBox is decoded like that:
    : the $eb=Call (I am not at home and I don't know the OPcode value)
    : and a 32bit value that is the difference of the MessageBOX address - the address of the next instruction in INTEL FORMAT: 12345678=78563412
    : And how can I write in a predefined code a CALL that changes by the EIP?
    :
    : I think I can explain very little of what is going on, but if it helps (or you can help me) it is OK.
    :
    [blue]Also, when designing the anti-hack code, try to put yourself into a hacker's position and try to beat your system. How easy is it to do?

    For example: the hacker may not be modifying the code in the array, but just passing it by with a single JMP, so you can spend a month trying to perfect something that can be beaten easily.

    There are some nice articles about designing anti-hack code, but they are all in Russian - I have never seen anything in English, so I am not sure if they are useful, but they are definitely a cool read!

    If someone knows the links to such stuff in English, please, let me know.[/blue]