
Help Please

Hey

I've got the simple task of getting the value of all of the registers (EAX, EBX, EDI, etc.) and need to print all these to a text file, with a new line for each value. I currently have:

[code]
_regdump:

MOV EDI, EAX
PUSH EAX
CALL _fopen
ADD ESP, 8

PUSH DWORD MESSAGE1
;PUSH EDI
CALL _printf
ADD ESP, 8

PUSH EAX
CALL _fclose
ADD ESP, 4

MESSAGE1
db 'it works', 0
[/code]
With this code, it prints "it works" to the screen, then crashes, without writing anything to the file. I've commented out the "PUSH EDI" as it creates further problems. Any help with either problem would be greatly appreciated.


Comments

  • AsmGuru62 Member Posts: 6,519
    : Hey
    :
    : I've got the simple task of getting the value of all of the
    : registers (EAX, EBX, EDI etc) and need to print all these to a text
    : file, with a new line for each value. I currently have:
    :
    : _regdump:
    :
    : MOV EDI, EAX
    : PUSH EAX
    : CALL _fopen
    : ADD esp, 8
    :
    : PUSH DWORD MESSAGE1
    : ;PUSH EDI
    : CALL _printf
    : ADD ESP, 8
    :
    : PUSH EAX
    : CALL _fclose
    : ADD ESP, 4
    :
    : MESSAGE1
    : db 'it works', 0
    : With this code, it prints "it works" to the screen, then crashes,
    : without writing anything to the file. I've commented out the "PUSH
    : EDI" as it creates further problems. Any help with either problem
    : would be greatly appreciated.
    You should use _fprintf instead of _printf. Also, first you should save all registers for dumping into memory and then print them one by one. Because, when you start calling all kinds of functions (_fopen, _printf), the registers' contents change, so you dump wrong values.
  • BitByBit_Thor Member Posts: 2,444
    To add to MT's response:
    The reason it crashes is because after the "ADD ESP, 4", you fall into the 'data section': "db 'it works', 0", which should be equivalent to some pretty stunning code :)

    Best Regards,
    Richard

    The way I see it... Well, it's all pretty blurry
  • Marsman Member Posts: 26
    : You should use _fprintf instead of _printf. Also, first
    : you should save all registers for dumping into memory and then print
    : them one by one. Because, when you start calling all kinds of
    : functions (_fopen, _printf), the registers' contents change, so you
    : dump wrong values.

    Ok, I think I get what you are saying. I know this is simple, but for some reason I just can't get it. This is what I have progressed to. Am I on the right track?

    [code]
    _regdump:

    PUSH EAX
    MOV EAX, [esp+8]
    CALL _fopen
    ADD ESP,8

    PUSH DWORD MESSAGE1
    POP EAX
    MOV EAX, ECX
    PUSH EAX
    CALL _fprintf
    ADD ESP,8

    PUSH EAX
    CALL _fclose
    ADD ESP,4

    RET ; Return to calling program.

    MESSAGE1
    db 'is working',0
    [/code]

    Thanks


  • BitByBit_Thor Member Posts: 2,444
    : Ok, I think I get what you are saying. I know this is simple, but
    : for some reason I just can't get it. This is what I have progressed
    : to. Am I on the right track?

    Your current code corrupts the stack and uses it incorrectly at places. Also, I think you need to learn about calling conventions.

    I figure the best way to explain in this case is to show you most of the code.
    [code]
    ; Put the regdump in the text section
    SECTION .text
    global _regdump
    extern _fopen, _fprintf, _fclose

    ; void regdump(const char* filename);
    _regdump:
    ; First we set up a stack frame using the base pointer (EBP)
    push ebp ;Preserve its original value
    mov ebp, esp ;Set it to point to the beginning of the stack frame
    ; When you need to store local variables on the stack, change the
    ; value in the next line to the amount of bytes you need to reserve
    sub esp, 4 ;In this case it's easiest to store the FILE*
    ; returned by fopen on the stack
    ; Here you preserve all the registers you want to print.
    ; Note that using the code above, EBP and ESP can not be printed
    ; Also, to print the original value of the EIP, you'll need to
    ; add extra (more complicated) code
    push eax
    push ebx
    push ecx
    push edx
    ...

    ; First we open the file. Note that we have to pass the parameters
    ; to fopen properly: right to left, through the stack
    push dword szMode ; Pass the Mode-string to fopen
    push dword [ebp+8] ; Pass our first parameter to fopen
    call _fopen
    ; Return value is in EAX, store on the stack (in reserved space)
    mov [ebp-4], eax
    ; Remove the push'd arguments from the stack
    add esp, 8

    ; The following will print the last PUSH'd item
    ; on the 'preserve list' above. If you didn't add any
    ; items to the ... space, then this should be EDX
    ;The third parameter for fprintf is EDX which is already
    ;first on the stack
    push dword szPrintEDX ;Second parameter for fprintf (the label must match the data below)
    push dword [ebp-4] ;First parameter (FILE*); NASM needs the size for a memory push
    call _fprintf
    ; Remove arguments from the stack (including the original EDX)
    add esp, 12

    ; Now the same piece of code for each item on the 'preserve' list
    ; Remember: you'll be printing from last to first, so if you want
    ; to print EAX before EBX then you'll have to PUSH eax AFTER ebx
    ...

    ; Now close the file
    push dword [ebp-4]
    call _fclose
    pop eax ;Remove argument

    ; Clean up:
    mov esp, ebp
    pop ebp
    ret

    ; Put the data in the data section
    SECTION .data
    szMode db "w", 0
    ; %d for a 32-bit register, 10 = newline so each value lands on its own line
    szPrintEDX db "EDX = %d", 10, 0
    [/code]
    Best Regards,
    Richard

    The way I see it... Well, it's all pretty blurry
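    A complete version of the routine sketched above, added here as an example and not code from anyone in this thread: it snapshots the six general registers into memory before any C call can clobber them, then loops over a name/value table so each register lands on its own line. It assumes a 32-bit cdecl toolchain whose C symbols carry a leading underscore (e.g. nasm -f win32 with gcc -m32); on Linux ELF drop the underscores.

```nasm
; Added example (not from the thread); assumes underscore-prefixed C symbols (MinGW, nasm -f win32)
SECTION .data
szMode  db "w", 0
szLine  db "%s = 0x%08X", 10, 0          ; 10 = '\n': one line per register
szNames db "EAX",0,"EBX",0,"ECX",0,"EDX",0,"ESI",0,"EDI",0
NREGS   equ 6                            ; names are 4 bytes apart, like the values
SECTION .bss
regs    resd NREGS                       ; snapshot area, same order as szNames
SECTION .text
global _regdump
extern _fopen, _fprintf, _fclose
; void regdump(const char *filename); cdecl: caller removes args, EBX/ESI/EDI/EBP preserved
_regdump:
    mov  [regs+0],  eax                  ; snapshot first, before anything is touched
    mov  [regs+4],  ebx
    mov  [regs+8],  ecx
    mov  [regs+12], edx
    mov  [regs+16], esi
    mov  [regs+20], edi
    push ebp
    mov  ebp, esp
    push ebx                             ; callee-saved: preserve before using as scratch
    push esi
    push dword szMode
    push dword [ebp+8]                   ; filename argument
    call _fopen
    add  esp, 8
    mov  ebx, eax                        ; FILE* kept in EBX: it survives the fprintf calls
    test eax, eax
    jz   .done                           ; fopen returned NULL: write nothing
    xor  esi, esi                        ; register index 0..NREGS-1
.next:
    push dword [regs+esi*4]              ; 3rd argument: value
    lea  eax, [szNames+esi*4]
    push eax                             ; 2nd argument: name
    push dword szLine                    ; format string
    push ebx                             ; FILE*
    call _fprintf
    add  esp, 16                         ; caller cleans up all four arguments
    inc  esi
    cmp  esi, NREGS
    jb   .next
    push ebx
    call _fclose
    add  esp, 4
.done:
    pop  esi
    pop  ebx
    pop  ebp
    ret
```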