Jump to content

Recommended Posts

Posted (edited)

I updated this with a couple new functions to make compiling and debugging variables easier.

_fasmg_CompileAu3 will generate the au3 code needed for a standalone function without the library and place it on the clipboard. It will also encode/compress the opcode and generate the required code to decode/decompress, but only if its worth it. If the amount of extra au3 code it takes to decode is more than the number of characters saved from encoding, then I dont see the point. Below is the input/output you would get from the first example where base64 would not be worth it. The base64 saves us about 20 characters in the opcode, but even with a single one liner (with length precalculated when compiled) to decode the string its about 170 character long so for this example it would pick base16. 

Input:

_('procf _main, pConsoleWriteCB, parm1, parm2')
_('     mov edx, [parm1]')
_('     add edx, [parm2]')
_('     invoke pConsoleWriteCB, "edx = ", edx') ;
_('     ret')
_('endp')

_fasmg_compileau3($g_sFasm)

Output:

;base16
Local Static $dBinExec = Binary('0x5589E58B550C03551052E807000000656478203D2000FF5508C9C20C00')
Local Static $tBinExec = DllStructCreate('byte[' & BinaryLen($dBinExec) & ']'), $bSet = DllStructSetData($tBinExec, 1, $dBinExec)
Local Static $aProtect = DllCall('kernel32.dll', 'bool', 'VirtualProtect', 'struct*', $tBinExec, 'dword_ptr', DllStructGetSize($tBinExec), 'dword', 0x40, 'dword*', 0)
Local Static $aFlush = DllCall('kernel32.dll', 'bool', 'FlushInstructionCache', 'handle', (DllCall('kernel32.dll', 'handle', 'GetCurrentProcess')[0]), 'struct*', $tBinExec, 'dword_ptr', DllStructGetSize($tBinExec))

;base64
Local Static $sBinExec = 'VYnli1UMA1UQUugHAAAAZWR4ID0gAP9VCMnCDAA='
Local Static $aDec = DllCall('Crypt32.dll', 'bool', 'CryptStringToBinary', 'str', $sBinExec, 'dword', Null, 'dword', 1, 'struct*', DllStructCreate('byte[' & 29 & ']'), 'dword*', 29, 'ptr', 0, 'ptr', 0)
Local Static $tBinExec = DllStructCreate('byte[' & $aDec[5] & ']', DllStructGetPtr($aDec[4]))
Local Static $aProtect = DllCall('kernel32.dll', 'bool', 'VirtualProtect', 'struct*', $tBinExec, 'dword_ptr', DllStructGetSize($tBinExec), 'dword', 0x40, 'dword*', 0)
Local Static $aFlush = DllCall('kernel32.dll', 'bool', 'FlushInstructionCache', 'handle', (DllCall('kernel32.dll', 'handle', 'GetCurrentProcess')[0]), 'struct*', $tBinExec, 'dword_ptr', DllStructGetSize($tBinExec))

_fasmg_Debug is the other much needed function that has been added. Ive gotten annoyed with copying callbacks from script to script just to debug and wanted something native that could handle all the basics. The function inserts ptr's to callbacks directly into the code so you cant use it in a compiled function but you wouldnt want to do that anyway. This also makes it so we dont have to pass the callback as a parameter.  I have 4 callbacks setup that I think covers all my bases but let me know if not. The function excepts a comma delimited string of "type:var" parings using ":" operator to pair and will generate asm code to call the correct callback. The function excepts all autoit types allowed for dllcall and actually uses the literal string specifying the type to dynamically register a function for that variable type.  I didn't always know this (never really needed to) but apparently we can register the same autoit function multiple times with DllCallbackRegister specifying different parameter types with each registration. With that functionality Im able to just create a "wildcard" type function and register the types as needed so that one callback covers most situations. The other 3 callbacks cover dll structures, raw quoted strings (no variable specified), and lastly references (ex: int*).  For whatever reason, specifying the parameters in the callback as references doesn't work out right and doesn't deference so to get around that I send it to a function that creates a dllstruct at the pointer address and access it that way. I also added ability to specify hi/low values using the '|' operator. So "int64:eax|edx" would show you the combined 64bit value of eax and edx.  

For dll structures I made a made modified (basically a copy) version of _winapi_displaystruct  that will print the data to the console instead of showing you listview. Despite the length of that function, it was actually real easy to modify by just replacing all the GUICtrlCreateListViewItem statements with _addarray() to turn it into a 2darray. All the statements are already deliminted with '|' so that worked out nice. I then pass that 2darray to _Array2DToFormatedStr() to convert and format the alignment of all the columns based on longest element in that column before printing so we have a nice table. The dashes help out with the colors too. Here is the output from the example in the helpfile:

Console.PNG.b6092969b1f64f5e8514ae9c0664200c.PNG

 

Debug Example:      

$_dbg = _fasmg_Debug ; (shortcut)
    
    $sTag = 'byte x;short y;char sNote[13];long odd[3];word w;dword p;char ext[3];word finish'
    _(_fasmg_Au3StructDef('AU3TEST', $sTag))

    _('procf _main, parm1, parm2')
    _('     locals')
    _('         iTestSigned dd -12345')
    _('         iTestUnsigned dd 1234567')
    _('         stest db "This is a local string test",0')
    _('         sBuffer db 128 dup ?')
    _('         tTest AU3TEST x:11,y:22,sNote:"Test Msg",odd:333,odd+4:444,odd+8:555,w:77,p:6666,ext:"exe",finish:1234') ;
    _('     endl')
    _("     xor eax, eax") ; eax = 0
    _('     mov bl, 13') ; bl = 13
    _($_dbg('str:"#########################"')) ;; raw string - no variable specified
    _($_dbg('int:[iTestSigned]')) ; signed test
    _($_dbg('uint:[iTestUnsigned]')) ; unsigned test
    _("     cpuid") ; places cpuid string in ebx:ecx:edx
    _("     lea edi, [sBuffer]") ; Load address (ptr) of sBuffer into edi
    _("     mov [edi], ebx") ; first 4 chars of cpuid
    _("     mov [edi + 4], edx") ;
    _("     mov [edi + 8], ecx")
    _("     mov dword[edi + 12], 0")
    _($_dbg('str:edi')) ; will print cpuid string. Edi is holding ptr to local var "sBuffer"
    _('     mov edx, [parm1]')
    _('     add edx, [parm2]')
    _($_dbg('struct:addr tTest:' & $sTag)) ; printing structure. Only type that expects an extra ':' to specify "$sTag"
    _('     mov ebx, 77')
    _('     rdtsc')
    _($_dbg('str:"-----------------------"'))
    _($_dbg('uint*:addr iTestUnsigned')) ;testing passing a reference to it
    _($_dbg('uint:[iTestUnsigned]')) ; should be same
    _($_dbg('str:"-----------------------"'))
    _('     rdtsc') ; this places 64bit timestamp value in eax|edx
    _($_dbg('dword:ebx,uint:[iTestUnsigned],str:addr stest,dword:eax,uint64:eax|edx')); debugging multiple vars. printing 64bit timestamp stored in eax|edx
    _('     rdtsc')
    _($_dbg('uint64:eax|edx,dword:[parm1]'))
    _('     ret')
    _('endp')

Console Output:

#########################
[iTestSigned]: -12345
[iTestUnsigned]: 1234567
edi: GenuineIntel
Struct addr tTest:
====================================================================
#    Member    Offset        Type           Size      Value       
====================================================================
-    -         0x005EF118    <struct>       0         -           
1    x         0             BYTE           1         11          
-    -         -             <alignment>    1         -           
2    y         2             short          2         22          
3    sNote     4             CHAR[13]       13        Test Msg    
-    -         -             <alignment>    3         -           
4    odd       20            long[3]        12 (4)    [1] 333     
-    -         24            -              -         [2] 444     
-    -         28            -              -         [3] 555     
5    w         32            WORD           2         77          
-    -         -             <alignment>    2         -           
6    p         36            DWORD          4         6666        
7    ext       40            CHAR[3]        3         exe         
-    -         -             <alignment>    1         -           
8    finish    44            WORD           2         1234        
-    -         -             <alignment>    2         -           
-    -         0x005EF148    <endstruct>    48        -           
====================================================================
-----------------------
iTestUnsigned*: 1234567
[iTestUnsigned]: 1234567
-----------------------
ebx: 77
[iTestUnsigned]: 1234567
stest*: This is a local string test
eax: 3773413439
eax|edx: 3154339424745535
eax|edx: 3154339424841536
[parm1]: 5

 

Update 9/14/2019:

I added some additional commenting/renaming options for _fasmg_Debug and also added a small example showing a new trick I learned recently used in position independent coding (pic) to establish where you are in memory.

For the debugging portion you can now also optionally change the name/comment of what you are printing by adding a semicolon ";" with new name/comment. Normally the function will just use the variable name. This replaces it with whatever you put after ";". Lets say here some_var = 6

 _fasmg_Debug('dword:[some_var]') ; would print to console -> [some_var]: 6
 _fasmg_Debug('dword:[some_var];value of some_var') ; would print to console -> value of some_var: 6

 

For the trick I learned, I like this as an alternative to passing the address of the structure to your function if your using any kind of global/static variable like data reservations. Heres a partial snip from original _Ex_GlobalVars example of what Im talking about. pMem is the address of the dllstructure holding are binary code and is passed as a parameter so we can calculate the address of g_Var1:

_('procf _main uses ebx, pMem, pConsoleWriteCB, parm1')
_('     mov ebx, [pMem]') ; This is where are code starts in memory.
_('     mov [ebx + g_Var1], 111')

 The alternative way can be done with these three lines below. Whenever the x86 instruction call is executed, the address of where the function needs to return to when finished (which will be the next line) is always pushed on to the stack. This is normally complemented with the ret instruction which pops that value off the stack and returns you back where you need to go next. Here we never execute ret and pop the address off to eax. delta is then subtracted from that address giving us the original starting point. 

_('call delta')
_('delta: pop eax');  eax now equals address of delta
_('sub eax, delta');  eax now equals start of memory

Heres the full example I added to the zip. This also shows how with fasmg, you get true namespaces and makes any data reservation inside procedures more like static variables. Here both _subfunc1 and _subfunc2 use the same names for label delta and data reservation var. I call the function 3 times just to show the variables holding on to there values between calls. In this example the life of those variables would die when the autoit function exits since I only declared $tbinary as local and not static so keep that it mind. Also notice that I defined those with a 0 and not "?". I dont have a example but without the 0 the data is just empty and there for I think it could cause the dllstructure to not have enough bytes define to hold that extra space for variables. Using 0 will always fill the data out so are BinaryLen() calculation will match up. 

Func _Ex_CurrentPOS()

    $g_sFasm = ''

    _('procf _main')
    _('     stdcall _subfunc1')
    _('     stdcall _subfunc2')
    _('     ret')
    _('endp')

    _('proc _subfunc1')
    _('     call delta'); Calling anything places the address of the next instruction on the stack. we just happen to be calling the next line
    _('     delta: pop eax');in this function the label delta is equal to value 18 which is the offset or distance in bytes from _main
    _('     sub eax, delta'); after poping the address of delta (not offset - real address) to eax we subtract delta to give us the address of _main
    _('     add [eax+var], 2')
    _('     add [eax+g_var], 2')
    _(      $_dbg('dword:[eax+var];subfunc1 var'))
    _(      $_dbg('dword:[eax+g_var];subfunc1 g_var'))
    _('     stdcall _subfunc2')
    _('     ret')
    _('     var dd 0')
    _('endp')

    _('proc _subfunc2')
    _('     call delta')
    _('     delta: pop eax');  here delta=47
    _('     sub eax, delta')
    _('     add [eax+var], 3')
    _('     add [eax+g_var], 3')
    _(      $_dbg('dword:[eax+var];subfunc2 var'))
    _(      $_dbg('dword:[eax+g_var];subfunc2 g_var'))
    _('     ret')
    _('     var dd 0')
    _('endp')

    _('g_var dd 0')

    Local $tBinary = _fasmg_Assemble($g_sFasm,1)
    If @error Then Exit (ConsoleWrite($tBinary & @CRLF))

    DllCallAddress('dword', DllStructGetPtr($tBinary))
    DllCallAddress('dword', DllStructGetPtr($tBinary))
    DllCallAddress('dword', DllStructGetPtr($tBinary))

EndFunc

 

Edited by Beege
code comments
Posted (edited)

X64 Support:

The other day @UEZ gave me some motivation to get x64 working in my udf. At this time there is no fasmg.dll that runs in 64bit mode, but much like the original fasm.dll, the 32bit fasmg.dll is perfectly capable of generating x64 bit code since generating code vs executing code are two different things.  So to get x64 working, a simple method I implemented is to just pass the source over to a 32bit script, generate the code and pass it back. I tried the same thing years ago and it did work when it comes to the 64bit code generation. The problems I had were how I lost so much the debugging options I had in place when running in 32bit mode and defeated a lot of the library's purpose of making asm code writing easier. 

This time I am happy to report that I'm able to get it all working and not lose any of the debugging/format options that are all in place for 32bit. All the macros I have been showing in 32bit exist for 64bit just the same and I have added code to make the proper selection.   I've only written the one debugging example for testing purposes so far but covers a decent amount of the functionality plus took me a solid weekend to get there. 

Here are some of the basics you should know about x64 calling conventions and pitfalls that I learned a so far.  

First is fastcall. There is really only one call type and that is fastcall. With fastcall the first 4 parameters are passed in rcx,rdx,r8,r9. Space is still reserved on the stack for the first 4 parms, but they are empty at first and you can choose to transfer the variables to the space once in the function. rax, rcx, rdx, r8-r11 are all volatile registers so if you are going to be calling another function from within your function or using those registers for other purposes, then you should backup the parameter values in that space. For the other registers that are nonvolatile (rbx, rdi, rsi, r12-r15), its important to save those values using the "uses" operator if you are using them ANYWHERE in your function. x64 seems way less forgiving in that aspect then 32bit did. 

_('procf _main uses rbx rdi, parm1, parm2, parm3, parm4')
_('     mov [parm1], rcx')
_('     mov [parm2], rdx')
_('     mov [parm3], r8')
_('     mov [parm4], r9')

 Two items that tripped me up for a little bit. One is calling a function if the ptr is in rcx. I was passing a callback pointer as my first parameter discovering this. Its kinda obvious now that problem is tied in with ecx being a parameter but was not thinking about it at the time. The other issue is trying to persevere any kind of volatile register between a function call via push/pop. For whatever reason any kind of push R#X; call func; pop R#X fails with some kind of stack alignment issue. You can get around this by either backing up the values in a local variable or transfer whatever volatile register to r12-15 if not being used. If you know what the problem is there please let me know. 

;use of push/pop is ok
_(' push rdx') ; 
_(' pop rcx') ; 
_(' fastcall rax') ; call some function
_(' push rax') ; 
_(' pop rcx') ; 


;its calling a function when ever the stack is not balanced that fails
_(' push rdx') ; preserve rdx
_(' fastcall rax') ; call some function
_(' pop rdx') ; restore

First post has been updated.  Reporting issues, questions, comments. Believe it or not these are all allowed ;)

 

Update - 10/26/2019

I got stack alignment issues figured out. The key is keeping the stack 16 byte aligned and its very easy. Just always push the values you want to preserve in mulitples of 2. In the above code when I only push rdx (1 register) so the alignment is now on 8. We just need to push the value once more or you could also add a 'sub rsp, 8' statement but a little more code.

Here we are pushing 2 registers so this is aligned ok:

_(' push rcx') ; preserve rcx
_(' push rdx') ; preserve rdx
_(' fastcall rax') ; call some function
_(' pop rdx') ; restore
_(' pop rcx') ; restore

Here we would have an odd number of 3 so Ill push the last one twice

_(' push rax') ; preserve rax
_(' push rcx') ; preserve rcx
_(' push rdx') ; preserve rdx
_(' push rdx') ; preserve rdx ; <===========Extra push
_(' fastcall rax') ; call some function
_(' pop rdx') ; restore ; <===========Extra pop
_(' pop rdx') ; restore
_(' pop rcx') ; restore
_(' pop rax') ; restore

With that figured out the _fasm_debug function now properly preserves all the volatile registers so you can see whats in them without wiping other registers. First post updated

Edited by Beege
Posted
5 hours ago, UEZ said:

Thanks for the update @Beege. Meanwhile I've solved my x64 addressing issue and the code seams to run properly for 15/16-bit images.

 

You got it. Good job on your x64 code! I wish it was as easy as swapping R's with E's... but that is certainly not the case! :mad2:

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...