Variables and constants
Using Olly to disassemble and debug your code
New API Functions:
MessageBox
Traditionally programming tutorials start with an app which displays the message "Hello World" in a console. The Windows GUI equivalent of this is the MessageBox function.
Start WinAsm, open a new exe project and paste in the messagebox.asm code:
[screenshot pic1.PNG]
Click on "Go All", save the project and asm files, and hopefully you should see this:
[screenshot pic2.PNG]
Now we will analyse the new parts.
Header & Library Files
windows.inc is a master include file that defines all the Windows data types, function calls, data structures, and constant identifiers so you can refer to them by name in your code. Of note here is that windows.inc defines NULL and MB_OK so that these can be used by name to make the code more readable.
user32.inc and user32.lib are required for invoking MessageBox.
Variables
We have defined 2 zero-terminated text strings called MsgBoxCaption and MsgBoxText. These will be displayed by the message box.
Variables and constants are all declared the same way, starting with the identifier (name), then the size and then the value. As strings vary in length they are defined as a sequence of bytes (db) terminated by a zero byte. Here are some examples:
[screenshot pic3.PNG]
Program Code
The new invoke instruction calls the MessageBox function, which takes 4 parameters as we can see from Win32.hlp:
[screenshot pic4.PNG]
Our code passes these parameters as follows:
NULL - there is no parent window.
addr MsgBoxText - address of our text string.
addr MsgBoxCaption - address of our caption.
MB_OK - one of a set of pre-defined styles.
The addr operator is used to pass the address of a label or identifier to a function. See below for notes about syntax.
================================================
ADDR and OFFSET
The OFFSET operator returns the address of a variable. It is used to specify the location rather than the content of the variable:
.data
MyVar db 77h ; byte-sized variable called MyVar initialised to 77h
.code
movzx eax, MyVar ; copies the byte 77h into eax (zero-extended, as MyVar is only a byte)
mov ebx, offset MyVar ; copies the memory address where 77h is stored into ebx
Offset can also pass the address of a variable to a function in an invoke instruction. However, it will only work for global variables declared in the .data or .data? sections. It will fail with local variables, which you declare on entry to your proc using the LOCAL statement. These have no offset as they are created on the stack at runtime.
The ADDR operator solves this problem. It is used exclusively with invoke to pass the address of a variable to a function. For global variables it translates to a simple push of the address, the same as if OFFSET had been used:
push offset GlobalVar
However for local variables ADDR translates to:
lea eax, LocalVar ; load effective address of LocalVar into eax
push eax
(It is important to remember that when using addr with local variables, the eax register is used, so it is not left free for other usage within the procedure.)
lea eax, Var generally equates to mov eax, offset Var but is 1 cpu cycle slower, so mov ... offset is preferred in cases other than local variables.
==================================================
FURTHER NOTES
The message itself can be spread across multiple lines by using the Carriage Return (13, i.e. 0Dh) and Line Feed (10, i.e. 0Ah) codes to insert a new line. The following code:
[screenshot pic5.PNG]
will produce this:
[screenshot pic6.PNG]
The last parameter passed to MessageBox controls the style in terms of (amongst other things) the buttons it has:
[screenshot pic7.PNG]
and whether it displays an icon:
[screenshot pic8.PNG]
and which button is selected by default:
[screenshot pic9.PNG]
The constants which control these are defined in the windows.inc file, which can also be opened in WinAsm as shown:
[screenshot pic10.PNG]
A selection of these are also defined in C:\Program Files\WinAsm Studio\API\MasmApiConst.vaa, which makes them available from WinAsm's popup autocomplete menu. Use the arrow keys and Enter to select from the popup list. Several constants can be combined into a parameter for a function by separating them with "or" or "+". For example, changing the code to:
invoke MessageBox, 0, addr MsgBoxText, addr MsgBoxCaption, MB_YESNO + MB_ICONASTERISK + MB_DEFBUTTON2
[screenshot pic11.PNG]
will produce this:
[screenshot pic12.PNG]
We can see from windows.inc that some of the identifiers are duplicates, and also which characteristics make up the default message box used by the system (the ones whose constants equal zero). Parameters and constants for other API functions are implemented in the same way.
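A complete program tying the above together, written here as an added example rather than the tutorial's own messagebox.asm (the masm32-style include paths and the use of lstrcpyn for a bounded copy into a LOCAL buffer are assumptions): it shows addr on a global and on a LOCAL, the CR/LF pair for a multi-line message, combined style constants, and testing the MessageBox return value instead of ignoring it.

```asm
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc      ; NULL, MB_*, ID* constants (assumed masm32 path)
include \masm32\include\user32.inc       ; MessageBox prototype
include \masm32\include\kernel32.inc     ; ExitProcess and lstrcpyn prototypes
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

BUFLEN equ 32                            ; size of the LOCAL buffer used below

.data
MsgBoxCaption db "addr/offset demo", 0
; 13 and 10 are decimal CR and LF (0Dh, 0Ah): each pair starts a new line
MsgBoxText    db "Line one", 13, 10, "Line two", 13, 10, "Show the local copy?", 0
GlobalStr     db "copied into a LOCAL buffer", 0

.code
; addr on a LOCAL: the assembler emits  lea eax,[ebp-xx] / push eax  and so clobbers eax
ShowLocal proc
    LOCAL buf[BUFLEN]:BYTE
    ; bounded copy: lstrcpyn writes at most BUFLEN-1 characters plus the zero terminator,
    ; so the stack buffer cannot be overrun even if the source string grows
    invoke lstrcpyn, addr buf, addr GlobalStr, BUFLEN
    invoke MessageBox, NULL, addr buf, addr MsgBoxCaption, MB_OK or MB_ICONINFORMATION
    ret
ShowLocal endp

start:
    ; addr on a global: the assembler emits  push offset MsgBoxText  (same as OFFSET would)
    ; in OllyDbg this invoke shows up as four PUSHes followed by CALL <JMP.&user32.MessageBoxA>
    invoke MessageBox, NULL, addr MsgBoxText, addr MsgBoxCaption, MB_YESNO or MB_ICONASTERISK or MB_DEFBUTTON2
    ; the button pressed comes back in eax: IDYES (6) or IDNO (7)
    .if eax == IDYES
        invoke ShowLocal
    .endif
    invoke ExitProcess, 0
end start
```

Build it as a Debug Version in WinAsm and step through ShowLocal in OllyDbg to watch eax being overwritten by the lea before the push.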
If we open up our messagebox program (the original version) in OllyDbg we see a disassembly of the code that has been placed in our executable:
[screenshot pic13.PNG]
This is a good habit to get into to help learn debugging skills and see the actual code which MASM produces. The invoke instructions, which are used by the assembler and exist purely for the convenience of the programmer, have been replaced by the traditional PUSH/CALL sequence. The lines in yellow represent a jump thunk table containing pointers to the Import Address Table for the 2 API calls we made; these are added by the linker.
Olly can also load our source code and display it synchronised with the disassembly. For this, MASM needs to be told to produce a debug version of our app. This can be achieved with WinAsm: from the "Make" menu select "Set Active Build" and choose "Debug Version". Now hit "Go All" again and you will see some additional files in the project folder with .ilk and .pdb extensions.
This time if we load our executable into Olly, we will get slightly more information in the disassembly window (such as the names of our variables), but also, if we click on the "Comment" column header bar (see the mouse cursor in the screenshot below), it will display the source code corresponding to the instructions in the Disassembly column.
In addition, if we select "Source files" from the "View" menu in Olly and double-click our asm file, the entire source code will appear in a new window. This can be made to stay on top via the right-click menu and will show the currently executing instruction highlighted by a black bar:
[screenshot pic14.PNG]
This can make debugging your own apps quicker and easier, but remember that reverse engineering is all about modifying executables without the source code, and in general you will be very lucky if you start debugging an app and find that it is a debug version rather than the release version.
Note :
OllyDbg can be downloaded from OllyDbg v1.10 [ Antivir alerts are False Positive ]
Winasm Download from WinAsm Studio 5.1.5.0 Full package