I'm totally new to assembly and I've been coding for about 2 weeks in Linux and able to output certain information on the terminal under Linux. However, today when I began coding under Windows, I ran into a problem: I'm unable to modify a byte in a string that I pass as a parameter to a function. I debugged the program in OllyDbg and it tells me that there's an access violation when writing to [address] - use Shift F7/F8/F9 to pass exception to program. I can't pass the exception to the program since there's no exception handler in the program. Is it illegal to modify a character in a string passed to a procedure? I have posted the code below.

section .bss
    var resb 6

section .text
    global _start
    _start:
        xor eax, eax                        ; empty all registers
        xor ebx, ebx
        xor ecx, ecx
        xor edx, edx
        jmp short get_library
    get_lib_addr:                           ; get_lib_addr(char *name)
        mov ecx, [esp+8]                    ; get the first parameter
        xor edx, edx                        ; zero out register
        mov byte [ecx+6], dl                ; add null terminating character to string
        jmp short fin                       ; go to end
    get_library:
        xor ecx, ecx
        mov ebx, var                        ; start address of var
        jmp start_loop                      ; start looping
    start_loop:
        cmp ecx, 5
        jge end_loop
        mov byte [ebx+ecx], 'h'
        inc ecx
        jmp start_loop
    end_loop:
        push dword var                      ; at this point - var = "hhhhh"
        call get_lib_addr                   ; call get_lib_addr("hhhhh")
    fin:
        xor eax, eax
        mov ebx, 0x750b4b80                 ; ExitProcess
        push eax                            ; eax = 0
        call ebx                            ; ExitProcess(0)

And a screenshot of the debugging in OllyDbg.

https://imgur.com/a/48RAXOw

2nd case: Part of the code from Vivid Machines Shellcoding for Linux & Windows is copied below. When I try to use this syntax for passing parameters (assuming that's what is happening), I get an access violation trying to edit the string and adding a null-terminating character in place of the N. I'm positive that the string is passed and ecx gets the correct string. Any reason this doesn't work?

LibraryReturn:
    pop ecx             ;get the library string
    mov [ecx + 10], dl      ;insert NULL - ***Access violation here***

;the N at the end of each string signifies the location of the NULL
;character that needs to be inserted

GetLibrary:
    call LibraryReturn
    db 'user32.dllN'

Screenshot of the debug information in the second scenario showing that N is indeed the value being edited.

https://imgur.com/a/W5vdR7d

simptri
  • Notice that you did a `push dword var` and then a `call get_lib_addr`, yet the `mov ecx, [esp+8]` at the start of `get_lib_addr` did not set `ecx` equal to the address of `var`. So something went wrong starting with the `push` and ending with the `mov`. That's only three instructions total - focus on those three instructions. – Raymond Chen Feb 17 '19 at 00:18
  • Ah yes, of course... turns out the parameter is located at `[esp+4]` since I didn't do a `push ebp` to save the current base address... code exited successfully... thank you – simptri Feb 17 '19 at 01:31
  • Just a final question about calls in assembly; I've edited the question at the end... if anyone could provide some insight on what's happening, because... the access violation occurs in the second case... – simptri Feb 17 '19 at 01:46
  • Do not morph questions. It invalidates previous discussion. But the same methodology applies. There are only three instructions. Some assumption is invalid. Figure out which one. Did the correct instructions execute? Did you get the correct address in `ecx`? Is the memory writable? – Raymond Chen Feb 17 '19 at 15:35
  • https://stackoverflow.com/questions/40263014/delphi-access-violation-when-try-to-overwrite-an-instruction-with-dll-injectio – Raymond Chen Feb 17 '19 at 15:46
  • Sorry, I wasn't aware of the morphing case, I'll keep that in mind. I'm not sure if the memory is executable, but I'm not injecting any DLL into a process. How can I tell if the memory is writable? I believe it's supposed to be writable since it's in the same program and I'm passing the parameter to the function... in addition, the debugger shows that [ecx+10] has 'N' which needs to be overwritten. Could there be any reason why it's not writable? – simptri Feb 17 '19 at 16:31
  • And it feels like overkill going through `VirtualProtect` and `WriteProcessMemory` just to add a null-terminating character. – simptri Feb 17 '19 at 16:34
  • The part of the answer that is relevant is "Code defaults to read-only." If you want something that defaults to read-write, put it in the data segment. – Raymond Chen Feb 17 '19 at 19:33
  • So, basically, this is not the correct syntax for passing a parameter to a function? Especially when the parameter needs to be modified... since the parameter is being created in the `.text` section and is therefore read-only? – simptri Feb 18 '19 at 14:39
  • It's certainly not conventional. It'll be suboptimal because it defeats the processor's return address predictor. Trying to learn assembly language from shellcode is not a good idea. Shellcode intentionally does strange things. – Raymond Chen Feb 18 '19 at 20:21
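The comment thread above boils down to "is the byte you are about to write in writable memory?" The following is an added example, not code from the question or the comments: on Linux it answers that question by reading `/proc/self/maps` (the rough counterpart of `VirtualQuery` on Windows, which is assumed, not shown), and it refuses an in-place NUL-termination when the target lives in a read-only mapping instead of faulting like the `mov [ecx + 10], dl` above. The `var` buffer and the `"user32.dllN"` literal are constructed stand-ins for the question's `.bss` variable and its string embedded in `.text`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1 = page is writable, 0 = mapped but read-only, -1 = unmapped or no /proc.
 * Assumes a Linux /proc; each maps line starts "lo-hi perms ...". */
int is_writable(const void *p)
{
    uintptr_t addr = (uintptr_t)p;
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[512];
    if (!maps)
        return -1;
    while (fgets(line, sizeof line, maps)) {
        unsigned long lo, hi;
        char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3)
            continue;
        if (addr >= lo && addr < hi) {
            fclose(maps);
            return perms[1] == 'w';     /* perms looks like "rw-p" or "r-xp" */
        }
    }
    fclose(maps);
    return -1;
}

/* Store the terminator only if that byte is writable.
 * Returns 1 on success, 0 when the write was refused (would have faulted). */
int terminate_at(char *s, size_t idx)
{
    if (is_writable(s + idx) != 1)
        return 0;
    s[idx] = '\0';
    return 1;
}

static char var[6];                                  /* .bss: read-write, like the question's var */
static const char *const code_str = "user32.dllN";   /* constructed literal: read-only, like bytes in .text */

int main(void)
{
    memset(var, 'h', 5);                             /* var = "hhhhh" as in the question */
    printf("var     writable=%d terminate=%d\n", is_writable(var), terminate_at(var, 5));
    printf("literal writable=%d terminate=%d\n", is_writable(code_str), terminate_at((char *)code_str, 10));
    printf("code    writable=%d\n", is_writable((const void *)(uintptr_t)is_writable));
    return 0;
}
```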

0 Answers