Need help in a piece of assembly code
Discussion on Need help in a piece of assembly code within the Conquer Online 2 forum part of the MMORPGs category.
04/13/2007, 08:40 #1
elite*gold: 0
Join Date: May 2006
Posts: 319
Received Thanks: 49
Well, I am just a novice in assembler language. What I am trying to do is to get some strings from registers, in this case eax. It will be clear what I mean in the following code:
Code:
...
push eax <---- here, eax contains a pointer to the string that I want
lea ecx,[ebx+04]
...
and this is what I am trying to do (injecting some code):
Code:
...
push eax
mov [0x004f1460], eax <---- Here, 004f1460 is the location of my CodeCave for storing the pointer
mov eax, [eax]
mov [0x004f1470], eax <-- and in this 4f1470 cave is the place that I want to put the string
mov eax, [0x004f1460] <-- getting the pointer back into eax, as if I hadn't touched it
lea ecx,[ebx+04]
...
Well, the problem arises when I check the string: it just has the first 4 chars of the string... I think that's because eax is a 32-bit (so 4 bytes) register, right? How could I make that work? How can I retrieve a chain of chars to the place I want?
Any help or tip is very welcome.
edit: changed title for better description
edit2: Solution is at post #8
04/13/2007, 09:11 #2
elite*gold: 0
Join Date: Jan 2006
Posts: 406
Received Thanks: 284
EAX = 32 bit register
AL = 8 bit register
04/13/2007, 09:18 #3
elite*gold: 0
Join Date: May 2006
Posts: 319
Received Thanks: 49
So anantasia, do you suggest that I use the AL register and make a loop and retrieve the string char by char? How could I know the size of the string..? Because it's not a fixed size..
04/13/2007, 09:36 #4
elite*gold: 0
Join Date: Jan 2006
Posts: 406
Received Thanks: 284
Here is my guide
Quote:
...
push eax
mov [0x004f1460], eax <---- Here, 004f1460 is the location of my CodeCave for storing the pointer
change to push eax <---- if you use that string pointer only one time, just use push / pop to return eax
mov eax, [eax]
change to mov al, [eax]
mov [0x004f1470], eax <-- and in this 4f1470 cave is the place that I want to put the string
change to mov [0x004f1470],al
mov eax, [0x004f1460] <-- getting the pointer back into eax, as if I hadn't touched it
change to pop eax
lea ecx,[ebx+04]
...
|
From the above guide, if you want to copy a string you need to know the stop char of the string. Most use 00 (byte).
I think you must use more registers to do that, and you may reuse a call procedure that may be defined in the program to copy a string to a location.
Here is a sample from SV :P using IDA 4.5
Quote:
; wchar_t *__cdecl wcscpy(wchar_t *,const wchar_t *)
.text:0040F397 _wcscpy proc near ; CODE XREF: CDataSourceControl::CopyColumnID(tagDBCOLUMNID *,tagDBCOLUMNID const *)+5Cp
.text:0040F397
.text:0040F397 arg_0 = dword ptr 4 ; address of destination to copy string
.text:0040F397 arg_4 = dword ptr 8 ; address of original string
.text:0040F397
.text:0040F397 mov ecx, [esp+arg_4]
.text:0040F39B mov eax, [esp+arg_0]
.text:0040F39F push esi
.text:0040F3A0 mov dx, [ecx]
.text:0040F3A3 lea esi, [eax+2]
.text:0040F3A6 mov [eax], dx
.text:0040F3A9
.text:0040F3A9 loc_40F3A9: ; CODE XREF: _wcscpy+21j
.text:0040F3A9 inc ecx
.text:0040F3AA inc ecx
.text:0040F3AB test dx, dx
.text:0040F3AE jz short loc_40F3BA
.text:0040F3B0 mov dx, [ecx]
.text:0040F3B3 mov [esi], dx
.text:0040F3B6 inc esi
.text:0040F3B7 inc esi
.text:0040F3B8 jmp short loc_40F3A9
.text:0040F3BA ; ---------------------------------------------------------------------------
.text:0040F3BA
.text:0040F3BA loc_40F3BA:
.text:0040F3BA pop esi
.text:0040F3BB retn
.text:0040F3BB _wcscpy endp
|
04/13/2007, 18:53 #5
elite*gold: 0
Join Date: Nov 2006
Posts: 92
Received Thanks: 3
I can't believe it, that's coding?! Looks really hard to understand :P
04/13/2007, 19:08 #6
elite*gold: 0
Join Date: May 2006
Posts: 319
Received Thanks: 49
Ty anantasia, your post helped me a lot, the extra "push eax" simplifies the algorithm a lot
I tried adapting the SV code you posted but I was unsuccessful. It seems it copies 2 chars at a time, because of the "dx"... how does the "test dx,dx" work? I couldn't understand how it determines the null end char of the string...
Well, I tried to do my own loop, but after running it, it makes Conquer crash (I debugged it step by step and it executes the code but it goes to someplace dark after all - maybe because I changed some registers, but I thought I had removed them)
This is what I tried (I will comment each line so anyone who wants to help sees what I am trying to do):
Quote:
...
4F1430 push eax (original code)
4F1431 push eax <--- an extra eax, because I am going to use it and modify it
4F1432 push ecx <--- I want this as a variable that contains the start location of the string
4F1433 mov ecx, 00471470 string will be copied at address 471470
this is the loop for copying the chars
4F1438 mov al, [eax] copy the 1st char to AL
4F143A mov [ecx], al copy the 1st char to the destination
4F143C cmp al,00 check if the char is the end char (00)
4F143E je 004f1444 and if it is, jump out of the loop
4F1440 inc eax adds 1 to the source address
4F1441 inc ecx adds 1 to the destination address
4F1442 jmp 004f1438 and do it all again...
4F1444 pop ecx deleting this temporary "variable"
4F1445 pop eax same as above
4F1446 lea ecx,[ebx+04] (original code)
...
|
Is there something badly wrong in this piece of code? Should I use another register in place of ecx, like esi? I just don't know about these registers... I just have an idea of eax and esp because of coder62's tutorial...
edit: now I understood why you use the quote tag instead of code: colors don't work in the code tag
Append on Apr 13 2007, 19:29: Oh, it suddenly came to my mind that the problem may be at the cmp command. It should be assigning the result to something that was not to be touched... where does the cmp command store the result of the comparison? In a register? Which one?
04/13/2007, 20:34 #7
elite*gold: 0
Join Date: Jan 2006
Posts: 406
Received Thanks: 284
Quote:
Originally posted by giacometti@Apr 14 2007, 01:08
Ty anantasia, your post helped me a lot, the extra "push eax" simplifies the algorithm a lot
I tried adapting the SV code you posted but I was unsuccessful. It seems it copies 2 chars at a time, because of the "dx"... how does the "test dx,dx" work? I couldn't understand how it determines the null end char of the string...
Well, I tried to do my own loop, but after running it, it makes Conquer crash (I debugged it step by step and it executes the code but it goes to someplace dark after all - maybe because I changed some registers, but I thought I had removed them)
This is what I tried (I will comment each line so anyone who wants to help sees what I am trying to do):
Quote:
...
4F1430 push eax (original code)
4F1431 push eax <--- an extra eax, because I am going to use it and modify it
4F1432 push ecx <--- I want this as a variable that contains the start location of the string
4F1433 mov ecx, 00471470 string will be copied at address 471470
this is the loop for copying the chars
4F1438 mov al, [eax] copy the 1st char to AL
4F143A mov [ecx], al copy the 1st char to the destination
4F143C cmp al,00 check if the char is the end char (00)
4F143E je 004f1444 and if it is, jump out of the loop
4F1440 inc eax adds 1 to the source address
4F1441 inc ecx adds 1 to the destination address
4F1442 jmp 004f1438 and do it all again...
4F1444 pop ecx deleting this temporary "variable"
4F1445 pop eax same as above
4F1446 lea ecx,[ebx+04] (original code)
...
|
Is there something badly wrong in this piece of code? Should I use another register in place of ecx, like esi? I just don't know about these registers... I just have an idea of eax and esp because of coder62's tutorial...
edit: now I understood why you use the quote tag instead of code: colors don't work in the code tag
Append on Apr 13 2007, 19:29: Oh, it suddenly came to my mind that the problem may be at the cmp command. It should be assigning the result to something that was not to be touched... where does the cmp command store the result of the comparison? In a register? Which one?
|
The above program is designed to copy double-byte characters (Unicode).
"TEST DX,DX" means checking whether dx is 0; if yes, the flag register will be set and the next command "JZ xxxxxxxx" checks the flag register and goes to address xxxxxxxx.
I don't know at what point of the program you inject. Maybe you should save the flag register also. Use the command "PUSHFD" to push the flag register onto the stack and "POPFD" to pop the stack into the flag register.
For more info about push/pop, the help in Cheat Engine is the best guide.
PUSHFD = Push flag register
POPFD = Pop flag register
PUSHAD = Push all general purpose registers
POPAD = Pop all general purpose registers
REPNE PUSH EAX = Push double word onto stack
PUSH XX = Push value XX (1 byte) onto stack
PUSH XXXXXXXX = Push value XXXXXXXX (4 bytes) onto stack
CMP is the same thing as TEST. It's used to compare, then set the flag register.
04/13/2007, 21:42 #8
elite*gold: 0
Join Date: May 2006
Posts: 319
Received Thanks: 49
Woow!!! Damn, it was a mistype! In my code, 4th line, it should be
Quote:
4F1433 mov ecx, 004F1470 instead of
4F1433 mov ecx, 00471470
|
Damn!!! That's why it was crashing! I wonder how many times this kind of thing happens in the life of a real programmer as a job..
But somehow it's not getting the right string now :S I will have another look at the code again. Ty for all your efforts on helping me anantasia! And sorry if I made you lose some time here
Append on Apr 13 2007, 22:13: I notice it just gets the 1st char right. The string is usually more than 30 chars.... and it just gets about 4-5 chars (and just the 1st is right). Well, the problem certainly is in the loop chain.
Append on Apr 14 2007, 07:56: Finally it works! I dunno why but the problem was with the AL register. When I changed to the 16-bit register DX it worked wonderfully! Here is the final code if it matters for someone:
Quote:
...
???????? push eax (original code)
???????? push eax eax contains the pointer to the address of the string we want to copy
???????? push ecx we are going to use ecx to define the destination address of the string
???????? push dx dx will be a variable that carries the char in the loop
???????? mov ecx, 004f1470
start of the loop
004f143A mov dx, [eax]
???????? mov [ecx], dx
???????? cmp dx,00
???????? je 004f144A
???????? inc eax
???????? inc ecx
???????? jmp 004f143A
end of the loop
004f144A pop ecx pop will remove from the stack the trash that we used above,
???????? pop eax so in this way the stack will be just as if we hadn't touched it
???????? pop dx and the original code doesn't get affected.
???????? lea ecx,[ebx+04] (original code)
...
|
Big thank you to you anantasia! I don't think I would have done it without your help! Thank you!
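An added example, not code from this thread: a C model of the three copy loops discussed above (the byte loop of post #6, the 16-bit loop of the _wcscpy listing in post #4, and the 16-bit loop with a 1-byte stride in post #8), run over a constructed string stored as 2-byte characters, which is what post #7 says the _wcscpy routine handles. It shows how load width, stride and the zero test decide where each loop stops; the function names and the sample string are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: "Hello" stored as 2-byte characters in little-endian
 * order (as x86 lays them out) plus a 2-byte terminator, i.e. the kind of
 * string the _wcscpy listing in post #4 copies. */
static const uint8_t sample[] = { 'H',0, 'e',0, 'l',0, 'l',0, 'o',0, 0,0 };

/* Byte loop of post #6: mov al,[eax] / mov [ecx],al / cmp al,00 / je, each
 * pointer advancing by one "inc". Returns bytes copied before the first 0x00. */
size_t byte_loop(uint8_t *dst, const uint8_t *src) {
    size_t n = 0;
    for (;;) {
        uint8_t al = *src;                  /* mov al, [eax] */
        *dst = al;                          /* mov [ecx], al */
        if (al == 0) return n;              /* cmp al,00 ; je  (ZF set on equal) */
        src++; dst++; n++;                  /* inc eax ; inc ecx */
    }
}

/* 16-bit loop with a chosen stride. stride 2 models the _wcscpy listing
 * (mov dx,[ecx] / mov [esi],dx / test dx,dx / jz, two incs per pointer);
 * stride 1 models the final code of post #8 (mov dx,[eax] / cmp dx,00 / je,
 * one inc per pointer). Returns the number of non-zero 16-bit loads. */
size_t word_loop(uint8_t *dst, const uint8_t *src, size_t stride) {
    size_t n = 0;
    for (;;) {
        uint16_t dx;
        memcpy(&dx, src, 2);                /* mov dx, [src]: 16-bit load */
        memcpy(dst, &dx, 2);                /* mov [dst], dx: 16-bit store */
        if (dx == 0) return n;              /* test dx,dx ; jz: ZF only when both bytes are 0 */
        src += stride; dst += stride; n++;  /* advance each pointer by the stride */
    }
}

/* The same input through each loop. The byte loop stops at the 0x00 high byte
 * of 'H' after one character (the "just the 1st char is right" symptom); the
 * stride-2 loop makes 5 loads; the stride-1 loop makes 9 loads, yet its
 * overlapping 2-byte stores still leave the 5 characters and the first
 * terminator byte (11 bytes) intact at the destination. */
size_t byte_loop_count(void)   { uint8_t out[16]; return byte_loop(out, sample); }
size_t wcscpy_loop_count(void) { uint8_t out[16]; return word_loop(out, sample, 2); }
size_t post8_loop_count(void)  { uint8_t out[16]; return word_loop(out, sample, 1); }
int post8_copy_is_complete(void) {
    uint8_t out[16];
    word_loop(out, sample, 1);
    return memcmp(out, sample, 11) == 0;
}
```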