assembler
SKEPTIC, 2019-03-31 18:11:26

What is the code for FASM?

This is the FASM code

format PE64 GUI
sub rsp,8*5              ; 32 bytes of shadow space + 8 so rsp is 16-byte aligned at the call
mov r9,0                 ; 4th argument: uType = MB_OK
lea r8,[_caption]        ; 3rd argument: lpCaption
lea rdx,[_message]       ; 2nd argument: lpText
mov rcx,0                ; 1st argument: hWnd = NULL
call [MessageBoxA]       ; indirect call through the import address table (IAT) slot
add rsp,40
sub rsp,16
mov ecx,eax              ; 1st argument: uExitCode = what MessageBoxA returned
call [ExitProcess]
_caption db 'Win64 assembly program',0
_message db 'Hello World!',0
section '.idata' import data readable writeable
dd 0,0,0,RVA kernel_name,RVA kernel_table   ; IMAGE_IMPORT_DESCRIPTOR for KERNEL32.DLL
dd 0,0,0,RVA user_name,RVA user_table       ; IMAGE_IMPORT_DESCRIPTOR for USER32.DLL
dd 0,0,0,0,0                                ; all-zero descriptor: end of the list
kernel_table:
ExitProcess dq RVA _ExitProcess   ; IAT slot; the loader overwrites it with the real address
dq 0                              ; end of this table
user_table:
MessageBoxA dq RVA _MessageBoxA   ; IAT slot that 'call [MessageBoxA]' reads
dq 0
kernel_name db 'KERNEL32.DLL',0
user_name db 'USER32.DLL',0
_ExitProcess dw 0                 ; hint (0 = resolve by name)
db 'ExitProcess',0                ; name the loader looks up in KERNEL32.DLL
_MessageBoxA dw 0
db 'MessageBoxA',0

I need to understand what these commands and parameters are. Basically, I'm interested in these lines:
1)
sub rsp,8*5
add rsp,40
sub rsp,16

I know it's a stack backup and restore, but why is this necessary?
2) Why are the registers r9, r8, rdx, rcx used in the program? I tried with other registers and it did not work; the program simply did not start.
3)
section '.idata' import data readable writeable
dd 0,0,0,RVA kernel_name,RVA kernel_table
dd 0,0,0,RVA user_name,RVA user_table
kernel_table:
ExitProcess dq RVA _ExitProcess
dq 0

What is it? What does dd mean? What does RVA mean?
4)
ExitProcess dq RVA _ExitProcess
dq 0

_ExitProcess dw 0
db 'ExitProcess',0

What are these lines?
Don't send me to Google or Yandex, I have already been there and did not find anything specific.
I took this code from a site; it displays "Hello World", but the author of the article does not explain what each part is responsible for.


1 answer(s)
jcmvbkbc, 2019-03-31
@pro100chel

sub rsp,8*5
add rsp,40
sub rsp,16

I know it's a stack backup and restore, but why is this necessary?

I'm not great with Windows ABIs, but I suspect that space has to be reserved on the stack for all function parameters, even those passed in registers. Judging by this, that is how it is. You could have reserved the required maximum (4 * 8) once and not moved rsp back and forth.
Read here: register usage.
dd == data double word, RVA == relative virtual address.
Everything in this section is needed to link the functions the program calls by name with the definitions of the MessageBox and ExitProcess functions in the libraries. To understand the format of this section, you need to dive into this.
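Worked example for questions 3 and 4 (added here; it is not part of the question, the answer, or FASM itself): a Python script that lays out the same '.idata' bytes the FASM directives describe, with the same labels, and then walks them the way the Windows loader does: descriptor by descriptor until the all-zero one, through each thunk table, to the 'dw hint / db name,0' entries, and finally writing resolved addresses into the IAT slots that 'call [MessageBoxA]' reads. The section RVA 0x3000 and the two resolved addresses are assumed values constructed for the example.

```python
import struct

IMPORT_DESCRIPTOR = struct.Struct("<IIIII")  # IMAGE_IMPORT_DESCRIPTOR: the five 'dd' values, 20 bytes
THUNK64 = struct.Struct("<Q")                # one 'dq' slot of a 64-bit thunk/IAT table
ORDINAL_FLAG64 = 1 << 63                     # set in a slot when importing by ordinal instead of by name

IDATA_RVA = 0x3000                           # assumed: where fasm placed the section in this image
# The two DLLs and the one function each that the FASM listing imports, in listing order.
LISTING_IMPORTS = {"KERNEL32.DLL": ["ExitProcess"], "USER32.DLL": ["MessageBoxA"]}


def build_idata(section_rva, imports):
    """Emit the bytes the FASM directives describe, in the same order:
    descriptors (+ zero terminator), one thunk table per DLL, DLL names,
    then hint/name entries ('dw 0' followed by 'db name,0').
    Returns (section_bytes, labels); labels mirror the FASM labels as RVAs."""
    dlls = list(imports.items())
    labels = {}
    # Pass 1: assign an RVA to every label, i.e. what 'RVA kernel_table' etc. resolve to.
    off = IMPORT_DESCRIPTOR.size * (len(dlls) + 1)
    for dll, funcs in dlls:
        labels[dll + "_table"] = section_rva + off
        off += THUNK64.size * (len(funcs) + 1)      # one slot per function + 'dq 0'
    for dll, _ in dlls:
        labels[dll + "_name"] = section_rva + off
        off += len(dll) + 1                         # db 'NAME.DLL',0
    for _, funcs in dlls:
        for f in funcs:
            labels["_" + f] = section_rva + off
            off += 2 + len(f) + 1                   # dw hint ; db 'name',0
    # Pass 2: emit the bytes.
    out = bytearray()
    for dll, _ in dlls:                             # dd 0,0,0,RVA name,RVA table
        out += IMPORT_DESCRIPTOR.pack(0, 0, 0, labels[dll + "_name"], labels[dll + "_table"])
    out += IMPORT_DESCRIPTOR.pack(0, 0, 0, 0, 0)    # the terminator the loader stops at
    for _, funcs in dlls:
        for f in funcs:
            out += THUNK64.pack(labels["_" + f])    # dq RVA _func
        out += THUNK64.pack(0)                      # dq 0
    for dll, _ in dlls:
        out += dll.encode("ascii") + b"\0"
    for _, funcs in dlls:
        for f in funcs:
            out += struct.pack("<H", 0) + f.encode("ascii") + b"\0"
    assert len(out) == off
    return bytes(out), labels


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(section, section_rva):
    """Walk the descriptors as the loader does.
    Returns {dll: [(iat_slot_rva, hint_or_ordinal, name_or_None), ...]}."""
    def at(rva):                                     # RVA -> offset inside this one section
        if not section_rva <= rva < section_rva + len(section):
            raise ValueError(f"RVA {rva:#x} lies outside the .idata section")
        return rva - section_rva

    result, pos = {}, 0
    while True:
        orig_thunk, _stamp, _fwd, name_rva, iat_rva = IMPORT_DESCRIPTOR.unpack_from(section, pos)
        pos += IMPORT_DESCRIPTOR.size
        if name_rva == 0 or iat_rva == 0:            # all-zero descriptor ends the list
            break
        dll = _cstr(section, at(name_rva))
        lookup = orig_thunk or iat_rva               # listing has no OriginalFirstThunk: read names from the IAT
        entries, slot = [], 0
        while True:
            (thunk,) = THUNK64.unpack_from(section, at(lookup) + THUNK64.size * slot)
            if thunk == 0:
                break
            slot_rva = iat_rva + THUNK64.size * slot
            if thunk & ORDINAL_FLAG64:
                entries.append((slot_rva, thunk & 0xFFFF, None))
            else:                                    # thunk is the RVA of 'dw hint ; db name,0'
                hint = struct.unpack_from("<H", section, at(thunk))[0]
                entries.append((slot_rva, hint, _cstr(section, at(thunk) + 2)))
            slot += 1
        result[dll] = entries
    return result


def bind_iat(section, section_rva, resolve):
    """What the loader does next: overwrite each IAT slot with the real address.
    resolve(dll, name) stands in for GetProcAddress."""
    patched = bytearray(section)
    for dll, entries in parse_imports(section, section_rva).items():
        for slot_rva, _hint, name in entries:
            THUNK64.pack_into(patched, slot_rva - section_rva, resolve(dll, name))
    return bytes(patched)


def demo():
    section, labels = build_idata(IDATA_RVA, LISTING_IMPORTS)
    imports = parse_imports(section, IDATA_RVA)
    fake = {("KERNEL32.DLL", "ExitProcess"): 0x7FF8_1234_0000,      # constructed addresses
            ("USER32.DLL", "MessageBoxA"): 0x7FF8_5678_0000}
    bound = bind_iat(section, IDATA_RVA, lambda d, n: fake[(d, n)])
    (target,) = THUNK64.unpack_from(bound, labels["USER32.DLL_table"] - IDATA_RVA)
    return section, labels, imports, target           # target: what 'call [MessageBoxA]' now reads


if __name__ == "__main__":
    section, labels, imports, target = demo()
    for dll, entries in imports.items():
        for slot_rva, hint, name in entries:
            print(f"{dll:13s} {name:12s} hint={hint} IAT slot RVA={slot_rva:#x}")
    print(f"[MessageBoxA] after binding -> {target:#x}")
```

Two things the walk makes visible. The listing leaves the first dd (OriginalFirstThunk) at 0, so the loader reads the names out of the IAT itself and then overwrites those same slots with addresses; that is why the section has to be 'writeable', and why a linker normally keeps a separate, untouched name table. And because 'call [MessageBoxA]' is an indirect call through that slot, anything that later writes to the slot (the loader, or an IAT hook) silently redirects the call, which is what import-table analysis in a triage script is checking for.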
