ASM: ASM (assembly language) to machine code via FASM (flat assembler)

Posted: 26 May 2018, 16:56
by jeeswg
tl;dr 1 when the ASM is converted to an exe, how do I tell where the relevant machine code starts and ends
tl;dr 2 how to convert the example ASM below from x32 to x64
tl;dr 3 people are welcome to comment generally about AutoHotkey, machine code, and FASM

- I have seen one example on the forums so far of ASM to machine code.
InBuf function currently 32-bit only (machine code binary buffer searching) - AutoHotkey Community
- Do share any others.
- ASM code is converted to machine code, and the machine code is used with DllCall to perform an action. For this particular example, it searches binary data for a binary needle, in a similar way to the InStr function.
- This example works on AHK x32 only:



q:: ;test InBuf function
VarSetCapacity(vData, 100, 0)
VarSetCapacity(vDataN, 4, 0)
NumPut(0x12345678, &vData, 90, "UInt")
NumPut(0x12345678, &vDataN, 0, "UInt")
MsgBox, % InBuf(&vData, &vDataN, 100, 4) ;90

InBuf(haystackAddr, needleAddr, haystackSize, needleSize, StartOffset=0)
{   Static fun
      ( LTrim join
      Loop % StrLen(h)//2
         NumPut("0x" . SubStr(h,2*A_Index-1,2), fun, A_Index-1, "Char")
   Return DllCall(&fun
      , "uint",haystackAddr, "uint",needleAddr
      , "uint",haystackSize, "uint",needleSize
      , "uint",StartOffset)
- How to generate the machine code used in the function:
- First we copy the ASM code to a file, let's call it InBuf.asm.



format PE GUI 4.0
entry start

include ''

section '.data' data readable writeable

  hayStack db '1111111122222111111'
  Needle db '22222'

section '.code' code readable executable


	push	0 5 19 Needle hayStack
	call	InBuf
	push	-1 5 19 Needle hayStack
	call	InBufRev
	invoke	ExitProcess,0

proc InBuf stdcall uses ebx ecx edx esi edi, hayStack,Needle,hayStackSize,NeedleSize,StartOffset
	local	lNeedleRemDwords:DWORD	;(NeedleSize-4)>>2
	local	lNeedleRemTail:DWORD	;Needle remainder byte count (NeedleSize-4) mod 4 -> (0..3)
	local	lNeedleRemPtr4:DWORD	;&Needle[4]


	mov	ebx,[NeedleSize]
	cmp	ebx,0
	jle	.NotFound
	mov	ecx,[hayStackSize]
	mov	eax,[StartOffset]
	sub	ecx,eax
	sub	ecx,ebx
	inc	ecx	;repetitions=hayStackSize-StartOffset-NeedleSize+1
	jle	.NotFound

	mov	edi,[hayStack]
	add	edi,eax ;edi=&(hayStack[StartOffset])

	;load Needle FirstByte
	mov	esi,[Needle]
	xor	eax,eax
	lodsb	; AL=Needle[0], keep EAX now!

	;decide on needle length
	dec	ebx
	jz	.NeedleLenIs1
	dec	ebx
	jz	.NeedleLenIs2
	dec	ebx
	jz	.NeedleLenIs3
	dec	ebx
	jz	.NeedleLenIs4
	dec	ebx
	jnz	.NeedleLenIsLong

	xchg	eax,ebx
	lodsd		;AL=Needle[0]
	xchg	eax,ebx ;EBX=bytes 1..5 of Needle

	repne	scasb
	jne	.NotFound
	cmp	[edi],ebx
	jne	.ScanNeedleLenIs5
	jmp	.Found

	dec	esi
	lodsd	;EAX=first 4 bytes of Needle
	repne	scasb
	jne	.NotFound
	cmp	[edi-1],eax
	jne	.ScanNeedleLenIs4
	jmp	.Found

	repne	scasb
	jne	.NotFound
	jmp	.Found

	mov	ah,[esi]
	repne	scasb
	jne	.NotFound
	cmp	[edi],ah
	jne	.ScanNeedleLenIs2
	jmp	.Found

	xchg	ebx,eax
	xchg	ebx,eax
	repne	scasb
	jne	.NotFound
	cmp	[edi],bx
	jne	.ScanNeedleLenIs3
	jmp	.Found

	; get (needleSize-1)//4, (needleSize-1) mod 4
	dec	esi	;ESI=&(Needle[0])
	inc	ebx	;EBX=NeedleSize-4
	lodsd	;EAX=first 4 bytes of Needle
	mov	[lNeedleRemPtr4],esi
	mov	edx,ebx
	shr	ebx,2
	mov	[lNeedleRemDwords],ebx
	and	edx,3
	mov	[lNeedleRemTail],edx

	xchg	ebx,edi ;EBX=save EDI buf ptr for scasb
	xchg	edx,ecx ;EDX=save ECX counter for scasb

	xchg	edi,ebx ;load saved buf ptr
	xchg	ecx,edx ;load saved counter
	repne	scasb
	jne	.NotFound

	;check all 4 bytes
	cmp	[edi-1],eax
	jne	.ScanNeedleLenIsLongJustScan

	;check up to Needle's tail
	mov	ebx,edi
	mov	edx,ecx
	add	edi,3
	mov	esi,[lNeedleRemPtr4]
	mov	ecx,[lNeedleRemDwords]
	test	ecx,ecx
	jz	.ScanNeedleLenIsLongTail
	repe	cmpsd
	jne	.ScanNeedleLenIsLong
	mov	ecx,[lNeedleRemTail]
	test	ecx,ecx
	jz	.ScanNeedleLenIsLongFound
	repe	cmpsb
	jne	.ScanNeedleLenIsLong
	mov	edi,ebx ;FOUND!

	dec	edi
	mov	eax,edi
	sub	eax,[hayStack]
	xor	eax,eax
	not	eax
	jmp	.popOut


proc InBufRev stdcall uses ebx ecx edx esi edi, hayStack,Needle,hayStackSize,NeedleSize,StartOffsetOfLastByte
	local	lNeedleRemDwords:DWORD	;(NeedleSize-4)>>2
	local	lNeedleRemTail:DWORD	;Needle remainder byte count (NeedleSize-4) mod 4 -> (0..3)
	local	lNeedleRemPtr4:DWORD	;&Needle[4]


	mov	ebx,[NeedleSize]
	cmp	ebx,0
	jle	.NotFound
	mov	eax,[hayStackSize]
	dec	eax
	mov	ecx,[StartOffsetOfLastByte]
	cmp	ecx,-1
	cmovE	ecx,eax
	cmp	eax,ecx
	cmovL	ecx,eax
	sub	ecx,ebx
	mov	edi,ecx
	inc	ecx	;repetitions=min(hayStackSize-1,StartOffsetOfLastByte)-NeedleSize+2
	jle	.NotFound

	add	edi,[hayStack]	;edi=&(hayStack[min(hayStackSize-1,StartOffsetOfLastByte)-NeedleSize+1])

	;load Needle FirstByte
	mov	esi,[Needle]
	and	eax,0
	lodsb	; AL=Needle[0], keep EAX now!

	;decide on needle length
	dec	ebx
	jz	.NeedleLenIs1
	dec	ebx
	jz	.NeedleLenIs2
	dec	ebx
	jz	.NeedleLenIs3
	dec	ebx
	jz	.NeedleLenIs4
	dec	ebx
	jnz	.NeedleLenIsLong

	xchg	eax,ebx
	lodsd		;AL=Needle[0]
	xchg	eax,ebx ;EBX=bytes 1..4 of Needle (0-based)

	repne	scasb
	jne	.NotFound
	cmp	[edi+2],ebx
	jne	.ScanNeedleLenIs5
	jmp	.Found

	repne	scasb
	jne	.NotFound
	jmp	.Found

	mov	ah,[esi]	;AH=Needle[1]
	repne	scasb
	jne	.NotFound
	cmp	[edi+2],ah
	jne	.ScanNeedleLenIs2
	jmp	.Found

	xchg	ebx,eax
	xchg	ebx,eax
	repne	scasb
	jne	.NotFound
	cmp	[edi+2],bx
	jne	.ScanNeedleLenIs3
	jmp	.Found

	dec	esi
	lodsd	;EAX=first 4 bytes of Needle
	repne	scasb
	jne	.NotFound
	cmp	[edi+1],eax
	jne	.ScanNeedleLenIs4
	jmp	.Found

	; get (needleSize-1)//4, (needleSize-1) mod 4
	dec	esi	;ESI=&(Needle[0])
	inc	ebx	;EBX=NeedleSize-4
	lodsd	;EAX=first 4 bytes of Needle
	mov	[lNeedleRemPtr4],esi
	mov	edx,ebx
	shr	ebx,2
	mov	[lNeedleRemDwords],ebx
	and	edx,3
	mov	[lNeedleRemTail],edx

	xchg	ebx,edi ;EBX=save EDI buf ptr for scasb
	xchg	edx,ecx ;EDX=save ECX counter for scasb

	xchg	edi,ebx ;load saved buf ptr
	xchg	ecx,edx ;load saved counter
	repne	scasb
	jne	.NotFound

	;check all 4 bytes
	cmp	[edi+1],eax
	jne	.ScanNeedleLenIsLongJustScan

	;check up to Needle's tail
	mov	ebx,edi
	mov	edx,ecx
	add	edi,5
	mov	esi,[lNeedleRemPtr4]
	mov	ecx,[lNeedleRemDwords]
	test	ecx,ecx
	jz	.ScanNeedleLenIsLongTail
	repe	cmpsd
	jne	.ScanNeedleLenIsLong
	mov	ecx,[lNeedleRemTail]
	test	ecx,ecx
	jz	.ScanNeedleLenIsLongFound
	repe	cmpsb
	jne	.ScanNeedleLenIsLong
	mov	edi,ebx ;FOUND!

	inc	edi
	mov	eax,edi
	sub	eax,[hayStack]
	xor	eax,eax
	not	eax
	jmp	.popOut

data import

library kernel32,'KERNEL32.DLL'
import kernel32,ExitProcess,'ExitProcess'

end data
- We then use FASM to create an exe file based on the asm file.
flat assembler
- (When I first tried to compile the asm to exe, it said that is was missing include files, I moved FASM.EXE to the INCLUDE folder and it worked.)
- I compiled simply by doing: Run, "%vPathFASM%" "%vPathAsm%"
- I read the contents of the exe file as a hex string. The required hex string used in the function was in the exe file, however I would not have known which bytes to copy and paste into the function.
- The resulting exe was 2048 bytes in size: 1074+224+750, the required code of 224 bytes began at 1074 bytes.



[start of file]

[hex for InBuf]

[hex for InBufRev]

[end of file]
- Two things I don't know:
- How to identify where the machine code starts/ends.
- How to convert the asm above to 64-bit.

- There are various links here. There is also a note re. converting exe to asm via OllyDbg.
InBuf function currently 32-bit only (machine code binary buffer searching) - AutoHotkey Community ... 17#p219717

Re: ASM: ASM (assembly language) to machine code via FASM (flat assembler)

Posted: 26 May 2018, 22:46
by nnnik
Assembly code is different for 32 and 64 bit PCs.
I tried with Assembler before - in one of my encryptions - but it didn't work out.
Also its very difficult to load the function from an .exe if you use an Assembly compiler try to get some debugging format to do the work for you.

Re: ASM: ASM (assembly language) to machine code via FASM (flat assembler)

Posted: 28 May 2018, 06:35
by YMP2
jeeswg wrote:1 when the ASM is converted to an exe, how do I tell where the relevant machine code starts and ends
You don't have to know that. Let the exe do all the work for you. That is, you compile it, then run it and it converts the machine code of your function into hex and puts in on the clipboard or saves it to a file. That's how I've done it in GoAsm. Unfortunately I am not familiar with FASM and can't write the conversion and output code in it.

The start of the machine code will be your function's label, and you can put another label right after its end. So the exe will read all that's between them.