mov eax,DWORD PTR _dwSize1[ebp] ; load size1
cmp eax,0 ; check for zero
je ExitFunction ; if zero, exit
mov ecx,DWORD PTR _dwSize2[ebp] ; load size2
cmp ecx,0 ; test for zero
je ExitFunction ; if zero, exit
That code, and the one below (only difference a MessageBox added) I am getting different results. ***?
__declspec(naked) long __stdcall MemCompare(const void * lpMem1,unsigned long dwSize1,const void * lpMem2,unsigned long dwSize2)
{
#define _lpMem1 8
#define _dwSize1 12
#define _lpMem2 16
#define _dwSize2 20
#define _dwCompareLen 24
#define _dwDiff 28
_asm
{
push ebp
mov ebp,esp
sub esp,8
mov eax,DWORD PTR _dwSize1[ebp] ; load size1
cmp eax,0 ; check for zero
je ExitFunction ; if zero, exit
mov ecx,DWORD PTR _dwSize2[ebp] ; load size2
cmp ecx,0 ; test for zero
je ExitFunction ; if zero, exit
OMG... I removed the comparison handling code, it wasn't working with it, and I forgot to put it back in! ARG.
TheCPUWizard
May 3rd, 2008, 12:55 AM
Have you checked the registers before and after the MessageBox code??
Also are you sure that _lpMem1[dbp] and _lpMem2[ebp] properly point to (reasonable length) NULL terminated strings???
Those are the two first things I would look at.....
je ExitFunction ; if zero, exit
; HERE....
push MB_OK
push DWORD PTR _lpMem1[ebp]
push DWORD PTR _lpMem2[ebp]
push 0
call DWORD PTR MessageBoxA
; AND HERE....
cmp eax,ecx ; compare the lengths
JamesSchumacher
May 3rd, 2008, 11:08 AM
The message box is not the code in question. They are null terminated. The issue is that I get a return value from my function that varies if the MessageBox is there. The only reason the message box is there was to make sure that the comparison of the lengths was working correctly.
I ended up forgetting to put the comparison handling code back in before I posted... I had removed it to try and track where the bug was.
What happened? Last night, I removed the comparison handling code to track a bug earlier in the code, I never put it back in. I was so frustrated last night I couldn't see I did not put the handler code back in after finding a problem. Also a problem with always putting the value of _dwDiff into eax was an issue as well. That should only be done in the case of comparison values 0 when exiting out of loop.
Here is the final code.
__declspec(naked) long __stdcall MemCompare(const void * lpMem1,unsigned long dwSize1,const void * lpMem2,unsigned long dwSize2)
{
#define _lpMem1 8
#define _dwSize1 12
#define _lpMem2 16
#define _dwSize2 20
#define _dwCompareLen 24
_asm
{
push ebp
mov ebp,esp
sub esp,4
mov eax,DWORD PTR _dwSize1[ebp] ; load size1
cmp eax,0 ; check for zero
je ExitFunction ; if zero, exit
mov ecx,DWORD PTR _dwSize2[ebp] ; load size2
cmp ecx,0 ; test for zero
je ExitFunction ; if zero, exit
cmp eax,ecx ; compare the lengths
ja GreaterThan ; EAX > ECX size1 > size2
je EqualTo ; EAX == ECX size1 == size2
mov DWORD PTR _dwCompareLen[ebp],eax ; store compare length in local
jmp FunctionCore ; jmp to the core function (which is broken down)
EqualTo:
mov DWORD PTR _dwCompareLen[ebp],eax ; set the comparison length
jmp FunctionCore ; jmp to the core function
GreaterThan:
mov DWORD PTR _dwCompareLen[ebp],ecx ; set the comparison length
FunctionCore:
xor eax,eax ; zero eax
xor ecx,ecx ; zero ecx
FunctionCompare:
push ebx ; store ebx, Windows requires you restore EBX
mov edx,DWORD PTR _lpMem1[ebp] ; load the memory buffer
mov ebx,DWORD PTR _lpMem2[ebp] ; load the other memory buffer
mov al,BYTE PTR[edx+ecx] ; get the byte value from the current index
cmp al,BYTE PTR[ebx+ecx] ; compare it to the other buffer's byte at that position
pop ebx ; restore EBX
ja HandleGreater ; if the comparison was greater, jump
jb HandleLower ; if the comparision was lower, jump
inc ecx ; increment counter
cmp ecx,DWORD PTR _dwCompareLen[ebp] ; compare to the comparison length
jb FunctionCompare ; compare if we continue
;HandleEqual: Will fall through to here if compare is not below
mov eax,DWORD PTR _dwSize1[ebp] ; get the size1
mov ecx,DWORD PTR _dwSize2[ebp] ; get the size2
cmp eax,ecx ; compare
jb HandleLower ; handler for less jump
ja HandleGreater ; handler for greater than jump
xor eax,eax ; fall through case, zero for equality
jmp ExitFunction ; exit out
The message box is not the code in question. They are null terminated. The issue is that I get a return value from my function that varies if the MessageBox is there. The only reason the message box is there was to make sure that the comparison of the lengths was working correctly.
IF (as we now now to not be true), the one piece of code worked, and the simple act of adding the message box changed the behavior. (Whih is how I understood your post), then either:
1) The parameters were not being passed properly.
2) The message box was altering state
3) your code was "working" because of side effects.
Any rational person reading your post, would have concludd that you ran the exact same code with the message box commented our, then put back in then commented out, etc. fbefore posting:
(only difference a MessageBox added)
Also I scrolled through your posted code three times, and I did not see and code missing (granted it is possible I missed it).
Or... is it possible that you did NOT really post the "original" working code (before you removed the comparision) and simply took a shortcut of posting the current code with and without the message box????
I ended up forgetting to put the comparison handling code back in before I posted... I had removed it to try and track where the bug was.
What happened? Last night, I removed the comparison handling code to track a bug earlier in the code, I never put it back in. I was so frustrated last night I couldn't see I did not put the handler code back in after finding a problem. Also a problem with always putting the value of _dwDiff into eax was an issue as well. That should only be done in the case of comparison values 0 when exiting out of loop.
Here is the final code.
__declspec(naked) long __stdcall MemCompare(const void * lpMem1,unsigned long dwSize1,const void * lpMem2,unsigned long dwSize2)
{
#define _lpMem1 8
#define _dwSize1 12
#define _lpMem2 16
#define _dwSize2 20
#define _dwCompareLen 24
_asm
{
push ebp
mov ebp,esp
sub esp,4
mov eax,DWORD PTR _dwSize1[ebp] ; load size1
cmp eax,0 ; check for zero
je ExitFunction ; if zero, exit
mov ecx,DWORD PTR _dwSize2[ebp] ; load size2
cmp ecx,0 ; test for zero
je ExitFunction ; if zero, exit
cmp eax,ecx ; compare the lengths
ja GreaterThan ; EAX > ECX size1 > size2
je EqualTo ; EAX == ECX size1 == size2
mov DWORD PTR _dwCompareLen[ebp],eax ; store compare length in local
jmp FunctionCore ; jmp to the core function (which is broken down)
EqualTo:
mov DWORD PTR _dwCompareLen[ebp],eax ; set the comparison length
jmp FunctionCore ; jmp to the core function
GreaterThan:
mov DWORD PTR _dwCompareLen[ebp],ecx ; set the comparison length
FunctionCore:
xor eax,eax ; zero eax
xor ecx,ecx ; zero ecx
FunctionCompare:
push ebx ; store ebx, Windows requires you restore EBX
mov edx,DWORD PTR _lpMem1[ebp] ; load the memory buffer
mov ebx,DWORD PTR _lpMem2[ebp] ; load the other memory buffer
mov al,BYTE PTR[edx+ecx] ; get the byte value from the current index
cmp al,BYTE PTR[ebx+ecx] ; compare it to the other buffer's byte at that position
pop ebx ; restore EBX
ja HandleGreater ; if the comparison was greater, jump
jb HandleLower ; if the comparision was lower, jump
inc ecx ; increment counter
cmp ecx,DWORD PTR _dwCompareLen[ebp] ; compare to the comparison length
jb FunctionCompare ; compare if we continue
;HandleEqual: Will fall through to here if compare is not below
mov eax,DWORD PTR _dwSize1[ebp] ; get the size1
mov ecx,DWORD PTR _dwSize2[ebp] ; get the size2
cmp eax,ecx ; compare
jb HandleLower ; handler for less jump
ja HandleGreater ; handler for greater than jump
xor eax,eax ; fall through case, zero for equality
jmp ExitFunction ; exit out
Ah, then you did not see the issue with the original wrong posting.
FunctionCompare:
push ebx
mov edx,DWORD PTR _lpMem1[ebp]
mov ebx,DWORD PTR _lpMem2[ebp]
mov al,BYTE PTR[edx+ecx]
cmp al,BYTE PTR[ebx+ecx]
pop ebx
jne ExitFunction ; WHERE IS THE HANDLER for less or greater?
FunctionCompare:
push ebx ; store ebx, Windows requires you restore EBX
mov edx,DWORD PTR _lpMem1[ebp] ; load the memory buffer
mov ebx,DWORD PTR _lpMem2[ebp] ; load the other memory buffer
mov al,BYTE PTR[edx+ecx] ; get the byte value from the current index
cmp al,BYTE PTR[ebx+ecx] ; compare it to the other buffer's byte at that position
pop ebx ; restore EBX
ja HandleGreater ; if the comparison was greater, jump
jb HandleLower ; if the comparision was lower, jump
inc ecx ; increment counter
cmp ecx,DWORD PTR _dwCompareLen[ebp] ; compare to the comparison length
jb FunctionCompare ; compare if we continue
;HandleEqual: Will fall through to here if compare is not below
mov eax,DWORD PTR _dwSize1[ebp] ; get the size1
mov ecx,DWORD PTR _dwSize2[ebp] ; get the size2
cmp eax,ecx ; compare
jb HandleLower ; handler for less jump
ja HandleGreater ; handler for greater than jump xor eax,eax ; fall through case, zero for equality
jmp ExitFunction ; exit out
However, I would like to point out my thread about locals, and then take this function into account. When I changed the way the local was accessed.
__declspec(naked) long __stdcall MemCompare(const void * lpMem1,unsigned long dwSize1,const void * lpMem2,unsigned long dwSize2)
{
#define _lpMem1 8
#define _dwSize1 12
#define _lpMem2 16
#define _dwSize2 20
#define _dwCompareLen 4
_asm
{
push ebp
mov ebp,esp
sub esp,4
push ebx ; store ebx, Windows requires you restore EBX
mov eax,DWORD PTR _dwSize1[ebp] ; load size1
cmp eax,0 ; check for zero
je ExitFunction ; if zero, exit
mov ecx,DWORD PTR _dwSize2[ebp] ; load size2
cmp ecx,0 ; test for zero
je ExitFunction ; if zero, exit
cmp eax,ecx ; compare the lengths
ja GreaterThan ; EAX > ECX size1 > size2
je EqualTo ; EAX == ECX size1 == size2
mov DWORD PTR _dwCompareLen[esp-4],eax ; store compare length in local
jmp FunctionCore ; jmp to the core function (which is broken down)
EqualTo:
mov DWORD PTR _dwCompareLen[esp-4],eax ; set the comparison length
jmp FunctionCore ; jmp to the core function
GreaterThan:
mov DWORD PTR _dwCompareLen[esp-4],ecx ; set the comparison length
FunctionCore:
xor eax,eax ; zero eax
xor ecx,ecx ; zero ecx
FunctionCompare:
mov edx,DWORD PTR _lpMem1[ebp] ; load the memory buffer
mov ebx,DWORD PTR _lpMem2[ebp] ; load the other memory buffer
mov al,BYTE PTR[edx+ecx] ; get the byte value from the current index
cmp al,BYTE PTR[ebx+ecx] ; compare it to the other buffer's byte at that position
ja HandleGreater ; if the comparison was greater, jump
jb HandleLower ; if the comparision was lower, jump
inc ecx ; increment counter
cmp ecx,DWORD PTR _dwCompareLen[esp-4] ; compare to the comparison length
jb FunctionCompare ; compare if we continue
;HandleEqual: Will fall through to here if compare is not below
mov eax,DWORD PTR _dwSize1[ebp] ; get the size1
mov ecx,DWORD PTR _dwSize2[ebp] ; get the size2
cmp eax,ecx ; compare
jb HandleLower ; handler for less jump
ja HandleGreater ; handler for greater than jump
xor eax,eax ; fall through case, zero for equality
jmp ExitFunction ; exit out
ExitFunction:
pop ebx ; restore EBX
add esp,4
pop ebp
ret 20
}
Now THIS CODE does cause a stack corruption. So, what is the deal then? What is going on?
TheCPUWizard
May 3rd, 2008, 01:25 PM
I will not be responding to any more of your posts as you persist in going back and editing previous posts.... This practice has been reported to the moderators...
[Moderator] please feel free to delete this post, if the thread has been restored to it's original state...Thanx!
JamesSchumacher
May 3rd, 2008, 03:48 PM
I figured it out. Microsoft is obfuscating in the assembly listing of their code. That is why they do a SUB from esp. This would cause ESP to be invalid in previous data. That is why that code I posted before that said crashed did so. If you were not to use OBSFUCATED calculations with ESP, you should just use EBP and ADD to ESP to make room for the locals.
Here is the correct code (I am sure of it, 99% anyways) (However, this doesn't explain the reverse argument issue. Unless the compiler/assembler has a 'push stack' before the call, an analyzer to which ones are pushed... A PUSH DOWN stack would have last closer to base (if pushed first).
There is screwiness in MS's assembly generation (or atleast the listing).
Or maybe it was supposed to be sub? WTH?
__declspec(naked) long __stdcall MemCompare(const void * lpMem1,unsigned long dwSize1,const void * lpMem2,unsigned long dwSize2)
{
#define _lpMem1 8
#define _dwSize1 12
#define _lpMem2 16
#define _dwSize2 20
#define _dwCompareLen 24
_asm
{
push ebp
mov ebp,esp
sub esp,4 ; make room for the locals
push ebx
mov eax,DWORD PTR _dwSize1[ebp] ; load size1
cmp eax,0 ; check for zero
je ExitFunction ; if zero, exit
mov ecx,DWORD PTR _dwSize2[ebp] ; load size2
cmp ecx,0 ; test for zero
je ExitFunction ; if zero, exit
cmp eax,ecx ; compare the lengths
ja GreaterThan ; EAX > ECX size1 > size2
je EqualTo ; EAX == ECX size1 == size2
mov DWORD PTR _dwCompareLen[ebp],eax ; store compare length in local
jmp FunctionCore ; jmp to the core function (which is broken down)
EqualTo:
mov DWORD PTR _dwCompareLen[ebp],eax ; set the comparison length
jmp FunctionCore ; jmp to the core function
GreaterThan:
mov DWORD PTR _dwCompareLen[ebp],ecx ; set the comparison length
FunctionCore:
xor eax,eax ; zero eax
xor ecx,ecx ; zero ecx
FunctionCompare:
mov edx,DWORD PTR _lpMem1[ebp] ; load the memory buffer
mov ebx,DWORD PTR _lpMem2[ebp] ; load the other memory buffer
mov al,BYTE PTR[edx+ecx] ; get the byte value from the current index
cmp al,BYTE PTR[ebx+ecx] ; compare it to the other buffer's byte at that position
ja HandleGreater ; if the comparison was greater, jump
jb HandleLower ; if the comparision was lower, jump
inc ecx ; increment counter
cmp ecx,DWORD PTR _dwCompareLen[ebp] ; compare to the comparison length
jb FunctionCompare ; compare if we continue
;HandleEqual: Will fall through to here if compare is not below
mov eax,DWORD PTR _dwSize1[ebp] ; get the size1
mov ecx,DWORD PTR _dwSize2[ebp] ; get the size2
cmp eax,ecx ; compare
jb HandleLower ; handler for less jump
ja HandleGreater ; handler for greater than jump
xor eax,eax ; fall through case, zero for equality
jmp ExitFunction ; exit out
Okay, someone has got to clear this up... Why does 'backwards' of EBP cause a crash, when passing the args the other direction work fine?
Nevermind, I figured it out.
JamesSchumacher
May 3rd, 2008, 04:08 PM
__declspec(naked) long __stdcall MemCompare(const void * lpMem1,unsigned long dwSize1,const void * lpMem2,unsigned long dwSize2)
{
#define _lpMem1 8
#define _dwSize1 12
#define _lpMem2 16
#define _dwSize2 20
#define _dwCompareLen 4
_asm
{
push ebp
mov ebp,esp
sub esp,4 ; make room for the locals
push ebx ; ebx pushed to top of stack, subs 4 - add of _dwCompareLen back to local ESP
mov eax,DWORD PTR _dwSize1[ebp] ; load size1
cmp eax,0 ; check for zero
je ExitFunction ; if zero, exit
mov ecx,DWORD PTR _dwSize2[ebp] ; load size2
cmp ecx,0 ; test for zero
je ExitFunction ; if zero, exit
cmp eax,ecx ; compare the lengths
ja GreaterThan ; EAX > ECX size1 > size2
je EqualTo ; EAX == ECX size1 == size2
mov DWORD PTR _dwCompareLen[esp],eax ; store compare length in local
jmp FunctionCore ; jmp to the core function (which is broken down)
EqualTo:
mov DWORD PTR _dwCompareLen[esp],eax ; set the comparison length
jmp FunctionCore ; jmp to the core function
GreaterThan:
mov DWORD PTR _dwCompareLen[esp],ecx ; set the comparison length
FunctionCore:
xor eax,eax ; zero eax
xor ecx,ecx ; zero ecx
FunctionCompare:
mov edx,DWORD PTR _lpMem1[ebp] ; load the memory buffer
mov ebx,DWORD PTR _lpMem2[ebp] ; load the other memory buffer
mov al,BYTE PTR[edx+ecx] ; get the byte value from the current index
cmp al,BYTE PTR[ebx+ecx] ; compare it to the other buffer's byte at that position
ja HandleGreater ; if the comparison was greater, jump
jb HandleLower ; if the comparision was lower, jump
inc ecx ; increment counter
cmp ecx,DWORD PTR _dwCompareLen[esp] ; compare to the comparison length
jb FunctionCompare ; compare if we continue
;HandleEqual: Will fall through to here if compare is not below
mov eax,DWORD PTR _dwSize1[ebp] ; get the size1
mov ecx,DWORD PTR _dwSize2[ebp] ; get the size2
cmp eax,ecx ; compare
jb HandleLower ; handler for less jump
ja HandleGreater ; handler for greater than jump
xor eax,eax ; fall through case, zero for equality
jmp ExitFunction ; exit out
The solution I came up with? A _LOCAL_ESP constant.
__declspec(naked) long __stdcall MemCompare(const void * lpMem1,unsigned long dwSize1,const void * lpMem2,unsigned long dwSize2)
{
#define _lpMem1 8
#define _dwSize1 12
#define _lpMem2 16
#define _dwSize2 20
#define _LOCAL_ESP 4
#define _dwCompareLen 0
_asm
{
push ebp
mov ebp,esp
sub esp,_LOCAL_ESP ; make room for the locals
push ebx
mov eax,DWORD PTR _dwSize1[ebp] ; load size1
cmp eax,0 ; check for zero
je ExitFunction ; if zero, exit
mov ecx,DWORD PTR _dwSize2[ebp] ; load size2
cmp ecx,0 ; test for zero
je ExitFunction ; if zero, exit
cmp eax,ecx ; compare the lengths
ja GreaterThan ; EAX > ECX size1 > size2
je EqualTo ; EAX == ECX size1 == size2
mov DWORD PTR _dwCompareLen[ebp-_LOCAL_ESP],eax ; store compare length in local
jmp FunctionCore ; jmp to the core function (which is broken down)
EqualTo:
mov DWORD PTR _dwCompareLen[ebp-_LOCAL_ESP],eax ; set the comparison length
jmp FunctionCore ; jmp to the core function
GreaterThan:
mov DWORD PTR _dwCompareLen[ebp-_LOCAL_ESP],ecx ; set the comparison length
FunctionCore:
xor eax,eax ; zero eax
xor ecx,ecx ; zero ecx
FunctionCompare:
mov edx,DWORD PTR _lpMem1[ebp] ; load the memory buffer
mov ebx,DWORD PTR _lpMem2[ebp] ; load the other memory buffer
mov al,BYTE PTR[edx+ecx] ; get the byte value from the current index
cmp al,BYTE PTR[ebx+ecx] ; compare it to the other buffer's byte at that position
ja HandleGreater ; if the comparison was greater, jump
jb HandleLower ; if the comparision was lower, jump
inc ecx ; increment counter
cmp ecx,DWORD PTR _dwCompareLen[ebp-_LOCAL_ESP] ; compare to the comparison length
jb FunctionCompare ; compare if we continue
;HandleEqual: Will fall through to here if compare is not below
mov eax,DWORD PTR _dwSize1[ebp] ; get the size1
mov ecx,DWORD PTR _dwSize2[ebp] ; get the size2
cmp eax,ecx ; compare
jb HandleLower ; handler for less jump
ja HandleGreater ; handler for greater than jump
xor eax,eax ; fall through case, zero for equality
jmp ExitFunction ; exit out