
I'm trying to understand the basics of addressing in PE files, and I made a simple application with a couple of functions that call malloc, linked statically against the msvcr110 library. So I took the produced executable, opened it in IDA Pro, found the offset of the malloc function (which is not imported), added the base address and tried to call it like so:

    HMODULE hCurrentModule = GetModuleHandle(NULL); // get current module base address
    DWORD_PTR hMallocAddr = (0x0048AD60 + (DWORD_PTR)hCurrentModule);
    char *pointer;
    __asm  // calling malloc
    {
        push 80
        mov eax,dword ptr[static_addr]
        call eax
        add esp,2
        mov [pointer],eax
    }

I then checked the rebuilt program in IDA Pro to make sure that the malloc offset remains the same, and it's still 0x0048AD60. So the problem is that offset + hCurrentModule gives me an incorrect address, and a crash after I call this address. For example, the result of my hMallocAddr is 0x0186AD60, but in the MSVC debug session, in the disassembly window, the malloc address is 0x0146AD60. What is wrong here?

Vanya
  • Are you tracing through the assembly language instructions one at a time ? More to the point, can you stop your execution before `call eax` with your debugger ? If so, what is the next *instruction* which executes after you `call eax` ? My immediate question is: What is the instruction to be executed, *just before* the crash occurs ? – User.1 Aug 07 '14 at 18:18
  • @User.1 there are no instructions disassembled in the debugger at the address that I calculated; there are just question marks all over the window, `0186AD60 ??` etc., so I assume the address is incorrect. – Vanya Aug 07 '14 at 18:24
  • What is the instruction that is executed just before the app crashes ? – User.1 Aug 07 '14 at 18:25
  • @User.1 I can't really see that, but if I do step into, I get the error `Unable to step, Operation not supported. Unknown error 0x92330010`, on the first line at address `0x0146AD60` – Vanya Aug 07 '14 at 18:33
  • `"...but if i do step into..."` into what ? Where is your debugger when you try to step into that ? Which instruction ? – User.1 Aug 07 '14 at 18:35
  • @User.1 on the `call eax` – Vanya Aug 07 '14 at 18:47
  • Okay, can you single step into the next instruction ? i.e., can you see the instruction at `0x0146AD60` ? – User.1 Aug 07 '14 at 18:49
  • @User.1 the other answer fixed it, thanks for the help anyway. I can't see the instruction at `0x0146AD60`; it's like the frame there is not disassembled. – Vanya Aug 07 '14 at 18:52

2 Answers

0x0048AD60 is not the offset of malloc but the actual address of the function when the EXE is loaded at its default load address of 0x00400000. Subtract this value to get the offset from the start of the image.
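As an added illustration of the rebasing this answer describes (example code, not from the question or the answer): read ImageBase from the PE32 header, turn the disassembler's VA into an RVA by subtracting it, and add the module's real load address. The header bytes below are constructed, with ImageBase set to the default 0x00400000 named above; in a real program the runtime base is the value GetModuleHandle(NULL) returns, as in the question. The runtime base 0x013E0000 used here is the one implied by the question's own two numbers (0x0186AD60 minus 0x0048AD60). The parser handles PE32 only; a PE32+ image stores an 8-byte ImageBase at a different offset and is rejected.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Header offsets from the PE/COFF specification (PE32, i.e. 32-bit images). */
#define DOS_E_LFANEW_OFFSET   0x3C   /* IMAGE_DOS_HEADER.e_lfanew: file offset of "PE\0\0" */
#define PE_SIGNATURE_SIZE     4
#define COFF_HEADER_SIZE      20     /* IMAGE_FILE_HEADER */
#define OPT_MAGIC_OFFSET      0x00   /* IMAGE_OPTIONAL_HEADER32.Magic */
#define OPT_IMAGEBASE_OFFSET  0x1C   /* IMAGE_OPTIONAL_HEADER32.ImageBase */
#define PE32_MAGIC            0x10B

#define SAMPLE_HEADER_LEN     0x200  /* size of the constructed sample header below */

/* Little-endian accessors so the parser does not depend on host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Preferred load address (ImageBase) of a PE32 image, or 0 if the header is
   malformed, truncated, or not PE32. */
uint32_t pe32_image_base(const uint8_t *img, size_t len) {
    if (len < DOS_E_LFANEW_OFFSET + 4 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t e_lfanew = rd32(img + DOS_E_LFANEW_OFFSET);
    if (e_lfanew > len) return 0;                       /* also keeps the sum below from overflowing */
    size_t opt = (size_t)e_lfanew + PE_SIGNATURE_SIZE + COFF_HEADER_SIZE;
    if (opt + OPT_IMAGEBASE_OFFSET + 4 > len) return 0;
    if (memcmp(img + e_lfanew, "PE\0\0", PE_SIGNATURE_SIZE) != 0) return 0;
    if (rd16(img + opt + OPT_MAGIC_OFFSET) != PE32_MAGIC) return 0;
    return rd32(img + opt + OPT_IMAGEBASE_OFFSET);
}

/* The address a disassembler shows is a VA that assumes ImageBase; the quantity
   that survives relocation/ASLR is the RVA, the distance from the image start. */
uint32_t va_to_rva(uint32_t va, uint32_t image_base) { return va - image_base; }

/* Where that RVA lands once the module is actually mapped at runtime_base. */
uintptr_t rva_to_runtime(uint32_t rva, uintptr_t runtime_base) { return runtime_base + rva; }

/* Full rebase: disassembler VA -> runtime address, reading ImageBase from the header. */
uintptr_t rebase_va(uint32_t va, const uint8_t *img, size_t len, uintptr_t runtime_base) {
    uint32_t image_base = pe32_image_base(img, len);
    if (image_base == 0 || va < image_base) return 0;
    return rva_to_runtime(va_to_rva(va, image_base), runtime_base);
}

/* Constructed sample: only the parts of a PE32 header the lookup above touches,
   with ImageBase set to the MSVC default 0x00400000. Not a real executable. */
const uint8_t *constructed_pe32_header(void) {
    static uint8_t hdr[SAMPLE_HEADER_LEN];
    static int built = 0;
    if (!built) {
        memset(hdr, 0, sizeof hdr);
        hdr[0] = 'M'; hdr[1] = 'Z';
        wr32(hdr + DOS_E_LFANEW_OFFSET, 0x80);          /* NT headers start at 0x80 */
        memcpy(hdr + 0x80, "PE\0\0", PE_SIGNATURE_SIZE);
        size_t opt = 0x80 + PE_SIGNATURE_SIZE + COFF_HEADER_SIZE;
        wr16(hdr + opt + OPT_MAGIC_OFFSET, PE32_MAGIC);
        wr32(hdr + opt + OPT_IMAGEBASE_OFFSET, 0x00400000);
        built = 1;
    }
    return hdr;
}

int main(void) {
    const uint8_t *hdr = constructed_pe32_header();
    uint32_t image_base = pe32_image_base(hdr, SAMPLE_HEADER_LEN);

    /* Numbers from the question: IDA shows malloc at 0x0048AD60; adding the runtime
       base to that VA gave 0x0186AD60, so the module was mapped at 0x013E0000. */
    uint32_t  ida_va       = 0x0048AD60;
    uintptr_t runtime_base = 0x0186AD60 - 0x0048AD60;

    printf("ImageBase from header : 0x%08X\n", image_base);
    printf("RVA of malloc         : 0x%08X\n", va_to_rva(ida_va, image_base));
    printf("wrong (VA + base)     : 0x%08lX\n", (unsigned long)(ida_va + runtime_base));
    printf("right (RVA + base)    : 0x%08lX\n",
           (unsigned long)rebase_va(ida_va, hdr, SAMPLE_HEADER_LEN, runtime_base));
    return 0;
}
```

The "right" line comes out as 0x0146AD60, the address the debugger showed in the question, while the "wrong" line reproduces the asker's 0x0186AD60: the only difference is whether ImageBase was subtracted first.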


I see one thing that I don't understand, the first instruction: you push a value, but never pop it. When you add 2 to esp, are you trying to fix the stack ? Could the compiler be "helping" you to optimize that as an 8-bit value ?

No guarantee, but those are the things I see from a first glance; but again, I'm not there and can't see the debug screen.

{
    push 80                           ;Where do you pop this ?
    mov eax,dword ptr[static_addr]
    call eax
    add esp,2                         ;Is this the "pop" ? Possible bug, is "80" a 16 bit value ?
    mov [pointer],eax
} 

Along this same line, I'm not totally certain how your app is structured, but are you safe in using Eax without pushing before and popping afterward ? No clue if that makes a difference, it's just something from a cursory look at the code.

User.1
  • about `eax`: it just returns the pointer from the function where the code snippet is, so it's fine. About the `push` you are right; actually that push decreases esp by 4 bytes, so I should add 4 bytes there, not 2. I will be using the registers better, to push the appropriate values, ah, al etc. I'm kinda new to asm. – Vanya Aug 07 '14 at 19:00