I am experimenting with basic XOR functions and I am trying to xor a hex string input by a user i.e. 0x43424143 against a key of 0x41.
I have written code that works but I am a little curious about some weird results that are getting returned. The code written below is for NASM and it will compile and run on Windows (I am using external C library functions scanf and printf).
I have a couple of versions, one which takes the hex string as input and another where it is hard coded; this second version was just to keep things simple while figuring out some other things.
Both versions give the same weird output which I am pretty sure is wrong. I am just curious if I have missed anything obvious in how I have gone about things, I am still a pretty big noob with assembly and reverse engineering. This is a little obscure so if there's no obvious places I am going wrong then I'll happily keep poking at it until I find what's wrong.
section .data ;Constant Variable declared here
msg db "Prompt: ", 0
msg2: db 'RESULT: %x : %x ',10,0
fmt db "%s", 0
section .bss ;Reserve data for modifiable variables declared here, i.e. resb in NASM = reserve bytes
inpt resb 155
section .text ;Executable code here
extern _printf ;Calling external C lib function printf, scanf
extern _scanf
global _main ;Main function
_main:
push ebp
mov ebp, esp ;Set up the stack frame to set up the main function
push msg ;The initial prompt
call _printf
add esp, 4
push inpt ;Get user input
push fmt
call _scanf
add esp, 8
xor eax, eax ;Clean things up, ensure that there is no garbage in eax before we start to XOR things
push eax
;push DWORD(0x70757573) ;An old local variable when I was hard coding what I was xoring.
push inpt
push esp
pop esi
mov edi,esi
mov edx,edi
cld ;Clearing the direction flag
mov ecx,0x80
mov ebx,0x41 ;hardcoded our key to XOR the input with
mov eax, inpt
xor eax,ebx ;XOR the value in EAX with the x41 Value in EBX
stosb ;Store the result in EDI.
push edi ;Push EDI to be printed, Result should be stored here via the stosb instruction
push msg2 ;Push the result print message
call _printf ;call the print function
add esp, 20 ;This cleans up the stack. We pushed 5 things onto the stack each were 4 bytes long.
mov esp, ebp ;Destroy the stack frame after the function has finished
pop ebp
ret
Simplified and shorter version of code, no prompt:
section .data ;Constant Variable declared here
msg: db 'RESULT: %x ',10,0
var1: dw 0x70757573 ;hex string to be XOR'd
var2: db 0x41 ;Xor key to use
section .text ;Executable code here
extern _printf ;Calling external C lib function printf
global _main ;Main function
_main:
push ebp ;Set up the stack frame to set up the main function
mov ebp, esp ;
sub esp, 4 ;Reserve space for a 32 bit variable. [4 bytes = 8*4=32]
mov eax, [var1] ;Variable 1 to be XOR'd
mov ebx, [var2] ;Variable 2, The key to xor var1 with
xor eax, ebx ;The XOR function
push eax ;Push eax which should contain the result
push msg ;push the result message
call _printf ;call the print function
add esp, 8 ;clean up the stack
mov esp, ebp ;Destroy the stack frame after the function has finished
pop ebp
ret
mov eax, inpt
xor eax,ebx
You don't actually use the input you got through using call _scanf! With NASM you need to use square brackets to fetch memory content. Without them you just get the address of inpt in the EAX register.
mov eax, [inpt]
xor eax, ebx
push esp
pop esi
This really is just mov esi, esp.
add esp, 20 ;This cleans up the stack. We pushed 5 things onto the stack each were 4 bytes long.
Wrong! Your code only has 16 bytes on the stack. You removed the 5th thing push esp immediately after with pop esi.
Finally to display the single number result, change the format string accordingly and use:
msg2: db 'RESULT: %x ',10,0
...
mov eax, [inpt]
xor eax, ebx
push eax ;Push EAX to be printed
push msg2 ;Push the result print message
call _printf ;call the print function
add esp, 8 ;two 4-byte arguments (eax and msg2) were pushed
A last piece of advice: Don't leave old code in your program! You've first tried it with a hardcoded number (0x70757573) and later switched to inputting but you didn't remove some previously relevant instructions. Doing so produced a hard-to-read program with multiple errors.
xor eax, eax ???
push eax ???
;push DWORD(0x70757573) ???
push inpt ???
push esp ???
pop esi ???
mov edi,esi ???
mov edx,edi ???
cld ???
mov ecx,0x80 ???
mov ebx,0x41
mov eax, inpt
xor eax,ebx
stosb ???
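Putting the answer's fixes together as an added example (not code from the question or the answer): it assumes a 32-bit Windows build with leading-underscore C symbols, as the question does, and reads the input with scanf's %x so that [inpt] holds the numeric value; with the question's %s, the brackets would load the ASCII bytes of the typed text instead. A dword XORed with 0x41 changes only its low byte; the comment on the key shows the value that applies it to every byte.

```nasm
section .data                       ; constants
    prompt  db "Enter hex value (e.g. 0x43424143): ", 0
    fmt_in  db "%x", 0              ; parse a hex number, not a string ("%s")
    fmt_out db "RESULT: %08x", 10, 0

section .bss                        ; modifiable data
    inpt    resd 1                  ; one 32-bit slot (resd), not a 155-byte buffer

section .text
    extern _printf                  ; C library, leading-underscore names (assumed 32-bit MinGW)
    extern _scanf
    global _main

_main:
    push ebp
    mov  ebp, esp
    push ebx                        ; ebx is callee-saved in cdecl, so preserve it

    push prompt                     ; printf(prompt)
    call _printf
    add  esp, 4                     ; one 4-byte argument

    push inpt                       ; scanf("%x", &inpt): no brackets, pass the address
    push fmt_in
    call _scanf
    add  esp, 8                     ; two 4-byte arguments

    mov  eax, [inpt]                ; brackets: load the value stored at inpt
    mov  ebx, 0x41                  ; key; use 0x41414141 to XOR every byte of the dword
    xor  eax, ebx                   ; 0x43424143 ^ 0x41 = 0x43424102

    push eax                        ; printf(fmt_out, result)
    push fmt_out
    call _printf
    add  esp, 8                     ; two 4-byte arguments, so 8, not 20

    pop  ebx
    xor  eax, eax                   ; return 0
    mov  esp, ebp
    pop  ebp
    ret
```

Assemble with nasm -f win32 and link with a 32-bit gcc, as for the question's own code.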