PDA

View Full Version : ASM routine


steel
April 24th, 2008, 22:35
Hi,

I need a little help figuring out what's going on in this routine:

I've figured out a couple things. First I will list the asm:



003E4110 /$ 81EC 98010000 SUB ESP,198
003E4116 |. 53 PUSH EBX
003E4117 |. 55 PUSH EBP
003E4118 |. 56 PUSH ESI
003E4119 |. 57 PUSH EDI
003E411A |. BF 08000000 MOV EDI,8
003E411F |. BE 06000000 MOV ESI,6
003E4124 |. 33DB XOR EBX,EBX
003E4126 |. BA 04000000 MOV EDX,4
003E412B |. BD 01000000 MOV EBP,1
003E4130 |. B9 09000000 MOV ECX,9
003E4135 |. B8 07000000 MOV EAX,7
003E413A |. C78424 0801000>MOV DWORD PTR SS:[ESP+108],3
003E4145 |. 89BC24 0C01000>MOV DWORD PTR SS:[ESP+10C],EDI
003E414C |. C78424 1001000>MOV DWORD PTR SS:[ESP+110],2
003E4157 |. 89B424 1401000>MOV DWORD PTR SS:[ESP+114],ESI
003E415E |. 899C24 1801000>MOV DWORD PTR SS:[ESP+118],EBX
003E4165 |. C78424 1C01000>MOV DWORD PTR SS:[ESP+11C],5
003E4170 |. 899424 2001000>MOV DWORD PTR SS:[ESP+120],EDX
003E4177 |. 89AC24 2401000>MOV DWORD PTR SS:[ESP+124],EBP
003E417E |. 898C24 2801000>MOV DWORD PTR SS:[ESP+128],ECX
003E4185 |. 898424 2C01000>MOV DWORD PTR SS:[ESP+12C],EAX
003E418C |. C78424 3001000>MOV DWORD PTR SS:[ESP+130],3
003E4197 |. 89BC24 3401000>MOV DWORD PTR SS:[ESP+134],EDI
003E419E |. C78424 3801000>MOV DWORD PTR SS:[ESP+138],2
003E41A9 |. 89B424 3C01000>MOV DWORD PTR SS:[ESP+13C],ESI
003E41B0 |. 899C24 4001000>MOV DWORD PTR SS:[ESP+140],EBX
003E41B7 |. C78424 4401000>MOV DWORD PTR SS:[ESP+144],5
003E41C2 |. 899424 4801000>MOV DWORD PTR SS:[ESP+148],EDX
003E41C9 |. 89AC24 4C01000>MOV DWORD PTR SS:[ESP+14C],EBP
003E41D0 |. 898C24 5001000>MOV DWORD PTR SS:[ESP+150],ECX
003E41D7 |. 898424 5401000>MOV DWORD PTR SS:[ESP+154],EAX
003E41DE |. 894424 18 MOV DWORD PTR SS:[ESP+18],EAX
003E41E2 |. 895424 1C MOV DWORD PTR SS:[ESP+1C],EDX
003E41E6 |. C74424 20 0500>MOV DWORD PTR SS:[ESP+20],5
003E41EE |. C74424 24 0300>MOV DWORD PTR SS:[ESP+24],3
003E41F6 |. 897C24 28 MOV DWORD PTR SS:[ESP+28],EDI
003E41FA |. 895C24 2C MOV DWORD PTR SS:[ESP+2C],EBX
003E41FE |. 894C24 30 MOV DWORD PTR SS:[ESP+30],ECX
003E4202 |. 896C24 34 MOV DWORD PTR SS:[ESP+34],EBP
003E4206 |. 897424 38 MOV DWORD PTR SS:[ESP+38],ESI
003E420A |. C74424 3C 0200>MOV DWORD PTR SS:[ESP+3C],2
003E4212 |. 894424 40 MOV DWORD PTR SS:[ESP+40],EAX
003E4216 |. 895424 44 MOV DWORD PTR SS:[ESP+44],EDX
003E421A |. C74424 48 0500>MOV DWORD PTR SS:[ESP+48],5
003E4222 |. C74424 4C 0300>MOV DWORD PTR SS:[ESP+4C],3
003E422A |. 897C24 50 MOV DWORD PTR SS:[ESP+50],EDI
003E422E |. 895C24 54 MOV DWORD PTR SS:[ESP+54],EBX
003E4232 |. 894C24 58 MOV DWORD PTR SS:[ESP+58],ECX
003E4236 |. 896C24 5C MOV DWORD PTR SS:[ESP+5C],EBP
003E423A |. 897424 60 MOV DWORD PTR SS:[ESP+60],ESI
003E423E |. C74424 64 0200>MOV DWORD PTR SS:[ESP+64],2
003E4246 |. C74424 68 0200>MOV DWORD PTR SS:[ESP+68],2
003E424E |. 895424 6C MOV DWORD PTR SS:[ESP+6C],EDX
003E4252 |. 895C24 70 MOV DWORD PTR SS:[ESP+70],EBX
003E4256 |. C74424 74 0500>MOV DWORD PTR SS:[ESP+74],5
003E425E |. 897424 78 MOV DWORD PTR SS:[ESP+78],ESI
003E4262 |. 894C24 7C MOV DWORD PTR SS:[ESP+7C],ECX
003E4266 |. 89AC24 8000000>MOV DWORD PTR SS:[ESP+80],EBP
003E426D |. C78424 8400000>MOV DWORD PTR SS:[ESP+84],3
003E4278 |. 898424 8800000>MOV DWORD PTR SS:[ESP+88],EAX
003E427F |. 89BC24 8C00000>MOV DWORD PTR SS:[ESP+8C],EDI
003E4286 |. C78424 9000000>MOV DWORD PTR SS:[ESP+90],2
003E4291 |. 899424 9400000>MOV DWORD PTR SS:[ESP+94],EDX
003E4298 |. 899C24 9800000>MOV DWORD PTR SS:[ESP+98],EBX
003E429F |. C78424 9C00000>MOV DWORD PTR SS:[ESP+9C],5
003E42AA |. 89B424 A000000>MOV DWORD PTR SS:[ESP+A0],ESI
003E42B1 |. 898C24 A400000>MOV DWORD PTR SS:[ESP+A4],ECX
003E42B8 |. 89AC24 A800000>MOV DWORD PTR SS:[ESP+A8],EBP
003E42BF |. C78424 AC00000>MOV DWORD PTR SS:[ESP+AC],3
003E42CA |. 898424 B000000>MOV DWORD PTR SS:[ESP+B0],EAX
003E42D1 |. 89BC24 B400000>MOV DWORD PTR SS:[ESP+B4],EDI
003E42D8 |. 899424 B800000>MOV DWORD PTR SS:[ESP+B8],EDX
003E42DF |. 898C24 BC00000>MOV DWORD PTR SS:[ESP+BC],ECX
003E42E6 |. 89AC24 C000000>MOV DWORD PTR SS:[ESP+C0],EBP
003E42ED |. C78424 C400000>MOV DWORD PTR SS:[ESP+C4],5
003E42F8 |. 89BC24 C800000>MOV DWORD PTR SS:[ESP+C8],EDI
003E42FF |. 89B424 CC00000>MOV DWORD PTR SS:[ESP+CC],ESI
003E4306 |. 898424 D000000>MOV DWORD PTR SS:[ESP+D0],EAX
003E430D |. C78424 D400000>MOV DWORD PTR SS:[ESP+D4],3
003E4318 |. 899C24 D800000>MOV DWORD PTR SS:[ESP+D8],EBX
003E431F |. C78424 DC00000>MOV DWORD PTR SS:[ESP+DC],2
003E432A |. 898424 F800000>MOV DWORD PTR SS:[ESP+F8],EAX
003E4331 |. 898424 7001000>MOV DWORD PTR SS:[ESP+170],EAX
003E4338 |. 898424 9801000>MOV DWORD PTR SS:[ESP+198],EAX
003E433F |. A0 B99A3F00 MOV AL,BYTE PTR DS:[3F9AB9]
003E4344 |. 891D A07A3F00 MOV DWORD PTR DS:[3F7AA0],EBX
003E434A |. A2 A07A3F00 MOV BYTE PTR DS:[3F7AA0],AL
003E434F |. A0 B79A3F00 MOV AL,BYTE PTR DS:[3F9AB7]
003E4354 |. 899424 E000000>MOV DWORD PTR SS:[ESP+E0],EDX
003E435B |. A2 A37A3F00 MOV BYTE PTR DS:[3F7AA3],AL
003E4360 |. A0 B19A3F00 MOV AL,BYTE PTR DS:[3F9AB1]
003E4365 |. 898C24 E400000>MOV DWORD PTR SS:[ESP+E4],ECX
003E436C |. 899424 5801000>MOV DWORD PTR SS:[ESP+158],EDX
003E4373 |. 898C24 6801000>MOV DWORD PTR SS:[ESP+168],ECX
003E437A |. 899424 8001000>MOV DWORD PTR SS:[ESP+180],EDX
003E4381 |. 8A15 B59A3F00 MOV DL,BYTE PTR DS:[3F9AB5]
003E4387 |. 898C24 9001000>MOV DWORD PTR SS:[ESP+190],ECX
003E438E |. 8A0D B39A3F00 MOV CL,BYTE PTR DS:[3F9AB3]
003E4394 |. 53 PUSH EBX
003E4395 |. 50 PUSH EAX
003E4396 |. 89AC24 F000000>MOV DWORD PTR SS:[ESP+F0],EBP
003E439D |. C78424 F400000>MOV DWORD PTR SS:[ESP+F4],5
003E43A8 |. 89BC24 F800000>MOV DWORD PTR SS:[ESP+F8],EDI
003E43AF |. 89B424 FC00000>MOV DWORD PTR SS:[ESP+FC],ESI
003E43B6 |. C78424 0401000>MOV DWORD PTR SS:[ESP+104],3
003E43C1 |. 899C24 0801000>MOV DWORD PTR SS:[ESP+108],EBX
003E43C8 |. C78424 0C01000>MOV DWORD PTR SS:[ESP+10C],2
003E43D3 |. C78424 6401000>MOV DWORD PTR SS:[ESP+164],2
003E43DE |. 89B424 6801000>MOV DWORD PTR SS:[ESP+168],ESI
003E43E5 |. 89BC24 6C01000>MOV DWORD PTR SS:[ESP+16C],EDI
003E43EC |. C78424 7401000>MOV DWORD PTR SS:[ESP+174],3
003E43F7 |. 899C24 7C01000>MOV DWORD PTR SS:[ESP+17C],EBX
003E43FE |. C78424 8001000>MOV DWORD PTR SS:[ESP+180],5
003E4409 |. 89AC24 8401000>MOV DWORD PTR SS:[ESP+184],EBP
003E4410 |. C78424 8C01000>MOV DWORD PTR SS:[ESP+18C],2
003E441B |. 89B424 9001000>MOV DWORD PTR SS:[ESP+190],ESI
003E4422 |. 89BC24 9401000>MOV DWORD PTR SS:[ESP+194],EDI
003E4429 |. C78424 9C01000>MOV DWORD PTR SS:[ESP+19C],3
003E4434 |. 899C24 A401000>MOV DWORD PTR SS:[ESP+1A4],EBX
003E443B |. C78424 A801000>MOV DWORD PTR SS:[ESP+1A8],5
003E4446 |. 89AC24 AC01000>MOV DWORD PTR SS:[ESP+1AC],EBP
003E444D |. 880D A17A3F00 MOV BYTE PTR DS:[3F7AA1],CL
003E4453 |. 8815 A27A3F00 MOV BYTE PTR DS:[3F7AA2],DL
003E4459 |. A2 A47A3F00 MOV BYTE PTR DS:[3F7AA4],AL
003E445E |. E8 CDF0FFFF CALL app.003E3530
003E4463 |. 83C4 04 ADD ESP,4
003E4466 |. 50 PUSH EAX
003E4467 |. E8 B4F1FFFF CALL app.003E3620
003E446C |. 8A0D B29A3F00 MOV CL,BYTE PTR DS:[3F9AB2]
003E4472 |. 83C4 08 ADD ESP,8
003E4475 |. 50 PUSH EAX
003E4476 |. 51 PUSH ECX
003E4477 |. E8 B4F0FFFF CALL app.003E3530
003E447C |. 83C4 04 ADD ESP,4
003E447F |. 50 PUSH EAX
003E4480 |. E8 9BF1FFFF CALL app.003E3620
003E4485 |. 8A15 B39A3F00 MOV DL,BYTE PTR DS:[3F9AB3]
003E448B |. 83C4 08 ADD ESP,8
003E448E |. 50 PUSH EAX
003E448F |. 52 PUSH EDX
003E4490 |. E8 9BF0FFFF CALL app.003E3530
003E4495 |. 83C4 04 ADD ESP,4
003E4498 |. 50 PUSH EAX
003E4499 |. E8 82F1FFFF CALL app.003E3620
003E449E |. 83C4 08 ADD ESP,8
003E44A1 |. 50 PUSH EAX
003E44A2 |. A0 B49A3F00 MOV AL,BYTE PTR DS:[3F9AB4]
003E44A7 |. 50 PUSH EAX
003E44A8 |. E8 83F0FFFF CALL app.003E3530
003E44AD |. 83C4 04 ADD ESP,4
003E44B0 |. 50 PUSH EAX
003E44B1 |. E8 6AF1FFFF CALL app.003E3620
003E44B6 |. 8A0D B59A3F00 MOV CL,BYTE PTR DS:[3F9AB5]
003E44BC |. 83C4 08 ADD ESP,8
003E44BF |. 50 PUSH EAX
003E44C0 |. 51 PUSH ECX
003E44C1 |. E8 6AF0FFFF CALL app.003E3530
003E44C6 |. 83C4 04 ADD ESP,4
003E44C9 |. 50 PUSH EAX
003E44CA |. E8 51F1FFFF CALL app.003E3620
003E44CF |. 83C4 08 ADD ESP,8
003E44D2 |. 50 PUSH EAX
003E44D3 |. 8A15 B69A3F00 MOV DL,BYTE PTR DS:[3F9AB6]
003E44D9 |. 52 PUSH EDX
003E44DA |. E8 51F0FFFF CALL app.003E3530
003E44DF |. 83C4 04 ADD ESP,4
003E44E2 |. 50 PUSH EAX
003E44E3 |. E8 38F1FFFF CALL app.003E3620
003E44E8 |. 83C4 08 ADD ESP,8
003E44EB |. 50 PUSH EAX
003E44EC |. A0 B79A3F00 MOV AL,BYTE PTR DS:[3F9AB7]
003E44F1 |. 50 PUSH EAX
003E44F2 |. E8 39F0FFFF CALL app.003E3530
003E44F7 |. 83C4 04 ADD ESP,4
003E44FA |. 50 PUSH EAX
003E44FB |. E8 20F1FFFF CALL app.003E3620
003E4500 |. 8A0D B89A3F00 MOV CL,BYTE PTR DS:[3F9AB8]
003E4506 |. 83C4 08 ADD ESP,8
003E4509 |. 50 PUSH EAX
003E450A |. 51 PUSH ECX
003E450B |. E8 20F0FFFF CALL app.003E3530
003E4510 |. 83C4 04 ADD ESP,4
003E4513 |. 50 PUSH EAX
003E4514 |. E8 07F1FFFF CALL app.003E3620
003E4519 |. 8A15 B99A3F00 MOV DL,BYTE PTR DS:[3F9AB9]
003E451F |. 83C4 08 ADD ESP,8
003E4522 |. 50 PUSH EAX
003E4523 |. 52 PUSH EDX
003E4524 |. E8 07F0FFFF CALL app.003E3530
003E4529 |. 83C4 04 ADD ESP,4
003E452C |. 50 PUSH EAX
003E452D |. E8 EEF0FFFF CALL app.003E3620
003E4532 |. 83C4 08 ADD ESP,8
003E4535 |. 50 PUSH EAX
003E4536 |. A0 B09A3F00 MOV AL,BYTE PTR DS:[3F9AB0]
003E453B |. 50 PUSH EAX
003E453C |. E8 EFEFFFFF CALL app.003E3530
003E4541 |. 83C4 04 ADD ESP,4
003E4544 |. 50 PUSH EAX
003E4545 |. E8 D6F0FFFF CALL app.003E3620
003E454A |. 8A0D D0933F00 MOV CL,BYTE PTR DS:[3F93D0]
003E4550 |. 8BF0 MOV ESI,EAX
003E4552 |. 51 PUSH ECX
003E4553 |. E8 D8EFFFFF CALL app.003E3530
003E4558 |. 8A15 D1933F00 MOV DL,BYTE PTR DS:[3F93D1]
003E455E |. 8BF8 MOV EDI,EAX
003E4560 |. 52 PUSH EDX
003E4561 |. E8 CAEFFFFF CALL app.003E3530
003E4566 |. 8BE8 MOV EBP,EAX
003E4568 |. A0 D2933F00 MOV AL,BYTE PTR DS:[3F93D2]
003E456D |. 50 PUSH EAX
003E456E |. E8 BDEFFFFF CALL app.003E3530
003E4573 |. 8A0D D3933F00 MOV CL,BYTE PTR DS:[3F93D3]
003E4579 |. 894424 24 MOV DWORD PTR SS:[ESP+24],EAX
003E457D |. 51 PUSH ECX
003E457E |. E8 ADEFFFFF CALL app.003E3530
003E4583 |. 8A15 D4933F00 MOV DL,BYTE PTR DS:[3F93D4]
003E4589 |. 8BD8 MOV EBX,EAX
003E458B |. 52 PUSH EDX
003E458C |. E8 9FEFFFFF CALL app.003E3530
003E4591 |. 03FE ADD EDI,ESI
003E4593 |. 83C4 1C ADD ESP,1C
003E4596 |. 83FF 0A CMP EDI,0A
003E4599 |. 7C 03 JL SHORT app.003E459E
003E459B |. 83EF 0A SUB EDI,0A
003E459E |> 03EE ADD EBP,ESI
003E45A0 |. 83FD 0A CMP EBP,0A
003E45A3 |. 7C 03 JL SHORT app.003E45A8
003E45A5 |. 83ED 0A SUB EBP,0A
003E45A8 |> 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
003E45AC |. 03CE ADD ECX,ESI
003E45AE |. 83F9 0A CMP ECX,0A
003E45B1 |. 894C24 10 MOV DWORD PTR SS:[ESP+10],ECX
003E45B5 |. 7C 07 JL SHORT app.003E45BE
003E45B7 |. 83E9 0A SUB ECX,0A
003E45BA |. 894C24 10 MOV DWORD PTR SS:[ESP+10],ECX
003E45BE |> 03DE ADD EBX,ESI
003E45C0 |. 83FB 0A CMP EBX,0A
003E45C3 |. 7C 03 JL SHORT app.003E45C8
003E45C5 |. 83EB 0A SUB EBX,0A
003E45C8 |> 03C6 ADD EAX,ESI
003E45CA |. 83F8 0A CMP EAX,0A
003E45CD |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
003E45D1 |. 7C 07 JL SHORT app.003E45DA
003E45D3 |. 83E8 0A SUB EAX,0A
003E45D6 |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
003E45DA |> E8 F1CCFFFF CALL app.003E12D0
003E45DF |. 85C0 TEST EAX,EAX
003E45E1 |. 74 08 JE SHORT app.003E45EB
003E45E3 |. 6A 01 PUSH 1 ; /ExitCode = 1
003E45E5 |. FF15 30303F00 CALL DWORD PTR DS:[<&KERNEL32.ExitProces>; \ExitProcess
003E45EB |> 33F6 XOR ESI,ESI
003E45ED |> 8A86 A07A3F00 /MOV AL,BYTE PTR DS:[ESI+3F7AA0]
003E45F3 |. 50 |PUSH EAX
003E45F4 |. E8 37EFFFFF |CALL app.003E3530
003E45F9 |. 8B8CBC 0C01000>|MOV ECX,DWORD PTR SS:[ESP+EDI*4+10C]
003E4600 |. 51 |PUSH ECX
003E4601 |. 50 |PUSH EAX
003E4602 |. E8 19F0FFFF |CALL app.003E3620
003E4607 |. 50 |PUSH EAX
003E4608 |. E8 B3EFFFFF |CALL app.003E35C0
003E460D |. 8B7CAC 28 |MOV EDI,DWORD PTR SS:[ESP+EBP*4+28]
003E4611 |. 50 |PUSH EAX
003E4612 |. 8886 A07A3F00 |MOV BYTE PTR DS:[ESI+3F7AA0],AL
003E4618 |. E8 13EFFFFF |CALL app.003E3530
003E461D |. 8B5424 24 |MOV EDX,DWORD PTR SS:[ESP+24]
003E4621 |. 8B4C94 7C |MOV ECX,DWORD PTR SS:[ESP+EDX*4+7C]
003E4625 |. 51 |PUSH ECX
003E4626 |. 50 |PUSH EAX
003E4627 |. E8 F4EFFFFF |CALL app.003E3620
003E462C |. 50 |PUSH EAX
003E462D |. E8 8EEFFFFF |CALL app.003E35C0
003E4632 |. 8B949C D800000>|MOV EDX,DWORD PTR SS:[ESP+EBX*4+D8]
003E4639 |. 50 |PUSH EAX
003E463A |. 8886 A07A3F00 |MOV BYTE PTR DS:[ESI+3F7AA0],AL
003E4640 |. 895424 34 |MOV DWORD PTR SS:[ESP+34],EDX
003E4644 |. E8 E7EEFFFF |CALL app.003E3530
003E4649 |. 8B4C24 38 |MOV ECX,DWORD PTR SS:[ESP+38]
003E464D |. 8B948C 7C01000>|MOV EDX,DWORD PTR SS:[ESP+ECX*4+17C]
003E4654 |. 52 |PUSH EDX
003E4655 |. 50 |PUSH EAX
003E4656 |. E8 C5EFFFFF |CALL app.003E3620
003E465B |. 50 |PUSH EAX
003E465C |. E8 5FEFFFFF |CALL app.003E35C0
003E4661 |. 6A 03 |PUSH 3
003E4663 |. 55 |PUSH EBP
003E4664 |. 8886 A07A3F00 |MOV BYTE PTR DS:[ESI+3F7AA0],AL
003E466A |. E8 B1EFFFFF |CALL app.003E3620
003E466F |. 6A 02 |PUSH 2
003E4671 |. 53 |PUSH EBX
003E4672 |. 8BE8 |MOV EBP,EAX
003E4674 |. E8 A7EFFFFF |CALL app.003E3620
003E4679 |. 83C4 40 |ADD ESP,40
003E467C |. 8BD8 |MOV EBX,EAX
003E467E |. 8B4424 14 |MOV EAX,DWORD PTR SS:[ESP+14]
003E4682 |. 6A 01 |PUSH 1
003E4684 |. 50 |PUSH EAX
003E4685 |. E8 96EFFFFF |CALL app.003E3620
003E468A |. 83C4 08 |ADD ESP,8
003E468D |. 46 |INC ESI
003E468E |. 83FE 05 |CMP ESI,5
003E4691 |. 894424 14 |MOV DWORD PTR SS:[ESP+14],EAX
003E4695 |.^0F8C 52FFFFFF \JL app.003E45ED
003E469B |. 5F POP EDI
003E469C |. 5E POP ESI
003E469D |. 5D POP EBP
003E469E |. C605 A57A3F00 >MOV BYTE PTR DS:[3F7AA5],0
003E46A5 |. 5B POP EBX
003E46A6 |. 81C4 98010000 ADD ESP,198
003E46AC \. C3 RETN




The beginning, movs I have no idea what their purpose is, maybe allocating memory of some sort . Then, starting from:
0057433F |. A0 B99A5800 MOV AL,BYTE PTR DS:[589AB9]

I kinda get what it's doing. In dump at 598AB9 is the following:

00589AA9 00 33 37 34 34 39 38 38 31 39 .374498819
00589AB9 31 33 31 131


with 589AB9 being the '1' from the '131'.
(note: I copied these lines from a different instance of the running app (actually dll), but the offsets are the same )


Basically what I gathered is it is moving the following into a new part in memory: '14817' compiled from the above string of digits.

I also look at the call 003E3530, It's a routine that changes a digit from its ascii representation to an actual number. So if i pass one, (31) it returns 1. etc.. also 003E35C0 does the opposite.(goes from integer to ascii)


as for 003E12D0, its just a debugger check.

Now 003E3620 is as follows:

00573620 /$ 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
00573624 |. 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8]
00573628 |. 03C1 ADD EAX,ECX
0057362A |. 83F8 09 CMP EAX,9
0057362D |. 7E 03 JLE SHORT app.00573632
0057362F |. 83E8 0A SUB EAX,0A
00573632 \> C3 RETN


If anyone can please help me 'translate' this routine to C, or at least guide me towards doing this, it will be greatley appreciated.

Thank you


sorry for the long code snippet, it was the best I could do

naides
April 25th, 2008, 08:08
Quote:
[Originally Posted by steel;74213]


If anyone can please help me 'translate' this routine to C, or at least guide me towards doing this, it will be greatley appreciated.



Ilfak's new IDA plug-in: Hex-Rays, if you are able to buy it, find it, download it or make it work, supposedly will translate asm into C-like code.

That decompiling it will take you any closer to understand what this code (snippet is an understatement) is doing, that is a whole different story. . .

steel
April 25th, 2008, 14:14
Hi,


Ok, so I followed your advice and was able to get most of it working, I am still having trouble with the following loop:


Code:

005745ED |> 8A86 A07A5800 /MOV AL,BYTE PTR DS:[ESI+587AA0]
005745F3 |. 50 |PUSH EAX
005745F4 |. E8 37EFFFFF |CALL app.00573530
005745F9 |. 8B8CBC 0C01000>|MOV ECX,DWORD PTR SS:[ESP+EDI*4+10C]
00574600 |. 51 |PUSH ECX
00574601 |. 50 |PUSH EAX
00574602 |. E8 19F0FFFF |CALL app.00573620
00574607 |. 50 |PUSH EAX
00574608 |. E8 B3EFFFFF |CALL app.005735C0
0057460D |. 8B7CAC 28 |MOV EDI,DWORD PTR SS:[ESP+EBP*4+28]
00574611 |. 50 |PUSH EAX
00574612 |. 8886 A07A5800 |MOV BYTE PTR DS:[ESI+587AA0],AL
00574618 |. E8 13EFFFFF |CALL app.00573530
0057461D |. 8B5424 24 |MOV EDX,DWORD PTR SS:[ESP+24]
00574621 |. 8B4C94 7C |MOV ECX,DWORD PTR SS:[ESP+EDX*4+7C]
00574625 |. 51 |PUSH ECX
00574626 |. 50 |PUSH EAX
00574627 |. E8 F4EFFFFF |CALL app.00573620
0057462C |. 50 |PUSH EAX
0057462D |. E8 8EEFFFFF |CALL app.005735C0
00574632 |. 8B949C D800000>|MOV EDX,DWORD PTR SS:[ESP+EBX*4+D8]
00574639 |. 50 |PUSH EAX
0057463A |. 8886 A07A5800 |MOV BYTE PTR DS:[ESI+587AA0],AL
00574640 |. 895424 34 |MOV DWORD PTR SS:[ESP+34],EDX
00574644 |. E8 E7EEFFFF |CALL app.00573530
00574649 |. 8B4C24 38 |MOV ECX,DWORD PTR SS:[ESP+38]
0057464D |. 8B948C 7C01000>|MOV EDX,DWORD PTR SS:[ESP+ECX*4+17C]
00574654 |. 52 |PUSH EDX
00574655 |. 50 |PUSH EAX
00574656 |. E8 C5EFFFFF |CALL app.00573620
0057465B |. 50 |PUSH EAX
0057465C |. E8 5FEFFFFF |CALL app.005735C0
00574661 |. 6A 03 |PUSH 3
00574663 |. 55 |PUSH EBP
00574664 |. 8886 A07A5800 |MOV BYTE PTR DS:[ESI+587AA0],AL
0057466A |. E8 B1EFFFFF |CALL app.00573620
0057466F |. 6A 02 |PUSH 2
00574671 |. 53 |PUSH EBX
00574672 |. 8BE8 |MOV EBP,EAX
00574674 |. E8 A7EFFFFF |CALL app.00573620
00574679 |. 83C4 40 |ADD ESP,40
0057467C |. 8BD8 |MOV EBX,EAX
0057467E |. 8B4424 14 |MOV EAX,DWORD PTR SS:[ESP+14]
00574682 |. 6A 01 |PUSH 1
00574684 |. 50 |PUSH EAX
00574685 |. E8 96EFFFFF |CALL app.00573620
0057468A |. 83C4 08 |ADD ESP,8
0057468D |. 46 |INC ESI
0057468E |. 83FE 05 |CMP ESI,5
00574691 |. 894424 14 |MOV DWORD PTR SS:[ESP+14],EAX
00574695 |.^0F8C 52FFFFFF \JL app.005745ED


For these operations :
MOV ECX,DWORD PTR SS:[ESP+EDI*4+10C]
00574600 |. 51 |PUSH ECX
00574601 |. 50 |PUSH EAX
00574602 |. E8 19F0FFFF |CALL app.00573620

Hex-Rays gives me :
v58 = sub_10003620(v57, *(&v66 + v3));

which doesn't make sense. I've traced through, step by step I understand what the application is doing, but I'm not sure how to do it. Any help is greatly appreciated.

Thanks

naides
April 25th, 2008, 16:35
Quote:
[Originally Posted by steel;74223]
Disclaimers: 1. Hex-Rays sometimes screws up and produces non nonsensical code. 2: some of the action is taking place somewhere else in the code, You and Hex-Rays can see it, I cannot



The code is getting ready to call the function app.00573620 in the Olly list,
IDA?HexRays list : sub_10003620.

The second parameter of sub_10003620 is : *(&v66 + v3), a dereferenced pointer to and structure based on and pointed at by ESP+10C, which would be variable 66 (V66). EDI holds the variable displacement V3 in pointer arithmetics. (That is why is multiplied by 4). The result of this dereferenced pointer is pre-load into ECX.

The first parameter, v57 Somewhat, automagically got loaded in EAX. When???? Perhaps is the return value of function app.00573530???

I don't see how and when EAX got loaded with the variable 57 (V57) in this huge function. unless Hex overlooks call 00573530 and pretends that [ESI+587AA0] still holds the value of V57. dunno.






For these operations :
MOV ECX,DWORD PTR SS:[ESP+EDI*4+10C]
00574600 |. 51 |PUSH ECX
00574601 |. 50 |PUSH EAX
00574602 |. E8 19F0FFFF |CALL app.00573620

Hex-Rays gives me :
v58 = sub_10003620(v57, *(&v66 + v3));

which doesn't make sense. I've traced through, step by step I understand what the application is doing, but I'm not sure how to do it. Any help is greatly appreciated.

Thanks


Or, I am babbling

steel
April 25th, 2008, 16:48
Hi,

My bad for not listing more code:

here is the loop generated by Hex-Rays

Code:

v10 = 0;
do
{
LOBYTE(result) = Str2[v10];
v57 = sub_10003530(result);
v58 = sub_10003620(v57, *(&v66 + v3));
LOBYTE(v59) = sub_100035C0(v58);
v3 = *(&v86 + v5);
Str2[v10] = v59;
v60 = sub_10003530(v59);
v61 = sub_10003620(v60, *(&v106 + v166));
LOBYTE(v62) = sub_100035C0(v61);
v63 = *(&v126 + v7);
Str2[v10] = v62;
v166 = v63;
v64 = sub_10003530(v62);
v65 = sub_10003620(v64, *(&v141 + v167));
Str2[v10] = sub_100035C0(v65);
v5 = sub_10003620(v5, 3);
v7 = sub_10003620(v7, 2);
result = sub_10003620(v167, 1);
++v10;
v167 = result;
}
while ( v10 < 5 );
byte_10017AA5 = 0;
return result;
}


My issue isn't with anything but the pointer arithmetic. In assembly, there is awareness of where the memory for the next value is allocated ( I am talking about the second parameter passed to sub_10003620 ) that's why we can add an offset to it and get the next value ) but the way hex-rays decompiled it, each was an individual integer. This would only be possibly if we were dealing with an array. Would it be likely that hex-rays was unable to recognize the creating of an array of integers and instead defined invididual variables? if that is the case, would it be possible to point me in the right direction regarding what's going on inside the loop with the array, and based on the beginning of the function, SUB ESP, 198.. an idea of what the structure of the array would look like ?

Thanks

naides
April 25th, 2008, 23:19
I think I understand where the confusion may be:

There is not an ordered, one to one correspondence, left to right linear correspondence between
[ESP+EDI*4+10C]
and
*(&v66 + v3))

I don't pretend to know it either, decompiling is a shaky terrain. But, remember that addition is associative, commutative, and that disassembly has some rules in the order of representation that do not directly translate into decompiling language.

Meaning, in a disassembled expression that includes registers and direct constants, the registers (ESP, EDI) are written first, to the left of the expression, then the constants 10C at the end. On the other hand, Hex-rays reorders it to fit its interpretation: ESP+10C, a stack variable, is named v66, EDI*4 a register representing V3, a structure offset, goes next.

I propose you do some experimentation:

Change the code of this instruction:
MOV ECX,DWORD PTR SS:[ESP+EDI*4+10C]

to

MOV ECX,DWORD PTR SS:[ESP+10C]
in the original file code, then disassemble and decompile. . .

the resulting code may not run or produce some weird results, but IDA and Hex-rays should analyze it it just fine.

Find out what the construct [ESP+10C] decompiles into C- pseudocode. My bet, v66. ( besides some dereferencing stuff)

By trial and error you may figure out what the ASM representation of V66 ends up being. . .

After reading your answer more carefully:
I agree that Hex Rays may have missed an array created in the stack, and instead is referencing to a huge collection of individual DWORD variables (v14 to v67). A complicating issue is that this is a ESP based stack frame. But the theoretical Base of such array is not defined:
The constant added to ESP varies wildly from 28 to 17C in this code snippet, and the extra displacement (EDI*4) is often the result of a previous operation.

The only real way to really figure this out is to watch it operate live with the debugger, keeping track of the actual contents of the stack

steel
April 27th, 2008, 20:03
Thanks naides,

I figured It out, and was able to write what I need. I was correct in thinking it was an array, and it made things a lot easier!

naides
April 27th, 2008, 20:16
Now you got me curious:

What and where was the array?

steel
April 28th, 2008, 12:06
this is what the loop ended up looking like (it can be simplified a great deal, but this serves the purpose of doing what is needed)

Code:

for(int i = 0; i < 5; i++)
{
result = Str2[I];
int eax26 = sub_10003530(result);
int eax27 = sub_10003620(eax26, integers[sum1 + 66]);
int eax28 = sub_100035C0(eax27);
Str2[I] = eax28;
sum1 = integers[sum2 + 6];
int eax29 = sub_10003530(eax28);
int eax30 = sub_10003620(eax29,integers[integers[4]+26]);
int eax31 = sub_100035C0(eax30);
Str2[I] = eax31;
integers[4] = integers[sum4+46];
int eax32 = sub_10003530(eax31);
int eax33 = sub_10003620(eax32, integers[integers[5] + 86]);
int eax34 = sub_100035C0(eax33);
Str2[I] = eax34;
sum2 = sub_10003620(sum2, 3);
sum4 = sub_10003620(sum4, 2);
integers[5] = sub_10003620(integers[5], 1);
}


where integers is the loong array full of ints defined in the very beginning.

When the memory was being allocatd for the array, I found the base at 0012E944, and since the stack pointer, ESP is being wound/unwound as we make the calls to the cdecl functions, I also kept track of the offset it would be from the original base. It keeps on changing, but near the end of the loop:
00574679 |. 83C4 40 |ADD ESP,40

it resets itself to the origin. So the array offsets are consistently the same, varying by the values used in sum1, sum2 and the integers array.