Adding FF to a total


ice_cracked
April 5th, 2013, 23:18
Greetings, this is no doubt a basic question, but buggered if I can find or figure it out.

When adding FF to an existing total, e.g. 189 hex or 393 decimal, it is a simple matter of value -= 1 in C.

Now when the value is 8117D in hex, after the operation it now equals 8135.

Hmm, how can I do that in C?

Unsigned or signed numbers are at the root of this, but is there a simple way to do this in C?

Many thanks for your time reading this, and thanks in advance to anyone who can show me the way on this. It is quite annoying not being able to figure out the answer myself.

aqrit
April 8th, 2013, 03:14
If I wished to add 0xFF to BYTE 'value' in C, I would write...
Code:
value += 0xFF;



You need to post something more coherent.

0x0008117D + 0xFFF86FB8 = 0x00008135 ???????

ice_cracked
April 8th, 2013, 04:18
Sorry, I will try to be a bit more precise. The code below shows the loop in question, where the loop has ten rotations and the last rotation uses the value FF. The loop keeps two totals in memory, adding to them on each rotation, named Running_total and Running_Total_plus_8899 below.

Please note the highlighted section.


.text:00401478 loc_401478: ; CODE XREF: _main+112j
.text:00401478 cmp [ebp+loop_counter], 9
.text:0040147C ja short loc_4014A4
.text:0040147E mov eax, ebp
.text:00401480 add eax, [ebp+loop_counter]
.text:00401483 sub eax, 8
.text:00401486 movzx eax, byte ptr [eax] ; Character name entered loop counter ninth char = ' x ' tenth char = ' FF '
.text:00401489 mov [ebp+Buffer_chars_moved_to_backwards], al
.text:0040148C movsx edx, [ebp+Buffer_chars_moved_to_backwards]
.text:00401490 lea eax, [ebp+Running_total]
.text:00401493 add [eax], edx <<<<<<<<<<<<<<<<<<<<<<<<<< HERE
.text:00401495 mov edx, [ebp+Running_total]
.text:00401498 lea eax, [ebp+Running_Total_plus_8899]
.text:0040149B add [eax], edx <<<<<<<<<<<<<<<<<<<<<<<<< HERE
.text:0040149D lea eax, [ebp+loop_counter]
.text:004014A0 inc dword ptr [eax]
.text:004014A2 jmp short loc_401478

On the tenth rotation of the loop, Running_total = 189 and is decremented by one with the addition of FF, so no problems, Running_total -= 1 does the job.

Running_Total_plus_8899 contains the value of 8117D prior to the second addition as above, and is added to the value contained in Running_total, which is now 188 hex, which results in a value of 8135 in IDA, but whatever I try I end up with 81305 and I am buggered if I can duplicate what is going on. MOVSX is used, not MOV, so again signed and unsigned numbers are being used here, I guess?

I really have to do some more reading up on this matter, but if anyone can assist on this, the rest of the key generator is a piece of cake, and after struggling for a week over this I am basically annoyed at myself that I can't find the answer to this problem.

Appreciate your time if you read this, thanks a lot.

aqrit
April 9th, 2013, 03:24
if at VA 0x0040149B
[eax] == 0x0008117D
edx == 0x00000188
then at VA 0x0040149D
[eax] must equal 0x00081305...

Try switching to OllyDbg with "remove the analysis from the module" and paste that disassembly here.
Also try stepping across the add instruction with OllyDbg and make sure those are really the values.


edit:
Just in case you're wondering:
Code:
char c = 0xFF;
DWORD zx = (unsigned char) c; // 0x000000FF ( zero extended )
DWORD sx = (signed char) c; // 0xFFFFFFFF ( sign extended )

char c = 'x'; // 0x78
DWORD zx = (unsigned char) c; // 0x00000078 ( zero extended )
DWORD sx = (signed char) c; // 0x00000078 ( sign extended )
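
The loop body from the listing and its tenth iteration, modelled in C as an added example (not code from either poster or from the program being analysed). The struct and function names are chosen here, and the starting totals passed to `run_loop` are assumptions because the thread does not give them.

```c
#include <stdint.h>
#include <stdio.h>

/* The two totals kept by the loop at loc_401478. */
struct totals {
    uint32_t running_total;
    uint32_t running_total_2;   /* Running_Total_plus_8899 in the listing */
};

/* One iteration as disassembled: byte load, MOVSX, then the two ADDs. */
static void step(struct totals *t, uint8_t byte_read)
{
    int8_t  narrow = (int8_t)byte_read;      /* mov [ebp+Buffer...], al        */
    int32_t edx    = narrow;                 /* movsx edx, byte: 0xFF -> -1    */
    t->running_total   += (uint32_t)edx;     /* add [eax], edx (mod 2^32)      */
    t->running_total_2 += t->running_total;  /* second add uses updated total  */
}

/* Contrast case: the same step if the byte were zero-extended instead. */
static void step_zero_extended(struct totals *t, uint8_t byte_read)
{
    t->running_total   += (uint32_t)byte_read;   /* 0xFF -> +255 */
    t->running_total_2 += t->running_total;
}

/* Tenth iteration with the values quoted in the thread. */
static struct totals tenth_iteration(int sign_extend)
{
    struct totals t = { 0x189u, 0x8117Du };
    if (sign_extend) step(&t, 0xFFu);
    else             step_zero_extended(&t, 0xFFu);
    return t;
}

/* Whole loop over a buffer; starting totals are supplied by the caller. */
static struct totals run_loop(const uint8_t *buf, size_t n, struct totals start)
{
    for (size_t i = 0; i < n; i++) step(&start, buf[i]);
    return start;
}

int main(void)
{
    const uint8_t sample[] = { 'x', 0xFF };  /* constructed: last two chars */
    struct totals s = tenth_iteration(1), z = tenth_iteration(0);
    struct totals r = run_loop(sample, sizeof sample, (struct totals){ 0, 0 });
    printf("movsx: %X %X\n", (unsigned)s.running_total, (unsigned)s.running_total_2);
    printf("movzx: %X %X\n", (unsigned)z.running_total, (unsigned)z.running_total_2);
    printf("loop : %X %X\n", (unsigned)r.running_total, (unsigned)r.running_total_2);
    return 0;
}
```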