question about line of code DASM


r3v3rs43l
August 20th, 2013, 20:12
I got a line of code like this:

push ff
push 0
push 0
push offset "this is a test"
push offset "Hello world!" hex: 48656C6C6F20776F726C6421
push 0
CALL FUNCTION 1



750AFB28 /$ 8BFF MOV EDI,EDI
750AFB2A |. 55 PUSH EBP
750AFB2B |. 8BEC MOV EBP,ESP
750AFB2D |. 51 PUSH ECX
750AFB2E |. 51 PUSH ECX
750AFB2F |. 56 PUSH ESI
750AFB30 |. 57 PUSH EDI
750AFB31 |. 33FF XOR EDI,EDI
750AFB33 |. 83CE FF OR ESI,FFFFFFFF
750AFB36 |. 897D FC MOV DWORD PTR SS:[EBP-4],EDI
750AFB39 |. 897D F8 MOV DWORD PTR SS:[EBP-8],EDI
750AFB3C |. 397D 0C CMP DWORD PTR SS:[EBP+0C],EDI
750AFB3F |.- 74 19 JE SHORT 750AFB5A




PUSH EBP
PUSH ECX
PUSH ECX
PUSH ESI
PUSH EDI
XOR EDI,EDI ; will clear the edi register, it's zero now
OR ESI,FFFFFFFF ; i'm assuming here esi result is FFFFFFFF, since esi got no value stored, sets some flag
MOV DWORD PTR SS:[EBP-4],EDI ; copies edi to ecx
MOV DWORD PTR SS:[EBP-8],EDI ; copies edi to esi

Now here's the part I don't get:

CMP DWORD PTR SS:[EBP+0C],EDI

It's comparing edi, which has a value of zero, to ?

push offset "Hello world!" 48656C6C6F20776F726C6421

It's comparing what? This value 48656C6C with zero? And then the JE command states jump is taken. What's not adding up here...

Oh, btw, it jumps to the following command:


750AFB5A |> 397D 10 CMP DWORD PTR SS:[EBP+10],EDI ; is comparing it now to the second string "this is a test"
750AFB5D |.- 74 27 JE SHORT 750AFB86 ; takes a jump again

blabberer
August 21st, 2013, 01:26
CMP DWORD PTR SS:[EBP+0C],EDI

it is checking if the dword that is contained in [ebp+0x0c] is zero or not

(if *(DWORD *) somevar == 0)

In this exact case it is checking if the second argument to the function is zero or not.
If it is zero, it checks if the third argument is zero or not and jumps again based on the result.

some pseudo code

int foo(char *a, char *b, int c, ...)  // a will hold "hello", b will hold "this is test"
{
    if (a == NULL)          // your je
    {
        return -1;          // jmp to hell()
    }
    if (b == NULL)          // your other je
    {
        return -2;          // jump to other hell()
    }
    // both strings available for use, let's do something here
    {
    }
    return 0;
}

foo("hello", "this is blah", 0, ......)

aqrit
August 21st, 2013, 01:32
push offset "string" puts a pointer to the string on the stack

so esp is a pointer to a memory location
and that memory location points to a pointer to "string"

so
mov ebp, esp // this is the address of the top of the stack // ebp is now the same as esp
mov eax, [ebp] // dereferences ebp // this is the value at the top of the stack // eax is not the same as ebp
mov ecx, [eax] // this is the first four bytes of the string


this is what your func1 is doing...
Code:

void func1( char* str1, char* str2 ){
    if( str1 != NULL ){
        if( str2 != NULL ){
            // do something
        }
    }
}

not (as you seem to think)
Code:

void func1( char* str1, char* str2 ){
    if( *str1 != '\0' ){        // looks at the first byte of the string, not the pointer
        if( *str2 != '\0' ){
            // do something
        }
    }
}
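As an added example (not aqrit's code or anything posted in the thread), the two readings of func1 above written as compilable C. The return codes are a constructed convention (0 = first check fails, 1 = second check fails, 2 = both pass), and the empty-string case shows where the two readings actually disagree: "" is a valid, non-NULL pointer whose first byte is zero.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not the thread's own code.
 * Return values are a constructed convention:
 *   0 = first check fails  (the first JE in the listing would be taken)
 *   1 = second check fails (the second JE would be taken)
 *   2 = both checks pass   (fall through to the real work) */

/* What the listing does: compare the pushed POINTERS against zero.
 * CMP DWORD PTR [EBP+0C],EDI / JE  with EDI = 0 is exactly str1 == NULL. */
int func1_pointer_check(const char *str1, const char *str2)
{
    if (str1 == NULL)
        return 0;
    if (str2 == NULL)
        return 1;
    return 2;
}

/* What the original poster assumed: compare the string CONTENTS against zero.
 * That needs an extra dereference (load the pointer, then read a byte through
 * it), which the listing does not contain. Callers must pass valid pointers. */
int func1_first_byte_check(const char *str1, const char *str2)
{
    if (*str1 == '\0')
        return 0;
    if (*str2 == '\0')
        return 1;
    return 2;
}

/* The observable difference between the two readings, on constructed input:
 * an empty string passes the pointer check (2) but fails the byte check (1).
 * Returns 1 when the two readings disagree. */
int readings_differ_on_empty_string(void)
{
    const char *hello = "Hello world!";   /* constructed sample input */
    const char *empty = "";
    int by_ptr  = func1_pointer_check(hello, empty);
    int by_byte = func1_first_byte_check(hello, empty);
    return by_ptr != by_byte;
}

int main(void)
{
    printf("pointer check (both strings): %d\n",
           func1_pointer_check("Hello world!", "this is a test"));
    printf("pointer check (second is NULL): %d\n",
           func1_pointer_check("Hello world!", NULL));
    printf("readings differ on \"\": %d\n", readings_differ_on_empty_string());
    return 0;
}
```

The point for anyone reading such a prologue: a non-zero dword at [EBP+0C] tells you only that a pointer was passed, nothing about what it points to.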

r3v3rs43l
August 21st, 2013, 03:33
To the first reply above: you state it's checking if zero is equal to the dword. Well, I'm aware of that, but my point was how is the dword equal to 0? It's not. How is push offset "Hello world!" hex: 48656C6C6F20776F726C6421 == 0?
The command JE SHORT 750AFB5A, jump if equal, is taken. I hope you see what I'm getting at.

e.g.

0 equals 0
16 equals 16
sometext equals sometext
sometext does not equal 0

You get what I'm saying? That's all I'm trying to find out: how an ASCII string is the same as 0.

As for the second reply, I'm not quite following you; there is no eax register in my command.

Oh, and btw, if possible could we keep strictly to debugger format in asm?

blabberer
August 21st, 2013, 04:00
cmp = comparison operator

After comparison it sets flags; they are bits in a status register called EFLAGS in x32.

Google "name of x86 flag register"; the first Wikipedia hit will show you all the flag names from 16-bit to 64-bit machines.


if 0 = 0 zero flag is set to 0 by the cmp operator
if 16 = 0 zero flag is set to 1 by the cmp operator

the je operator checks the zero flag and will decide whether to jump or not
if zero flag == 1 it jumps
if zero flag == 0 it does not jump

cmp operator has this kind of logic

apple in one hand
x in other hand
see by eyes
if x = orange then apple != orange, so set zero flag to one and move on
if x = apple then apple == apple, so set zero flag to zero and move on, or select the next x for comparison

some one down the line will see the result and do something based on the result
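An added example (not blabberer's or anyone else's code from this thread) that replays the first post's push sequence on a tiny model of the 32-bit stack, so you can read off which pushed value lands at [EBP+0C] after PUSH EBP / MOV EBP,ESP, and then apply CMP and JE to it. The string offsets and the return address are constructed stand-ins (0x00401000, 0x00401010, 0x00402000). It uses the actual CMP/JE rule: CMP sets ZF=1 exactly when the operands are equal, and JE jumps when ZF=1.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the thread. Constructed addresses: */
#define ADDR_HELLO_WORLD   0x00401000u  /* stands in for offset "Hello world!" */
#define ADDR_THIS_IS_TEST  0x00401010u  /* stands in for offset "this is a test" */
#define RETURN_ADDRESS     0x00402000u  /* what CALL FUNCTION 1 pushes */
#define STACK_BYTES        256          /* size of the toy stack */

typedef struct {
    uint32_t mem[STACK_BYTES / 4];  /* stack memory; highest address at the end */
    uint32_t esp;                   /* byte offset into mem[], grows downward */
    uint32_t ebp;
} cpu_t;

/* PUSH: ESP -= 4, then store the dword at [ESP]. */
static void push(cpu_t *c, uint32_t v)
{
    c->esp -= 4;
    c->mem[c->esp / 4] = v;
}

static uint32_t read_dword(const cpu_t *c, uint32_t addr)
{
    return c->mem[addr / 4];
}

/* CMP a,b computes a - b and sets ZF=1 when the result is zero,
 * i.e. when a == b. Returns ZF. JE jumps when ZF == 1. */
int cmp_zero_flag(uint32_t a, uint32_t b)
{
    return (a - b) == 0;
}

/* Replays the caller's pushes (right to left, as in the listing), the CALL,
 * and the prologue PUSH EBP / MOV EBP,ESP. Returns the dword at [EBP+disp]. */
uint32_t arg_at(uint32_t disp)
{
    cpu_t c = { {0}, STACK_BYTES, 0 };
    push(&c, 0xFF);                /* push ff */
    push(&c, 0);                   /* push 0 */
    push(&c, 0);                   /* push 0 */
    push(&c, ADDR_THIS_IS_TEST);   /* push offset "this is a test" */
    push(&c, ADDR_HELLO_WORLD);    /* push offset "Hello world!" */
    push(&c, 0);                   /* push 0 */
    push(&c, RETURN_ADDRESS);      /* CALL FUNCTION 1 */
    push(&c, c.ebp);               /* PUSH EBP */
    c.ebp = c.esp;                 /* MOV EBP,ESP */
    return read_dword(&c, c.ebp + disp);
}

/* CMP DWORD PTR SS:[EBP+0C],EDI with EDI = 0 (after XOR EDI,EDI).
 * Returns 1 if the following JE SHORT 750AFB5A would be taken. */
int je_taken_on_second_arg(void)
{
    uint32_t edi = 0;
    return cmp_zero_flag(arg_at(0x0C), edi);
}

int main(void)
{
    printf("[EBP+04] = %08X (return address)\n", arg_at(0x04));
    printf("[EBP+08] = %08X (first pushed-last value)\n", arg_at(0x08));
    printf("[EBP+0C] = %08X (pointer to \"Hello world!\")\n", arg_at(0x0C));
    printf("[EBP+10] = %08X (pointer to \"this is a test\")\n", arg_at(0x10));
    printf("JE after CMP [EBP+0C],EDI taken: %d\n", je_taken_on_second_arg());
    return 0;
}
```

[EBP+0C] holds the address where "Hello world!" lives, not the bytes 48 65 6C 6C, so comparing it with 0 gives ZF=0 and the JE falls through; the first bytes of the string never enter into the comparison at all.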

r3v3rs43l
August 21st, 2013, 23:14
Guess what guys, JUMP IS NOT TAKEN after all. Like I said, when I was jumping to different functions I was pressing Enter and apparently didn't pass parameters; this time I pressed F7, which passed them, and now Olly states jump is not taken, so.... I guess that was the problem :S Appreciate the input anyways. I guess it's a good thing I didn't listen to any of your advice :S in this matter; knew it didn't make sense, I don't know how you guys believe it did though :S

Aimless
August 21st, 2013, 23:55
Quote:
[Originally Posted by r3v3rs43l;95303] i guess it's a good thing i didnt listen to any of your advise :S, in this matter, knew it didnt make sense, i dont know how you guys believe it did though :S


It made sense AND the guys above believed it BECAUSE that was the ONLY information you provided. You did not mention, as you do in your last post, the ENTER vs F7 difference in Ollydbg. So, between the incompleteness of the info you provided and what you later corrected, what they mentioned was pretty accurate.

A simple suggestion here: We don't expect sacrificial virgins and domestic animals as payment in kind, but it makes sense NOT to antagonize people who are trying to assist you, with half-baked info YOU have supplied, by making statements such as these. It will alienate people faster.

I get it, you appreciate the involvement and are confused. But chances are, next time fewer people will be ready to help you.

Have Phun

Woodmann
August 22nd, 2013, 20:56
The end!