Code Sample Question


tutenKam
January 9th, 2014, 21:03
Hello,

I have some code that I need help with. (Comment on each line what it's doing.)

I know I can get shift F1 help in ollydbg but I am not sure what they are doing with this code.

Is this the right place?



Also,

Some general questions:

I see references saying to search for fs:[30] in the dump but I can never get any search hits?

How do I display the memory location so I can use the offset data in PEid for example?



I am a newbie so bear with me.
I am doing this for fun; it's what happens when the weather is -30 outside.



Thanks for any help.

Code:
CPU Disasm
Address Hex dump Command Comments
6F5C4B91 /$ 8BFF MOV EDI,EDI ; test_exe.6F5C4B91(guessed Arg1)
6F5C4B93 |. 55 PUSH EBP
6F5C4B94 |. 8BEC MOV EBP,ESP
6F5C4B96 |. 837D 08 00 CMP DWORD PTR SS:[EBP+8],0
6F5C4B9A |.- 74 2D JE SHORT 6F5C4BC9
6F5C4B9C |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; /pMem
6F5C4B9F |. 6A 00 PUSH 0 ; |Flags = 0
6F5C4BA1 |. FF35 8C3A5F6F PUSH DWORD PTR DS:[6F5F3A8C] ; |Heap = 043A0000
6F5C4BA7 |. FF15 8C705D6F CALL DWORD PTR DS:[<&KERNEL32.HeapFree>] ; \KERNEL32.HeapFree
6F5C4BAD |. 85C0 TEST EAX,EAX
6F5C4BAF |.- 75 18 JNZ SHORT 6F5C4BC9
6F5C4BB1 |. 56 PUSH ESI
6F5C4BB2 |. E8 E0120000 CALL 6F5C5E97
6F5C4BB7 |. 8BF0 MOV ESI,EAX
6F5C4BB9 |. FF15 88705D6F CALL DWORD PTR DS:[<&KERNEL32.GetLastErr ; [KERNEL32.GetLastError
6F5C4BBF |. 50 PUSH EAX ; /Arg1
6F5C4BC0 |. E8 90120000 CALL 6F5C5E55 ; \test_exe.6F5C5E55
6F5C4BC5 |. 59 POP ECX
6F5C4BC6 |. 8906 MOV DWORD PTR DS:[ESI],EAX
6F5C4BC8 |. 5E POP ESI
6F5C4BC9 |> 5D POP EBP
6F5C4BCA \. C3 RETN
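
For the question about using a debugger address in PEiD or a hex editor, here is an added example (not from the thread) that maps a virtual address such as 6F5C4B91 to a raw file offset through the PE section table. The image base 0x6F5C0000 and the section layout are constructed for the demonstration and are not read from test_exe.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal view of a PE section header: only the fields needed to map a
   virtual address seen in OllyDbg to an offset inside the file on disk. */
typedef struct {
    const char *name;
    uint32_t virtual_address;   /* section RVA (relative to ImageBase) */
    uint32_t virtual_size;      /* VirtualSize (may exceed raw size)    */
    uint32_t raw_pointer;       /* PointerToRawData                     */
    uint32_t raw_size;          /* SizeOfRawData                        */
} section_t;

/* Constructed sample layout (hypothetical; not taken from test_exe).
   The image base is assumed so that 6F5C4B91 lands inside .text. */
static const uint32_t IMAGE_BASE = 0x6F5C0000;
static const section_t SECTIONS[] = {
    { ".text",  0x01000, 0x2A000, 0x00400, 0x2A000 },
    { ".rdata", 0x2C000, 0x07000, 0x2A400, 0x07000 },
    { ".data",  0x33000, 0x02000, 0x31400, 0x01000 }, /* 0x1000 uninitialised tail */
};
#define NSECTIONS (sizeof SECTIONS / sizeof SECTIONS[0])

/* VA -> RVA (subtract ImageBase), then RVA -> file offset by finding the
   section whose raw data covers it.  Addresses below the first section are
   PE headers, which are mapped 1:1 from file offset 0.  Returns -1 when the
   address has no backing bytes in the file (e.g. the zero-filled part of
   .data beyond SizeOfRawData), which is exactly the case where a search in
   the file will never hit. */
long va_to_file_offset(uint32_t va, uint32_t image_base,
                       const section_t *secs, size_t n)
{
    uint32_t rva = va - image_base;
    if (n > 0 && rva < secs[0].virtual_address)
        return (long)rva;
    for (size_t i = 0; i < n; i++) {
        if (rva >= secs[i].virtual_address &&
            rva < secs[i].virtual_address + secs[i].raw_size)
            return (long)(rva - secs[i].virtual_address + secs[i].raw_pointer);
    }
    return -1;
}

int main(void)
{
    printf("6F5C4B91 -> file offset 0x%lX\n",
           va_to_file_offset(0x6F5C4B91, IMAGE_BASE, SECTIONS, NSECTIONS));
    printf("6F5F3A8C -> file offset 0x%lX\n",
           va_to_file_offset(0x6F5F3A8C, IMAGE_BASE, SECTIONS, NSECTIONS));
    return 0;
}
```

Read the real ImageBase and section headers from the target's PE header (OllyDbg's memory map or PEiD's section viewer show them) and substitute them for the constructed table.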

niaren
January 10th, 2014, 03:16
Manually trying to decompile the easy part of that function gets

Code:

void HeapFreeWrap(LPVOID lpMem)
{
    if (0 == lpMem)
        return;

    if (0 != HeapFree(globalHeapHandle, 0, lpMem)) // if success just return
        return;

    _asm { // Error logging
        CALL 6F5C5E97
        MOV ESI,EAX                                 ; keep the returned pointer
        CALL DWORD PTR DS:[<&KERNEL32.GetLastError>]
        PUSH EAX                                    ; /Arg1
        CALL 6F5C5E55                               ; \test_exe.6F5C5E55
        POP ECX                                     ; discard Arg1 (same as ADD ESP,4)
        MOV DWORD PTR DS:[ESI],EAX                  ; store result through the pointer
    }
    return;
}


I'm unsure how to 'decompile' the asm stub. The pop ecx confuses me. The three instructions in the middle can be converted to sub_6F5C5E55(GetLastError()), I believe, and the return value is stored in the address returned by function sub_6F5C5E97(), I think. Best guess (I know this is not correct):

Code:

#include <windows.h>

extern HANDLE globalHeapHandle;        // the heap handle loaded from DS:[6F5F3A8C]
extern int *sub_6F5C5E97(void);        // unnamed call that returns a pointer to an int
extern int sub_6F5C5E55(DWORD osError); // unnamed call that takes the Win32 error code

void HeapFreeWrap(LPVOID lpMem)
{
    if (0 == lpMem)
        return;

    if (0 != HeapFree(globalHeapHandle, 0, lpMem)) // if success just return
        return;

    // Error logging
    int *pInt = sub_6F5C5E97();
    *pInt = sub_6F5C5E55(GetLastError());
    return;
}


The function does not appear to be very interesting and there is no reference to fs:[30] anywhere. If nothing is wrong it just calls HeapFree. That's it!
Can you explain why you chose to show this function?

tutenKam
January 12th, 2014, 09:46
Thanks for the reply. I am a newbie and I am learning assembler slowly. I can compile code and I can make sense of what the code does. But when professors give code samples, they always ask the question "what function does the code do?" In other words, anyone can look up the instructions one line at a time, but at the end of the day you have to answer the question of what the author is trying to do.

I am getting better with normal code, but references to kernel32 or user32 are the ones that stump me, and that's why I posted this.

Is there a quick tutorial on these two DLLs? I am looking for something for newbies; Google gives too many hits and I find MSDN useless most of the time.

Thanks