Thread: Newbie trying to understand the code.

  1. #1

    Newbie trying to understand the code.

    Hi
    I'm working through a tutorial trying to understand the basics.
    The original code is this:

    0003.71A8 75 57 JNE 7201
    0003.71AA 8B 46 FA MOV AX, BP-06

    This code is changed to:

    0003.71A8 E9 8F JMP
    0003.71AA 00 68 00 PUSH 00

    What I've worked out so far:
    .71A8: the first hex figure, 75, is the op code (JNE), jump if not equal, to 7201.

    The op code is at 71A8 and the 'offset' 57 is at 71A9, yet if you add 57 to 71A9 you get 7200 (1 less than what it should be). Why is that?

    The instruction at 71AA moves into AX (the lower half of EAX) whatever is stored in the memory location pointed to by BP-06.
    This seems to be to do with the nag screen.

    The conditional jump JNE is changed to an always JMP presumably to 71A9 + 8F 7240

    In the changed code at 71AA we are pushing (to the stack) the value 00. When you compare this to the old code it does not seem to do anything; is this just to keep the code length the same?

    Why is the op code 68 (push) preceded by 00?

    Regards.

  2. #2
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Several issues:

    1. Your tutor is using 16 bit code. This is not used anymore in general (Some specialized applications and legacy systems need to use 16 bit code, but that is another story).
    Tracing 16 bit code is tedious and almost useless in current day OS.
    2. The disassembly is wrong:
    You are changing a short jump 75 57, which is 2 bytes long (and jumps a distance that can be contained in one byte),
    to a long jump E9 XX XX XX XX, which is 5 bytes long and is used to jump distances longer than one byte. Because you replace a 2 byte instruction with a larger instruction, the next opcode does not make sense.
    Hope this helps.

    the op code is at 71A8 and the 'offset' 57 is at 71A9 yet if you add 57 to 71A9 you get 7200 (1 less than what it should be - why is that?)
    Actually, the address the "jump to" offset 57 is added to is the address of the NEXT instruction: (71AA + 57) == 7201.

    This has to do with the way the CPU works: when it reads an instruction, be it 2, 3 or 8 bytes long, the CPU immediately updates the instruction pointer register (IP) to the next instruction, so when the time comes to do a jump, it adds (with sign) the offset to the value stored in the IP, which is all there is to a jmp: modify the value of the IP.

  3. #3
    Thanks naides for the reply, I hope the question was not too dumb! The tutorial dates from 1998 and uses SoftICE. It's at least 20 years since I messed with any of this stuff on an 8080 proc. Should the JMP have a reference to a new code segment?
    BTW I'm now using it on Windows XP SP2 under VM.

  4. #4
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    The new operating systems use a 32 bit flat memory address. The concept of a code segment does not apply in the new OS anymore.
    In 16 bit code, arrghhh. I don't remember very well how the long jumps were implemented regarding segmented memory. Any of the old timers in here want to illuminate us?

  5. #5
    (Shakes cane in general direction)

    More than likely, all you need to do is to change the 75 to an EB, to make it a JMP to 7201.

    And you don't need to mess with the segments.

    Now, get the hell off my lawn! ;-)
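The IP-relative arithmetic explained in #2 and the one-byte 75 to EB patch suggested in #5, worked through in code. This is an added example, not code from the thread or from the tutorial; it assumes 16-bit operand size (where E9 takes a 16-bit displacement, so the patched bytes E9 8F 00 from #1 are read here as one 3-byte JMP), and the addresses and bytes are the ones quoted in #1.

```python
import struct

# Relative jumps in 16-bit code (the tutorial's target). Short forms carry a
# signed 8-bit displacement; E9 carries a signed 16-bit one (3 bytes total).
SHORT_JUMPS = {0xEB: "JMP", 0x74: "JE", 0x75: "JNE"}
NEAR_JMP = 0xE9


def decode_jump(addr, code):
    """Decode the relative jump at the start of `code`, which sits at `addr`.

    Returns (mnemonic, length, target). The displacement is added to the
    address of the NEXT instruction, because IP has already advanced past
    the whole instruction by the time the jump executes.
    """
    opcode = code[0]
    if opcode in SHORT_JUMPS:
        disp, length, mnem = struct.unpack("<b", code[1:2])[0], 2, SHORT_JUMPS[opcode]
    elif opcode == NEAR_JMP:
        disp, length, mnem = struct.unpack("<h", code[1:3])[0], 3, "JMP"
    else:
        raise ValueError(f"not a relative jump: {opcode:02X}")
    return mnem, length, (addr + length + disp) & 0xFFFF


def encode_short_jmp(addr, target):
    """Encode EB rel8 at `addr` reaching `target`; fail if it is out of range."""
    disp = target - (addr + 2)          # measured from the next instruction
    if not -128 <= disp <= 127:
        raise ValueError("target too far for a short jump")
    return bytes([0xEB]) + struct.pack("<b", disp)


def patch_jcc_to_jmp(code):
    """Replace a 2-byte Jcc with EB and the same displacement: same length,
    same target, so the MOV that follows is left intact."""
    if code[0] not in (0x74, 0x75):
        raise ValueError("expected a 2-byte conditional jump")
    return bytes([0xEB]) + code[1:2]


if __name__ == "__main__":
    original = bytes.fromhex("7557")                      # JNE at 71A8 (from #1)
    print(decode_jump(0x71A8, original))                  # ('JNE', 2, 0x7201)
    print(decode_jump(0x71A8, patch_jcc_to_jmp(original)))  # ('JMP', 2, 0x7201)
    # E9 8F 00 is 3 bytes, so it overwrites the 8B of MOV AX,[BP-06] at 71AA.
    print(decode_jump(0x71A8, bytes.fromhex("E98F00")))   # ('JMP', 3, 0x723A)
```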

  6. #6
    Thanks very much. It's possible it could be a typo, I suppose.
