Results 1 to 15 of 17

Thread: Reversing SHR EAX,1F

Hybrid View

  1. #1

    Question Reversing SHR EAX,1F

    OK maybe this was too hard, or stupid or something, got several views but no help so moderator feel free to delete?
    ------


    I'm trying to figure out what some lines of assembly language would look like in a higher level language such as C but also understand the WHY the compiler optimizer would code it like this verses something more direct.

    Code:
    IMUL ECX <- EDX:EAX = EAX * ECX
    SAR EDX, 5 <- EDX / 32
    MOV EAX, EDX 
    SHR EAX, 1F <--- 1F being 31 doesn't this always just clear out the register?
    ADD EAX, EDX <- so basically 0 + EDX
    CDQ <- wipes out EDX extends EAX so EDX:EAX?
    I'm finding one of the best ways to figure this stuff out is to put the code to a test? Take values and plug them in and see what happens?

    SO I try to take the extremes
    EAX = 7FFFFFFF
    ECX = 7FFFFFFF

    3FFFFFFF00000001

    3FFFFFFF S
    EDX:EAX = 3FFFFFFF00000001
    EDX = 3FFFFFFF / 20(32 Decimal)

    SAR, 5 = 1FFFFFF

    SHR EAX, 1F (so 0)
    ADD EAX, EDX
    EAX = 1FFFFFF
    CDQ -- EDX = 00000000 EAX = 01FFFFFF

    however negative makes it a bit tricky.... worst case the SHR seems to leave a 1 in EAX
    SO
    EAX = 80000000
    ECX = 7FFFFFFF

    EDX:EAX = EDX:C0000000 EAX:80000000
    SAR EDX, 5 - EDX:FE000000
    MOV EAX, EDX
    SHR EAX, 1F EAX = 1

    EAX = FE000001

    CDQ creates
    EDX:EAX = FFFFFFFF:FE000001

    So it's not any kinda absolute function or anything? I hope someone has worked this one out before or can figure it out.
    Last edited by captcpsc; May 2nd, 2012 at 13:28.

  2. #2
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647

    Look at the SIGN bit

    Without going into a step by step, this piece of code is isolating the sign bit of a 32 bit variable and "sticking" it into the result. Think: how do you assure that: ( -3) * (-4) == (+12)?

  3. #3
    Quote Originally Posted by naides View Post
    Without going into a step by step, this piece of code is isolating the sign bit of a 32 bit variable and "sticking" it into the result. Think: how do you assure that: ( -3) * (-4) == (+12)?
    I'm kinda a newbie to assembly so I think in this case some step by step would help? See when I take your example and apply it,

    Code:
    	mov eax, -3
    	mov ecx, -4
    	imul ecx
    	sar edx, 5
    	shr eax, 1fh
    	add eax, edx
    	cdq
    	retn
    after the imul instruction

    EDX: 00000000
    EAX: 0000000C

    the sar instruction then is useless on edx, then the shr basically empties eax, because it's not negative then the add is 0 + 0... CDQ just extends EAX which again will result in no change because EDX is already 0? I'm not sure what you are saying?

  4. #4
    the SAR instruction preserves your sign.
    make +a*-b/+c, where +c is a power of 2 (>32)
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

  5. #5
    Quote Originally Posted by Maximus View Post
    the SAR instruction preserves your sign.
    make +a*-b/+c, where +c is a power of 2 (>32)

    Are you sure you don't mean the SHR instruction preserves your sign? If I do

    Code:
    .code
    start:
    	mov eax, 3
    	mov ecx, -4
    	imul ecx
    	sar edx, 5
    	shr eax, 1fh
    	add eax, edx
    	cdq
    	retn	
    
    end start
    So A = 3, B = (-4) C = 5 which is 32 (decimal) after executing the SAR instruction EDX is still FFFFFFFF
    "The sar instruction shifts all the bits in the destination operand to the right one bit, replicating the H.O. bit'

    so FFFFFFFF is of course 11111111111111111111111111111111 (32 of em) so SAR EDX, 5 is still going to be 11111111111111111111111111111111 or FFFFFFFF.

  6. #6
    Try to divide by 2 a negative number with SHR.
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...

Similar Threads

  1. DOS/4GW , DOS/16M Reversing Help !
    By visions_of_eden in forum The Newbie Forum
    Replies: 6
    Last Post: December 1st, 2010, 07:49
  2. InTether Protection System Reversing...Reversing Kernel Code
    By tHE mUTABLE in forum Advanced Reversing and Programming
    Replies: 1
    Last Post: December 20th, 2007, 10:48
  3. Reversing VMs
    By Maximus in forum Mini Project Area
    Replies: 17
    Last Post: August 22nd, 2006, 10:38
  4. About Reversing
    By Joda in forum Advanced Reversing and Programming
    Replies: 12
    Last Post: July 11th, 2001, 13:28
  5. Reversing
    By A_m_A in forum Advanced Reversing and Programming
    Replies: 11
    Last Post: May 3rd, 2001, 14:43

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •