Code Sample Question

[tutenKam]

Hello,

I have some code that I need help with. ( comment on each line what its doing )

I know I can get shift F1 help in ollydbg but I am not sure what they are doing with this code.

Is this the right place?



Also,

Some general questions:

I see references saying to search for fs:[30] in the dump but I can never get any search hits?

How do I display the memory location so I can use the offset data in PEid for example?



I am a newbie so bare with me.
I am doing this for fun, its what happens when the weather is -30 outsite.



Thanks for any help.

Code:

CPU Disasm
Address   Hex dump          Command                                  Comments
6F5C4B91  /$  8BFF          MOV EDI,EDI                              ; test_exe.6F5C4B91(guessed Arg1)
6F5C4B93  |.  55            PUSH EBP
6F5C4B94  |.  8BEC          MOV EBP,ESP
6F5C4B96  |.  837D 08 00    CMP DWORD PTR SS:[EBP+8],0
6F5C4B9A  |.- 74 2D         JE SHORT 6F5C4BC9
6F5C4B9C  |.  FF75 08       PUSH DWORD PTR SS:[EBP+8]                ; /pMem
6F5C4B9F  |.  6A 00         PUSH 0                                   ; |Flags = 0
6F5C4BA1  |.  FF35 8C3A5F6F PUSH DWORD PTR DS:[6F5F3A8C]             ; |Heap = 043A0000
6F5C4BA7  |.  FF15 8C705D6F CALL DWORD PTR DS:[<&KERNEL32.HeapFree>] ; \KERNEL32.HeapFree
6F5C4BAD  |.  85C0          TEST EAX,EAX
6F5C4BAF  |.- 75 18         JNZ SHORT 6F5C4BC9
6F5C4BB1  |.  56            PUSH ESI
6F5C4BB2  |.  E8 E0120000   CALL 6F5C5E97
6F5C4BB7  |.  8BF0          MOV ESI,EAX
6F5C4BB9  |.  FF15 88705D6F CALL DWORD PTR DS:[<&KERNEL32.GetLastErr ; [KERNEL32.GetLastError
6F5C4BBF  |.  50            PUSH EAX                                 ; /Arg1
6F5C4BC0  |.  E8 90120000   CALL 6F5C5E55                            ; \test_exe.6F5C5E55
6F5C4BC5  |.  59            POP ECX
6F5C4BC6  |.  8906          MOV DWORD PTR DS:[ESI],EAX
6F5C4BC8  |.  5E            POP ESI
6F5C4BC9  |>  5D            POP EBP
6F5C4BCA  \.  C3            RETN

[niaren]

Manually trying to decompile the easy part of that function gets

Code:

void HeapFreeWrap(LPVOID lpMem)
{
    if(0 == lpMem)
        return;

    if(0 != HeapFree(globalHeapHandle, 0, lpMem)  // if success just return
        return;

    _asm{                  // Error logging
        CALL 6F5C5E97
        MOV ESI,EAX
        CALL DWORD PTR DS:[<&KERNEL32.GetLastErr ; [KERNEL32.GetLastError
        PUSH EAX                                 ; /Arg1
        CALL 6F5C5E55                            ; \test_exe.6F5C5E55
        POP ECX
        MOV DWORD PTR DS:[ESI],EAX
    }
    return;
}

I'm unsure how to 'decompile' the asm stub. The pop ecx confuses me. The three instructions in the middle can be converted to sub_6F5C5E55(GetLastError()), I believe, and the return value is stored in the address return by function sub_6F5C5E97(), I think. Best guess (I know this is not correct)

Code:

void HeapFreeWrap(LPVOID lpMem)
{
    if(0 == lpMem)
        return;

    if(0 != HeapFree(globalHeapHandle, 0, lpMem)  // if success just return
        return;

    // Error logging
    int *pInt = sub_6F5C5E97()
    *pInt = sub_6F5C5E55(GetLastError());
    return;
}

The function does not appear to be very interesting and there is no reference to fs:[30] anywhere. If nothing is wrong it just calls HeapFree. Thats it!
Can you explain why you chose to show this function?

[tutenKam]

Thanks for the reply. I am a newbie and I am learning assembler slowly. I can compile code and I can make sense of what the code does. But when professors give code samples, they always ask the question "what function does the code do"? Anothewords, anyone can look up the instructions one line at a time but at the end of the day, you have to answer the question of what is the author trying to do?

I am getting better with normal code but references to kernel or user32 are the ones that stomp me and thats why I posted this.

Is there a quick tutorial on these two dlls? I am looking something for newbies, google gives to many hits and I find msdn useless most of the time.

Thank