Thread: Code Sample Question

  1. #1

    Code Sample Question


    I have some code that I need help with (comment on each line what it's doing).

    I know I can get shift F1 help in ollydbg but I am not sure what they are doing with this code.

    Is this the right place?


    Some general questions:

    I see references saying to search for fs:[30] in the dump but I can never get any search hits?

    How do I display the memory location so I can use the offset data in PEid for example?

    I am a newbie, so bear with me.
    I am doing this for fun; it's what happens when the weather is -30 outside.

    Thanks for any help.

    CPU Disasm
    Address   Hex dump          Command                                  Comments
    6F5C4B91  /$  8BFF          MOV EDI,EDI                              ; test_exe.6F5C4B91(guessed Arg1)
    6F5C4B93  |.  55            PUSH EBP
    6F5C4B94  |.  8BEC          MOV EBP,ESP
    6F5C4B96  |.  837D 08 00    CMP DWORD PTR SS:[EBP+8],0
    6F5C4B9A  |.- 74 2D         JE SHORT 6F5C4BC9
    6F5C4B9C  |.  FF75 08       PUSH DWORD PTR SS:[EBP+8]                ; /pMem
    6F5C4B9F  |.  6A 00         PUSH 0                                   ; |Flags = 0
    6F5C4BA1  |.  FF35 8C3A5F6F PUSH DWORD PTR DS:[6F5F3A8C]             ; |Heap = 043A0000
    6F5C4BA7  |.  FF15 8C705D6F CALL DWORD PTR DS:[<&KERNEL32.HeapFree>] ; \KERNEL32.HeapFree
    6F5C4BAD  |.  85C0          TEST EAX,EAX
    6F5C4BAF  |.- 75 18         JNZ SHORT 6F5C4BC9
    6F5C4BB1  |.  56            PUSH ESI
    6F5C4BB2  |.  E8 E0120000   CALL 6F5C5E97
    6F5C4BB7  |.  8BF0          MOV ESI,EAX
    6F5C4BB9  |.  FF15 88705D6F CALL DWORD PTR DS:[<&KERNEL32.GetLastErr ; [KERNEL32.GetLastError
    6F5C4BBF  |.  50            PUSH EAX                                 ; /Arg1
    6F5C4BC0  |.  E8 90120000   CALL 6F5C5E55                            ; \test_exe.6F5C5E55
    6F5C4BC5  |.  59            POP ECX
    6F5C4BC6  |.  8906          MOV DWORD PTR DS:[ESI],EAX
    6F5C4BC8  |.  5E            POP ESI
    6F5C4BC9  |>  5D            POP EBP
    6F5C4BCA  \.  C3            RETN
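
    The fs:[30] question from the first post, as an added example that is not part of the thread: "fs:[30]" is how the disassembler renders the operand, so a text search of the dump finds nothing; the bytes in memory are an FS segment-override prefix (0x64) followed by the load. The scanner below walks raw code bytes for the two common encodings of a 32-bit load through FS and reports the displacement, so FS:[30h] (PEB pointer) and FS:[18h] (TEB self pointer) reads show up as hits. The sample bytes are constructed for the example, not taken from the poster's test_exe.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One hit: byte offset of the instruction and the FS displacement it reads. */
typedef struct {
    size_t   off;
    uint32_t disp;
} fs_hit;

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Find 32-bit loads through the FS segment in the two encodings compilers
 * and shellcode normally emit:
 *   64 A1 dd dd dd dd       mov eax, fs:[disp32]
 *   64 8B /r dd dd dd dd    mov r32, fs:[disp32]   (ModRM mod=00, r/m=101)
 * Returns the total number of hits; at most `max` of them are stored in `out`. */
size_t scan_fs_loads(const uint8_t *buf, size_t len, fs_hit *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != 0x64)                        /* FS segment-override prefix */
            continue;
        uint32_t disp;
        if (i + 6 <= len && buf[i + 1] == 0xA1) {
            disp = read_le32(buf + i + 2);
        } else if (i + 7 <= len && buf[i + 1] == 0x8B && (buf[i + 2] & 0xC7) == 0x05) {
            disp = read_le32(buf + i + 3);
        } else {
            continue;
        }
        if (n < max) {
            out[n].off  = i;
            out[n].disp = disp;
        }
        n++;
    }
    return n;
}

/* Constructed sample (assumption for this example, not the poster's binary):
 * a prologue like the one in the listing, then the start of the classic PEB
 * walk used by shellcode and anti-debugging checks. */
const uint8_t sample_code[] = {
    0x8B, 0xFF,                                  /* mov edi, edi             */
    0x55,                                        /* push ebp                 */
    0x8B, 0xEC,                                  /* mov ebp, esp             */
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,          /* mov eax, fs:[30h]   PEB  */
    0x8B, 0x40, 0x0C,                            /* mov eax, [eax+0Ch]  Ldr  */
    0x64, 0x8B, 0x0D, 0x18, 0x00, 0x00, 0x00,    /* mov ecx, fs:[18h]   TEB  */
    0x5D,                                        /* pop ebp                  */
    0xC3,                                        /* ret                      */
};
const size_t sample_code_len = sizeof sample_code;

/* Helpers over the sample so single values can be checked. */
size_t sample_hit_count(void)
{
    fs_hit hits[8];
    return scan_fs_loads(sample_code, sample_code_len, hits, 8);
}
uint32_t sample_hit_disp(size_t idx)
{
    fs_hit hits[8];
    size_t n = scan_fs_loads(sample_code, sample_code_len, hits, 8);
    return (idx < n && idx < 8) ? hits[idx].disp : 0xFFFFFFFFu;
}
size_t sample_hit_off(size_t idx)
{
    fs_hit hits[8];
    size_t n = scan_fs_loads(sample_code, sample_code_len, hits, 8);
    return (idx < n && idx < 8) ? hits[idx].off : (size_t)-1;
}

int main(void)
{
    fs_hit hits[8];
    size_t n = scan_fs_loads(sample_code, sample_code_len, hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("+%02zx: mov r32, fs:[%02Xh]%s\n", hits[i].off, hits[i].disp,
               hits[i].disp == 0x30 ? "  (PEB)" : hits[i].disp == 0x18 ? "  (TEB)" : "");
    return 0;
}
```

    The same idea applies inside the debugger: search the code for the byte pattern (OllyDbg's binary-string search, Ctrl+B) or for the assembled command (Ctrl+F) rather than for the rendered text. A plain scan like this has no notion of instruction boundaries, so a 0x64 byte inside an immediate or displacement can produce a false hit; confirm each hit in the disassembly view.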

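    The second general question in the first post (turning the address OllyDbg displays into an offset PEiD or a hex editor can use), as an added example that is not part of the thread: the debugger shows virtual addresses; subtracting the module's load base gives an RVA, and the section table of the PE header maps that RVA to a file offset. The addresses below are the ones in the listing (the function start, the HeapFree import thunk and the heap-handle global); the image base 0x6F5C0000 and the section layout are constructed assumptions, since the listing does not show them. In practice read both from the real module's PE header (OllyDbg's memory map, Alt+M, shows the base and sections).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The IMAGE_SECTION_HEADER fields this conversion needs. */
typedef struct {
    const char *name;
    uint32_t    virtual_address;   /* RVA at which the section is mapped   */
    uint32_t    virtual_size;      /* bytes mapped in memory               */
    uint32_t    raw_pointer;       /* PointerToRawData: offset in the file */
    uint32_t    raw_size;          /* SizeOfRawData: bytes present in file */
} section_t;

/* Constructed layout for a hypothetical DLL loaded at 0x6F5C0000
 * (assumption for this example; take the real values from the PE header). */
static const uint32_t  IMAGE_BASE = 0x6F5C0000u;
static const section_t SECTIONS[] = {
    /* name      VA        VSize     RawPtr    RawSize */
    { ".text",   0x01000u, 0x15000u, 0x00400u, 0x15000u },
    { ".rdata",  0x16000u, 0x1D000u, 0x15400u, 0x1D000u },
    { ".data",   0x33000u, 0x02000u, 0x32400u, 0x00C00u },  /* tail 0x1400 bytes are BSS */
};

/* RVA -> file offset, or -1 when no bytes exist in the file for that RVA
 * (outside every section, or in the zero-filled tail of .data). */
int64_t rva_to_file_offset(uint32_t rva)
{
    for (size_t i = 0; i < sizeof SECTIONS / sizeof SECTIONS[0]; i++) {
        const section_t *s = &SECTIONS[i];
        /* Only bytes that are both mapped and present on disk have an offset. */
        uint32_t present = s->virtual_size < s->raw_size ? s->virtual_size : s->raw_size;
        if (rva >= s->virtual_address && rva - s->virtual_address < present)
            return (int64_t)s->raw_pointer + (rva - s->virtual_address);
    }
    return -1;
}

/* VA as shown in the debugger -> file offset, or -1. */
int64_t va_to_file_offset(uint32_t va)
{
    if (va < IMAGE_BASE)
        return -1;
    return rva_to_file_offset(va - IMAGE_BASE);
}

int main(void)
{
    /* Function start, HeapFree IAT slot, heap-handle global, and an address in BSS. */
    const uint32_t vas[] = { 0x6F5C4B91u, 0x6F5D708Cu, 0x6F5F3A8Cu, 0x6F5F3E00u };
    for (size_t i = 0; i < sizeof vas / sizeof vas[0]; i++) {
        int64_t off = va_to_file_offset(vas[i]);
        if (off < 0)
            printf("%08X -> not present in file\n", vas[i]);
        else
            printf("%08X -> file offset %08llX\n", vas[i], (unsigned long long)off);
    }
    return 0;
}
```

    Two caveats a practitioner runs into: the base seen in the debugger can differ from the ImageBase in the header when the module was relocated, so always subtract the base the loader actually used; and an address inside uninitialised data (or a packer's runtime-allocated region) has no file offset at all, which the -1 result makes explicit instead of silently producing a wrong offset.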
  2. #2
    Manually trying to decompile the easy part of that function gets

    void HeapFreeWrap(LPVOID lpMem)
    {
        if (0 == lpMem)
            return;
        if (0 != HeapFree(globalHeapHandle, 0, lpMem))   // if success just return
            return;
        _asm {                                           // Error logging
            CALL 6F5C5E97
            MOV ESI,EAX
            CALL DWORD PTR DS:[<&KERNEL32.GetLastError>] ; [KERNEL32.GetLastError
            PUSH EAX                                     ; /Arg1
            CALL 6F5C5E55                                ; \test_exe.6F5C5E55
            POP ECX
            MOV DWORD PTR DS:[ESI],EAX
        }
    }
    I'm unsure how to 'decompile' the asm stub. The pop ecx confuses me. The three instructions in the middle can be converted to sub_6F5C5E55(GetLastError()), I believe, and the return value is stored in the address returned by function sub_6F5C5E97(), I think. Best guess (I know this is not correct)

    void HeapFreeWrap(LPVOID lpMem)
    {
        if (0 == lpMem)
            return;
        if (0 != HeapFree(globalHeapHandle, 0, lpMem))   // if success just return
            return;
        // Error logging
        int *pInt = sub_6F5C5E97();                      // ESI = address the result is written to
        *pInt = sub_6F5C5E55(GetLastError());            // POP ECX only discards the pushed argument (cdecl stack cleanup)
    }
    The function does not appear to be very interesting and there is no reference to fs:[30] anywhere. If nothing is wrong it just calls HeapFree. That's it!
    Can you explain why you chose to show this function?

  3. #3
    Thanks for the reply. I am a newbie and I am learning assembler slowly. I can compile code and I can make sense of what the code does. But when professors give code samples, they always ask the question "what function does the code do?" In other words, anyone can look up the instructions one line at a time, but at the end of the day you have to answer the question of what the author is trying to do.

    I am getting better with normal code, but references to kernel32 or user32 are the ones that stump me, and that's why I posted this.

    Is there a quick tutorial on these two DLLs? I am looking for something for newbies; Google gives too many hits and I find MSDN useless most of the time.

