
Code Sample Question

tutenKam
Junior Member
Posts: 8
Joined: Thu Jan 09, 2014 8:58 pm

Post by tutenKam »

Hello,

I have some code that I need help with (comment on each line what it's doing).

I know I can get Shift+F1 help in OllyDbg, but I am not sure what they are doing with this code.

Is this the right place?



Also,

Some general questions:

I see references saying to search for fs:[30] in the dump but I can never get any search hits?

How do I display the memory location so I can use the offset data in PEiD, for example?



I am a newbie, so bear with me.
I am doing this for fun; it's what happens when the weather is -30 outside.



Thanks for any help.


CPU Disasm
Address   Hex dump          Command                                  Comments
6F5C4B91  /$  8BFF          MOV EDI,EDI                              ; test_exe.6F5C4B91(guessed Arg1)
6F5C4B93  |.  55            PUSH EBP
6F5C4B94  |.  8BEC          MOV EBP,ESP
6F5C4B96  |.  837D 08 00    CMP DWORD PTR SS:[EBP+8],0
6F5C4B9A  |.- 74 2D         JE SHORT 6F5C4BC9
6F5C4B9C  |.  FF75 08       PUSH DWORD PTR SS:[EBP+8]                ; /pMem
6F5C4B9F  |.  6A 00         PUSH 0                                   ; |Flags = 0
6F5C4BA1  |.  FF35 8C3A5F6F PUSH DWORD PTR DS:[6F5F3A8C]             ; |Heap = 043A0000
6F5C4BA7  |.  FF15 8C705D6F CALL DWORD PTR DS:[<&KERNEL32.HeapFree>] ; \KERNEL32.HeapFree
6F5C4BAD  |.  85C0          TEST EAX,EAX
6F5C4BAF  |.- 75 18         JNZ SHORT 6F5C4BC9
6F5C4BB1  |.  56            PUSH ESI
6F5C4BB2  |.  E8 E0120000   CALL 6F5C5E97
6F5C4BB7  |.  8BF0          MOV ESI,EAX
6F5C4BB9  |.  FF15 88705D6F CALL DWORD PTR DS:[<&KERNEL32.GetLastErr ; [KERNEL32.GetLastError
6F5C4BBF  |.  50            PUSH EAX                                 ; /Arg1
6F5C4BC0  |.  E8 90120000   CALL 6F5C5E55                            ; \test_exe.6F5C5E55
6F5C4BC5  |.  59            POP ECX
6F5C4BC6  |.  8906          MOV DWORD PTR DS:[ESI],EAX
6F5C4BC8  |.  5E            POP ESI
6F5C4BC9  |>  5D            POP EBP
6F5C4BCA  \.  C3            RETN
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

Manually trying to decompile the easy part of that function gets


void HeapFreeWrap(LPVOID lpMem)
{
    if(0 == lpMem)
        return;

    if(0 != HeapFree(globalHeapHandle, 0, lpMem))  // if success just return
        return;

    _asm{                  // Error logging (not yet decompiled)
        CALL 6F5C5E97                            ; returns a pointer in EAX
        MOV ESI,EAX                              ; keep that pointer in ESI
        CALL DWORD PTR DS:[<&KERNEL32.GetLastErr ; [KERNEL32.GetLastError
        PUSH EAX                                 ; /Arg1 = last error code
        CALL 6F5C5E55                            ; \test_exe.6F5C5E55
        POP ECX                                  ; discard Arg1 (cdecl caller cleanup, same effect as ADD ESP,4)
        MOV DWORD PTR DS:[ESI],EAX               ; store the result through the saved pointer
    }
    return;
}
I'm unsure how to 'decompile' the asm stub. The pop ecx confuses me. The three instructions in the middle can be converted to sub_6F5C5E55(GetLastError()), I believe, and the return value is stored in the address returned by function sub_6F5C5E97(), I think. Best guess (I know this is not correct):


#include <windows.h>

HANDLE globalHeapHandle;               // heap handle loaded from DS:[6F5F3A8C]
int   *sub_6F5C5E97(void);             // returns the address the result is stored to
int    sub_6F5C5E55(DWORD lastError);  // takes the Win32 error code as its only argument

void HeapFreeWrap(LPVOID lpMem)
{
    if(0 == lpMem)
        return;

    if(0 != HeapFree(globalHeapHandle, 0, lpMem))  // if success just return
        return;

    // Error logging
    int *pInt = sub_6F5C5E97();
    *pInt = sub_6F5C5E55(GetLastError());
}
The function does not appear to be very interesting, and there is no reference to fs:[30] anywhere. If nothing is wrong it just calls HeapFree. That's it!
Can you explain why you chose to show this function?
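On the fs:[30] search question raised in the first post: an added example, not code from the thread or from the binary under discussion. A 32-bit read of the PEB pointer is encoded as an FS segment prefix (0x64) followed by MOV EAX,moffs32 (0xA1 + disp32) or MOV r32,r/m32 (0x8B with a [disp32] ModRM), so the dump holds bytes such as 64 A1 30 00 00 00; "fs:[30]" is text the disassembler prints and never appears in the hex dump, which is why a string search finds nothing. The scanner below decodes those encodings over a constructed byte buffer (the sample bytes are made up for the example; the function and type names are the example's own):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A 32-bit "MOV reg, FS:[30h]" is encoded as the FS prefix 0x64 followed by either
 * MOV EAX,moffs32 (0xA1 disp32) or MOV r32,r/m32 (0x8B, ModRM mod=00 rm=101, disp32).
 * Only those bytes exist in the dump; "fs:[30]" is produced by the disassembler. */

typedef struct {
    size_t   offset;  /* byte offset of the instruction in the buffer */
    int      reg;     /* destination register: 0=EAX 1=ECX 2=EDX 3=EBX 4=ESP 5=EBP 6=ESI 7=EDI */
    uint32_t disp;    /* FS-relative displacement: 0x30 = PEB pointer, 0x18 = TEB self pointer */
    size_t   length;  /* instruction length in bytes */
} fs_read_t;

static const char *reg_name(int r)
{
    static const char *names[] = { "EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI" };
    return (r >= 0 && r < 8) ? names[r] : "?";
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode an FS-relative dword read starting at buf[i]; returns 1 and fills *out on a match. */
static int decode_fs_read(const uint8_t *buf, size_t len, size_t i, fs_read_t *out)
{
    if (buf[i] != 0x64)
        return 0;
    if (i + 6 <= len && buf[i + 1] == 0xA1) {                                  /* 64 A1 disp32 */
        out->offset = i; out->reg = 0; out->disp = rd32(buf + i + 2); out->length = 6;
        return 1;
    }
    if (i + 7 <= len && buf[i + 1] == 0x8B && (buf[i + 2] & 0xC7) == 0x05) {   /* 64 8B /r [disp32] */
        out->offset = i; out->reg = (buf[i + 2] >> 3) & 7; out->disp = rd32(buf + i + 3); out->length = 7;
        return 1;
    }
    return 0;
}

/* Linear sweep over a code buffer: records every FS:[want_disp] read (up to max entries)
 * and returns the total number found. */
size_t find_fs_reads(const uint8_t *buf, size_t len, uint32_t want_disp, fs_read_t *hits, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < len; i++) {
        fs_read_t r;
        if (!decode_fs_read(buf, len, i, &r))
            continue;
        if (r.disp == want_disp) {
            if (found < max)
                hits[found] = r;
            found++;
        }
        i += r.length - 1;  /* skip the rest of the decoded instruction */
    }
    return found;
}

/* The n-th FS:[disp] read in the buffer, or an entry with reg == -1 if there is none. */
fs_read_t nth_fs_read(const uint8_t *buf, size_t len, uint32_t disp, size_t n)
{
    fs_read_t hits[16], none = { 0, -1, 0, 0 };
    size_t found = find_fs_reads(buf, len, disp, hits, 16);
    return (n < found && n < 16) ? hits[n] : none;
}

/* Constructed sample (assumed bytes, not from the thread's binary): the prologue from the
 * listing, a typical PEB.BeingDebugged check, and two more FS reads. */
const uint8_t sample_code[] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC,                 /* mov edi,edi ; push ebp ; mov ebp,esp */
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,           /* mov eax, fs:[0x30]        ; PEB */
    0x0F, 0xB6, 0x40, 0x02,                       /* movzx eax, byte [eax+2]   ; PEB.BeingDebugged */
    0x64, 0x8B, 0x0D, 0x30, 0x00, 0x00, 0x00,     /* mov ecx, fs:[0x30]        ; PEB again */
    0x64, 0x8B, 0x15, 0x18, 0x00, 0x00, 0x00,     /* mov edx, fs:[0x18]        ; TEB, not PEB */
    0x5D, 0xC3                                    /* pop ebp ; ret */
};
const size_t sample_code_len = sizeof sample_code;

int main(void)
{
    fs_read_t hits[16];
    size_t n = find_fs_reads(sample_code, sample_code_len, 0x30, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("offset %zu: MOV %s, DWORD PTR FS:[%X] (%zu bytes)\n",
               hits[i].offset, reg_name(hits[i].reg), hits[i].disp, hits[i].length);
    return 0;
}
```

The same idea applies inside OllyDbg: search the hex dump for the byte sequence (Search for > Binary string with 64 A1 30 00 00 00) or search the disassembly for the command text rather than the dump. Two caveats: a linear byte sweep can false-positive when 0x64 occurs inside data or inside another instruction's operands, and this only covers 32-bit code; 64-bit code reaches the PEB through GS:[60h] with a different encoding.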
tutenKam
Junior Member
Posts: 8
Joined: Thu Jan 09, 2014 8:58 pm

Post by tutenKam »

Thanks for the reply. I am a newbie and I am learning assembler slowly. I can compile code and I can make sense of what the code does. But when professors give code samples, they always ask the question "what function does the code do?" In other words, anyone can look up the instructions one line at a time, but at the end of the day you have to answer the question of what the author is trying to do.

I am getting better with normal code, but references to kernel32 or user32 are the ones that stump me, and that's why I posted this.

Is there a quick tutorial on these two DLLs? I am looking for something for newbies; Google gives too many hits, and I find MSDN useless most of the time.

Thanks