Reverse Engineering Asked by Bhavya Singh on November 10, 2020
I have the following disassembly of winload!CmpFindNlsData function and I need to check the output parameters of this function.
P.S.: CmpFindNLSData(int a1<eax>, int a2, PUNICODE_STRING pAnsiFileName, PUNICODE_STRING pOemFileName, PUNICODE_STRING pustrDefaultLanguage, PUNICODE_STRING pustrOemHalFontName)
could be the declaration of this function. This is my first attempt at reverse engineering, could someone please guide through the steps I could take up to define the algorithm of this function.
winload!CmpFindNLSData:
00893c10 8bff mov edi,edi
00893c12 55 push ebp
00893c13 8bec mov ebp,esp
00893c15 83ec40 sub esp,40h
00893c18 53 push ebx
00893c19 56 push esi
00893c1a 57 push edi
00893c1b 8d45e0 lea eax,[ebp-20h]
00893c1e 8bf1 mov esi,ecx
00893c20 50 push eax
00893c21 33db xor ebx,ebx
00893c23 8975ec mov dword ptr [ebp-14h],esi
00893c26 83cfff or edi,0FFFFFFFFh
00893c29 895dcc mov dword ptr [ebp-34h],ebx
00893c2c 52 push edx
00893c2d 56 push esi
00893c2e 897dc8 mov dword ptr [ebp-38h],edi
00893c31 897dd0 mov dword ptr [ebp-30h],edi
00893c34 895dd4 mov dword ptr [ebp-2Ch],ebx
00893c37 897de0 mov dword ptr [ebp-20h],edi
00893c3a 895de4 mov dword ptr [ebp-1Ch],ebx
00893c3d 897dc0 mov dword ptr [ebp-40h],edi
00893c40 895dc4 mov dword ptr [ebp-3Ch],ebx
00893c43 895de8 mov dword ptr [ebp-18h],ebx
00893c46 ff5604 call dword ptr [esi+4]
00893c49 85c0 test eax,eax
00893c4b 0f845d010000 je winload!CmpFindNLSData+0x19e (00893dae)
00893c51 8d4df4 lea ecx,[ebp-0Ch]
00893c54 8bd0 mov edx,eax
00893c56 51 push ecx
00893c57 68b8208e00 push offset winload!CmpControlString (008e20b8)
00893c5c 8bce mov ecx,esi
00893c5e e869510000 call winload!CmpFindSubKeyByNameWithStatus (00898dcc)
00893c63 8d45e0 lea eax,[ebp-20h]
00893c66 50 push eax
00893c67 56 push esi
00893c68 ff5608 call dword ptr [esi+8]
00893c6b 397df4 cmp dword ptr [ebp-0Ch],edi
00893c6e 0f843a010000 je winload!CmpFindNLSData+0x19e (00893dae)
00893c74 8d45e0 lea eax,[ebp-20h]
00893c77 50 push eax
00893c78 ff75f4 push dword ptr [ebp-0Ch]
00893c7b 56 push esi
00893c7c ff5604 call dword ptr [esi+4]
00893c7f 85c0 test eax,eax
00893c81 0f8427010000 je winload!CmpFindNLSData+0x19e (00893dae)
00893c87 8d4df4 lea ecx,[ebp-0Ch]
00893c8a 8bd0 mov edx,eax
00893c8c 51 push ecx
00893c8d 68f8208e00 push offset winload!CmpNlsString (008e20f8)
00893c92 8bce mov ecx,esi
00893c94 e833510000 call winload!CmpFindSubKeyByNameWithStatus (00898dcc)
00893c99 8d45e0 lea eax,[ebp-20h]
00893c9c 50 push eax
00893c9d 56 push esi
00893c9e ff5608 call dword ptr [esi+8]
00893ca1 397df4 cmp dword ptr [ebp-0Ch],edi
00893ca4 0f8404010000 je winload!CmpFindNLSData+0x19e (00893dae)
00893caa 8d45e0 lea eax,[ebp-20h]
00893cad 50 push eax
00893cae ff75f4 push dword ptr [ebp-0Ch]
00893cb1 56 push esi
00893cb2 ff5604 call dword ptr [esi+4]
00893cb5 85c0 test eax,eax
00893cb7 0f84f1000000 je winload!CmpFindNLSData+0x19e (00893dae)
00893cbd 8d4df4 lea ecx,[ebp-0Ch]
00893cc0 8bd0 mov edx,eax
00893cc2 51 push ecx
00893cc3 6808218e00 push offset winload!CmpCodePageString (008e2108)
00893cc8 8bce mov ecx,esi
00893cca e8fd500000 call winload!CmpFindSubKeyByNameWithStatus (00898dcc)
00893ccf 8d45e0 lea eax,[ebp-20h]
00893cd2 50 push eax
00893cd3 56 push esi
00893cd4 ff5608 call dword ptr [esi+8]
00893cd7 397df4 cmp dword ptr [ebp-0Ch],edi
00893cda 0f84ce000000 je winload!CmpFindNLSData+0x19e (00893dae)
00893ce0 8d45e0 lea eax,[ebp-20h]
00893ce3 50 push eax
00893ce4 ff75f4 push dword ptr [ebp-0Ch]
00893ce7 56 push esi
00893ce8 ff5604 call dword ptr [esi+4]
00893ceb 85c0 test eax,eax
00893ced 0f84bb000000 je winload!CmpFindNLSData+0x19e (00893dae)
00893cf3 6870228e00 push offset winload!CmpAcpString (008e2270)
00893cf8 8bd0 mov edx,eax
00893cfa 8bce mov ecx,esi
00893cfc e885330000 call winload!CmpFindValueByName (00897086)
00893d01 8bf8 mov edi,eax
00893d03 8d45e0 lea eax,[ebp-20h]
00893d06 50 push eax
00893d07 56 push esi
00893d08 ff5608 call dword ptr [esi+8]
00893d0b 83ffff cmp edi,0FFFFFFFFh
00893d0e 0f849a000000 je winload!CmpFindNLSData+0x19e (00893dae)
00893d14 8d45d0 lea eax,[ebp-30h]
00893d17 50 push eax
00893d18 57 push edi
00893d19 56 push esi
00893d1a ff5604 call dword ptr [esi+4]
00893d1d 85c0 test eax,eax
00893d1f 0f8489000000 je winload!CmpFindNLSData+0x19e (00893dae)
00893d25 8d4dc8 lea ecx,[ebp-38h]
00893d28 8bd7 mov edx,edi
00893d2a 51 push ecx
00893d2b 8d4df8 lea ecx,[ebp-8]
00893d2e 51 push ecx
00893d2f 50 push eax
00893d30 8bce mov ecx,esi
00893d32 e8c7340000 call winload!CmpValueToData (008971fe)
00893d37 8bf8 mov edi,eax
00893d39 8d45d0 lea eax,[ebp-30h]
00893d3c 50 push eax
00893d3d 56 push esi
00893d3e 897ddc mov dword ptr [ebp-24h],edi
00893d41 ff5608 call dword ptr [esi+8]
00893d44 85ff test edi,edi
00893d46 7466 je winload!CmpFindNLSData+0x19e (00893dae)
00893d48 8b55f8 mov edx,dword ptr [ebp-8]
00893d4b 33c9 xor ecx,ecx
00893d4d 33c0 xor eax,eax
00893d4f 668955da mov word ptr [ebp-26h],dx
00893d53 66894dd8 mov word ptr [ebp-28h],cx
00893d57 c745f002000000 mov dword ptr [ebp-10h],2
00893d5e 663bc2 cmp ax,dx
00893d61 731d jae winload!CmpFindNLSData+0x170 (00893d80)
00893d63 8b75f0 mov esi,dword ptr [ebp-10h]
00893d66 0fb7c1 movzx eax,cx
00893d69 d1e8 shr eax,1
00893d6b 66391c47 cmp word ptr [edi+eax*2],bx
00893d6f 740c je winload!CmpFindNLSData+0x16d (00893d7d)
00893d71 6603ce add cx,si
00893d74 66894dd8 mov word ptr [ebp-28h],cx
00893d78 663bca cmp cx,dx
00893d7b 72e9 jb winload!CmpFindNLSData+0x156 (00893d66)
00893d7d 8b75ec mov esi,dword ptr [ebp-14h]
00893d80 8b5d08 mov ebx,dword ptr [ebp+8]
00893d83 6a36 push 36h
00893d85 58 pop eax
00893d86 663907 cmp word ptr [edi],ax
00893d89 750c jne winload!CmpFindNLSData+0x187 (00893d97)
00893d8b c745e801000000 mov dword ptr [ebp-18h],1
00893d92 e992000000 jmp winload!CmpFindNLSData+0x219 (00893e29)
00893d97 8d45e0 lea eax,[ebp-20h]
00893d9a 50 push eax
00893d9b ff75f4 push dword ptr [ebp-0Ch]
00893d9e 56 push esi
00893d9f ff5604 call dword ptr [esi+4]
00893da2 85c0 test eax,eax
00893da4 7513 jne winload!CmpFindNLSData+0x1a9 (00893db9)
00893da6 8d45c8 lea eax,[ebp-38h]
00893da9 50 push eax
00893daa 56 push esi
00893dab ff5608 call dword ptr [esi+8]
00893dae 32c0 xor al,al
00893db0 5f pop edi
00893db1 5e pop esi
00893db2 5b pop ebx
00893db3 8be5 mov esp,ebp
00893db5 5d pop ebp
00893db6 c20c00 ret 0Ch
00893db9 8d4dd8 lea ecx,[ebp-28h]
00893dbc 8bd0 mov edx,eax
00893dbe 51 push ecx
00893dbf 8bce mov ecx,esi
00893dc1 e8c0320000 call winload!CmpFindValueByName (00897086)
00893dc6 8bf8 mov edi,eax
00893dc8 8d45c8 lea eax,[ebp-38h]
00893dcb 50 push eax
00893dcc 56 push esi
00893dcd ff5608 call dword ptr [esi+8]
00893dd0 33c0 xor eax,eax
00893dd2 8945dc mov dword ptr [ebp-24h],eax
00893dd5 8d45e0 lea eax,[ebp-20h]
00893dd8 50 push eax
00893dd9 56 push esi
00893dda ff5608 call dword ptr [esi+8]
00893ddd 83ffff cmp edi,0FFFFFFFFh
00893de0 74cc je winload!CmpFindNLSData+0x19e (00893dae)
00893de2 8d45d0 lea eax,[ebp-30h]
00893de5 50 push eax
00893de6 57 push edi
00893de7 56 push esi
00893de8 ff5604 call dword ptr [esi+4]
00893deb 85c0 test eax,eax
00893ded 74bf je winload!CmpFindNLSData+0x19e (00893dae)
00893def 8d4dc0 lea ecx,[ebp-40h]
00893df2 8bd7 mov edx,edi
00893df4 51 push ecx
00893df5 8d4df8 lea ecx,[ebp-8]
00893df8 51 push ecx
00893df9 50 push eax
00893dfa 8bce mov ecx,esi
00893dfc e8fd330000 call winload!CmpValueToData (008971fe)
00893e01 894304 mov dword ptr [ebx+4],eax
00893e04 85c0 test eax,eax
00893e06 7408 je winload!CmpFindNLSData+0x200 (00893e10)
00893e08 8d45c0 lea eax,[ebp-40h]
00893e0b 50 push eax
00893e0c 56 push esi
00893e0d ff5608 call dword ptr [esi+8]
00893e10 8d45d0 lea eax,[ebp-30h]
00893e13 50 push eax
00893e14 56 push esi
00893e15 ff5608 call dword ptr [esi+8]
00893e18 33c0 xor eax,eax
00893e1a 394304 cmp dword ptr [ebx+4],eax
00893e1d 748f je winload!CmpFindNLSData+0x19e (00893dae)
00893e1f 8b45f8 mov eax,dword ptr [ebp-8]
00893e22 66894302 mov word ptr [ebx+2],ax
00893e26 668903 mov word ptr [ebx],ax
00893e29 8d45e0 lea eax,[ebp-20h]
00893e2c 50 push eax
00893e2d ff75f4 push dword ptr [ebp-0Ch]
00893e30 56 push esi
00893e31 ff5604 call dword ptr [esi+4]
00893e34 85c0 test eax,eax
00893e36 0f8472ffffff je winload!CmpFindNLSData+0x19e (00893dae)
00893e3c 6848228e00 push offset winload!CmpOemCpString (008e2248)
00893e41 8bd0 mov edx,eax
00893e43 8bce mov ecx,esi
00893e45 e83c320000 call winload!CmpFindValueByName (00897086)
00893e4a 8bf8 mov edi,eax
00893e4c 8d45e0 lea eax,[ebp-20h]
00893e4f 50 push eax
00893e50 56 push esi
00893e51 ff5608 call dword ptr [esi+8]
00893e54 83ffff cmp edi,0FFFFFFFFh
00893e57 0f8451ffffff je winload!CmpFindNLSData+0x19e (00893dae)
00893e5d 8d45d0 lea eax,[ebp-30h]
00893e60 50 push eax
00893e61 57 push edi
00893e62 56 push esi
00893e63 ff5604 call dword ptr [esi+4]
00893e66 85c0 test eax,eax
00893e68 0f8440ffffff je winload!CmpFindNLSData+0x19e (00893dae)
00893e6e 8d4dc8 lea ecx,[ebp-38h]
00893e71 8bd7 mov edx,edi
00893e73 51 push ecx
00893e74 8d4df8 lea ecx,[ebp-8]
00893e77 51 push ecx
00893e78 50 push eax
00893e79 8bce mov ecx,esi
00893e7b e87e330000 call winload!CmpValueToData (008971fe)
00893e80 8bf8 mov edi,eax
00893e82 8d45d0 lea eax,[ebp-30h]
00893e85 50 push eax
00893e86 56 push esi
00893e87 897ddc mov dword ptr [ebp-24h],edi
00893e8a ff5608 call dword ptr [esi+8]
00893e8d 85ff test edi,edi
00893e8f 0f8419ffffff je winload!CmpFindNLSData+0x19e (00893dae)
00893e95 8b55f8 mov edx,dword ptr [ebp-8]
00893e98 33c9 xor ecx,ecx
00893e9a 33c0 xor eax,eax
00893e9c 668955da mov word ptr [ebp-26h],dx
00893ea0 66894dd8 mov word ptr [ebp-28h],cx
00893ea4 663bc2 cmp ax,dx
00893ea7 7322 jae winload!CmpFindNLSData+0x2bb (00893ecb)
00893ea9 8b75f0 mov esi,dword ptr [ebp-10h]
00893eac 33db xor ebx,ebx
00893eae 0fb7c1 movzx eax,cx
00893eb1 d1e8 shr eax,1
00893eb3 66391c47 cmp word ptr [edi+eax*2],bx
00893eb7 740c je winload!CmpFindNLSData+0x2b5 (00893ec5)
00893eb9 6603ce add cx,si
00893ebc 66894dd8 mov word ptr [ebp-28h],cx
00893ec0 663bca cmp cx,dx
00893ec3 72e9 jb winload!CmpFindNLSData+0x29e (00893eae)
00893ec5 8b75ec mov esi,dword ptr [ebp-14h]
00893ec8 8b5d08 mov ebx,dword ptr [ebp+8]
00893ecb 6a36 push 36h
00893ecd 58 pop eax
00893ece 663907 cmp word ptr [edi],ax
00893ed1 8b7d0c mov edi,dword ptr [ebp+0Ch]
00893ed4 0f8496000000 je winload!CmpFindNLSData+0x360 (00893f70)
00893eda 8d45e0 lea eax,[ebp-20h]
00893edd 50 push eax
00893ede ff75f4 push dword ptr [ebp-0Ch]
00893ee1 56 push esi
00893ee2 ff5604 call dword ptr [esi+4]
00893ee5 85c0 test eax,eax
00893ee7 0f84b9feffff je winload!CmpFindNLSData+0x196 (00893da6)
00893eed 8d4dd8 lea ecx,[ebp-28h]
00893ef0 8bd0 mov edx,eax
00893ef2 51 push ecx
00893ef3 8bce mov ecx,esi
00893ef5 e88c310000 call winload!CmpFindValueByName (00897086)
00893efa 894508 mov dword ptr [ebp+8],eax
00893efd 8d45c8 lea eax,[ebp-38h]
00893f00 50 push eax
00893f01 56 push esi
00893f02 ff5608 call dword ptr [esi+8]
00893f05 8d45e0 lea eax,[ebp-20h]
00893f08 50 push eax
00893f09 56 push esi
00893f0a ff5608 call dword ptr [esi+8]
00893f0d 8b4508 mov eax,dword ptr [ebp+8]
00893f10 83f8ff cmp eax,0FFFFFFFFh
00893f13 0f8495feffff je winload!CmpFindNLSData+0x19e (00893dae)
00893f19 8d4dd0 lea ecx,[ebp-30h]
00893f1c 51 push ecx
00893f1d 50 push eax
00893f1e 56 push esi
00893f1f ff5604 call dword ptr [esi+4]
00893f22 85c0 test eax,eax
00893f24 0f8484feffff je winload!CmpFindNLSData+0x19e (00893dae)
00893f2a 8b5508 mov edx,dword ptr [ebp+8]
00893f2d 8d4dc0 lea ecx,[ebp-40h]
00893f30 51 push ecx
00893f31 8d4df8 lea ecx,[ebp-8]
00893f34 51 push ecx
00893f35 50 push eax
00893f36 8bce mov ecx,esi
00893f38 e8c1320000 call winload!CmpValueToData (008971fe)
00893f3d 894704 mov dword ptr [edi+4],eax
00893f40 85c0 test eax,eax
00893f42 7408 je winload!CmpFindNLSData+0x33c (00893f4c)
00893f44 8d45c0 lea eax,[ebp-40h]
00893f47 50 push eax
00893f48 56 push esi
00893f49 ff5608 call dword ptr [esi+8]
00893f4c 8d45d0 lea eax,[ebp-30h]
00893f4f 50 push eax
00893f50 56 push esi
00893f51 ff5608 call dword ptr [esi+8]
00893f54 33c9 xor ecx,ecx
00893f56 394f04 cmp dword ptr [edi+4],ecx
00893f59 0f844ffeffff je winload!CmpFindNLSData+0x19e (00893dae)
00893f5f 8b45f8 mov eax,dword ptr [ebp-8]
00893f62 66894702 mov word ptr [edi+2],ax
00893f66 668907 mov word ptr [edi],ax
00893f69 394de8 cmp dword ptr [ebp-18h],ecx
00893f6c 7412 je winload!CmpFindNLSData+0x370 (00893f80)
00893f6e eb02 jmp winload!CmpFindNLSData+0x362 (00893f72)
00893f70 33c9 xor ecx,ecx
00893f72 33c0 xor eax,eax
00893f74 894b04 mov dword ptr [ebx+4],ecx
00893f77 668903 mov word ptr [ebx],ax
00893f7a 894f04 mov dword ptr [edi+4],ecx
00893f7d 668907 mov word ptr [edi],ax
00893f80 8b4d10 mov ecx,dword ptr [ebp+10h]
00893f83 b001 mov al,1
00893f85 6a14 push 14h
00893f87 5a pop edx
00893f88 c741044c1a8e00 mov dword ptr [ecx+4],offset winload!`string' (008e1a4c)
00893f8f 66895102 mov word ptr [ecx+2],dx
00893f93 668911 mov word ptr [ecx],dx
00893f96 e915feffff jmp winload!CmpFindNLSData+0x1a0 (00893db0)
00893f9b cc int 3
The function's Disassembly Does Not Match the prototype
This function takes only 3 arguments which can be ascertained with the first/multiple failure Exits
if(!foo) { return false;}
00893c49 85c0 test eax,eax <<<< if(!foo)
00893c4b 0f845d010000 je winload!CmpFindNLSData+0x19e (00893dae)
|
00893dae 32c0 xor al,al <<<<<<< bool False
00893db0 5f pop edi
00893db1 5e pop esi
00893db2 5b pop ebx
00893db3 8be5 mov esp,ebp
00893db5 5d pop ebp
00893db6 c20c00 ret 0Ch <<<<<<<<<< pops 3 arguments
we can also confirm the arguments Access in x86 by looking for ebp+ patterns (beware FPO )
copy pasting the disassembly from your query and grepping for ebp+8
yields only access to (ebp + [0x8,0xc,0x10]) so this function definitely takes only 3 arguments or 5 if this is _fastcall (ecx,edx)
:>wc -l nlsdatadis.txt
350 nlsdatadis.txt
:>grep ebp+ nlsdatadis.txt
00893d80 8b5d08 mov ebx,dword ptr [ebp+8] <<<
00893ec8 8b5d08 mov ebx,dword ptr [ebp+8]
00893ed1 8b7d0c mov edi,dword ptr [ebp+0Ch] <<<
00893efa 894508 mov dword ptr [ebp+8],eax
00893f0d 8b4508 mov eax,dword ptr [ebp+8]
00893f2a 8b5508 mov edx,dword ptr [ebp+8]
00893f80 8b4d10 mov ecx,dword ptr [ebp+10h] <<<<
we can infer that the last/3rd argument is a PUNICODE_STRING by looking at the Disassembly that Accesses [ebp+10]
00893f80 8b4d10 mov ecx,dword ptr [ebp+10h]
00893f83 b001 mov al,1 <<<<<<< bool TRUE
00893f85 6a14 push 14h <<<< str length
00893f87 5a pop edx
00893f88 c741044c1a8e00 mov dword ptr [ecx+4],offset winload!`string' (008e1a4c)
<<< pointer to Buffer
00893f8f 66895102 mov word ptr [ecx+2],dx << (max len)
00893f93 668911 mov word ptr [ecx],dx << (len)
00893f96 e915feffff jmp winload!CmpFindNLSData+0x1a0 (00893db0) << again
jumps to Exit that is described above with True as Return)
2nd Argument is also PUNICODE_STRING (ebp+0c,edi) ist Argument is Some function pointer or the this call convention's this
as ebp+8 is modified several times by mov
Correct answer by blabb on November 10, 2020
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP