Reverse Engineering Asked on December 10, 2020
Assembler code from data segment:
.data:006A5038 dword_6A5038 dd 0
.data:006A5038
.data:006A503C ; char *off_6A503C
.data:006A503C off_6A503C dd offset aOption0
.data:006A503C
.data:006A503C
.data:006A5040 dword_6A5040 dd 1
.data:006A5040
.data:006A5044 dd offset aOption1
.data:006A5048 db 2
.data:006A5049 db 0
.data:006A504A db 0
.data:006A504B db 0
.data:006A504C dd offset aOption2
.data:006A5050 db 3
.data:006A5051 db 0
.data:006A5052 db 0
.data:006A5053 db 0
.data:006A5054 dd offset aOption3
.data:006A5058 db 4
..................................................
.data:006A5294 dd offset aOption4bh
.data:006A5298 db 4Ch ; L
.data:006A5299 db 0
.data:006A529A db 0
.data:006A529B db 0
.data:006A529C dd offset aOption4ch
.data:006A52A0 db 0FFh
.data:006A52A1 db 0FFh
.data:006A52A2 db 0FFh
.data:006A52A3 db 0FFh
Assembler code of code segment, it piece of code below is loop, and during this loop checks eax with value 0xffffffff for end of loop; every step of loop to do some opertion with compare this strings named "options". i.e. there is string, and string’s numeric indefiner, and for end of loop checks eax if 0xffffffff.
.text:005334DF mov eax, dword_6A5040[edi*8]
.text:005334E6 inc edi
.text:005334E7 cmp eax, 0FFFFFFFFh
.text:005334EA jnz loc_533433
Question- how this data from data segment (strings and numeric indefiners) might look in high-level languages like c++? May be is it structures, how arranged this structures? It like global variables, because placed in data segment. Thanks in advance!
.text:005334DF mov eax, dword_6A5040[edi*8]
0*8 = 0,1*8 = 8,2*8=16,.....n*8 =8n,....arrays and pointers are represented in x86 assembly with square brackets
this 6A5040[edi*8] denotes Array Access so
.data:006A5040 dword_6A5040 dd 1
will be the first member of array
in a higher language this will look like
*int eax = *(int *)6a5040* or
int eax = foo[i]
where foo is an array of some type
int foo[] = { {1,ptr} , {2,ptr} ,{3.ptr}, ...... ,{n ,ptr} };
inc edi here index is increased this will be like i++;
cmp and jnz will map to a conditional like
if (eax != val) {do something}
or
while (eax!=val) {do something}
putting all this together one can derive a higher levelcode that would yield similar work flowlike below
#include <stdio.h>
typedef struct _FOO
{
unsigned int a;
unsigned int *b;
}Foo,*PFoo;
unsigned int mint[] = {0,1,2,3,4,5,6,7,8,0xffffffff};
Foo myfoo[] =
{
{mint[ 0],&(mint[ 0])},
{mint[ 1],&(mint[ 1])},
{mint[ 2],&(mint[ 2])},
{mint[10],&(mint[10])}
};
int main (void)
{
int i =0;
while(myfoo[i].a != 0xffffffff)
{
printf("%ut%pn", myfoo[i].a, myfoo[i].b);
i++;
}
return 0;
}
and disassembly wouldbe like
0:000> uf .
foo!main:
013410a0 55 push ebp
013410a1 8bec mov ebp,esp
013410a3 51 push ecx
013410a4 c745fc00000000 mov dword ptr [ebp-4],0
foo!main+0xb:
013410ab 8b45fc mov eax,dword ptr [ebp-4]
013410ae 833cc5f8993801ff cmp dword ptr foo!myfoo (013899f8)[eax*8],0FFFFFFFFh
013410b6 742e je foo!main+0x46 (013410e6)
foo!main+0x18:
013410b8 8b4dfc mov ecx,dword ptr [ebp-4]
013410bb 8b14cdfc993801 mov edx,dword ptr foo!myfoo+0x4 (013899fc)[ecx*8]
013410c2 52 push edx
013410c3 8b45fc mov eax,dword ptr [ebp-4]
013410c6 8b0cc5f8993801 mov ecx,dword ptr foo!myfoo (013899f8)[eax*8]
013410cd 51 push ecx
013410ce 6890013801 push offset foo!__xt_z+0x4 (01380190)
013410d3 e858000000 call foo!printf (01341130)
013410d8 83c40c add esp,0Ch
013410db 8b55fc mov edx,dword ptr [ebp-4]
013410de 83c201 add edx,1
013410e1 8955fc mov dword ptr [ebp-4],edx
013410e4 ebc5 jmp foo!main+0xb (013410ab)
foo!main+0x46:
013410e6 33c0 xor eax,eax
013410e8 8be5 mov esp,ebp
013410ea 5d pop ebp
013410eb c3 ret
0:000>
Correct answer by blabb on December 10, 2020
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP