Reverse Engineering Asked by black4 on September 30, 2021
I have this piece of code:
.text:00537FDE push offset a3Rrrrrrrrrrrrr ; "3L+ÐÐÐÐÐÐÐÐÐÐÐÐÐ+ÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐøû9n"
.text:00537FE3 call sub_5606A0
Where offset a3Rrrrrrrrrrrrr is:
.text:005379B0 a3Rrrrrrrrrrrrr db '3L+ÐÐÐÐÐÐÐÐÐÐÐÐÐ+ÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐøû9',0Ah,0
The bytes from Hex View of this string:
.text:005379B0 33 C0 C3 90 90 90 90 90 90 90 90 90 90 90 90 90 3L+ÐÐÐÐÐÐÐÐÐÐÐÐÐ
.text:005379C0 C3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 +ÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐ
.text:005379D0 E8 EB 39 0A 00 68 C0 79 53 00 68 80 56 6A 00 6A øû9.hLyS.hÀVj.j
And sub_5606A0:
.text:005606A0 sub_5606A0 proc near ; CODE XREF: WinMain(x,x,x,x)+223p
.text:005606A0
.text:005606A0 arg_0 = dword ptr 4
.text:005606A0
.text:005606A0 mov eax, [esp+arg_0]
.text:005606A4 mov dword_8478CC, eax
.text:005606A9 retn
.text:005606A9 sub_5606A0 endp
What can this encoded string mean?
.text:005379B0 a3Rrrrrrrrrrrrr db '3L+ÐÐÐÐÐÐÐÐÐÐÐÐÐ+ÐÐÐÐÐÐÐÐÐÐÐÐÐÐÐøû9',0Ah,0
Thanks in advance!
The sequence of bytes does not represent a string.
Please take note of the first 3 bytes: 0x33, 0xc0, 0xc3.
These are the opcodes for xor eax,eax and retn, basically return 0; in C / C++.
0:000> eb . 33 c0 c3
0:000> u . l2
ntdll!LdrpDoDebuggerBreak+0x2c:
777a05a6 33c0 xor eax,eax
777a05a8 c3 ret
0:000>
This is probably a chunk of a function which has many return 0; statements,
like if(!a) return 0; do b = blah(); if(!b) return 0; .......
Here the compiler might have recognized the repetition
and must have split the part into a separate piece/chunk as part of optimization.
That said, 0x90 aka NOP is shown as some kind of D
.text:005379B0 33 C0 C3 90 90 90 90 90 90 90 90 90 90 90 90 90 3L+ÐÐÐÐÐÐÐÐÐÐÐÐÐ
which indicates it is probably not a normal English locale encoding.
Answered by blabb on September 30, 2021
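Added example, not part of the original question or answer: the 48 bytes from the hex view in the question, read as 32-bit x86 instructions instead of as characters. The decoder is a constructed, hypothetical helper that handles only the opcodes occurring in that dump; the base address and bytes are the ones shown in the question.

```python
import struct
from itertools import groupby

# Base address and bytes copied from the three hex-view rows in the question.
BASE = 0x005379B0
DUMP = bytes.fromhex(
    "33 C0 C3 90 90 90 90 90 90 90 90 90 90 90 90 90"
    "C3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90"
    "E8 EB 39 0A 00 68 C0 79 53 00 68 80 56 6A 00 6A"
)

def decode(buf, base):
    """Hypothetical minimal 32-bit x86 decoder: handles only the opcodes in DUMP."""
    out, i = [], 0
    while i < len(buf):
        addr, op = base + i, buf[i]
        if op == 0x33 and buf[i + 1:i + 2] == b"\xC0":
            text, size = "xor eax, eax", 2
        elif op == 0xC3:
            text, size = "ret", 1
        elif op == 0x90:
            text, size = "nop", 1
        elif op == 0xE8 and i + 5 <= len(buf):      # call rel32, relative to next insn
            (rel,) = struct.unpack_from("<i", buf, i + 1)
            text, size = f"call 0x{(addr + 5 + rel) & 0xFFFFFFFF:08X}", 5
        elif op == 0x68 and i + 5 <= len(buf):      # push imm32
            (imm,) = struct.unpack_from("<I", buf, i + 1)
            text, size = f"push 0x{imm:08X}", 5
        else:                                       # not in table, or operand cut off
            text, size = f"db 0x{op:02X}", 1
        out.append((addr, text))
        i += size
    return out

def listing(buf, base):
    """Collapse runs of identical instructions (the NOP padding) into one line."""
    lines = []
    for text, run in groupby(decode(buf, base), key=lambda insn: insn[1]):
        run = list(run)
        suffix = f"  ; x{len(run)}" if len(run) > 1 else ""
        lines.append(f".text:{run[0][0]:08X}  {text}{suffix}")
    return lines

if __name__ == "__main__":
    print("\n".join(listing(DUMP, BASE)))
```

In the output, the push at 005379D5 carries 0x005379C0, which is the address of the single ret at the start of the second row. The final 0x6A is left as a data byte because the dump ends before its operand.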