A couple of questions regarding registers etc...
spamtrap@crayne.org 2006-09-01, 6:56 pm
Hi everyone,
I'm going through some disassembled code, and a couple of lines refer
to something like:
0043A4F6 MOV DWORD PTR SS:[ESP+10], EAX
Now, if ESP refers to the current location of the stack pointer, does
this mean that if I work backwards through the code, I can find the
data stored at ESP+2C, e.g.
PUSH EAX ; 4 bytes
PUSH ECX ; 4 bytes
PUSH mycode.00490344 ; ascii "My codes" - 8 bytes
MOV DWORD ... ; i.e. the instruction above
Does this mean that ESP+10 refers to the first PUSH EAX instruction
above?
Also, I have seen the following code:
MOV ESI, 1
MOV ECX, DWORD PTR SS:[ESP+C05C]
PUSH mycode.00490344 ; ASCII "SPIDERDATA"
PUSH EDI
CDQ
FLDLN2
IDIV ESI
The last line is a mystery! ESI has been loaded with 1, so does this
mean that EDX:EAX is divided by 1?
If not, what does it really mean?
TIA
Paul
Rod Pemberton 2006-09-02, 6:56 pm
<spamtrap@crayne.org> wrote in message
news:1157151764.567582.263470@74g2000cwt.googlegroups.com...
> Hi everyone,
>
> I'm going through some disassembled code, and a couple of lines refer
> to something like:
>
> 0043A4F6 MOV DWORD PTR SS:[ESP+10], EAX
>
> Now, if ESP refers to the current location of the stack pointer, does
> this mean that if I work backwards through the code, I can find the
> data stored at ESP+2C, e.g.
>
> PUSH EAX ; 4 bytes
> PUSH ECX ; 4 bytes
> PUSH mycode.00490344 ; ascii "My codes" - 8 bytes
> MOV DWORD ... ; i.e. the instruction above
>
> Does this mean that ESP+10 refers to the first PUSH EAX instruction
> above?
>
The problem is that you claim 'PUSH mycode.00490344' is 8 bytes. It is more
likely 4 bytes. I've worked through some calculations for you below (taking
into account that POP increments ESP after retrieving a value from the stack
and PUSH decrements ESP prior to storing a value on the stack):
If 'PUSH mycode.00490344' is one dword (i.e., offset address 00490344, which
is 4 bytes not 8 bytes), ESP+8 would refer to the pushed EAX. ESP+4 would
refer to the pushed ECX.
If 'PUSH mycode.00490344' is pushing only eight bytes total, then ESP+8 is
the pushed ECX and ESP+12 is the pushed EAX. So, ESP+10 is the two bytes of
the high word of ECX and the two bytes of the low word of EAX, not in a usable
byte order...(this doesn't make sense to me from the posted snippet).
If 'PUSH mycode.00490344' is pushing eight dwords, then ESP+10 is in the
string somewhere. Once again, it doesn't appear to be aligned with the
data...(this doesn't make sense to me from the posted snippet).
> Also, I have seen the following code:
>
> MOV ESI, 1
> MOV ECX, DWORD PTR SS:[ESP+C05C]
> PUSH mycode.00490344 ; ASCII "SPIDERDATA"
> PUSH EDI
> CDQ
> FLDLN2
> IDIV ESI
>
> The last line is a mystery! ESI has been loaded with 1, so does this
> mean that EDX:EAX is divided by 1?
> If not, what does it really mean?
>
I'm not very familiar with these instructions, but this is my take on what
is happening.
My first thoughts are that a few things seem to be missing, such as the
initial value of EAX and/or a possible loop/branch using ESI or EDX. The
code which concerns the 'IDIV ESI' appears to be:
MOV ESI, 1
CDQ ; this converts EAX to signed EDX:EAX
IDIV ESI ; this is a signed division of EDX:EAX by ESI, quotient in EAX,
remainder in EDX
Since the division is signed and ESI is one, I would guess that EDX is a
signed zero (no remainder) where the sign came from EAX. Of course, you
didn't show what EAX was so we don't know the sign. EAX divided by ESI
which is currently 1 should just be EAX (with sign). So, this appears to me
to do nothing except set the sign bit of EDX from the sign bit of EAX. Are
you sure this isn't in a loop? Perhaps, some code uses EDX or ESI for a
branch...
HTH,
Rod Pemberton
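As an added example that is not code from the thread, a C simulation of the MOV ESI,1 ; CDQ ; IDIV ESI sequence discussed above, so the resulting EDX and EAX can be checked for any starting EAX (the starting values used are constructed), together with the two conditions under which IDIV raises a #DE divide error instead of writing results.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the thread: a simulation of the CDQ / IDIV ESI
 * pair from the snippet, so EDX and EAX can be checked for any starting EAX.
 * The starting values used below are constructed. */

typedef struct {
    uint32_t eax, edx;
    int fault;        /* 1 if IDIV would raise #DE (divide error) instead */
} regs_t;

/* CDQ: sign-extend EAX into EDX, making EDX:EAX a signed 64-bit value. */
static regs_t cdq(uint32_t eax) {
    regs_t r = { eax, ((int32_t)eax < 0) ? 0xFFFFFFFFu : 0u, 0 };
    return r;
}

/* IDIV r32: signed division of EDX:EAX by the divisor; quotient to EAX,
 * remainder to EDX (same sign as the dividend). A zero divisor or a quotient
 * outside the signed 32-bit range (e.g. INT32_MIN / -1) raises #DE. */
static regs_t idiv32(regs_t r, uint32_t divisor) {
    int64_t dividend = (int64_t)(((uint64_t)r.edx << 32) | r.eax);
    int64_t d = (int32_t)divisor;
    if (d == 0) { r.fault = 1; return r; }
    int64_t q = dividend / d;         /* C truncates toward zero, as IDIV does */
    if (q < INT32_MIN || q > INT32_MAX) { r.fault = 1; return r; }
    r.eax = (uint32_t)(int32_t)q;
    r.edx = (uint32_t)(int32_t)(dividend % d);
    return r;
}

/* The snippet's sequence: MOV ESI,1 ; CDQ ; IDIV ESI, for a chosen EAX and ESI. */
static regs_t cdq_idiv(uint32_t eax, uint32_t esi) {
    return idiv32(cdq(eax), esi);
}

int main(void) {
    uint32_t samples[] = { 5u, 0xFFFFFFFBu /* -5 */, 0x80000000u /* INT32_MIN */ };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        regs_t r = cdq_idiv(samples[i], 1u);
        printf("EAX=%08X: after CDQ EDX=%08X; after IDIV ESI(=1) EAX=%08X EDX=%08X\n",
               samples[i], cdq(samples[i]).edx, r.eax, r.edx);
    }
    regs_t f = cdq_idiv(0x80000000u, 0xFFFFFFFFu);   /* INT32_MIN / -1 */
    printf("INT32_MIN / -1 -> %s\n", f.fault ? "#DE divide error" : "ok");
    return 0;
}
```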
Tim Roberts 2006-09-03, 3:56 am
spamtrap@crayne.org wrote:
>
>I'm going through some disassembled code, and a couple of lines refer
>to something like:
>
>0043A4F6 MOV DWORD PTR SS:[ESP+10], EAX
>
>Now, if ESP refers to the current location of the stack pointer, does
>this mean that if I work backwards through the code, I can find the
>data stored at ESP+2C, e.g.
>
>PUSH EAX ; 4 bytes
>PUSH ECX ; 4 bytes
>PUSH mycode.00490344 ; ascii "My codes" - 8 bytes
This is pushing the ADDRESS of the string, not the string itself. It's 4
bytes.
>MOV DWORD ... ; i.e. the instruction above
As Rod said, this is referring to the dword just before those pushes.
>Also, I have seen the following code:
>
>MOV ESI, 1
>MOV ECX, DWORD PTR SS:[ESP+C05C]
>PUSH mycode.00490344 ; ASCII "SPIDERDATA"
>PUSH EDI
>CDQ
>FLDLN2
>IDIV ESI
>
>The last line is a mystery! ESI has been loaded with 1, so does this
>mean that EDX:EAX is divided by 1?
>If not, what does it really mean?
What it likely means is that this is not code, but data. Those are unusual
instructions to be seen together.
--
- Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.
Bjarni Juliusson 2006-09-03, 6:56 pm
Rod Pemberton wrote:
> If 'PUSH mycode.00490344' is pushing only eight bytes total, then ESP+8 is
> the pushed ECX and ESP+12 is the pushed EAX. So, ESP+10 is the two bytes of
> the high word of ECX and the two bytes of the low word of EAX, not in a usable
> byte order...(this doesn't make sense to me from the posted snippet).
You forget the numbers were in hexadecimal.
Bjarni
--
INFORMATION WANTS TO BE FREE
spamtrap@crayne.org 2006-09-03, 6:56 pm
Thanks - you're right about the "8 bytes", it should be 4 bytes as you
said.
As for what EAX contains, I am not too sure! I have been given the task
of going through disassembled code; since the original developer left
many years ago, the source code for that dll has gone missing. All I
have is the disassembly - it involves calculating half-lives, that's why
there is a log(e) function in there. It's hard going through the code
and finding what is ESP+x on the stack!
TIA
Paul
spamtrap@crayne.org 2006-09-03, 6:56 pm
By the way, I'm using OllyDbg as a disassembler. It's tough, as the code
steps into ntdll and freezes; I can't return or step on from then on!
Rod Pemberton 2006-09-03, 6:56 pm
----- Original Message -----
From: "Bjarni Juliusson" <spamtrap@crayne.org>
Newsgroups: comp.lang.asm.x86
Sent: Sunday, September 03, 2006 10:11 AM
Subject: Re: A couple of questions regarding registers etc...
"Bjarni Juliusson" <spamtrap@crayne.org> wrote in message
news:edenqs$e3i$1@Tempo.Update.UU.SE...
> Rod Pemberton wrote:
>
> You forget[sic,forgot] the numbers were in hexadecimal.
Yes, I did. Thanks for the correction.
Correction:
If 'PUSH mycode.00490344' is pushing only eight bytes total, then ESP+8 is
the pushed ECX and ESP+C is the pushed EAX. So, ESP+10 is the 4 bytes or
dword pushed before EAX. This could make sense depending on the missing
code.
Rod Pemberton
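As an added example (not code from the thread), a C model of the stack that replays PUSH EAX ; PUSH ECX ; PUSH mycode.00490344 with the pushed address as one 4-byte dword, then resolves SS:[ESP+disp] with the displacement read in hex as OllyDbg prints it, and shows what a read at the same displacement lands on when "10" is taken as decimal. The register values and the two earlier pushes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the thread: a small model of the 32-bit stack
 * so the PUSH sequence under discussion can be replayed and SS:[ESP+disp]
 * resolved as OllyDbg prints it (displacement in hex, a pushed address is one
 * 4-byte dword). Register values and the earlier pushes are constructed. */

#define STACK_BYTES 64
typedef struct { uint8_t mem[STACK_BYTES]; uint32_t esp; } stack_t; /* little-endian */

/* PUSH r32/imm32: ESP is decremented by 4 first, then the dword is stored. */
static void push32(stack_t *s, uint32_t v) {
    s->esp -= 4;
    memcpy(&s->mem[s->esp], &v, 4);
}

/* Read the dword at SS:[ESP+disp], parsing disp in the given radix. */
static uint32_t load_esp(const stack_t *s, const char *disp, int radix) {
    uint32_t d = (uint32_t)strtoul(disp, NULL, radix), v;
    memcpy(&v, &s->mem[s->esp + d], 4);
    return v;
}

/* Replay the question's snippet, preceded by two constructed earlier pushes. */
static void replay(stack_t *s) {
    memset(s->mem, 0, sizeof s->mem);
    s->esp = STACK_BYTES;       /* empty stack: ESP at the top of the buffer */
    push32(s, 0x44444444);      /* an earlier dword (constructed) */
    push32(s, 0x33333333);      /* the dword pushed just before EAX (constructed) */
    push32(s, 0x11111111);      /* PUSH EAX, EAX = 11111111 (constructed) */
    push32(s, 0x22222222);      /* PUSH ECX, ECX = 22222222 (constructed) */
    push32(s, 0x00490344);      /* PUSH mycode.00490344: the string's ADDRESS, 4 bytes */
}

/* Replay the snippet and resolve one SS:[ESP+disp] read. */
static uint32_t resolve(const char *disp, int radix) {
    stack_t s;
    replay(&s);
    return load_esp(&s, disp, radix);
}

int main(void) {
    printf("[ESP+4]  = %08X  (ECX)\n", resolve("4", 16));
    printf("[ESP+8]  = %08X  (EAX)\n", resolve("8", 16));
    printf("[ESP+10] = %08X  (hex 10 = 16: two dwords before EAX)\n", resolve("10", 16));
    /* Misreading "10" as decimal lands mid-dword: high word of EAX, low word of the next. */
    printf("[ESP+10 read as decimal] = %08X\n", resolve("10", 10));
    return 0;
}
```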