 Welcome to BiW Reversing
a silly question about asm of a very newbie

www.reversing.be Forum Index -> Code Reversing
bacsi
New to the board
Joined: 05 Jul 2005
Posts: 2

Posted: Tue Jul 05, 2005 5:19 am    Post subject: a silly question about asm of a very newbie

I just started self-learning asm today and here is a little piece of code which I don't understand; somebody please explain the code for me, thank you very much.

I already wrote some explanations; please correct me if any of them are incorrect.

Code:
+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object CODE **************
Program Entry Point = 00401000 (C:\patchme.EXE File Offset:00001800)



//******************** Program Entry Point ********
:00401000 B800104000              mov eax, 00401000      ; 00401000 = 4198400 [in decimal]
:00401005 B95F104000              mov ecx, 0040105F      ; 0040105F = 4198495 [in decimal]
:0040100A 2BC8                    sub ecx, eax         ; => 4198495 - 4198400 = 95
:0040100C 49                      dec ecx         ; 95 + 1
:0040100D 803890                  cmp byte ptr [eax], 90   ; < i got confused at this line
:00401010 7402                    je 00401014         ; jump to the address 00401014 if equal...
:00401012 EB07                    jmp 0040101B         ; jump to the address 0040101B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:


cmp byte ptr [eax], 90 : could somebody please explain this for me? And I just thought, in the order of the code flow, how come it's not ecx instead of eax...

thank y'all!
detten
Site Admin
Joined: 05 Feb 2005
Posts: 317

Posted: Tue Jul 05, 2005 7:51 am

cmp byte ptr [eax], 90 ; compare the byte eax points to with 90h.

eax holds an address of some memory place; if you check what is on that address ('follow in dump' if you use OllyDbg), you should see what the 90h is compared to.

In your piece of code, 00401000 till 0040105F is being scanned for the byte 90h. ECX is the counter with the remaining bytes to scan.
If 90h is found the algo jumps out of the loop. (je 00401014)
Since the memory we scan is the memory we are executing, you can be pretty sure it is checking if you nopped out code. (patched with 90h)

I think you got confused by the Intel argument order:

Quote:
:00401000 B800104000 mov eax, 00401000 ; 00401000 = 4198400 [in decimal]

It's rather like this:
Code:
mov eax, 00401000      ; eax = 00401000

_________________
Ignorance is bliss, knowledge is power
bengunn
Regular
Joined: 15 Apr 2005
Posts: 118

Posted: Tue Jul 05, 2005 8:16 am

deleted post, detten posted a second earlier
bacsi
New to the board
Joined: 05 Jul 2005
Posts: 2

Posted: Sun Jul 17, 2005 8:55 am

Is it wrong when I change the values into decimal so I can understand the code better?

Quote:
:00401000 B800104000 mov eax, 00401000 ; 00401000 = 4198400 [in decimal]
:00401005 B95F104000 mov ecx, 0040105F ; 0040105F = 4198495 [in decimal]
:0040100A 2BC8 sub ecx, eax ; => 4198495 - 4198400 = 95

:0040100A 2BC8 sub ecx, eax ; => 4198495 - 4198400 = 95 => so I could do the math

what should i do in this case?

cmp byte ptr [eax], 90 ; -> this means it takes a byte of EAX and compares it with 90 [90 here is in decimal form, right?]. I just wonder how I could find out what exactly the value of byte ptr [eax] is?

Thank you for your help.
BoR0
Regular
Joined: 28 Feb 2005
Posts: 105
Location: Europe

Posted: Sun Jul 17, 2005 10:19 am

Don't convert values to decimal, trust me. Reading in HEX and memory is easier. Decimal will only double your work.

Code:
:00401000 B800104000              mov eax, 00401000


EAX is set to 00401000 hex. That means memory at 00401000.

What
Code:
:0040100D 803890                  cmp byte ptr [eax], 90

does is compare if on address 00401000 there's a NOP instruction (90h).

So it compares
Code:
:00401000 B800104000              mov eax, 00401000


At byte ptr [00401000] (eax) we don't have 90h, but we have 0B8h instead. So your conditional jump won't jump, meaning it always jumps with that other JMP.

That's all, pretty simple huh?
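To make detten's and BoR0's explanations concrete, here is an added C emulation of the scan (not code from the crackme or from anyone in the thread). It replays the 20 listed bytes at 00401000, which is how the first byte turns out to be B8h rather than 90h, and also shows something the listed bytes themselves imply: a scan that starts at 00401000 meets a 90h at 0040100F, the immediate of the cmp instruction, before it reaches any byte a patcher touched. Assumptions, not on the page: the unseen loop body at 0040101B steps eax by one and runs until ecx reaches zero, and the bytes past 00401013 are padded with CCh.

```c
#include <stdint.h>
#include <string.h>
/* Constructed sample: the 20 bytes shown in the thread's listing, as they sit at
   00401000. The rest of 00401000..0040105F is not on the page; padded with CCh. */
#define CODE_BASE 0x00401000u
#define CODE_END  0x0040105Fu
#define CODE_LEN  (CODE_END - CODE_BASE)      /* 0x5F = 95, what the sub computes */

static const uint8_t listing[] = {
    0xB8, 0x00, 0x10, 0x40, 0x00,   /* 00401000  mov eax, 00401000        */
    0xB9, 0x5F, 0x10, 0x40, 0x00,   /* 00401005  mov ecx, 0040105F        */
    0x2B, 0xC8,                     /* 0040100A  sub ecx, eax             */
    0x49,                           /* 0040100C  dec ecx                  */
    0x80, 0x38, 0x90,               /* 0040100D  cmp byte ptr [eax], 90   */
    0x74, 0x02,                     /* 00401010  je 00401014              */
    0xEB, 0x07,                     /* 00401012  jmp 0040101B             */
};

/* Emulates the scan detten describes: eax walks from `start`, ecx holds the
   bytes left, and the first byte equal to 90h ends the loop (je 00401014).
   Returns that byte's address, or 0 if the range is clean. The loop body at
   0040101B is not on the page; eax += 1 and ecx counting down is assumed. */
uint32_t find_nop(const uint8_t image[CODE_LEN], uint32_t start)
{
    uint32_t eax = start;
    uint32_t ecx = CODE_END - start - 1;     /* sub ecx, eax ; dec ecx */
    for (;;) {
        if (image[eax - CODE_BASE] == 0x90)  /* cmp byte ptr [eax], 90 ; je */
            return eax;
        if (ecx-- == 0)
            return 0;
        eax++;
    }
}

/* Build the image, optionally apply a constructed patch (the jmp at 00401012
   overwritten with two NOPs, the kind of edit such a check is meant to catch),
   and scan from `start`. */
uint32_t scan(int patched, uint32_t start)
{
    uint8_t image[CODE_LEN];
    memset(image, 0xCC, CODE_LEN);
    memcpy(image, listing, sizeof listing);
    if (patched) {
        image[0x12] = 0x90;                  /* EB 07 -> 90 90 */
        image[0x13] = 0x90;
    }
    return find_nop(image, start);
}
```

Scanning from 00401010 instead (past the cmp's own immediate) returns 0 on the unpatched bytes and 00401012 once the jmp is nopped, which is the behaviour a self-check like this is after.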
parabytes
Frequent poster
Joined: 14 Apr 2005
Posts: 92
Location: Israel

Posted: Sat Jul 23, 2005 2:29 pm

Heyyyy.... That's one of my first crackmes!
_________________
thoughts roam free and endless..
Koffee
New to the board
Joined: 10 Sep 2005
Posts: 10

Posted: Mon Sep 12, 2005 11:05 am

bacsi -

If you are coming from a C/C++ background it may be easier to think of eax and ecx as being used as pointers. When a register is wrapped in square brackets it does the same thing as the * operator in C: get me the contents of this memory address.

Code:
cmp byte ptr[eax], 90

OR

if (*somePtr == 90h)

As a general question, I wonder why the output does not specify that this number is in hex (by either appending h to it or prefixing it with 0x); it seems a much cleaner way to see the difference immediately.
ColdWinterWind
New to the board
Joined: 30 Jun 2005
Posts: 5

Posted: Fri Dec 02, 2005 7:12 am

Quote:
As a general question I wonder why the output does not specify this number is in hex (by either appending h to it or prefixing it with 0x) it seems a much more clean way to see the difference immediately.


Well, nobody's ever explained it to me this way, but I suspect it's because:
A) It takes fewer bytes to represent the equivalent value (FF = 255), so a smaller file size; imagine an old mainframe where 1 kilobyte was HUGE memory.

B) Since everything else in programming is represented in hex, why bother with the processing overhead of reading a hex byte, then converting it to base 10 and displaying it? Already it can take vast amounts of time to disassemble a prog, why make it take longer?

C) Since the default/de facto standard is to use hex, why bother berating the obvious by marking with 0xnn or nn (h)?

There are some progs that still use 0xnn when displaying bytes, but I really have no idea why. The only time it would really be necessary is if the program were to have the ability to display values using differently based numbering systems - such as some hex editors, which can show hex, decimal, octal, etc.

That's my two-cents anyway...
parabytes
Frequent poster
Joined: 14 Apr 2005
Posts: 92
Location: Israel

Posted: Fri Dec 02, 2005 4:35 pm

Hex was chosen simply because it's a power of 2...

It's easier to convert between binary and hex because it's the same logic behind them, both being powers of 2. Whether you have noticed it or not, a nibble (one hex digit) is 4 bits, and octal digits (for that matter) are 3 bits...

Which is why both were chosen, and that's the reason why base64 was next in line (using 32 was redundant.)

Easier transformation for us humans. But still, we have 10 fingers and 10 toes, so we can count to 10. That's why everything in our lives has a sense of decimal base in it. Arabs, Japanese, Indians, Europeans: everyone used the decimal base because that is our limit, we can only count up to 10 fingers. Unless we're disfigured and got an extra toe/finger/etc..


IDA, Olly and the real disassembling engines use hex purely (unless stated or requested otherwise), while the VS debugger uses decimal because many people are still trapped in a cage of 10 fingers.

That's why it will always stay this way. It's human nature.

_________________
thoughts roam free and endless..
ColdWinterWind
New to the board
Joined: 30 Jun 2005
Posts: 5

Posted: Sat Dec 03, 2005 5:52 am

Nicely said, parabytes!
w0uter
New to the board
Joined: 20 Nov 2005
Posts: 1

Posted: Sun Dec 04, 2005 12:34 am

Isn't

dec ecx ; 95 + 1

95 - 1?
parabytes
Frequent poster
Joined: 14 Apr 2005
Posts: 92
Location: Israel

Posted: Sun Dec 04, 2005 12:54 am

It is, it's probably a mistake.

I believe this code is one of my first works, written in TASM... the only NOP seeker I've ever seen is there.

Correct me if I'm wrong... :]

_________________
thoughts roam free and endless..