flat assembler
Message board for the users of flat assembler.
Index
> Windows > Need help converting ASM to programming language |
Author |
|
shoorick 17 Apr 2009, 05:26
asm is exactly a programming language (one of them)
_byte=_byte xor (3 + 2*(source+5)) ebp usually used to point not buffers in memory, but data in stack: local variables or function parameters, but of course, there could be a local buffer. looks like cryptor/decrytor. |
|||
17 Apr 2009, 05:26 |
|
vexusdev 17 Apr 2009, 05:35
shoorick wrote: asm is exactly a programming language (one of them) Hm you sure thats it? Where do you get * from |
|||
17 Apr 2009, 05:35 |
|
revolution 17 Apr 2009, 07:30
"add eax,eax" is the same as: eax=eax+eax ----> eax=eax*2
|
|||
17 Apr 2009, 07:30 |
|
vexusdev 17 Apr 2009, 14:41
Old code:
CODE:0046F8EB mov al, [eax+edx] CODE:0046F8EE mov [ebp+var_1A], al <--here is different CODE:0046F8F1 mov al, byte ptr [ebp+i] CODE:0046F8F4 add al, 5 CODE:0046F8F6 add eax, eax CODE:0046F8F8 add al, 3 CODE:0046F8FA xor [ebp+var_1A], al <--here is different My code makes: CODE:0044EF96 mov bl, [eax+edx] <--Missing that line from real code--> CODE:0044EF99 mov al, byte ptr [ebp+i] CODE:0044EF9C add al, 5 CODE:0044EF9E add eax, eax CODE:0044EFA0 add al, 3 CODE:0044EFA2 xor bl, al <--here is different from real code My actual code: ch := ch xor (((i+5)*2)+3); ch := ch xor (Byte(n4CEEF4) + Byte(n4CEEF4)); What is: mov [ebp+var_1A], al It seems its xoring with it too.. I can't figure it out. |
|||
17 Apr 2009, 14:41 |
|
LocoDelAssembly 17 Apr 2009, 14:44
Your new code uses an extra CPU register and hence the local variable is not needed anymore (because now it is stored in BL register).
|
|||
17 Apr 2009, 14:44 |
|
vexusdev 17 Apr 2009, 14:45
LocoDelAssembly wrote: Your new code uses an extra CPU register and hence the local variable is not needed anymore (because now it is stored in BL register). Can you elaborate a bit more? The codes slightly off.. so it wont encrypt correctly I can't figure out the problem. Also how do I stop it from using another cpu registery ? confused :X Also does anyone know what this function does? movzx eax, ax shr eax, 8 retn Thinking its loword,hiword,hibyte or lobyte? |
|||
17 Apr 2009, 14:45 |
|
Madis731 17 Apr 2009, 16:11
I haven't seen the full code, but its very dangerous to load/store only the lowest 8-bit part of eax (al), but one instruction acts on the whole register. You might have something off there...
|
|||
17 Apr 2009, 16:11 |
|
LocoDelAssembly 17 Apr 2009, 17:08
vexusdev, better put a more complete ASM dump since if this is supposed to encrypt/decrypt something then it looks somewhat incomplete (there are no loops there for instance).
And as for the more elaboration of my previous answer what occurred there was that the compiler decided to store one of the local variables in BL register rather than an stack variable (like [ebp+var_1A]). The compiler probably decided so because that way is faster and/or makes the code size smaller but it doesn't change the final result at all, only timing is affected. Also, I don't see the "ch := ch xor (Byte(n4CEEF4) + Byte(n4CEEF4));" line in your Assembly dump, if it would be there and "Byte(n4CEEF4)" means the byte at memory address 0x4CEEF4 then you should see something like this: Code: mov cl, [0x4CEEF4] add cl, cl ; or maybe add ecx, ecx xor al, cl |
|||
17 Apr 2009, 17:08 |
|
shoorick 17 Apr 2009, 18:41
movzx eax, ax
shr eax, 8 similar to movzx eax,ah such code which looks like not-wise is usually result of code obfuscating to make reversing harder |
|||
17 Apr 2009, 18:41 |
|
bitRAKE 18 Apr 2009, 15:55
vexusdev wrote: mov al, byte ptr [ebp+source] AH <= AH*2 AH <= 0x7A < AL < 0xFB ? AH+1 AL <= 2*(AL+5)+3 Remapping has values in the range [7B,FA] producing set bits in the lsb of AH. _________________ ¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup |
|||
18 Apr 2009, 15:55 |
|
revolution 18 Apr 2009, 16:02
bitRAKE wrote: Without more code it is difficult to say if there is an intent to grab bits overflowing from AL in instruction ADD EAX,EAX. Maybe it is a valid assumption given later posts regarding contents of AH: Code: ch := ch xor (((i+5)*2)+3); |
|||
18 Apr 2009, 16:02 |
|
< Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.