flat assembler
Message board for the users of flat assembler.

Index > Windows > Need help converting ASM to programming language

Author
Thread Post new topic Reply to topic
vexusdev



Joined: 17 Apr 2009
Posts: 4
vexusdev
mov al, byte ptr [ebp+source]
add al, 5
add eax, eax
add al, 3
xor [ebp+_byte], al


_byte:=Integer(source[bufpos])+5 xor Integer(source[bufpos])+3;


Please if you know how this should be in code please tell me.
Post 17 Apr 2009, 05:08
View user's profile Send private message Reply with quote
shoorick



Joined: 25 Feb 2005
Posts: 1605
Location: Ukraine
shoorick
asm is exactly a programming language (one of them)

_byte=_byte xor (3 + 2*(source+5))

ebp usually used to point not buffers in memory, but data in stack: local variables or function parameters, but of course, there could be a local buffer. looks like cryptor/decrytor.
Post 17 Apr 2009, 05:26
View user's profile Send private message Visit poster's website Reply with quote
vexusdev



Joined: 17 Apr 2009
Posts: 4
vexusdev
shoorick wrote:
asm is exactly a programming language (one of them)

_byte=_byte xor (3 + 2*(source+5))

ebp usually used to point not buffers in memory, but data in stack: local variables or function parameters, but of course, there could be a local buffer. looks like cryptor/decrytor.


Hm you sure thats it? Where do you get * from
Post 17 Apr 2009, 05:35
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17252
Location: In your JS exploiting you and your system
revolution
"add eax,eax" is the same as: eax=eax+eax ----> eax=eax*2
Post 17 Apr 2009, 07:30
View user's profile Send private message Visit poster's website Reply with quote
vexusdev



Joined: 17 Apr 2009
Posts: 4
vexusdev
Old code:
CODE:0046F8EB mov al, [eax+edx]
CODE:0046F8EE mov [ebp+var_1A], al <--here is different
CODE:0046F8F1 mov al, byte ptr [ebp+i]
CODE:0046F8F4 add al, 5
CODE:0046F8F6 add eax, eax
CODE:0046F8F8 add al, 3
CODE:0046F8FA xor [ebp+var_1A], al <--here is different

My code makes:
CODE:0044EF96 mov bl, [eax+edx]
<--Missing that line from real code-->
CODE:0044EF99 mov al, byte ptr [ebp+i]
CODE:0044EF9C add al, 5
CODE:0044EF9E add eax, eax
CODE:0044EFA0 add al, 3
CODE:0044EFA2 xor bl, al <--here is different from real code


My actual code:
ch := ch xor (((i+5)*2)+3);
ch := ch xor (Byte(n4CEEF4) + Byte(n4CEEF4));


What is:
mov [ebp+var_1A], al


It seems its xoring with it too.. I can't figure it out.
Post 17 Apr 2009, 14:41
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
Your new code uses an extra CPU register and hence the local variable is not needed anymore (because now it is stored in BL register).
Post 17 Apr 2009, 14:44
View user's profile Send private message Reply with quote
vexusdev



Joined: 17 Apr 2009
Posts: 4
vexusdev
LocoDelAssembly wrote:
Your new code uses an extra CPU register and hence the local variable is not needed anymore (because now it is stored in BL register).



Can you elaborate a bit more?

The codes slightly off.. so it wont encrypt correctly I can't figure out the problem.

Also how do I stop it from using another cpu registery ? confused :X

Also does anyone know what this function does?
movzx eax, ax
shr eax, 8
retn

Thinking its loword,hiword,hibyte or lobyte?
Post 17 Apr 2009, 14:45
View user's profile Send private message Reply with quote
Madis731



Joined: 25 Sep 2003
Posts: 2141
Location: Estonia
Madis731
I haven't seen the full code, but its very dangerous to load/store only the lowest 8-bit part of eax (al), but one instruction acts on the whole register. You might have something off there...
Post 17 Apr 2009, 16:11
View user's profile Send private message Visit poster's website Yahoo Messenger MSN Messenger Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
vexusdev, better put a more complete ASM dump since if this is supposed to encrypt/decrypt something then it looks somewhat incomplete (there are no loops there for instance).

And as for the more elaboration of my previous answer what occurred there was that the compiler decided to store one of the local variables in BL register rather than an stack variable (like [ebp+var_1A]). The compiler probably decided so because that way is faster and/or makes the code size smaller but it doesn't change the final result at all, only timing is affected.

Also, I don't see the "ch := ch xor (Byte(n4CEEF4) + Byte(n4CEEF4));" line in your Assembly dump, if it would be there and "Byte(n4CEEF4)" means the byte at memory address 0x4CEEF4 then you should see something like this:

Code:
mov cl, [0x4CEEF4]
add cl, cl ; or maybe add ecx, ecx
xor al, cl    
Post 17 Apr 2009, 17:08
View user's profile Send private message Reply with quote
shoorick



Joined: 25 Feb 2005
Posts: 1605
Location: Ukraine
shoorick
movzx eax, ax
shr eax, 8

similar to

movzx eax,ah

such code which looks like not-wise is usually result of code obfuscating to make reversing harder
Post 17 Apr 2009, 18:41
View user's profile Send private message Visit poster's website Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 2906
Location: [RSP+8*5]
bitRAKE
vexusdev wrote:
mov al, byte ptr [ebp+source]
add al, 5
add eax, eax
add al, 3
xor [ebp+_byte], al
Without more code it is difficult to say if there is an intent to grab bits overflowing from AL in instruction ADD EAX,EAX. Maybe it is a valid assumption given later posts regarding contents of AH:

AH <= AH*2
AH <= 0x7A < AL < 0xFB ? AH+1
AL <= 2*(AL+5)+3

Remapping has values in the range [7B,FA] producing set bits in the lsb of AH.

_________________
¯\(°_o)/¯ unlicense.org
Post 18 Apr 2009, 15:55
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17252
Location: In your JS exploiting you and your system
revolution
bitRAKE wrote:
Without more code it is difficult to say if there is an intent to grab bits overflowing from AL in instruction ADD EAX,EAX. Maybe it is a valid assumption given later posts regarding contents of AH:
The code was given above:
Code:
ch := ch xor (((i+5)*2)+3);    
So AH is not used and is ignored.
Post 18 Apr 2009, 16:02
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.