Junk Code or important?

Index > Windows > Junk Code or important?

Author

Thread

blacky

Joined: 06 Apr 2006
Posts: 32
Location: JA

blacky 07 Apr 2006, 15:22

Hey. i was going through some threads testing out some examples.. debugging them etc.. and i came up to this code here from a thread.

Code:

format PE GUI 4.0
entry start 

include 'win32ax.inc'

section '.data' data readable writeable 
winclass        db 'TestClass',0 
hPopupMenu      dd 0 
ButtonRect      RECT
button.h        dd ?

wc WNDCLASS 0,WindowProc,0,0,0,0,0,COLOR_BTNFACE+1,0,winclass 
msg MSG 


section '.code' code readable executable 
start: 
        invoke  GetModuleHandle,0 
                mov  [wc.hInstance],eax 

        invoke  LoadCursor,0,IDC_ARROW 
                mov  [wc.hCursor],eax 

        invoke  RegisterClass,wc 

        invoke  LoadMenu,[wc.hInstance],0 

        invoke  CreateWindowEx,WS_EX_OVERLAPPEDWINDOW,winclass,'Test',WS_VISIBLE+WS_OVERLAPPEDWINDOW,100,100,200,200,0,eax,[wc.hInstance],0 

msg_loop: 
        invoke  GetMessage,msg,0,0,0 
        or      eax,eax 
        jz      end_loop 
        invoke  TranslateMessage,msg 
        invoke  DispatchMessage,msg 
        jmp     msg_loop 

end_loop: 
        invoke  ExitProcess,[msg.wParam] 


proc WindowProc hwnd,wmsg,wparam,lparam 
        push    ebx esi edi 
        cmp     [wmsg],WM_CREATE 
        je      wmcreate 
        cmp     [wmsg],WM_DESTROY 
        je      wmdestroy 
        cmp     [wmsg],WM_CLOSE 
        je      wmdestroy 
        cmp     [wmsg],WM_COMMAND 
        je      wmcommand 

defwndproc: 
        invoke  DefWindowProc,[hwnd],[wmsg],[wparam],[lparam] 
        jmp     finish 

wmcreate: 
        invoke  CreateWindowEx,0,'BUTTON','TestButton',WS_CHILD+WS_VISIBLE,10,10,100,24,[hwnd],200,[wc.hInstance],0 
                mov  [button.h],eax
        invoke  CreatePopupMenu 
        mov     [hPopupMenu],eax 
        invoke  AppendMenu,[hPopupMenu],MF_STRING,300,'Item &1' 
        invoke  AppendMenu,[hPopupMenu],MF_STRING,301,'Item &2' 

        xor     eax,eax 
        jmp     finish 

wmdestroy: 
        invoke  PostQuitMessage,0 
        xor     eax,eax 
        jmp     finish 

wmcommand: 
        mov     eax,[wparam] 
        cmp     eax,200 
        je      ChannelButtonCommand 
        jmp     wmcommandend 

    ChannelButtonCommand: 
        ;invoke  GetWindowRect,200,ButtonRect 
        invoke  GetWindowRect,[button.h],ButtonRect      ; we get screen cordinate in ButtonRect
                ; assume u want TPM_LEFTALIGN + TPM_TOPALIGN
                mov  eax,[ButtonRect.left]
                mov  edx,[ButtonRect.bottom]
        invoke  TrackPopupMenu,[hPopupMenu],TPM_LEFTALIGN+TPM_TOPALIGN,eax,edx,0,[button.h],0 
        jmp     wmcommandend 

wmcommandend: 
        xor     eax,eax 
        jmp     finish 

finish: 
        pop     edi esi ebx 
        ret 
endp 


section '.idata' import data readable writeable 
library kernel32,'KERNEL32.DLL',user32,'USER32.DLL'
include '\apia\kernel32.inc'
include '\apia\user32.inc'

It seems to produce alot of 'junk' code? Fire this program in olly and take a look.

Code:

004020A9      55            DB      55                               ;  CHAR 'U'
004020AA      89            DB      89
004020AB      E5            DB      E5
004020AC      53            DB      53                               ;  CHAR 'S'
004020AD      56            DB      56                               ;  CHAR 'V'
004020AE      57            DB      57                               ;  CHAR 'W'
004020AF      83            DB      83
004020B0      7D            DB      7D                               ;  CHAR '}'
004020B1      0C            DB      0C
004020B2      01            DB      01
004020B3      74            DB      74                               ;  CHAR 't'
004020B4      38            DB      38                               ;  CHAR '8'
004020B5      83            DB      83
004020B6      7D            DB      7D                               ;  CHAR '}'
004020B7      0C            DB      0C
004020B8      02            DB      02
004020B9      0F            DB      0F
004020BA      84            DB      84
004020BB   .  C3            RETN
004020BC      00            DB      00
004020BD      00            DB      00
004020BE      00            DB      00
004020BF      83            DB      83
004020C0      7D            DB      7D                               ;  CHAR '}'
004020C1      0C            DB      0C
004020C2      10            DB      10
004020C3      0F            DB      0F
004020C4      84            DB      84
004020C5      B9            DB      B9
004020C6      00            DB      00
004020C7      00            DB      00
004020C8      00            DB      00

etc...

There a reason for this? And can it be removed to strip down exe size?

07 Apr 2006, 15:22

Ivan2k2

Joined: 08 Sep 2004
Posts: 80
Location: Russia, Angarsk

Ivan2k2 08 Apr 2006, 02:58

hi blacky
it's not junk code, it's buggy ollydbg =)

e.g.:

"push ebx esi edi" is equal to next 3 lines

Code:

004020AC      53            DB      53                               ;  CHAR 'S' 
004020AD      56            DB      56                               ;  CHAR 'V' 
004020AE      57            DB      57                               ;  CHAR 'W'

and so on...

08 Apr 2006, 02:58

Madis731

Joined: 25 Sep 2003
Posts: 2139
Location: Estonia

Madis731 08 Apr 2006, 09:05

Maybe its the configuration of the Olly, because mine is OK. The only problem is that it doesn't recognize the structure:

Code:

invoke  CreateWindowEx,WS_EX_OVERLAPPEDWINDOW,winclass,'Test',WS_VISIBLE+WS_OVERLAPPEDWINDOW,100,100,200,200,0,eax,[wc.hInstance],0
;Instead, this is shown:
00402039  |.  6A 00         PUSH    0
0040203B  |.  FF35 32104000 PUSH    [DWORD 401032]
00402041  |.  50            PUSH    EAX
00402042  |.  6A 00         PUSH    0
00402044  |.  68 C8000000   PUSH    0C8
00402049  |.  68 C8000000   PUSH    0C8
0040204E  |.  6A 64         PUSH    64
00402050  |.  6A 64         PUSH    64
00402052  |.  68 0000CF10   PUSH    10CF0000
00402057  |.  E8 05000000   CALL    test.00402061                    ;  PUSH ASCII "Test"
0040205C  |.  54 65 73 74 0>ASCII   "Test",0
00402061  |>  68 00104000   PUSH    test.00401000                    ; |Class = "TestClass"
00402066  |.  68 00030000   PUSH    300                              ; |ExtStyle = WS_EX_WINDOWEDGE|WS_EX_CLIENTEDGE
0040206B  |.  FF15 D0304000 CALL    [<&USER32.CreateWindowExA>]      ; \CreateWindowExA

This is because the high level the FASM macros can get - I'm only using the "win32a.inc" for my projects, but that "win32ax.inc" lets you define constructs like this:

Code:

invoke MyProcedure,eax,"some string",[ebx]
;This will be assembled to something like the next:
    push [ebx]
    call @f
      db "some string",0
@@:
    push eax
    call [MyProcedure]

08 Apr 2006, 09:05

vid
Verbosity in development

Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia

vid 08 Apr 2006, 09:17

i wonder why OllyDbg claims it handle this then. BTW, FASMLIB macros define PUSHD-defined string in data block, like

Code:

idata {
  ..string db "Ain't it fun waitin' 'round in data segment?",0
}
push ..string

08 Apr 2006, 09:17

Madis731

Joined: 25 Sep 2003
Posts: 2139
Location: Estonia

Madis731 08 Apr 2006, 09:19

As I already said - its the configuration. His Olly showed only ASCII, mine showed them as ops, but didn't recognize the structure as a whole, but only the end of it. Maybe there are still some ticks to be clicked Wink

08 Apr 2006, 09:19

Ivan2k2

Joined: 08 Sep 2004
Posts: 80
Location: Russia, Angarsk

Ivan2k2 08 Apr 2006, 10:14

Madis731 is right, when i checked "Debugging options -> Analysis 1 -> Decode tricky code sequences", this disassembly code became more readable.

08 Apr 2006, 10:14

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum