All geek questions in one place

How can I find out what this does?

I got this assembly code, extracted from some software, but unfortunately I don't know anything about assembler, and the bit that I touched the assembler returned to the Commodore Amiga with 68000.

Can someone direct me on how I could understand this code without having to learn assembler from scratch or just tell me what it does?

Is there any “simulator” that I can run to see what it does?

-[ObjSample Param1:andParam2:]: 00000c79 pushl %ebp 00000c7a movl %esp,%ebp 00000c7c subl $0x48,%esp 00000c7f movl %ebx,0xf4(%ebp) 00000c82 movl %esi,0xf8(%ebp) 00000c85 movl %edi,0xfc(%ebp) 00000c88 calll 0x00000c8d 00000c8d popl %ebx 00000c8e cmpb $-[ObjSample delegate],_bDoOnce.26952-0xc8d(%ebx) 00000c95 jel 0x00000d47 00000c9b movb $-[ObjSample delegate],_bDoOnce.26952-0xc8d(%ebx) 00000ca2 movl 0x7dc0-0xc8d(%ebx),%eax 00000ca8 movl %eax,0x04(%esp) 00000cac movl 0x7df4-0xc8d(%ebx),%eax 00000cb2 movl %eax,(%esp) 00000cb5 calll _objc_msgSend 00000cba movl 0x7dbc-0xc8d(%ebx),%edx 00000cc0 movl %edx,0x04(%esp) 00000cc4 movl %eax,(%esp) 00000cc7 calll _objc_msgSend 00000ccc movl %eax,0xe4(%ebp) 00000ccf movl 0x7db8-0xc8d(%ebx),%eax 00000cd5 movl %eax,0x04(%esp) 00000cd9 movl 0xe4(%ebp),%eax 00000cdc movl %eax,(%esp) 00000cdf calll _objc_msgSend 00000ce4 leal (%eax,%eax),%edi 00000ce7 movl %edi,(%esp) 00000cea calll _malloc 00000cef movl %eax,%esi 00000cf1 movl %edi,0x08(%esp) 00000cf5 movl $-[ObjSample delegate],0x04(%esp) 00000cfd movl %eax,(%esp) 00000d00 calll _memset 00000d05 movl $0x00000004,0x10(%esp) 00000d0d movl %edi,0x0c(%esp) 00000d11 movl %esi,0x08(%esp) 00000d15 movl 0x7db4-0xc8d(%ebx),%eax 00000d1b movl %eax,0x04(%esp) 00000d1f movl 0xe4(%ebp),%eax 00000d22 movl %eax,(%esp) 00000d25 calll _objc_msgSend 00000d2a xorl %edx,%edx 00000d2c movl %edi,%eax 00000d2e shrl $0x03,%eax 00000d31 jmp 0x00000d34 00000d33 incl %edx 00000d34 cmpl %edx,%eax 00000d36 ja 0x00000d33 00000d38 movl %esi,(%esp) 00000d3b calll _free 00000d40 movb $0x01,_isAuthenticated-0xc8d(%ebx) 00000d47 movzbl _isAuthenticated-0xc8d(%ebx),%eax 00000d4e movl 0xf4(%ebp),%ebx 00000d51 movl 0xf8(%ebp),%esi 00000d54 movl 0xfc(%ebp),%edi 00000d57 leave 00000d58 ret
+4
source share
2 answers

This sets the stack frame, allocates 0x48 bytes for local variables and saves ebx, esi and edi, this is a pretty standard function prolog.

 00000c79 pushl %ebp 00000c7a movl %esp,%ebp 00000c7c subl $0x48,%esp 00000c7f movl %ebx,0xf4(%ebp) 00000c82 movl %esi,0xf8(%ebp) 00000c85 movl %edi,0xfc(%ebp)

This is an assembler trick in order to configure ebx to code when it is done ebx contains 00000c8d.

 00000c88 calll 0x00000c8d 00000c8d popl %ebx

This bit ensures that the function runs only once, if you call it a second time, it just skips to the end (jel 0x00000d47)

 00000c8e cmpb $-[ObjSample delegate],_bDoOnce.26952-0xc8d(%ebx) 00000c95 jel 0x00000d47 00000c9b movb $-[ObjSample delegate],_bDoOnce.26952-0xc8d(%ebx)

This bit copies the values ​​relative to ebx into the local (stack) space of variables, remember that ebx points to the current function, but the offsets from ebx are quite large. most likely, it is persistent data embedded in the code, and they are set as arguments for calling the function.

 00000ca2 movl 0x7dc0-0xc8d(%ebx),%eax 00000ca8 movl %eax,0x04(%esp) 00000cac movl 0x7df4-0xc8d(%ebx),%eax 00000cb2 movl %eax,(%esp)

call the function.

 00000cb5 calll _objc_msgSend

more constant values ​​inserted on the stack and another call to the same function, this time the return value of the function call is stored in a local variable: 0xe4 (% ebp)

 00000cba movl 0x7dbc-0xc8d(%ebx),%edx 00000cc0 movl %edx,0x04(%esp) 00000cc4 movl %eax,(%esp) 00000cc7 calll _objc_msgSend 00000ccc movl %eax,0xe4(%ebp)

more values ​​are pushed onto the stack to call the function, this time one value is constant relative to ebx, and the other value is the return value from the previous call.

 00000ccf movl 0x7db8-0xc8d(%ebx),%eax 00000cd5 movl %eax,0x04(%esp) 00000cd9 movl 0xe4(%ebp),%eax 00000cdc movl %eax,(%esp) 00000cdf calll _objc_msgSend

take the return value from this call, double it and malloc on so much memory.

 00000ce4 leal (%eax,%eax),%edi 00000ce7 movl %edi,(%esp) 00000cea calll _malloc

fill memory with byte found in [ObjSample delegate]

 00000cef movl %eax,%esi 00000cf1 movl %edi,0x08(%esp) 00000cf5 movl $-[ObjSample delegate],0x04(%esp) 00000cfd movl %eax,(%esp) 00000d00 calll _memset

send another message that takes arguments: 0xe4 (% ebp), constant from ebx, mallocd ptr, size malloc, 4. Presumably this sends a message in our malloc'd buffer, (the buffer is freed, but not returned to the caller)

 00000d05 movl $0x00000004,0x10(%esp) 00000d0d movl %edi,0x0c(%esp) 00000d11 movl %esi,0x08(%esp) 00000d15 movl 0x7db4-0xc8d(%ebx),%eax 00000d1b movl %eax,0x04(%esp) 00000d1f movl 0xe4(%ebp),%eax 00000d22 movl %eax,(%esp) 00000d25 calll _objc_msgSend

clear edx and save the return value from the sendmessage call in edi.

 00000d2a xorl %edx,%edx 00000d2c movl %edi,%eax

eax >> 3 , then while (edx < eax) ++edx; it doesn't make much sense.

 00000d2e shrl $0x03,%eax 00000d31 jmp 0x00000d34 00000d33 incl %edx 00000d34 cmpl %edx,%eax 00000d36 ja 0x00000d33

free mallocd memory

 00000d38 movl %esi,(%esp) 00000d3b calll _free

set _isAuthenticated to true, also set the return value to true. this variable appears to be in code, or possibly global.

 00000d40 movb $0x01,_isAuthenticated-0xc8d(%ebx) 00000d47 movzbl _isAuthenticated-0xc8d(%ebx),%eax

restore registers and return.

 00000d4e movl 0xf4(%ebp),%ebx 00000d51 movl 0xf8(%ebp),%esi 00000d54 movl 0xfc(%ebp),%edi 00000d57 leave 00000d58 ret
+18
source

Hard work ... your assembler is just a routine, but it applies to other routines and global or static variables, so the best we can do is have an idea of ​​the equivalent in a more readable language. But ... let him try! (C-like language)

 int unknown_function(/* Parameters? */) { static char bDoOnce; static char isAuthenticated; uint32 tmp1,tmp2,tmp3; void *p; int i; if (bDoOnce == ObjSample_delegate) { return isAuthenticated; } bDoOnce = ObjSample_delegate; tmp1= objc_msgSend(some_data1, some_data2); tmp2 = objc_msgSend(tmp1, some_data3); tmp3 = objc_msgSend(tmp2, some_data4); p = malloc(tmp3*2); memset(p, ObjSample_delegate, tmp3*2); objc_msgSend(tmp2,some_data5,p, tmp3*2,4); for (i = 0; i < tmp3/4; ++i) { } free(p); isAuthenticated = 1; return isAuthenticated; }

Uh ... there is not enough information to figure out what is really happening (not to say that I can do something wrong;)) The program contains too many "some_data", and it seems empty here for a loop just to consume a processor . Uhm ... Is this a function compiled by gnu objectiveC?

Sorry, I tried, but I can not say much more useful. In any case, I hope this can help you. Relations

+12
source

Source: https://habr.com/ru/post/1303862/

More articles:


All Articles