training big understanding will teach me large fs:0

Дмитро · March 19, 2018, 11:52:57 AM

Greetings to all! Good wishes. I'm glad in the forum again!

What it is? At the beginning of this code. What's going on here?

How to understand this? I wanted to understand thoroughly.

Code Select

                 assume ds:_data

 ; =============== S U B R O U T I N E =======================================

 ; Attributes: library function noreturn bp-based frame

                 public start
 start           proc near               ; DATA XREF: HEADER:00400120o

 var_74          = dword ptr -74h
 var_70          = byte ptr -70h
 var_6C          = dword ptr -6Ch
 var_68          = dword ptr -68h
 var_64          = byte ptr -64h
 var_60          = byte ptr -60h
 StartupInfo     = _STARTUPINFOA ptr -5Ch
 var_18          = dword ptr -18h
 var_4           = dword ptr -4

                 push    ebp
                 mov     ebp, esp
                 push    0FFFFFFFFh      ; 
                 push    offset dword_41D650 ; 
                 push    offset loc_418654 ; 
                 mov     eax, large fs:0 ; 
                 push    eax             ; 
                 mov     large fs:0, esp ; 
                 sub     esp, 68h
                 push    ebx
                 push    esi
                 push    edi
                 mov     [ebp+var_18], esp
                 xor     ebx, ebx
                 mov     [ebp+var_4], ebx
                 push    2
                 call    ds:__set_app_type
                 pop     ecx
                 or      dword_5F6A24, 0FFFFFFFFh
                 or      dword_5F6A28, 0FFFFFFFFh
                 call    ds:__p__fmode
                 mov     ecx, dword_5F6A18
                 mov     [eax], ecx
                 call    ds:__p__commode
                 mov     ecx, dword_5F6A14
                 mov     [eax], ecx
                 mov     eax, ds:_adjust_fdiv
                 mov     eax, [eax]
                 mov     dword_5F6A20, eax
                 call    nullsub_1
                 cmp     dword_5F3F80, ebx
                 jnz     short loc_418579
                 push    offset sub_418684
                 call    ds:__setusermatherr
                 pop     ecx

 loc_418579:                             ; CODE XREF: start+75j
                 call    __setdefaultprecision
                 push    offset dword_421040
                 push    offset dword_42103C
                 call    _initterm
                 mov     eax, dword_5F6A10
                 mov     [ebp+var_6C], eax
                 lea     eax, [ebp+var_6C]
                 push    eax
                 push    dword_5F6A0C
                 lea     eax, [ebp+var_64]
                 push    eax
                 lea     eax, [ebp+var_70]
                 push    eax
                 lea     eax, [ebp+var_60]
                 push    eax
                 call    ds:__getmainargs
                 push    offset dword_421038
                 push    offset dword_421000
                 call    _initterm
                 add     esp, 24h
                 mov     eax, ds:_acmdln
                 mov     esi, [eax]
                 mov     [ebp+var_74], esi
                 cmp     byte ptr [esi], 22h
                 jnz     short loc_41860C

 loc_4185D2:                             ; CODE XREF: start+E8j
                 inc     esi
                 mov     [ebp+var_74], esi
                 mov     al, [esi]
                 cmp     al, bl
                 jz      short loc_4185E0
                 cmp     al, 22h
                 jnz     short loc_4185D2

 loc_4185E0:                             ; CODE XREF: start+E4j
                 cmp     byte ptr [esi], 22h
                 jnz     short loc_4185E9

 loc_4185E5:                             ; CODE XREF: start+FBj
                 inc     esi
                 mov     [ebp+var_74], esi

 loc_4185E9:                             ; CODE XREF: start+EDj
                                         ; start+119j
                 mov     al, [esi]
                 cmp     al, bl
                 jz      short loc_4185F3
                 cmp     al, 20h
                 jbe     short loc_4185E5

 loc_4185F3:                             ; CODE XREF: start+F7j
                 mov     [ebp+StartupInfo.dwFlags], ebx
                 lea     eax, [ebp+StartupInfo]
                 push    eax             ; lpStartupInfo
                 call    ds:GetStartupInfoA
                 test    byte ptr [ebp+StartupInfo.dwFlags], 1
                 jz      short loc_418617
                 movzx   eax, [ebp+StartupInfo.wShowWindow]
                 jmp     short loc_41861A
 ; ---------------------------------------------------------------------------

 loc_41860C:                             ; CODE XREF: start+DAj
                                         ; start+11Fj
                 cmp     byte ptr [esi], 20h
                 jbe     short loc_4185E9
                 inc     esi
                 mov     [ebp+var_74], esi
                 jmp     short loc_41860C
 ; ---------------------------------------------------------------------------

 loc_418617:                             ; CODE XREF: start+10Ej
                 push    0Ah
                 pop     eax

 loc_41861A:                             ; CODE XREF: start+114j
                 push    eax             ; nShowCmd
                 push    esi             ; lpCmdLine
                 push    ebx             ; hPrevInstance
                 push    ebx             ; lpModuleName
                 call    ds:GetModuleHandleA
                 push    eax             ; hInstance
                 call    _WinMain@16     ; WinMain(x,x,x,x)
                 mov     [ebp+var_68], eax
                 push    eax             ; Code
                 call    ds:exit
 start           endp

 ; ---------------------------------------------------------------------------
                 mov     eax, [ebp-14h]
                 mov     ecx, [eax]
                 mov     ecx, [ecx]
                 mov     [ebp-78h], ecx
                 push    eax
                 push    ecx
                 call    _XcptFilter
                 pop     ecx
                 pop     ecx
                 retn
 ; ---------------------------------------------------------------------------
                 mov     esp, [ebp-18h]
                 push    dword ptr [ebp-78h]
                 call    ds:_exit
 ; ---------------------------------------------------------------------------

 loc_418654:                             ; DATA XREF: `eh vector destructor iterator'(void *,uint,int,void (*)(void *))+Ao
                                         ; __ArrayUnwind(void *,uint,int,void (*)(void *))+Ao ...
                 jmp     ds:_except_handler3

 ; =============== S U B R O U T I N E =======================================

hutch-- · March 19, 2018, 01:24:29 PM

Hi Dimitri,

At a rough guess it looks like the list are just redefinable equates for local values.

var_74 = dword ptr -74h
etc ....

The "fs" reference looks like something to do with structured exception handling as does the commented out C++ code at the bottom.

dedndave · March 20, 2018, 03:11:53 AM

the FS register points to the TIB (Thread Information Block)
sometimes called the TEB (Thread Environment Block)

https://en.wikipedia.org/wiki/Win32_Thread_Information_Block

http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FTEB.html

aw27 · March 20, 2018, 03:41:14 AM

Quote
What's going on here?

It is IDA Pro hybrid syntax. Usually it is not ready to reassemble but they should have a tutorial on that on their website.

felipe · March 20, 2018, 02:45:57 PM

Well i'm not an expert at all, so please don't laugh... too hard!

Just trying to help with comments in some of the first lines of the code. As your question is a little broad i mainly tried to point to the ida's syntax and basic of code (hopefully). If you already know all this and you just want to know about the functionality of the code, i'm sorry :redface: Maybe you can be more specific :idea: Also if i'm wrong in some comments, just ignore my ignorance... :P

Quote from: Дмитро on March 19, 2018, 11:52:57 AM
assume ds:_data

; =============== S U B R O U T I N E =======================================

; Attributes: library function noreturn bp-based frame This means that is a function of some lib and that it will not return to the caller and it has an stack frame pointer: ebp.

public start
start proc near ; DATA XREF: HEADER:00400120o The name of the function.

var_74 = dword ptr -74h These are just equates: var_74 is a dword of value -74h
var_70 = byte ptr -70h
var_6C = dword ptr -6Ch
var_68 = dword ptr -68h
var_64 = byte ptr -64h
var_60 = byte ptr -60h
StartupInfo = _STARTUPINFOA ptr -5Ch This is a structure of windows you should look to the win32 documentation.
var_18 = dword ptr -18h
var_4 = dword ptr -4

push ebp
mov ebp, esp
push 0FFFFFFFFh ; A constant: -1 probably.
push offset dword_41D650 ; Some variable in the .data or .data? section.
push offset loc_418654 ; Some point in the code ( a label).
mov eax, large fs:0 ; Move the first dword of that structure in eax.
push eax ; Safe it.
mov large fs:0, esp ; Move the address of that first dword in the first dword of the structure.
sub esp, 68h Safe 68h of local variables.
push ebx Safe system registers.
push esi
push edi
mov [ebp+var_18], esp mov [ebp-18h],esp ;Safe location where locals ends.
xor ebx, ebx Zeroes ebx.
mov [ebp+var_4], ebx mov [ebp-4],0 ; Overrides the -1.
push 2 An argument of a function.
call ds:__set_app_type Some function called. Look for documentation about it.
pop ecx Clean the stack in return of the function last called. (used cdecl convention).
or dword_5F6A24, 0FFFFFFFFh Some array of dword elements turn to -1, maybe.
or dword_5F6A28, 0FFFFFFFFh
call ds:__p__fmode Call another function...In a jump table maybe?
mov ecx, dword_5F6A18 Probably from the array above you get some result of the funtion last called to ecx.
...

Дмитро · March 21, 2018, 10:42:04 AM

Thank you so much !! I am pleased.
I will later clarify my questions by specifying them.
I also want to reassemble this code later, recompile it.

Дмитро · March 22, 2018, 12:55:20 AM

I rarely have MASM that I forgot.
I do not really remember how to assemble a program.
I have collected several programs, but long ago, a great time ago.
Those programs and books, they are no longer available after reinstalling the Windows in my computer.

I ask you to write the correct BAT file, for the sample to build the program, with the necessary keys and the correct details.
I ask you to arrange my listing as much as possible in order to bring it closer to compilation. I respect you, this forum is good and everything in it.

Listing really does come from the IDAs.
I want to reassemble the program, first the first function, and then all the big parts, while understanding, thinking, understanding.

При цьому для уточнення In addition, for clarification

Code Select

.rdata:0041D650 dword_41D650    dd 0FFFFFFFFh, 418634h, 418648h, 0 ; DATA XREF: start+5o

.text:00418654 loc_418654:                             ; DATA XREF: `eh vector destructor iterator'(void *,uint,int,void (*)(void *))+Ao
.text:00418654                                         ; __ArrayUnwind(void *,uint,int,void (*)(void *))+Ao ...
.text:00418654                 jmp     ds:_except_handler3

eax 0012FFE0

felipe · March 22, 2018, 05:59:21 AM

Dimitri here you have the listing reordered to assemble. A bat file with command to assemble the file. This should be executed (is a .bat file) in the path of ml and the file. Also a .obj file of the listing assembled. Please note that i did only that for now, i didn't analyze nothing in the program (listing). Maybe it will help you a little bit to work, good luck! :icon14:

The MASM Forum

News:

training big understanding will teach me large fs:0

Дмитро

hutch--

dedndave

aw27

felipe

Дмитро

Дмитро

felipe