Greetings to all! Good wishes. I'm glad in the forum again!
What it is? At the beginning of this code. What's going on here?
How to understand this? I wanted to understand thoroughly.
assume ds:_data
; =============== S U B R O U T I N E =======================================
; Attributes: library function noreturn bp-based frame
public start
start proc near ; DATA XREF: HEADER:00400120o
var_74 = dword ptr -74h
var_70 = byte ptr -70h
var_6C = dword ptr -6Ch
var_68 = dword ptr -68h
var_64 = byte ptr -64h
var_60 = byte ptr -60h
StartupInfo = _STARTUPINFOA ptr -5Ch
var_18 = dword ptr -18h
var_4 = dword ptr -4
push ebp
mov ebp, esp
push 0FFFFFFFFh ;
push offset dword_41D650 ;
push offset loc_418654 ;
mov eax, large fs:0 ;
push eax ;
mov large fs:0, esp ;
sub esp, 68h
push ebx
push esi
push edi
mov [ebp+var_18], esp
xor ebx, ebx
mov [ebp+var_4], ebx
push 2
call ds:__set_app_type
pop ecx
or dword_5F6A24, 0FFFFFFFFh
or dword_5F6A28, 0FFFFFFFFh
call ds:__p__fmode
mov ecx, dword_5F6A18
mov [eax], ecx
call ds:__p__commode
mov ecx, dword_5F6A14
mov [eax], ecx
mov eax, ds:_adjust_fdiv
mov eax, [eax]
mov dword_5F6A20, eax
call nullsub_1
cmp dword_5F3F80, ebx
jnz short loc_418579
push offset sub_418684
call ds:__setusermatherr
pop ecx
loc_418579: ; CODE XREF: start+75j
call __setdefaultprecision
push offset dword_421040
push offset dword_42103C
call _initterm
mov eax, dword_5F6A10
mov [ebp+var_6C], eax
lea eax, [ebp+var_6C]
push eax
push dword_5F6A0C
lea eax, [ebp+var_64]
push eax
lea eax, [ebp+var_70]
push eax
lea eax, [ebp+var_60]
push eax
call ds:__getmainargs
push offset dword_421038
push offset dword_421000
call _initterm
add esp, 24h
mov eax, ds:_acmdln
mov esi, [eax]
mov [ebp+var_74], esi
cmp byte ptr [esi], 22h
jnz short loc_41860C
loc_4185D2: ; CODE XREF: start+E8j
inc esi
mov [ebp+var_74], esi
mov al, [esi]
cmp al, bl
jz short loc_4185E0
cmp al, 22h
jnz short loc_4185D2
loc_4185E0: ; CODE XREF: start+E4j
cmp byte ptr [esi], 22h
jnz short loc_4185E9
loc_4185E5: ; CODE XREF: start+FBj
inc esi
mov [ebp+var_74], esi
loc_4185E9: ; CODE XREF: start+EDj
; start+119j
mov al, [esi]
cmp al, bl
jz short loc_4185F3
cmp al, 20h
jbe short loc_4185E5
loc_4185F3: ; CODE XREF: start+F7j
mov [ebp+StartupInfo.dwFlags], ebx
lea eax, [ebp+StartupInfo]
push eax ; lpStartupInfo
call ds:GetStartupInfoA
test byte ptr [ebp+StartupInfo.dwFlags], 1
jz short loc_418617
movzx eax, [ebp+StartupInfo.wShowWindow]
jmp short loc_41861A
; ---------------------------------------------------------------------------
loc_41860C: ; CODE XREF: start+DAj
; start+11Fj
cmp byte ptr [esi], 20h
jbe short loc_4185E9
inc esi
mov [ebp+var_74], esi
jmp short loc_41860C
; ---------------------------------------------------------------------------
loc_418617: ; CODE XREF: start+10Ej
push 0Ah
pop eax
loc_41861A: ; CODE XREF: start+114j
push eax ; nShowCmd
push esi ; lpCmdLine
push ebx ; hPrevInstance
push ebx ; lpModuleName
call ds:GetModuleHandleA
push eax ; hInstance
call _WinMain@16 ; WinMain(x,x,x,x)
mov [ebp+var_68], eax
push eax ; Code
call ds:exit
start endp
; ---------------------------------------------------------------------------
mov eax, [ebp-14h]
mov ecx, [eax]
mov ecx, [ecx]
mov [ebp-78h], ecx
push eax
push ecx
call _XcptFilter
pop ecx
pop ecx
retn
; ---------------------------------------------------------------------------
mov esp, [ebp-18h]
push dword ptr [ebp-78h]
call ds:_exit
; ---------------------------------------------------------------------------
loc_418654: ; DATA XREF: `eh vector destructor iterator'(void *,uint,int,void (*)(void *))+Ao
; __ArrayUnwind(void *,uint,int,void (*)(void *))+Ao ...
jmp ds:_except_handler3
; =============== S U B R O U T I N E =======================================
Hi Dimitri,
At a rough guess it looks like the list are just redefinable equates for local values.
var_74 = dword ptr -74h
etc ....
The "fs" reference looks like something to do with structured exception handling as does the commented out C++ code at the bottom.
the FS register points to the TIB (Thread Information Block)
sometimes called the TEB (Thread Environment Block)
https://en.wikipedia.org/wiki/Win32_Thread_Information_Block
http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FTEB.html
Quote
What's going on here?
It is IDA Pro hybrid syntax. Usually it is not ready to reassemble but they should have a tutorial on that on their website.
Well i'm not an expert at all, so please don't laugh... too hard! :bgrin: Just trying to help with comments in some of the first lines of the code. As your question is a little broad i mainly tried to point to the ida's syntax and basic of code (hopefully). If you already know all this and you just want to know about the functionality of the code, i'm sorry :redface: Maybe you can be more specific :idea: Also if i'm wrong in some comments, just ignore my ignorance... :P
Quote from: Дмитро on March 19, 2018, 11:52:57 AM
assume ds:_data
; =============== S U B R O U T I N E =======================================
; Attributes: library function noreturn bp-based frame This means that is a function of some lib and that it will not return to the caller and it has an stack frame pointer: ebp.
public start
start proc near ; DATA XREF: HEADER:00400120o The name of the function.
var_74 = dword ptr -74h These are just equates: var_74 is a dword of value -74h
var_70 = byte ptr -70h
var_6C = dword ptr -6Ch
var_68 = dword ptr -68h
var_64 = byte ptr -64h
var_60 = byte ptr -60h
StartupInfo = _STARTUPINFOA ptr -5Ch This is a structure of windows you should look to the win32 documentation.
var_18 = dword ptr -18h
var_4 = dword ptr -4
push ebp
mov ebp, esp
push 0FFFFFFFFh ; A constant: -1 probably.
push offset dword_41D650 ; Some variable in the .data or .data? section.
push offset loc_418654 ; Some point in the code ( a label).
mov eax, large fs:0 ; Move the first dword of that structure in eax.
push eax ; Safe it.
mov large fs:0, esp ; Move the address of that first dword in the first dword of the structure.
sub esp, 68h Safe 68h of local variables.
push ebx Safe system registers.
push esi
push edi
mov [ebp+var_18], esp mov [ebp-18h],esp ;Safe location where locals ends.
xor ebx, ebx Zeroes ebx.
mov [ebp+var_4], ebx mov [ebp-4],0 ; Overrides the -1.
push 2 An argument of a function.
call ds:__set_app_type Some function called. Look for documentation about it.
pop ecx Clean the stack in return of the function last called. (used cdecl convention).
or dword_5F6A24, 0FFFFFFFFh Some array of dword elements turn to -1, maybe.
or dword_5F6A28, 0FFFFFFFFh
call ds:__p__fmode Call another function...In a jump table maybe?
mov ecx, dword_5F6A18 Probably from the array above you get some result of the funtion last called to ecx.
...
Thank you so much !! I am pleased.
I will later clarify my questions by specifying them.
I also want to reassemble this code later, recompile it.
I rarely have MASM that I forgot.
I do not really remember how to assemble a program.
I have collected several programs, but long ago, a great time ago.
Those programs and books, they are no longer available after reinstalling the Windows in my computer.
I ask you to write the correct BAT file, for the sample to build the program, with the necessary keys and the correct details.
I ask you to arrange my listing as much as possible in order to bring it closer to compilation. I respect you, this forum is good and everything in it.
Listing really does come from the IDAs.
I want to reassemble the program, first the first function, and then all the big parts, while understanding, thinking, understanding.
При цьому для уточнення In addition, for clarification
.rdata:0041D650 dword_41D650 dd 0FFFFFFFFh, 418634h, 418648h, 0 ; DATA XREF: start+5o
.text:00418654 loc_418654: ; DATA XREF: `eh vector destructor iterator'(void *,uint,int,void (*)(void *))+Ao
.text:00418654 ; __ArrayUnwind(void *,uint,int,void (*)(void *))+Ao ...
.text:00418654 jmp ds:_except_handler3
eax 0012FFE0
Dimitri here you have the listing reordered to assemble. A bat file with command to assemble the file. This should be executed (is a .bat file) in the path of ml and the file. Also a .obj file of the listing assembled. Please note that i did only that for now, i didn't analyze nothing in the program (listing). Maybe it will help you a little bit to work, good luck! :icon14: