Need help reverse engineering (understanding) Assembly
Good day, I have created an objdump from an executable. And received a bunch of code. However, I am unsure what this one particular function does. I have a few ideas here and there, but still can't seem to figure it out.
To give it some context, a random number is generated (probably has some sort of property), and then asks the user for input. This then gets send to the function that I need help with. For some conditions, something (maybe like a char from the string) is put into a linked list. And I think that is where I need help with.
804b66b: 55 push ebp
804b66c: 89 e5 mov ebp,esp
804b66e: 83 ec 38 sub esp,0x38 #parameter stuff
804b671: 8b 45 08 mov eax,DWORD PTR [ebp+0x8] #answer to eax
804b674: 89 45 d4 mov DWORD PTR [ebp-0x2c],eax #put eax->ptr
804b677: 65 a1 14 00 00 00 mov eax,gs:0x14 #??
804b67d: 89 45 f4 mov DWORD PTR [ebp-0xc],eax
804b680: 31 c0 xor eax,eax #make eax 0
804b682: c7 45 e8 00 00 00 00 mov DWORD PTR [ebp-0x18],0x0 #make all 0
804b689: c7 45 ec 00 00 00 00 mov DWORD PTR [ebp-0x14],0x0
804b690: c7 45 dc 00 00 00 00 mov DWORD PTR [ebp-0x24],0x0
804b697: c7 45 e0 00 00 00 00 mov DWORD PTR [ebp-0x20],0x0
#The following is the start of a for loop or something
#Get next char from string that was input
804b69e: 8b 45 ec mov eax,DWORD PTR [ebp-0x14] #something with counter?
804b6a1: 8d 50 01 lea edx,[eax+0x1]
804b6a4: 89 55 ec mov DWORD PTR [ebp-0x14],edx #inc counter
804b6a7: 89 c2 mov edx,eax
804b6a9: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c] #put input into eax
804b6ac: 01 d0 add eax,edx #take next char
804b6ae: 0f b6 00 movzx eax,BYTE PTR [eax] #ptreax->eax
804b6b1: 88 45 db mov BYTE PTR [ebp-0x25],al #next char of input
804b6b4: e8 f7 e4 ff ff call 8049bb0 <__ctype_b_loc@plt>
804b6b9: 8b 00 mov eax,DWORD PTR [eax]
804b6bb: 0f be 55 db movsx edx,BYTE PTR [ebp-0x25]
804b6bf: 01 d2 add edx,edx
804b6c1: 01 d0 add eax,edx #increment?
804b6c3: 0f b7 00 movzx eax,WORD PTR [eax]
804b6c6: 0f b7 c0 movzx eax,ax
804b6c9: 25 00 08 00 00 and eax,0x800
804b6ce: 85 c0 test eax,eax #check if the char is an int or char
804b6d0: 74 51 je 804b723 <function42+0xb8> #if it is, jump
#If it is an int, it is then converted to an int (cast maybe)
804b6d2: 0f b6 45 db movzx eax,BYTE PTR [ebp-0x25] #char->eax
804b6d6: 83 e8 30 sub eax,0x30
804b6d9: 88 45 db mov BYTE PTR [ebp-0x25],al #make digit
804b6dc: 0f be 45 db movsx eax,BYTE PTR [ebp-0x25]
#I think the following snippit only does this (-1 - (int)char) / 10
804b6e0: ba ff ff ff 7f mov edx,0x7fffffff #edx = -1
804b6e5: 89 d1 mov ecx,edx #ecx = -1
804b6e7: 29 c1 sub ecx,eax #-1 - (int) c
804b6e9: ba 67 66 66 66 mov edx,0x66666667 #1717986919->edx
804b6ee: 89 c8 mov eax,ecx #-1 - (int) c -> eax
804b6f0: f7 ea imul edx #eax = eax * edx
804b6f2: c1 fa 02 sar edx,0x2 #divide by 4
804b6f5: 89 c8 mov eax,ecx #-1 - (int) c -> eax
804b6f7: c1 f8 1f sar eax,0x1f #eax >> 31
804b6fa: 29 c2 sub edx,eax #eax - edx
804b6fc: 89 d0 mov eax,edx #eax = edx - eax
804b6fe: 3b 45 e0 cmp eax,DWORD PTR [ebp-0x20]
804b701: 0f 8c e7 00 00 00 jl 804b7ee <function42+0x183> #if true: return
#make space of some sort?
804b707: 8b 55 e0 mov edx,DWORD PTR [ebp-0x20]
804b70a: 89 d0 mov eax,edx
804b70c: c1 e0 02 shl eax,0x2 #eax << 2
804b70f: 01 d0 add eax,edx #eax = eax + edx
804b711: 01 c0 add eax,eax #eax = eax + eax
804b713: 89 c2 mov edx,eax #eax -> edx
#Maybe calc difference between input number and generated number
804b715: 0f be 45 db movsx eax,BYTE PTR [ebp-0x25] #c[i]->eax
804b719: 01 d0 add eax,edx #eax = eax + edx
804b71b: 89 45 e0 mov DWORD PTR [ebp-0x20],eax
804b71e: e9 7b ff ff ff jmp 804b69e <function42+0x33> #go to beginning of for
#I think the next part executes when the char is indeed a char and not a digit.
#But I am not sure... And this is where I get stuck
804b723: 80 7d db 5e cmp BYTE PTR [ebp-0x25],0x5e
804b727: 75 23 jne 804b74c <function42+0xe1>
804b729: 83 7d e8 00 cmp DWORD PTR [ebp-0x18],0x0
804b72d: 0f 85 be 00 00 00 jne 804b7f1 <function42+0x186>
804b733: c7 45 e8 01 00 00 00 mov DWORD PTR [ebp-0x18],0x1
804b73a: 8b 45 e0 mov eax,DWORD PTR [ebp-0x20]
804b73d: 89 45 e4 mov DWORD PTR [ebp-0x1c],eax
804b740: c7 45 e0 00 00 00 00 mov DWORD PTR [ebp-0x20],0x0
804b747: e9 52 ff ff ff jmp 804b69e <function42+0x33>
804b74c: e8 5f e4 ff ff call 8049bb0 <__ctype_b_loc@plt>
804b751: 8b 00 mov eax,DWORD PTR [eax]
804b753: 0f be 55 db movsx edx,BYTE PTR [ebp-0x25]
804b757: 01 d2 add edx,edx
804b759: 01 d0 add eax,edx
804b75b: 0f b7 00 movzx eax,WORD PTR [eax]
804b75e: 0f b7 c0 movzx eax,ax
804b761: 25 00 20 00 00 and eax,0x2000
804b766: 85 c0 test eax,eax
804b768: 75 0a jne 804b774 <function42+0x109>
804b76a: 80 7d db 00 cmp BYTE PTR [ebp-0x25],0x0
804b76e: 0f 85 81 00 00 00 jne 804b7f5 <function42+0x18a>
804b774: 83 7d e8 01 cmp DWORD PTR [ebp-0x18],0x1
804b778: 75 7a jne 804b7f4 <function42+0x189>
804b77a: c7 45 e8 00 00 00 00 mov DWORD PTR [ebp-0x18],0x0
804b781: 8b 45 e0 mov eax,DWORD PTR [ebp-0x20]
804b784: 89 45 f0 mov DWORD PTR [ebp-0x10],eax
804b787: c7 45 e0 00 00 00 00 mov DWORD PTR [ebp-0x20],0x0
804b78e: 83 ec 04 sub esp,0x4
804b791: ff 75 f0 push DWORD PTR [ebp-0x10]
804b794: ff 75 e4 push DWORD PTR [ebp-0x1c]
804b797: 8d 45 dc lea eax,[ebp-0x24]
804b79a: 50 push eax
804b79b: e8 c7 fd ff ff call 804b567 <insert>
804b7a0: 83 c4 10 add esp,0x10
804b7a3: eb 16 jmp 804b7bb <function42+0x150>
804b7a5: 8b 45 ec mov eax,DWORD PTR [ebp-0x14]
804b7a8: 8d 50 01 lea edx,[eax+0x1]
804b7ab: 89 55 ec mov DWORD PTR [ebp-0x14],edx
804b7ae: 89 c2 mov edx,eax
804b7b0: 8b 45 d4 mov eax,DWORD PTR [ebp-0x2c]
804b7b3: 01 d0 add eax,edx
804b7b5: 0f b6 00 movzx eax,BYTE PTR [eax]
804b7b8: 88 45 db mov BYTE PTR [ebp-0x25],al
804b7bb: e8 f0 e3 ff ff call 8049bb0 <__ctype_b_loc@plt>
804b7c0: 8b 00 mov eax,DWORD PTR [eax]
804b7c2: 0f be 55 db movsx edx,BYTE PTR [ebp-0x25]
804b7c6: 01 d2 add edx,edx
804b7c8: 01 d0 add eax,edx
804b7ca: 0f b7 00 movzx eax,WORD PTR [eax]
804b7cd: 0f b7 c0 movzx eax,ax
804b7d0: 25 00 20 00 00 and eax,0x2000
804b7d5: 85 c0 test eax,eax
804b7d7: 75 cc jne 804b7a5 <function42+0x13a>
804b7d9: 83 6d ec 01 sub DWORD PTR [ebp-0x14],0x1
804b7dd: 80 7d db 00 cmp BYTE PTR [ebp-0x25],0x0
804b7e1: 74 05 je 804b7e8 <function42+0x17d>
804b7e3: e9 b6 fe ff ff jmp 804b69e <function42+0x33>
804b7e8: 90 nop
804b7e9: 8b 45 dc mov eax,DWORD PTR [ebp-0x24]
804b7ec: eb 1b jmp 804b809 <function42+0x19e>
804b7ee: 90 nop
804b7ef: eb 04 jmp 804b7f5 <function42+0x18a>
804b7f1: 90 nop
804b7f2: eb 01 jmp 804b7f5 <function42+0x18a>
804b7f4: 90 nop
804b7f5: 8b 45 dc mov eax,DWORD PTR [ebp-0x24]
804b7f8: 83 ec 0c sub esp,0xc
804b7fb: 50 push eax
804b7fc: e8 00 fe ff ff call 804b601 <freeList>
804b801: 83 c4 10 add esp,0x10
804b804: b8 00 00 00 00 mov eax,0x0
804b809: 8b 4d f4 mov ecx,DWORD PTR [ebp-0xc]
804b80c: 65 33 0d 14 00 00 00 xor ecx,DWORD PTR gs:0x14
804b813: 74 05 je 804b81a <function42+0x1af>
804b815: e8 76 de ff ff call 8049690 <__stack_chk_fail@plt>
804b81a: c9 leave
804b81b: c3 ret
Thank you so much for your time reading.
Rikus Strydom
old_timer0 Answers
Nobody has answered this question yet.
User contributions licensed under CC BY-SA 3.0