Dilemma with an opcode in a debugger
I got a line of code like this:
push ff
push 0
push 0
push offset "this is a test"
push offset "Hello world!" ; string in hex: 48656C6C6F20776F726C6421
push 0
CALL FUNCTION 1
MOV EDI,EDI
PUSH EBP
MOV EBP,ESP
PUSH ECX
PUSH ECX
PUSH ESI
PUSH EDI
XOR EDI,EDI
OR ESI,FFFFFFFF
MOV DWORD PTR SS:[EBP-4],EDI
MOV DWORD PTR SS:[EBP-8],EDI
CMP DWORD PTR SS:[EBP+0C],EDI
JE SHORT ; jump is taken
Now going down the list of operations in the function:
PUSH EBP
PUSH ECX
PUSH ECX
PUSH ESI
PUSH EDI
XOR EDI,EDI ; will clear the EDI register, it's zero now
OR ESI,FFFFFFFF ; esi will hold value ffffffff
MOV DWORD PTR SS:[EBP-4],EDI ; copies edi to ecx
MOV DWORD PTR SS:[EBP-8],EDI ; copies edi to 2nd ecx
Now here's the part I don't get:
CMP DWORD PTR SS:[EBP+0C],EDI
It's comparing EDI, which has a value of zero, to ?
push offset "Hello world!" 48656C6C6F20776F726C6421
It's comparing what? The JE command states the jump is taken. What's not adding
up here... I've looked further down in the code and I'm not seeing
anything significant. Why is it jumping if the string is being compared to
0?
EDIT #1
Here is the entire code again, from the starting point; maybe you can find out
what I'm doing wrong.
Start of program:
00401000 6A 00 PUSH 0
00401002 68 00304000 PUSH OFFSET 00403000 ; ASCII "this is a test"
00401007 68 17304000 PUSH OFFSET 00403017 ; ASCII "Hello world!"
0040100C 6A 00 PUSH 0
0040100E FF15 70204000 CALL DWORD PTR DS:[402070]
Calls user32:
750AFD1E /$ 8BFF MOV EDI,EDI ; ID_X user32.MessageBoxA
750AFD20 |. 55 PUSH EBP
750AFD21 |. 8BEC MOV EBP,ESP
750AFD23 |. 6A 00 PUSH 0 ; /LanguageID = LANG_NEUTRAL
750AFD25 |. FF75 14 PUSH DWORD PTR SS:[EBP+14] ; |Type
750AFD28 |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |Caption
750AFD2B |. FF75 0C PUSH DWORD PTR SS:[EBP+0C] ; |Text
750AFD2E |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
750AFD31 |. E8 A0FFFFFF CALL MessageBoxExA ; \USER32.MessageBoxExA
750AFD36 |. 5D POP EBP
750AFD37 \. C2 1000 RETN 10
Calls MessageBoxExA:
750AFCD6 /$ 8BFF MOV EDI,EDI ; ID_X user32.MessageBoxExA
750AFCD8 |. 55 PUSH EBP
750AFCD9 |. 8BEC MOV EBP,ESP
750AFCDB |. 6A FF PUSH -1 ; /Arg6 = -1
750AFCDD |. FF75 18 PUSH DWORD PTR SS:[EBP+18] ; |Arg5
750AFCE0 |. FF75 14 PUSH DWORD PTR SS:[EBP+14] ; |Arg4
750AFCE3 |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |Arg3
750AFCE6 |. FF75 0C PUSH DWORD PTR SS:[EBP+0C] ; |Arg2
750AFCE9 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |Arg1
750AFCEC |. E8 37FEFFFF CALL MessageBoxTimeoutA
750AFCF1 |. 5D POP EBP
750AFCF2 \. C2 1400 RETN 14
Calls MessageBoxTimeoutA:
750AFB28 /$ 8BFF MOV EDI,EDI ; user32.MessageBoxTimeoutA
750AFB2A |. 55 PUSH EBP
750AFB2B |. 8BEC MOV EBP,ESP
750AFB2D |. 51 PUSH ECX
750AFB2E |. 51 PUSH ECX
750AFB2F |. 56 PUSH ESI
750AFB30 |. 57 PUSH EDI
750AFB31 |. 33FF XOR EDI,EDI
750AFB33 |. 83CE FF OR ESI,FFFFFFFF
750AFB36 |. 897D FC MOV DWORD PTR SS:[EBP-4],EDI
750AFB39 |. 897D F8 MOV DWORD PTR SS:[EBP-8],EDI
750AFB3C |. 397D 0C CMP DWORD PTR SS:[EBP+0C],EDI
750AFB3F |.- 74 19 JE SHORT 750AFB5A <----- OllyDbg states jump is taken
750AFB41 |. 6A 01 PUSH 1 ; /Arg6 = 1
750AFB43 |. 56 PUSH ESI ; |Arg5
750AFB44 |. 8D45 FC LEA EAX,[EBP-4] ; |
750AFB47 |. 50 PUSH EAX ; |Arg4
750AFB48 |. 56 PUSH ESI ; |Arg3
750AFB49 |. FF75 0C PUSH DWORD PTR SS:[EBP+0C] ; |Arg2
750AFB4C |. 57 PUSH EDI ; |Arg1
750AFB4D |. E8 72D5FAFF CALL MBToWCSEx ; \USER32.MBToWCSEx
750AFB52 |. 85C0 TEST EAX,EAX
750AFB54 |.- 75 04 JNZ SHORT 750AFB5A
750AFB56 |> 33C0 XOR EAX,EAX
750AFB58 |.- EB 6C JMP SHORT 750AFBC6
750AFB5A |> 397D 10 CMP DWORD PTR SS:[EBP+10],EDI <----- jumps here
750AFB5D |.- 74 27 JE SHORT 750AFB86 <----- jump is taken again
750AFB5F |. 6A 01 PUSH 1 ; /Arg6 = 1
750AFB61 |. 56 PUSH ESI ; |Arg5
750AFB62 |. 8D45 F8 LEA EAX,[EBP-8] ; |
750AFB65 |. 50 PUSH EAX ; |Arg4
750AFB66 |. 56 PUSH ESI ; |Arg3
750AFB67 |. FF75 10 PUSH DWORD PTR SS:[EBP+10] ; |Arg2
750AFB6A |. 57 PUSH EDI ; |Arg1
750AFB6B |. E8 54D5FAFF CALL MBToWCSEx ; \USER32.MBToWCSEx
750AFB70 |. 85C0 TEST EAX,EAX
750AFB72 |.- 75 12 JNZ SHORT 750AFB86
750AFB74 |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; /pMem
750AFB77 |. 57 PUSH EDI ; |Flags
750AFB78 |. FF35 0C010C75 PUSH DWORD PTR DS:[750C010C] ; |Heap = 00350000
750AFB7E |. FF15 14000575 CALL DWORD PTR DS:[<&ntdll.RtlFreeHeap>] ; \NTDLL.RtlFreeHeap
750AFB84 |.- EB D0 JMP SHORT 750AFB56
750AFB86 |> 53 PUSH EBX <--------- jumps here
750AFB87 |. FF75 1C PUSH DWORD PTR SS:[EBP+1C] ; /Arg6
750AFB8A |. FF75 18 PUSH DWORD PTR SS:[EBP+18] ; |Arg5
750AFB8D |. FF75 14 PUSH DWORD PTR SS:[EBP+14] ; |Arg4
750AFB90 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; |Arg3
750AFB93 |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; |Arg2
750AFB96 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |Arg1
750AFB99 |. E8 2FFFFFFF CALL MessageBoxTimeoutW
750AFB9E |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; /pMem
750AFBA1 |. 8B35 14000575 MOV ESI,DWORD PTR DS:[<&ntdll.RtlFreeHea ; |
750AFBA7 |. 57 PUSH EDI ; |Flags
750AFBA8 |. FF35 0C010C75 PUSH DWORD PTR DS:[750C010C] ; |Heap = 00350000
750AFBAE |. 8BD8 MOV EBX,EAX ; |
750AFBB0 |. FFD6 CALL ESI ; \NTDLL.RtlFreeHeap
750AFBB2 |. 397D F8 CMP DWORD PTR SS:[EBP-8],EDI
750AFBB5 |.- 74 0C JE SHORT 750AFBC3
750AFBB7 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8]
750AFBBA |. 57 PUSH EDI
750AFBBB |. FF35 0C010C75 PUSH DWORD PTR DS:[750C010C]
750AFBC1 |. FFD6 CALL ESI
750AFBC3 |> 8BC3 MOV EAX,EBX
750AFBC5 |. 5B POP EBX
750AFBC6 |> 5F POP EDI
750AFBC7 |. 5E POP ESI
750AFBC8 |. C9 LEAVE
750AFBC9 \. C2 1800 RETN 18
Is it maybe somehow the debugger throwing me off? Say, for example, the
first time it CMPs it's not equal, so it doesn't jump, performs some
operations, then attempts again, which results in the jump?
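Walking the three stack frames in the listing above, as an added example that is not code from the post: each callee forwards its arguments with PUSH DWORD PTR SS:[EBP+...], so [EBP+0C] inside MessageBoxTimeoutA is its second argument, the lpText pointer pushed at 00401007, and after XOR EDI,EDI the JE SHORT is taken only when that pointer is zero. The dword-array stack model, the return addresses and the argument names (hwnd, text, caption, type) are assumptions read off the listing.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the 32-bit stack: mem[] holds dwords, esp/ebp are
 * indexes into it, and a push moves esp toward lower indexes. */
#define STACK_DWORDS 64
typedef struct { uint32_t mem[STACK_DWORDS]; uint32_t esp, ebp; } Cpu;

static void push(Cpu *c, uint32_t v) { c->mem[--c->esp] = v; }
/* Reads the operand DWORD PTR SS:[EBP+disp]; disp is in bytes as in the listing. */
static uint32_t ebp_rel(const Cpu *c, int disp) { return c->mem[c->ebp + disp / 4]; }
/* CALL (pushes the return address) followed by the PUSH EBP / MOV EBP,ESP prologue. */
static void call_and_prologue(Cpu *c, uint32_t ret) { push(c, ret); push(c, c->ebp); c->ebp = c->esp; }

/* String addresses taken from the post's listing (00403000 / 00403017). */
#define CAPTION_ADDR 0x00403000u  /* "this is a test" */
#define TEXT_ADDR    0x00403017u  /* "Hello world!"   */

/* Replays the argument forwarding MessageBoxA -> MessageBoxExA -> MessageBoxTimeoutA
 * and returns what MessageBoxTimeoutA reads at DWORD PTR SS:[EBP+0C]. */
uint32_t value_at_ebp_0c(uint32_t hwnd, uint32_t text, uint32_t caption, uint32_t type)
{
    Cpu c = { {0}, STACK_DWORDS, STACK_DWORDS };
    /* Caller: PUSH 0 / PUSH caption / PUSH text / PUSH 0 / CALL MessageBoxA. */
    push(&c, type); push(&c, caption); push(&c, text); push(&c, hwnd);
    call_and_prologue(&c, 0x00401014u);
    /* MessageBoxA: PUSH 0 (LanguageID), then [EBP+14],[EBP+10],[EBP+0C],[EBP+8]. */
    push(&c, 0);
    for (int d = 0x14; d >= 0x08; d -= 4) push(&c, ebp_rel(&c, d));
    call_and_prologue(&c, 0x750AFD36u);
    /* MessageBoxExA: PUSH -1 (timeout), then [EBP+18] down to [EBP+8]. */
    push(&c, 0xFFFFFFFFu);
    for (int d = 0x18; d >= 0x08; d -= 4) push(&c, ebp_rel(&c, d));
    call_and_prologue(&c, 0x750AFCF1u);
    /* MessageBoxTimeoutA prologue is done; this is the operand of CMP [EBP+0C],EDI. */
    return ebp_rel(&c, 0x0C);
}

/* After XOR EDI,EDI the CMP sets ZF only if [EBP+0C] is 0, so JE SHORT is taken only then. */
int je_taken(uint32_t hwnd, uint32_t text, uint32_t caption, uint32_t type)
{
    return value_at_ebp_0c(hwnd, text, caption, type) == 0;
}

int main(void)
{
    uint32_t v = value_at_ebp_0c(0, TEXT_ADDR, CAPTION_ADDR, 0);
    printf("[EBP+0C] in MessageBoxTimeoutA = %08X, JE taken: %s\n", v,
           je_taken(0, TEXT_ADDR, CAPTION_ADDR, 0) ? "yes" : "no");
    printf("with lpText = NULL, JE taken: %s\n", je_taken(0, 0, CAPTION_ADDR, 0) ? "yes" : "no");
    return 0;
}
```

OllyDbg derives its "Jump is taken" annotation from the current flags for the instruction at EIP, so the note only describes this CMP once execution has actually stopped on that JE rather than while browsing the function from elsewhere.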