
Thread: Explaining the Disassemble

  1. #1

    Thread Starter
    VBA Nutter visualAd's Avatar
    Join Date
    Apr 2002
    Location
    Ickenham, UK
    Posts
    4,906

    Explaining the Disassemble

    I have disassembled some C code (below) with gdb. I am familiar with some of the instructions but not with others.

    Code:
    ; I am guessing these lines have something to do with
    ; argv** and argc but I am not entirely sure.
    0x08048586 <main+0>:    lea    0x4(%esp),%ecx
    0x0804858a <main+4>:    and    $0xfffffff0,%esp
    0x0804858d <main+7>:    pushl  0xfffffffc(%ecx)
    
    ; Do they do something with the frame pointer??? :confused:
    ; Why are three registers involved?
    0x08048590 <main+10>:   push   %ebp
    0x08048591 <main+11>:   mov    %esp,%ebp
    0x08048593 <main+13>:   push   %ecx
    
    ; I assume this is where space is left on the stack for the buffer
    0x08048594 <main+14>:   sub    $0x34,%esp
    
    ; now this must be moving argv and argc on to the stack
    0x08048597 <main+17>:   mov    0x4(%ecx),%eax
    0x0804859a <main+20>:   mov    %eax,0x4(%esp)
    0x0804859e <main+24>:   mov    (%ecx),%eax
    0x080485a0 <main+26>:   mov    %eax,(%esp)
    
    ; quite self explanatory I guess
    0x080485a3 <main+29>:   call   0x80484e5 <checkName>
    
    ; clearly the if statement but why is it testing two registers of the
    ; same name?
    0x080485a8 <main+34>:   test   %eax,%eax
    0x080485aa <main+36>:   jne    0x80485b5 <main+47>
    
    ; this must be carrying out the true part of the if statement
    ; the movl must be putting the return value of zero onto the stack??
    0x080485ac <main+38>:   movl   $0x0,0xffffffd8(%ebp)
    0x080485b3 <main+45>:   jmp    0x80485e7 <main+97>
    
    ; this must be the end of the if statement
    ; and the call to printf; I am assuming $0x804872d is the address
    ; of the string "\nPlease enter password: "
    0x080485b5 <main+47>:   movl   $0x804872d,(%esp)
    0x080485bc <main+54>:   call   0x8048368 <printf@plt>
    
    ; this must be the call to gets()
    ; I am still not sure what lea means but I am assuming
    ; 0xffffffde(%ebp) is the address of this buffer
    ; also why is 0xffffffde used to address an offset? and not 0x000000de(%ebp)??
    0x080485c1 <main+59>:   lea    0xffffffde(%ebp),%eax
    0x080485c4 <main+62>:   mov    %eax,(%esp)
    0x080485c7 <main+65>:   call   0x8048328 <gets@plt>
    
    ; now calling the check pass function with the strange offset again :D
    0x080485cc <main+70>:   lea    0xffffffde(%ebp),%eax
    0x080485cf <main+73>:   mov    %eax,(%esp)
    0x080485d2 <main+76>:   call   0x8048464 <checkPass>
    
    ; the register is testing itself again
    0x080485d7 <main+81>:   test   %eax,%eax
    0x080485d9 <main+83>:   je     0x80485e0 <main+90>
    
    ; calling the secret area function
    0x080485db <main+85>:   call   0x80484c5 <secretArea>
    
    ; this must be the cleanup for main.
    0x080485e0 <main+90>:   movl   $0x0,0xffffffd8(%ebp)
    0x080485e7 <main+97>:   mov    0xffffffd8(%ebp),%eax
    0x080485ea <main+100>:  add    $0x34,%esp
    0x080485ed <main+103>:  pop    %ecx
    0x080485ee <main+104>:  pop    %ebp
    0x080485ef <main+105>:  lea    0xfffffffc(%ecx),%esp
    0x080485f2 <main+108>:  ret
    The original C code is below. Any hints on what I have got wrong would be appreciated. This is a little different from the assembler I have seen before and I am not even great with that.

    Code:
    #include <stdio.h>

    /* checkName, checkPass and secretArea live elsewhere in the program;
       these prototypes are inferred from how main calls them */
    int checkName(int argc, char **argv);
    int checkPass(char *buf);
    void secretArea(void);

    int main (int argc, char **argv)
    {
        char Pbuffer [30];
        if (!checkName(argc,argv))
            {return(0); }
        printf("\nPlease enter password: ");
        gets(Pbuffer);      /* unbounded read: nothing limits what lands in the 30-byte buffer */
        if (checkPass(Pbuffer))
        {
            secretArea();
        }
        return 0;
    }

  2. #2
    New Member
    Join Date
    May 2008
    Posts
    3

    Re: Explaining the Disassemble

    Try disassembling something like this; it will show you what is going on at any given step and what your code is doing in both languages:

    #include <stdio.h>

    /* defined elsewhere; prototypes inferred from the calls below */
    int checkName(int argc, char **argv);
    int checkPass(char *buf);
    void secretArea(void);

    int main (int argc, char **argv)
    {
        printf("char Pbuffer [30];");
        char Pbuffer [30];
        printf("if (!checkName(argc,argv))");
        if (!checkName(argc,argv))
        {printf("return(0);");
        return(0); }
        printf("printf(\nPlease enter password;");
        printf("\nPlease enter password: ");
        printf("gets(Pbuffer);");
        gets(Pbuffer);
        printf("if (checkPass(Pbuffer))");
        if (checkPass(Pbuffer))
        {printf(" secretArea();");
        secretArea();
        }
        printf(" return 0;");
        return 0;
    }


    BTW, only IDA Pro is worth disassembling code with. It's hard enough to get a disassembly to reassemble, but IDA is not so bad in this respect because it's interactive.
