
View Full Version : ASM to C?


callan300
June 19th, 2007, 18:32
Hello Everyone.

I am learning. Could someone help me with this code? I need to understand what the code is doing so that I can re-write the function in C#. I need help on learning how to figure this out. I am using a program called RecStud.exe.

Let me know if I need to provide more info?

Here is what I get from RecStud:

/* Procedure: 0x10001100 - 0x10001143
* Argument size: 24
* Local size: 0
* Save regs size: 0
*/

CALCRATED(A4, A8, Ac, A10, A14, A18)
/* unknown */ void A4;
/* unknown */ void A8;
/* unknown */ void Ac;
/* unknown */ void A10;
/* unknown */ void A14;
/* unknown */ void A18;
{

(fsave)A18;
asm("fcomp dword [0x100080e4]");
asm("fnstsw ax");
if(!(ah & 0x40)) {
if(A4 >= Ac && A4 > 0) {
return A8 - A14 + A10 - 1;
}
return A4 | -1;
}
return 10000;
}

LLXX
June 19th, 2007, 22:10
WTF. Give us C or Asm, not an unreadable mixture of both

...and this is not advanced by any measure.

ZaiRoN
June 20th, 2007, 06:10
Don't know what it does exactly and I have never used recstudio before. From the output it seems like it calls some FPU instructions followed by simple math operations. The FPU instructions are:

fsave: saves the state of the FPU. A18 is the destination address
fcomp: compares st(0) with the converted value pointed by dword [0x100080E4]
fnstsw: stores fpu status register into ax

The end of the procedure contains simple operations you'll surely figure out by yourself.

naides
June 20th, 2007, 06:13
Quote (originally posted by callan300):

Hello Everyone.

I am learning. Could someone help me with this code? I need to understand what the code is doing so that I can re-write the function in C#. I need help on learning how to figure this out. I am using a program called RecStud.exe.

Let me know if I need to provide more info?

Here is what I get from RecStud:

/* Procedure: 0x10001100 - 0x10001143
* Argument size: 24
* Local size: 0
* Save regs size: 0
*/

CALCRATED(A4, A8, Ac, A10, A14, A18)
Looks like a function that takes 6 parameters, which appear to be 4 bytes long if you interpret each suffix as a position in the stack.

/* unknown */ void A4;
/* unknown */ void A8;
/* unknown */ void Ac;
/* unknown */ void A10;
/* unknown */ void A14;
/* unknown */ void A18;
{

(fsave)A18;
Saves the status of the whole FPU (Float Processing Unit). This is a structure that takes 94 bytes, so I assume that A18 is a pointer to that structure.

asm("fcomp dword [0x100080e4]");
Compares the float number located at the top of the fstack, ST0, with another float one LOCATED at [0x100080e4]. Notice that [0x100080e4] is a POINTER: it contains the address of a global variable, so this comp is NOT if ( ST(0) == global_pointer ) BUT rather ( ST(0) == *global_pointer ). The result of the comparison sets the zero flag C3 in the FPU status register.

asm("fnstsw ax");
Because the regular CPU zero flag is not affected by the comparison, we read the FPU status register into AX, to be able to learn the result of the comparison.

if(!(ah & 0x40)) {
Now this step masks out all the bits to only read the "zero flag" C3 which is located at the 7th position of AH. In other words, all these weird float instructions can be summarized to pseudo code: If ( ST0 != *global_pointer){

if(A4 >= Ac && A4 > 0) {
return A8 - A14 + A10 - 1;
}
return A4 | -1;
}
return 10000;
}
And the rest is plain C with some bitwise ops.


So the only mystery I see is getting access to the contents of the fstack and doing an fcomparison in GREEN to a float global variable located at address [0x100080e4]. Some of this info depends on the context and is not explicit in the code snippet you provided.


Add On: I looked around the RecStudio decompiler. I have the impression that it has some trouble dealing with float variable types, so the decompilation of steps involving these types is a little clunky. But for the most part it does a decent job.
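As an added worked example (my code, not RecStudio output or anything from the thread), here is the FPU part of the decompiled procedure modelled in C, plus the procedure itself rewritten so the control flow can be exercised with concrete inputs. After fcomp, the condition codes land in the status word as C0 = bit 8, C2 = bit 10 and C3 = bit 14; after fnstsw ax those are bits 0, 2 and 6 of AH, so "ah & 0x40" is exactly the C3 test. Two caveats a reverser should keep in mind: C3 is also set when the compare is unordered (a NaN operand), so "!(ah & 0x40)" really means "not equal and not unordered"; and FSAVE re-initialises the x87 after storing its state (108 bytes in 32-bit protected mode), so if that instruction really precedes the fcomp, st0 is empty at the compare and the result is always unordered. The model below follows the decompiler's reading and takes st0 as an explicit argument; the global name g_threshold standing in for dword [0x100080e4] and the integer types of A4..A14 are assumptions. "A4 | -1" evaluates to -1 for any A4 in two's complement, which is the usual rendering of an "or eax, -1" load of -1. On x86 with GCC/Clang, fcomp_status_hw runs the real instruction sequence so the software model can be checked against the hardware.

```c
#include <assert.h>
#include <math.h>
#include <stdint.h>

/* x87 status-word condition-code bits; after "fnstsw ax" they are
   AH bits 0 (C0), 2 (C2) and 6 (C3), i.e. the 0x40 mask tests C3. */
#define FSW_C0 0x0100
#define FSW_C2 0x0400
#define FSW_C3 0x4000

enum fcomp_result { FCOMP_GREATER, FCOMP_LESS, FCOMP_EQUAL, FCOMP_UNORDERED };

/* Decode what FCOMP left in the status word (Intel SDM condition-code table). */
enum fcomp_result fcomp_decode(uint16_t sw)
{
    int c0 = (sw & FSW_C0) != 0;
    int c2 = (sw & FSW_C2) != 0;
    int c3 = (sw & FSW_C3) != 0;
    if (c3 && c2 && c0) return FCOMP_UNORDERED; /* NaN involved */
    if (c3)             return FCOMP_EQUAL;
    if (c0)             return FCOMP_LESS;
    return FCOMP_GREATER;
}

/* Software model of "fcomp dword [src]" with st0 as given: the condition
   bits FCOMP would set, with the invalid-operation exception masked. */
uint16_t fcomp_status(float st0, float src)
{
    if (st0 != st0 || src != src) return FSW_C3 | FSW_C2 | FSW_C0;
    if (st0 == src) return FSW_C3;
    if (st0 < src)  return FSW_C0;
    return 0;
}

#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
/* Same compare on real x87 hardware: push st0, fcomp against memory, fnstsw. */
uint16_t fcomp_status_hw(float st0, float src)
{
    uint16_t sw;
    __asm__ volatile("flds %1\n\t"
                     "fcomps %2\n\t"
                     "fnstsw %0"
                     : "=a"(sw) : "m"(st0), "m"(src) : "st");
    return sw & (FSW_C3 | FSW_C2 | FSW_C0);
}
#endif

/* Assumed stand-in for the global float at dword [0x100080e4]. */
float g_threshold = 1.0f;

/* CALCRATED rewritten in C. A18 (the fsave destination) does not affect
   the return value and is omitted; st0 is passed in explicitly. */
int32_t calcrated(float st0, int32_t a4, int32_t a8, int32_t ac,
                  int32_t a10, int32_t a14)
{
    uint16_t sw = fcomp_status(st0, g_threshold); /* fcomp + fnstsw ax */
    if (!(sw & FSW_C3)) {                          /* C3 clear: st0 != *global */
        if (a4 >= ac && a4 > 0)
            return a8 - a14 + a10 - 1;
        return -1;                                 /* A4 | -1 is always -1 */
    }
    return 10000;                                  /* equal, or unordered */
}
```

The decoder is the piece to reuse when the next function in this binary tests ah & 0x01 or ah & 0x45 instead: those masks select C0 (below) or the C3/C2/C0 triple that compilers use for "below or equal / unordered" checks.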

deroko
June 20th, 2007, 08:37
hmm have you tried IDA 5.1 and its decompiler plugin? It could help.

reverser
June 20th, 2007, 09:54
HexRays also doesn't support floating point yet, though it's possible it will produce better output for the rest of the code.

LLXX
June 20th, 2007, 16:43
Ironic that FPU code, which is stack-based, should be the easiest to decompile.

callan300
June 24th, 2007, 18:25
Thanks for the great response, that really helps.

I have IDA 4.5.1.770 but I am not making any sense out of it.
Do I need some sort of plug in to see the functions (like in REC studio)? And if the answer is yes, please could you point me to where I can find it?

Thanks.

Polaris
June 25th, 2007, 02:24
IDA is a disassembler, not a decompiler. Therefore, you'll be seeing only assembly code. To see the decompiled output people were discussing above, you need a special IDA plugin that is built on top of IDA. To use such a plugin, you need IDA 5.1, not 4.5.1; in addition to this, you need to enroll for the closed beta of the decompiler. Both retrieving IDA 5.1 and getting your hands on the decompiler plugin are very difficult unless you're a paying customer for IDA.