View Full Version : Difference in disassembly.


5aLIVE
January 12th, 2009, 11:09
Just working between Olly and IDA and noticed the following:

IDA listing:
Code:

.text:10001175 8B+ mov ecx, [ebp+var_8]
.text:10001178 03+ add eax, [ebp+var_48]
.text:1000117B 8D+ lea ecx, [ecx+eax-28955B88h]
.text:10001182 8B+ mov eax, ecx
.text:10001184 C1+ shl eax, 7


OllyDbg listing:

Code:

02111175 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
02111178 0345 B8 ADD EAX,DWORD PTR SS:[EBP-48]
0211117B 8D8C01 78A46AD7 LEA ECX,DWORD PTR DS:[ECX+EAX+D76AA478]
02111182 8BC1 MOV EAX,ECX
02111184 C1E0 07 SHL EAX,7


The OllyDbg listing uses the constant I would expect to see, while IDA has a different value and a change of sign.

Can anyone explain to me why this is please?

tofu-sensei
January 12th, 2009, 11:17
because
680876936 * (-1) mod 2^32 = 3614090360

naides
January 12th, 2009, 11:22
Hi Five:

If you think about SIGNED versus Unsigned Integers you will see the reason:

IDA is interpreting the constant as a signed integer: -28955B88
Olly is interpreting it as an unsigned Integer : +D76AA478

At the end, they are one and the same: FFFFFFFF - 28955B88 = +D76AA477 (You have to add 1 because of carry concerns).

5aLIVE
January 12th, 2009, 11:40
Aha! Now I see why.

Ricardo Narvaja
January 12th, 2009, 12:40
If you right-click on any of these lines in IDA, you can see the option to change to the OllyDbg representation too, if you want.

ricnar

5aLIVE
January 12th, 2009, 12:50
Thanks for the tip Ricardo.
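
Added example, not part of the original thread: a short Python sketch that decodes the LEA bytes from the OllyDbg listing above and renders the same 32-bit displacement both ways, signed as IDA shows it and unsigned as OllyDbg shows it. The function names are hypothetical, the output only approximates IDA's operand style, and only the mod=10 + SIB + disp32 encoding used by this instruction is handled.

```python
import struct

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Bytes of the LEA at offset 117B, copied from the OllyDbg listing in the thread.
LEA_BYTES = bytes.fromhex("8D8C0178A46AD7")


def decode_lea_disp32(code):
    """Decode `8D /r` with mod=10 and a SIB byte (the form seen in the thread).

    Returns (dest, base, index, scale, raw_disp32_bytes).
    """
    if code[0] != 0x8D:
        raise ValueError("not a LEA r32, m opcode")
    modrm, sib = code[1], code[2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 2 or rm != 4:
        raise ValueError("only the mod=10 + SIB + disp32 form is handled")
    scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
    if index == 4:
        raise ValueError("index=100 means no index register; not handled")
    return REGS32[reg], REGS32[base], REGS32[index], scale, code[3:7]


def render(code, signed):
    """Format the operand with the displacement read as signed or unsigned."""
    dest, base, index, scale, disp = decode_lea_disp32(code)
    # Same four bytes, two readings: "<i" is signed, "<I" is unsigned.
    value = struct.unpack("<i" if signed else "<I", disp)[0]
    digits = f"{abs(value):X}"
    if digits[0] in "ABCDEF":
        digits = "0" + digits  # assembler-style hex needs a leading digit
    idx = index if scale == 1 else f"{index}*{scale}"
    sign = "-" if value < 0 else "+"
    return f"lea {dest}, [{base}+{idx}{sign}{digits}h]"


def effective_address(base_val, index_val, disp):
    # The CPU adds modulo 2^32, so either reading of disp gives the same result.
    return (base_val + index_val + disp) & 0xFFFFFFFF


if __name__ == "__main__":
    print(render(LEA_BYTES, signed=True))   # signed reading, as in the IDA listing
    print(render(LEA_BYTES, signed=False))  # unsigned reading, as in the OllyDbg listing
```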