Vigual
December 9th, 2009, 20:00
I am trying to reverse an algorithm but I have a few questions. The purpose of this algorithm is to find the dword that contains the last character in a string. Basically, it searches for a 00 byte in the dword.
THE FIRST PART:
ESP+4 is a pointer to an address. So ECX contains an address. By TESTing the address with 3, it seems like it checks to see if the address is a multiple of 4, since if it is not it will have bits set between 3 and 0. I don't really get why that is done here. It seems like it's because the algorithm is working in dwords, which are 4 bytes, but I still don't get why that matters because you can get dwords from any address, not just ones that are multiples of 4. Maybe I'm wrong here.
Code:
MOV ECX,DWORD PTR SS:[ESP+4]
TEST ECX,3
JE SHORT 004A8A80
004A8A5C - MOV AL,BYTE PTR DS:[ECX]
ADD ECX,1
TEST AL,AL
JE SHORT 004A8AB3
TEST ECX,3
JNZ SHORT 004A8A5C
ADD EAX,0
LEA ESP,DWORD PTR SS:[ESP]
LEA ESP,DWORD PTR SS:[ESP]
THE SECOND PART
This second part seems to check if there are 00s in the dword. Here's what I think I know about the algorithm. 7EFEFEFF xor FFFFFFFF = 81010101. So, what I guess should happen is
Code:
ADD EDX,EAX
XOR EAX,FFFFFFFF
XOR EAX,EDX
Should cause 7EFEFEFF to be inverted to 81010101, it should also add the initial value of EAX to EDX, which is obviously done, then later subtract initial EAX which I don't see. I don't really get how this is used to test if EAX contains a 00.
Code:
004A8A80 - MOV EAX,DWORD PTR DS:[ECX]
MOV EDX,7EFEFEFF
ADD EDX,EAX
XOR EAX,FFFFFFFF
XOR EAX,EDX
ADD ECX,4
TEST EAX,81010100
JE SHORT 004A8A80
Here is the entire code just for context
Code:
MOV ECX,DWORD PTR SS:[ESP+4]           ; ECX = the pointer argument
TEST ECX,3                             ; low two bits set -> address not a multiple of 4
JE SHORT 004A8A80                      ; already aligned: straight to the dword loop
004A8A5C - MOV AL,BYTE PTR DS:[ECX]    ; byte loop: read one byte
ADD ECX,1
TEST AL,AL                             ; is it the 00 terminator?
JE SHORT 004A8AB3                      ; yes: leave (target not shown in this listing)
TEST ECX,3                             ; reached a 4-byte boundary yet?
JNZ SHORT 004A8A5C                     ; no: keep reading single bytes
ADD EAX,0                              ; padding (no-op): aligns the loop below
LEA ESP,DWORD PTR SS:[ESP]             ; padding (no-op)
LEA ESP,DWORD PTR SS:[ESP]             ; padding (no-op)
004A8A80 - MOV EAX,DWORD PTR DS:[ECX]  ; dword loop: read four bytes at once
MOV EDX,7EFEFEFF
ADD EDX,EAX                            ; EDX = x + 7EFEFEFF (carries ripple through nonzero bytes)
XOR EAX,FFFFFFFF                       ; EAX = NOT x
XOR EAX,EDX                            ; EAX = NOT x XOR (x + 7EFEFEFF)
ADD ECX,4
TEST EAX,81010100                      ; 81010100 = NOT 7EFEFEFF; checks bits 8, 16, 24, 31
JE SHORT 004A8A80                      ; none set: no 00 byte in this dword, next dword
I hope my explanation is not too confusing.
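The routine above, reimplemented in C as an added worked example (this is not Vigual's code and not the source of the disassembled program; it assumes a little-endian 32-bit x86 target like the one in the listing, and the code that runs after the dword loop finds a hit is not in the post, so the per-byte re-check below is an assumed completion). Two points the example makes concrete. First, nothing is ever subtracted: XOR with NOT x followed by XOR with x + 7EFEFEFF sets a bit wherever x and x + 7EFEFEFF agree, and the test mask 81010100 is simply NOT 7EFEFEFF, so bits 8, 16, 24 and 31 report whether the carry out of bytes 0, 1, 2 and 3 was suppressed by a zero byte. Second, the alignment step matters because an aligned 4-byte load can never straddle a page boundary, so the dword loop may safely read up to three bytes past the terminator; an unaligned dword load could touch an unmapped page. The test also shows the one false positive the mask produces (top byte 0x80), which is why the bytes must be re-checked and the loop resumed rather than trusting the mask alone.

```c
/* Added example: C model of the disassembly in the post (not the program's own
 * source). Assumes little-endian x86 with 32-bit loads. The handling after the
 * dword loop reports a hit is not shown in the post and is an assumption here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAGIC     0x7EFEFEFFu   /* MOV EDX,7EFEFEFF */
#define TEST_MASK 0x81010100u   /* == ~MAGIC; TEST EAX,81010100 */

/* The second part: nonzero when x MAY contain a zero byte. Bits 8, 16 and 24
 * flag a zero in bytes 0, 1 and 2; bit 31 flags byte 3. No false negatives.
 * False positives exist (byte 3 == 0x80, or a byte of 0x01 above a zero byte),
 * so the caller must look at the bytes before trusting the answer. */
uint32_t zero_byte_candidate(uint32_t x)
{
    uint32_t edx = x + MAGIC;        /* ADD EDX,EAX: carries ripple past nonzero bytes */
    uint32_t eax = x ^ 0xFFFFFFFFu;  /* XOR EAX,FFFFFFFF */
    eax ^= edx;                      /* XOR EAX,EDX: bit set where x and x+MAGIC agree */
    return eax & TEST_MASK;          /* TEST EAX,81010100 */
}

/* Index (0..3) of the lowest zero byte in x, or -1 if there is none. */
int lowest_zero_byte(uint32_t x)
{
    for (int i = 0; i < 4; i++)
        if (((x >> (8 * i)) & 0xFFu) == 0) return i;
    return -1;
}

size_t dword_strlen(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;

    /* First part: one byte at a time until p is 4-byte aligned (TEST ECX,3).
     * An aligned dword load never crosses a page boundary, so the loop below
     * can over-read up to 3 bytes past the terminator without faulting. */
    while (((uintptr_t)p & 3u) != 0) {
        if (*p == 0) return (size_t)(p - (const unsigned char *)s);
        p++;
    }

    /* Second part: four bytes per iteration. */
    for (;;) {
        uint32_t x;
        memcpy(&x, p, 4);                  /* MOV EAX,DWORD PTR [ECX] */
        p += 4;                            /* ADD ECX,4 */
        if (zero_byte_candidate(x) == 0)
            continue;                      /* JE SHORT 004A8A80 */
        /* Assumed completion: pin down which byte (if any) is really zero. */
        int i = lowest_zero_byte(x);
        if (i >= 0)
            return (size_t)(p - 4 - (const unsigned char *)s) + (size_t)i;
        /* false positive (e.g. top byte 0x80): keep scanning */
    }
}

/* Test helper with constructed input: place s at byte offset off (0..3) in a
 * 4-byte aligned buffer padded with 0xFF, so the over-read stays in bounds and
 * no accidental zero padding can mask a false negative. Returns (size_t)-1 on
 * bad arguments. */
size_t measure_at_offset(const char *s, unsigned off)
{
    static uint32_t backing[32];           /* 128 bytes, aligned by its type */
    unsigned char *buf = (unsigned char *)backing;
    size_t n = strlen(s);
    if (off > 3 || off + n + 1 + 4 > sizeof backing) return (size_t)-1;
    memset(buf, 0xFF, sizeof backing);
    memcpy(buf + off, s, n + 1);           /* copies the terminator too */
    return dword_strlen((const char *)buf + off);
}

int main(void)
{
    /* "abc\x80" "def" is split so the hex escape does not swallow "def". */
    const char *samples[] = { "", "a", "abcd", "abcdefgh", "abc\x80" "def", "\x80\x80\x80\x80x" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        for (unsigned off = 0; off < 4; off++)
            printf("sample %zu at offset %u -> %zu (libc strlen %zu)\n",
                   k, off, measure_at_offset(samples[k], off), strlen(samples[k]));
    printf("candidate(41424344)=%08X candidate(00434241)=%08X candidate(80636261)=%08X\n",
           zero_byte_candidate(0x41424344u), zero_byte_candidate(0x00434241u),
           zero_byte_candidate(0x80636261u));
    return 0;
}
```

Reading 0x80636261 ("abc" followed by 0x80) through zero_byte_candidate yields 0x80000000 even though no byte is zero: byte 3 (0x80) plus 0x7E plus the carry from below gives 0xFF, whose top bit matches the top bit of x. That is the case the loop has to fall through and resume on, and the reason the real routine cannot return the moment the TEST is nonzero.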