Log in

View Full Version : Code Sample Question

tutenKam
January 9th, 2014, 21:03
Hello,

I have some code that I need help with. ( comment on each line what its doing )

I know I can get shift F1 help in ollydbg but I am not sure what they are doing with this code.

Is this the right place?



Also,

Some general questions:

I see references saying to search for fs:[30] in the dump but I can never get any search hits?

How do I display the memory location so I can use the offset data in PEid for example?



I am a newbie so bare with me.
I am doing this for fun, its what happens when the weather is -30 outsite.



Thanks for any help.

Code:
CPU Disasm

Address   Hex dump          Command                                  Comments

6F5C4B91  /$  8BFF          MOV EDI,EDI                              ; test_exe.6F5C4B91(guessed Arg1)

6F5C4B93  |.  55            PUSH EBP

6F5C4B94  |.  8BEC          MOV EBP,ESP

6F5C4B96  |.  837D 08 00    CMP DWORD PTR SS:[EBP+8],0

6F5C4B9A  |.- 74 2D         JE SHORT 6F5C4BC9

6F5C4B9C  |.  FF75 08       PUSH DWORD PTR SS:[EBP+8]                ; /pMem

6F5C4B9F  |.  6A 00         PUSH 0                                   ; |Flags = 0

6F5C4BA1  |.  FF35 8C3A5F6F PUSH DWORD PTR DS:[6F5F3A8C]             ; |Heap = 043A0000

6F5C4BA7  |.  FF15 8C705D6F CALL DWORD PTR DS:[<&KERNEL32.HeapFree>] ; \KERNEL32.HeapFree

6F5C4BAD  |.  85C0          TEST EAX,EAX

6F5C4BAF  |.- 75 18         JNZ SHORT 6F5C4BC9

6F5C4BB1  |.  56            PUSH ESI

6F5C4BB2  |.  E8 E0120000   CALL 6F5C5E97

6F5C4BB7  |.  8BF0          MOV ESI,EAX

6F5C4BB9  |.  FF15 88705D6F CALL DWORD PTR DS:[<&KERNEL32.GetLastErr ; [KERNEL32.GetLastError

6F5C4BBF  |.  50            PUSH EAX                                 ; /Arg1

6F5C4BC0  |.  E8 90120000   CALL 6F5C5E55                            ; \test_exe.6F5C5E55

6F5C4BC5  |.  59            POP ECX

6F5C4BC6  |.  8906          MOV DWORD PTR DS:[ESI],EAX

6F5C4BC8  |.  5E            POP ESI

6F5C4BC9  |>  5D            POP EBP

6F5C4BCA  \.  C3            RETN
niaren
January 10th, 2014, 03:16
Manually trying to decompile the easy part of that function gets

Code:


void HeapFreeWrap(LPVOID lpMem)

{

    if(0 == lpMem)

        return;



    if(0 != HeapFree(globalHeapHandle, 0, lpMem)  // if success just return

        return;



    _asm{                  // Error logging

        CALL 6F5C5E97

        MOV ESI,EAX

        CALL DWORD PTR DS:[<&KERNEL32.GetLastErr ; [KERNEL32.GetLastError

        PUSH EAX                                 ; /Arg1

        CALL 6F5C5E55                            ; \test_exe.6F5C5E55

        POP ECX

        MOV DWORD PTR DS:[ESI],EAX

    }

    return;

}


I'm unsure how to 'decompile' the asm stub. The pop ecx confuses me. The three instructions in the middle can be converted to sub_6F5C5E55(GetLastError()), I believe, and the return value is stored in the address return by function sub_6F5C5E97(), I think. Best guess (I know this is not correct)

Code:


void HeapFreeWrap(LPVOID lpMem)

{

    if(0 == lpMem)

        return;



    if(0 != HeapFree(globalHeapHandle, 0, lpMem)  // if success just return

        return;



    // Error logging

    int *pInt = sub_6F5C5E97()

    *pInt = sub_6F5C5E55(GetLastError());

    return;

}


The function does not appear to be very interesting and there is no reference to fs:[30] anywhere. If nothing is wrong it just calls HeapFree. Thats it!
Can you explain why you chose to show this function?
tutenKam
January 12th, 2014, 09:46
Thanks for the reply. I am a newbie and I am learning assembler slowly. I can compile code and I can make sense of what the code does. But when professors give code samples, they always ask the question "what function does the code do"? Anothewords, anyone can look up the instructions one line at a time but at the end of the day, you have to answer the question of what is the author trying to do?

I am getting better with normal code but references to kernel or user32 are the ones that stomp me and thats why I posted this.

Is there a quick tutorial on these two dlls? I am looking something for newbies, google gives to many hits and I find msdn useless most of the time.

Thank