View Full Version : Something Strange with Asm!!Help Please!


MeTERMan
February 26th, 2001, 18:37
Hello!


I dumped it!


EAX=9805EB64 EBX=9805EB64 ECX=0000CCFD EDX=00000000 ESI=00BF2E6A
EDI=00000000 EBP=006CF3EC ESP=006CF1FC EIP=00456B5E o d I s Z a P c
CS=0167 DS=016F SS=016F ES=016F FS=3DB7 GS=0000
─────────────────────────────────────────────────────────────────────────PROT32─
0167:00456B07 8D8520FEFFFF LEA EAX,[EBP-01E0] 
0167:00456B0D E80AECFAFF CALL 0040571C 
0167:00456B12 E885BCFAFF CALL 0040279C
0167:00456B17 31DB XOR EBX,EBX
0167:00456B19 31C0 XOR EAX,EAX
0167:00456B1B 31D2 XOR EDX,EDX
0167:00456B1D 8B75F4 MOV ESI,[EBP-0C]
0167:00456B20 803E00 CMP BYTE PTR [ESI],00
0167:00456B23 740D JZ 00456B32
0167:00456B25 AC LODSB
0167:00456B26 80E830 SUB AL,30
0167:00456B29 01C3 ADD EBX,EAX
0167:00456B2B 6BDB0A IMUL EBX,EBX,0A
0167:00456B2E 31C0 XOR EAX,EAX
0167:00456B30 EBEE JMP 00456B20
0167:00456B32 B90A000000 MOV ECX,0000000A
0167:00456B37 89D8 MOV EAX,EBX
0167:00456B39 F7F9 IDIV ECX
0167:00456B3B 8945F0 MOV [EBP-10],EAX
0167:00456B3E 89C3 MOV EBX,EAX
0167:00456B40 B908020000 MOV ECX,00000208
0167:00456B45 8B45F0 MOV EAX,[EBP-10]
0167:00456B48 0FAFD8 IMUL EBX,EAX
0167:00456B4B 3B1D10834500 CMP EBX,[00458310]
0167:00456B51 7210 JB 00456B63
0167:00456B53 31D2 XOR EDX,EDX
0167:00456B55 51 PUSH ECX
0167:00456B56 89D8 MOV EAX,EBX
0167:00456B58 8B0D10834500 MOV ECX,[00458310] I am here! Cursor!
0167:00456B5E F7F9 IDIV ECX This gives me the creeps!
0167:00456B60 59 POP ECX
0167:00456B61 89D3 MOV EBX,EDX
0167:00456B63 E2E0 LOOP 00456B45
0167:00456B65 81FBF7310000 CMP EBX,000031F7
0167:00456B6B 7504 JNZ 00456B71
0167:00456B6D C645EF01 MOV BYTE PTR [EBP-11],01
0167:00456B71 8D8520FEFFFF LEA EAX,[EBP-01E0]
0167:00456B77 E858EAFAFF CALL 004055D4
0167:00456B7C E81BBCFAFF CALL 0040279C
0167:00456B81 807DEF01 CMP BYTE PTR [EBP-11],01 
0167:00456B85 7512 JNZ 00456B99




There it is: EAX = as you can see above
EAX=9805EB64 EBX=9805EB64 ECX=0000CCFD EDX=00000000!
So the function moves CCFD to ECX! And IDIV ECX; the same as EAX = EAX / ECX!
Right! So you get nothing new!!

But this is the strange thing! Look down::

MeTERMan
February 26th, 2001, 18:40
But this is the strange thing!



EAX=0000BDDA EBX=9805EB64 ECX=0000CCFD EDX=000092F2 ESI=00BF2E6A
EDI=00000000 EBP=006CF3EC ESP=006CF1FC EIP=00456B60 o d I s Z a P c
CS=0167 DS=016F SS=016F ES=016F FS=3DB7 GS=0000



0167:00456B53 31D2 XOR EDX,EDX
0167:00456B55 51 PUSH ECX
0167:00456B56 89D8 MOV EAX,EBX
0167:00456B58 8B0D10834500 MOV ECX,[00458310]
0167:00456B5E F7F9 IDIV ECX
0167:00456B60 59 POP ECX *** Cursor here!! Creeps!
0167:00456B61 89D3 MOV EBX,EDX
0167:00456B63 E2E0 LOOP 00456B45
0167:00456B65 81FBF7310000 CMP EBX,000031F7
0167:00456B6B 7504 JNZ 00456B71



So logically EAX and ECX would change, right!
But look at EDX, it changes too!! EDX = 00 before, now EDX = 000092F2.
How do you get EDX? Or how do you see where it changes? It's a crackme, so I did send you one!
Can you please advise me!! How to calculate EDX!!

Thanks for helping!


Bratcher
February 26th, 2001, 22:31
IDIV, signed integer division, may operate with dword numbers that are bigger than 32 bits.
In such a case the dividend is contained in EDX:EAX. The divisor, in your example, was in ECX. After the operation executes, the quotient is contained in EAX and the remainder is placed in EDX. That is why EDX, despite not being explicitly involved in the operation, changes from 0 to something.

Bratcher
February 26th, 2001, 22:34
EDX is the remainder of EDX (0 in this case):EAX integer divided by ECX.
(I pushed the post button before I was done.)
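As an added worked example (not code from this thread or from Bratcher), here is the IDIV rule above emulated in Python and checked against the register values MeTERMan posted: with EDX cleared by XOR EDX,EDX, EDX:EAX = 0x9805EB64 divided by ECX = 0xCCFD gives EAX = 0xBDDA and EDX = 0x92F2. It also shows the contrast with CDQ, which the crackme code does not use, to make clear why the dividend counts as positive here.

```python
# Added example: emulate x86 IDIV r/m32 (EDX:EAX / divisor -> EAX = quotient, EDX = remainder)
# and check it against the register values from the SoftICE dump in this thread.

MASK32 = 0xFFFFFFFF


def to_signed(value, bits):
    """Interpret an unsigned register value as a two's-complement signed integer."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def cdq(eax):
    """CDQ: sign-extend EAX into EDX (the usual setup for a signed 32-bit IDIV)."""
    return MASK32 if eax & 0x80000000 else 0


def idiv32(edx, eax, divisor):
    """IDIV r/m32: divide the signed 64-bit value EDX:EAX by a signed 32-bit divisor.

    Returns (eax, edx) = (quotient, remainder) as unsigned 32-bit register values.
    Raises where the CPU would raise #DE: divide by zero, or a quotient that does not fit in EAX.
    """
    dividend = to_signed((edx << 32) | eax, 64)
    d = to_signed(divisor, 32)
    if d == 0:
        raise ZeroDivisionError("IDIV by zero -> #DE")
    # x86 truncates the quotient toward zero and gives the remainder the sign of the dividend;
    # Python's // and % floor instead, so divide the magnitudes and put the signs back.
    q, r = abs(dividend) // abs(d), abs(dividend) % abs(d)
    if (dividend < 0) != (d < 0):
        q = -q
    if dividend < 0:
        r = -r
    if not -(1 << 31) <= q < (1 << 31):
        raise OverflowError("quotient does not fit in EAX -> #DE")
    return q & MASK32, r & MASK32


if __name__ == "__main__":
    # Values from the dump: XOR EDX,EDX; MOV EAX,EBX (9805EB64); MOV ECX,[00458310] (CCFD); IDIV ECX
    eax, edx = idiv32(0, 0x9805EB64, 0xCCFD)
    print(f"XOR EDX,EDX then IDIV: EAX={eax:08X} EDX={edx:08X}")  # EAX=0000BDDA EDX=000092F2
    # Had the code used CDQ instead, EAX's top bit would have made the 64-bit dividend negative
    eax, edx = idiv32(cdq(0x9805EB64), 0x9805EB64, 0xCCFD)
    print(f"CDQ then IDIV:         EAX={eax:08X} EDX={edx:08X}")
```

Because EDX was zeroed, the 64-bit dividend is positive even though EAX on its own has its top bit set, so the signed division behaves like an unsigned one here; the remainder lands in EDX, which is exactly the change MeTERMan saw.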

MeTERMan
February 27th, 2001, 05:38
Thanks Bratcher!! I get an answer quicker if I put it on the board than if I email you!! heh

Thanks again!

MeTERMan