
ask: OPCode


Apakekdah
August 30th, 2006, 05:49
I have code like this

Code:
0051DB99 > \C745 FC 1B000000 MOV DWORD PTR SS:[EBP-4],1B
0051DBA0 . 8B45 9C MOV EAX,DWORD PTR SS:[EBP-64]
0051DBA3 . 99 CDQ
0051DBA4 . B9 3D000000 MOV ECX,3D
0051DBA9 . F7F9 IDIV ECX
0051DBAB . 8955 B0 MOV DWORD PTR SS:[EBP-50],EDX
0051DBAE . C745 FC 1C000000 MOV DWORD PTR SS:[EBP-4],1C
0051DBB5 . 0FBF45 C0 MOVSX EAX,WORD PTR SS:[EBP-40]
0051DBB9 . 0345 B0 ADD EAX,DWORD PTR SS:[EBP-50]
0051DBBC . 0F80 9B130000 JO 0051EF5D
0051DBC2 . 99 CDQ
0051DBC3 . B9 2B000000 MOV ECX,2B
0051DBC8 . F7F9 IDIV ECX
0051DBCA . F7DA NEG EDX
0051DBCC . 1BD2 SBB EDX,EDX
0051DBCE . 42 INC EDX


What I'm asking for is just the original code in a high-level language (like VB)...
What is:
1. IDIV ECX -> modulus in VB, right...
2. SBB EDX, EDX -> what is this?

Please, I'm still learning...
Anyone, please help me...

Silkut
August 30th, 2006, 06:35
1/ IDIV: Signed Divide

2/ SBB: Integer Subtraction with Borrow
It adds the source operand (the second EDX) and the carry flag (CF). Then it subtracts the result from the destination operand (the first EDX).

Check Intel's Instruction set reference, with a search engine =)
http://intel.com/design/pentium4/manuals/index_new.htm

You can either download the PDF or order a hard copy..and it's useful.

naides
August 30th, 2006, 06:52
Quote:
[Originally Posted by Apakekdah]I have code like this

Code:
0051DB99 > \C745 FC 1B000000 MOV DWORD PTR SS:[EBP-4],1B
0051DBA0 . 8B45 9C MOV EAX,DWORD PTR SS:[EBP-64] ; The Number to divide( dividend) at EBP-64 is moved to EAX
0051DBA3 . 99 CDQ; Convert double to quad: Takes the number stored at EAX, a double word, and converts it into a quad word, stored in EDX:EAX, extending its sign bit as needed (so a negative number in EAX is still a negative number in EDX:EAX)
0051DBA4 . B9 3D000000 MOV ECX,3D; The divisor is moved to ECX
0051DBA9 . F7F9 IDIV ECX; Divides the quad EDX:EAX by ECX, The quotient is stored in EAX, and the residue is stored in EDX
0051DBAB . 8955 B0 MOV DWORD PTR SS:[EBP-50],EDX; This particular code is interested in the residue, EDX, and saves it in the stack variable pointed by [EBP-50], so yes it resembles the operation modulus
0051DBAE . C745 FC 1C000000 MOV DWORD PTR SS:[EBP-4],1C
0051DBB5 . 0FBF45 C0 MOVSX EAX,WORD PTR SS:[EBP-40]
0051DBB9 . 0345 B0 ADD EAX,DWORD PTR SS:[EBP-50]; more ops like those
0051DBBC . 0F80 9B130000 JO 0051EF5D
0051DBC2 . 99 CDQ
0051DBC3 . B9 2B000000 MOV ECX,2B
0051DBC8 . F7F9 IDIV ECX
0051DBCA . F7DA NEG EDX; This convoluted series of operations, NEG (2 complement),
0051DBCC . 1BD2 SBB EDX,EDX; Subtract with carry from itself
0051DBCE . 42 INC EDX; then increment it by 1

is a very popular ASM idiom that will turn EDX into 0 (FALSE) if EDX is different from 0, and into 1 (TRUE) if EDX is 0. In other words the program is asking if the second division residue is == 0



There is no "one to one" correspondence between asm opcodes and high-level operations. Often a single high-level op like B = A%C becomes several (tens/hundreds) of asm lines.

Google is your friend
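To make naides' line-by-line reading concrete, here is the listing written back as C. This is an added example, not code from the thread or from the program being disassembled; the variable names (var64, var40, var50) are assumptions standing for the stack slots at [EBP-64], [EBP-40] and [EBP-50], and cdq_idiv models CDQ + IDIV with a 64-bit dividend so the sign behaviour of the remainder is visible:

```c
#include <stdint.h>
#include <stdio.h>

/* Model of CDQ followed by IDIV r/m32. CDQ sign-extends EAX into EDX:EAX, so
 * the dividend IDIV sees is the 64-bit signed value of the 32-bit number.
 * The quotient truncates toward zero and the remainder takes the sign of the
 * dividend, exactly like C's / and % on signed ints. */
static void cdq_idiv(int32_t eax, int32_t ecx, int32_t *quot, int32_t *rem)
{
    int64_t edx_eax = (int64_t)eax;   /* CDQ: sign extension into EDX:EAX */
    *quot = (int32_t)(edx_eax / ecx); /* IDIV: EAX <- quotient */
    *rem  = (int32_t)(edx_eax % ecx); /* IDIV: EDX <- remainder */
}

/* Remainder only, the part of IDIV this listing keeps (EDX -> [EBP-50]). */
static int32_t idiv_rem(int32_t eax, int32_t ecx)
{
    int32_t q, r;
    cdq_idiv(eax, ecx, &q, &r);
    return r;
}

/* The listing read back as C. Variable names are hypothetical:
 * var64 = the dword at [EBP-64], var40 = the word at [EBP-40] (MOVSX, so
 * it is a signed 16-bit value), var50 = the dword at [EBP-50]. The return
 * value is EDX after NEG/SBB/INC: 1 when the second remainder is zero, 0
 * otherwise. *overflowed reports whether JO 0051EF5D would be taken. */
static int listing_as_c(int32_t var64, int16_t var40, int *overflowed)
{
    int32_t var50 = idiv_rem(var64, 0x3D);      /* MOV EAX,[EBP-64]; CDQ; IDIV 3D -> [EBP-50] = var64 % 61 */
    int64_t sum = (int64_t)var40 + var50;       /* MOVSX EAX,[EBP-40]; ADD EAX,[EBP-50] */
    if (sum > INT32_MAX || sum < INT32_MIN) {   /* JO 0051EF5D: signed overflow */
        *overflowed = 1;                        /* a 16-bit value plus a remainder below 61 can never
                                                   overflow 32 bits, so this path is dead here */
        return 0;
    }
    *overflowed = 0;
    int32_t r2 = idiv_rem((int32_t)sum, 0x2B);  /* CDQ; MOV ECX,2B; IDIV ECX -> EDX = sum % 43 */
    return r2 == 0;                             /* NEG EDX; SBB EDX,EDX; INC EDX */
}

/* Convenience wrapper with the overflow flag dropped. */
static int second_rem_is_zero(int32_t var64, int16_t var40)
{
    int o;
    return listing_as_c(var64, var40, &o);
}

int main(void)
{
    /* Constructed sample inputs; -7 shows the remainder keeping the dividend's sign. */
    printf("-7 %% 61 in C -> %d, via CDQ/IDIV -> %d\n", -7 % 61, idiv_rem(-7, 0x3D));
    printf("var64=43,  var40=0 -> %d\n", second_rem_is_zero(43, 0));
    printf("var64=100, var40=0 -> %d\n", second_rem_is_zero(100, 0));
    return 0;
}
```

The point of the 64-bit dividend in cdq_idiv is the CDQ step: without the sign extension a negative value in EAX would be divided as a huge unsigned quad and the remainder would be wrong, which is why compilers always emit CDQ before IDIV on a signed int.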

Apakekdah
August 30th, 2006, 08:00
Many thanks to naides and Silkut,
now I understand...

It's like this, right, in C++:
Code:

... other code ...
edx = eax % ecx
var50 = edx
var4 = 1c
eax = var40
eax = eax + var
JO 0051EF5D // out of range jump right
edx = -(eax % ecx)
???????? /// SBB EDX,EDX -> what the original code is this ???
edx++
... other code ...


Please correct me if I'm wrong...
because I'm still an amateur...

Please tell me...

naides
August 30th, 2006, 08:15
Get this book. Read three times, cover to cover.
Then come back if you have any questions

Apakekdah
August 30th, 2006, 09:06
Quote:
[Originally Posted by naides]Get this book. Read three times, cover to cover.
Then come back if you have any questions

Where can I get that book?

ZaiRoN
August 30th, 2006, 09:54
Library, amazon.com and so on...

Apakekdah
August 30th, 2006, 11:04
Quote:
[Originally Posted by ZaiRoN]Library, amazon.com and so on...

waaaa....
Isn't there one that is free..

Silkut
August 30th, 2006, 11:51
There are a lot of resources on the web. Opcodes on Intel's page, PDFs..free ebooks..but you have to find them by yourself, you have to search, you have to learn to use a search engine to increase serendipity

naides
August 30th, 2006, 11:57
Exe tools, E-book section.

Apakekdah
August 30th, 2006, 12:38
Quote:
[Originally Posted by naides]Exe tools, E-book section.

Hi, by the way...
I don't know what's wrong with my account on exetools...
I can log in, but can't do anything...
just like my account was banned or suspended...
Any other advice?

Apakekdah
August 30th, 2006, 12:44
Quote:
[Originally Posted by Silkut]There are a lot of resources on the web. Opcodes on Intel's page, PDFs..free ebooks..but you have to find them by yourself, you have to search, you have to learn to use a search engine to increase serendipity

I downloaded the basic opcodes from Intel's page...
but can't find the original code of SBB
-
btw, what I'm asking is just one thing...
I know IDIV = modulus in a high-level language
but SBB <= I was searching on Google...
all I have is just the meaning of SBB <= I know what SBB is, that's from you and naides...
but what is the original code in VB or C++, not in assembler...

IDIV in VB is like
Code:

edx = eax mod ecx


IDIV in C++ is like
Code:

edx = eax % ecx


And what about SBB?
like SBB EDX, EDX...
Just that; hope you understand my language, ya...

Thanks anyway...

Admiral
August 30th, 2006, 13:03
http://faydoc.tripod.com/cpu/sbb.htm

There is no 'original' code as the instruction is dependent on the type of variable (signed/unsigned) and the state of the flags. Usually, however, it simply acts as a straightforward signed subtraction. If you like,
Code:
EAX = EAX - ECX; // SBB EAX, ECX

in most cases.

Regards
Admiral

Apakekdah
August 30th, 2006, 15:08
Quote:
[Originally Posted by Admiral]http://faydoc.tripod.com/cpu/sbb.htm

There is no 'original' code as the instruction is dependent on the type of variable (signed/unsigned) and the state of the flags. Usually, however, it simply acts as a straightforward signed subtraction. If you like,
Code:
EAX = EAX - ECX; // SBB EAX, ECX

in most cases.

Regards
Admiral

Thanks for your explanation, sir...


But I was curious...

I put code like this in C++
Code:

int iEdx, iEax;

iEdx = 0x2A;
iEdx += 0x15;

iEdx -= iEdx; // in asm this will be the SUB operation, not SBB

iEdx returns 0

But when I put code like this in C++
Code:

int iEdx, iEax;

iEdx = 0x2A;
__asm
{
mov eax, iEdx;
add eax, -0x15;
sbb eax, eax;
mov iEdx, eax;
}

iEdx returns -1

Can you explain why it can be like this, sir, or anyone please...?
Or do you have more examples of that?
Beforehand, sorry if I'm being troublesome...
thx..

LLXX
August 30th, 2006, 21:43
I'm surprised almost none of you seem to have noticed this common Asm idiom NEG SBB INC!

All it is, in C, is the operator "!". More verbosely,
Code:
if(x==0) x=1;
else x=0;
But without any flow-modification instructions, e.g. Jcc/JMP, whatsoever - I believe this sort of code (just like CMP SBB DAS for turning a nybble into a higit) is called "intrinsic branching".

There's some interesting reading near the bottom of this page from our own site: http://www.woodmann.com/fravia/htdedlst.htm

Also, see if you can understand http://www.lrdev.com/lr/x86/samp1.html which contains this and other common idioms from an optimising compiler.

Someone has a whole page dedicated to it: http://www.pagetable.com/?p=13

I got all the links above from Googling "neg + sbb + inc".

Your code fragment in the OP is not written in VB, it appears to be C.
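The three posts above (naides' blue comments, Apakekdah's SUB-versus-SBB experiment, and LLXX's "it's just the ! operator") all come down to how the carry flag moves between instructions. This added example, not code from the thread, models just the carry flag for ADD, SUB, SBB, NEG and INC on 32-bit registers and then runs both sequences through that model: the NEG/SBB/INC idiom, and the mov/add/sbb experiment with its SUB counterpart. The function names and the sample operands are my own; the flag rules are the documented Intel semantics.

```c
#include <stdint.h>
#include <stdio.h>

/* Only the carry flag is modelled; NEG/SBB/INC is a pure carry-flag trick. */

/* ADD r32, imm32: CF = unsigned carry out of bit 31. */
static void add32(uint32_t *dst, uint32_t src, int *cf)
{
    uint64_t wide = (uint64_t)*dst + src;
    *cf = (int)(wide >> 32);
    *dst = (uint32_t)wide;
}

/* SUB r32, r32: dst -= src, ignoring the incoming CF (what C's -= compiles to). */
static void sub32(uint32_t *dst, uint32_t src, int *cf)
{
    *cf = *dst < src;
    *dst -= src;
}

/* SBB r32, r32: dst -= src + CF; CF = unsigned borrow out of the subtraction. */
static void sbb32(uint32_t *dst, uint32_t src, int *cf)
{
    uint64_t sub = (uint64_t)src + (uint64_t)*cf;
    *cf = (uint64_t)*dst < sub;
    *dst = (uint32_t)((uint64_t)*dst - sub);
}

/* NEG r32: dst = 0 - dst; CF = 1 unless the operand was zero. */
static void neg32(uint32_t *dst, int *cf)
{
    *cf = (*dst != 0);
    *dst = 0u - *dst;
}

/* INC r32: dst += 1; CF is left unchanged (ADD dst,1 would clobber it). */
static void inc32(uint32_t *dst) { *dst += 1; }

/* NEG EDX / SBB EDX,EDX / INC EDX: returns 1 if edx == 0, else 0, i.e. !edx. */
static uint32_t neg_sbb_inc(uint32_t edx)
{
    int cf = 0;
    neg32(&edx, &cf);        /* CF = (edx != 0); the value left in EDX no longer matters */
    sbb32(&edx, edx, &cf);   /* EDX - EDX - CF = -CF: 0 or 0xFFFFFFFF */
    inc32(&edx);             /* 1 or 0 */
    return edx;
}

/* Apakekdah's experiment: mov eax,start / add eax,imm / sbb eax,eax.
 * With start=0x2A and imm=-0x15 (0xFFFFFFEB) the add carries out of
 * bit 31, so CF=1 and SBB EAX,EAX yields 0 - 0 - 1 = -1. */
static int32_t add_then_sbb_self(uint32_t start, int32_t imm)
{
    uint32_t eax = start; int cf = 0;
    add32(&eax, (uint32_t)imm, &cf);
    sbb32(&eax, eax, &cf);
    return (int32_t)eax;
}

/* Same sequence with SUB instead of SBB: always 0, whatever CF held. */
static int32_t add_then_sub_self(uint32_t start, int32_t imm)
{
    uint32_t eax = start; int cf = 0;
    add32(&eax, (uint32_t)imm, &cf);
    sub32(&eax, eax, &cf);
    return (int32_t)eax;
}

int main(void)
{
    /* Constructed inputs mirroring the thread. */
    printf("neg/sbb/inc(0) = %u, neg/sbb/inc(5) = %u\n", neg_sbb_inc(0), neg_sbb_inc(5));
    printf("0x2A + -0x15 then sbb eax,eax -> %d\n", add_then_sbb_self(0x2A, -0x15));
    printf("0x2A + -0x15 then sub eax,eax -> %d\n", add_then_sub_self(0x2A, -0x15));
    return 0;
}
```

The reason `iEdx -= iEdx` and the inline `sbb eax, eax` disagree is visible in the model: SUB x,x is 0 regardless of CF, while SBB x,x is 0 minus CF, so it reads the carry left behind by the previous ADD. That is also why the idiom needs NEG first: NEG is the cheapest instruction that turns "is this register non-zero?" into the carry flag.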

Apakekdah
September 2nd, 2006, 05:55
It's really helping...
Thanks, LLXX

Is there any other site that I need to know to learn asm for crk, sir?

So SBB is just like Immediate If, right...

Admiral
September 4th, 2006, 11:11
Good spot, LLXX. That shouldn't have taken so long.

LLXX
September 4th, 2006, 16:49
I've memorised this and maybe another dozen Asm idioms... comes from many many many hours of reading disassembled code like a novel... it's not something you learn in a day or two.

naides
September 5th, 2006, 16:05
Quote:
[Originally Posted by LLXX]I'm surprised almost none of you seem to have noticed this common Asm idiom NEG SBB INC !

I did. Look at the blue comments to the code in my first post.

laola
September 5th, 2006, 16:07
...and this idiom was already (sort of, but not as detailed) mentioned by naides in post #3. Is it just me, or are some newbs too lazy to read?
You'll never become good at RE if you don't pay enough attention to details.

P.S. Oops, got distracted while writing the post and naides was faster.

Apakekdah
October 24th, 2006, 20:41
Quote:
[Originally Posted by laola]...and this idiom was already (sort of, but not as detailed) mentioned by naides in post #3. Is it just me, or are some newbs too lazy to read?
You'll never become good at RE if you don't pay enough attention to details.

P.S. Oops, got distracted while writing the post and naides was faster.

Yeah...
I read it but... didn't understand.
After LLXX gave me a sample in C, now I understand...

thx sir...

LLXX
October 25th, 2006, 02:34
Quote:
[Originally Posted by Apakekdah]thx sir...
You mean "madam"

Aimless
October 28th, 2006, 13:59
Of course, for the really strong of mind, there are the INTEL INSTRUCTION MANUALS. Opcodes and other stuff you would NOT want to read...

Your worst nightmare come true...

Have Phun