
Can anyone explain the following asm code to me, please? What does it do? I have already commented it a bit.
EDIT: C++, compiled with MS Visual C++ 2008 Express Edition -> disassembled

    .text:39552AF5 pop     ecx
    .text:39552AF6 push    eax             ; void *
    .text:39552AF7 lea     eax, [ebp+procedureVariable_C] ; get a proc variable from stack to eax?
    .text:39552AFA call    sub_39501565    ; call procedure with arguments: eax(void) and the lea result?
    .text:39552AFF mov     ecx, dword_395D0A44 ; dword_395D0A44("official") char gets moved into ecx
    .text:39552B05 mov     eax, ebx        ; ?
    .text:39552B07 call    sub_39572981    ; ? no arguments?

    .text:39501565 ; int __stdcall sub_39501565(void *)
    .text:39501565 sub_39501565 proc near  ; CODE XREF: sub_39501423+1Cp
    .text:39501565                         ; sub_39501803+1Cp ...
    .text:39501565
    .text:39501565 arg_0 = dword ptr 4
    .text:39501565
    .text:39501565 cmp     [esp+arg_0], 0
    .text:3950156A push    edi
    .text:3950156B mov     edi, eax
    .text:3950156D jnz     short loc_39501573
    .text:3950156F xor     eax, eax
    .text:39501571 jmp     short loc_39501583
    .text:39501573 ; ---------------------------------------------------------------------------
    .text:39501573
    .text:39501573 loc_39501573:           ; CODE XREF: sub_39501565+8j
    .text:39501573 mov     eax, [esp+4+arg_0]
    .text:39501577 lea     edx, [eax+1]
    .text:3950157A
    .text:3950157A loc_3950157A:           ; CODE XREF: sub_39501565+1Aj
    .text:3950157A mov     cl, [eax]
    .text:3950157C inc     eax
    .text:3950157D test    cl, cl
    .text:3950157F jnz     short loc_3950157A
    .text:39501581 sub     eax, edx
    .text:39501583
    .text:39501583 loc_39501583:           ; CODE XREF: sub_39501565+Cj
    .text:39501583 push    eax             ; int
    .text:39501584 push    [esp+8+arg_0]   ; void *
    .text:39501588 call    sub_39501524
    .text:3950158D mov     eax, edi
    .text:3950158F pop     edi
    .text:39501590 retn    4
    .text:39501590 sub_39501565 endp
  • I suspect that this code uses a calling convention that uses EAX and ECX as arguments. Like Borland's fastcall/register convention. But without the content of the functions you're calling this is difficult to say. And if your program uses some kind of whole-program-optimization these might not even be conventional calling conventions. Commented Jun 12, 2011 at 12:03
  • 1
    Add the code for the functions you're calling. Commented Jun 12, 2011 at 12:06
  • way too big and complex, it's a really big disassembled DLL. I would like to see general info about the commands..? Commented Jun 12, 2011 at 12:11
  • I want to see enough of those functions to deduce which calling convention they use. And what compiler was used to compile that project? Commented Jun 12, 2011 at 12:16
  • C++, compiled with MS Visual C++ 2008 Express Edition -> disassembled Commented Jun 12, 2011 at 12:29

3 Answers


This part

    .text:39501573
    .text:39501573 loc_39501573:           ; CODE XREF: sub_39501565+8j
    .text:39501573 mov     eax, [esp+4+arg_0]
    .text:39501577 lea     edx, [eax+1]
    .text:3950157A
    .text:3950157A loc_3950157A:           ; CODE XREF: sub_39501565+1Aj
    .text:3950157A mov     cl, [eax]
    .text:3950157C inc     eax
    .text:3950157D test    cl, cl
    .text:3950157F jnz     short loc_3950157A
    .text:39501581 sub     eax, edx

looks like it is scanning for a nul byte and computing end - start + 1, where start + 1 comes from edx.

This is what strlen would do!

Is there some magic here?!




lea does not dereference anything. It just does arithmetic with the registers in its second parameter and stores the result in the first parameter.

lea eax, [ebp+procedureVariable_C]; 

Assuming that procedureVariable_C is a constant offset it adds that offset to calculate the pointer to the corresponding variable.
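Added example, not code from the question or from any of the answers: a C rendering of the loop at loc_39501573 and of the NULL check in front of it, written so that each C line maps to one instruction of the listing. It shows why the first answer reads the loop as strlen (the pointer one past the terminating nul minus start + 1 is exactly the length) and, for the answer on lea, that `lea edx, [eax+1]` is plain pointer arithmetic with no memory access. The function names and the sample strings are my own; the unknown callee sub_39501524 and the value passed in EAX are deliberately left out.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical C rendering of loc_39501573 .. 39501581. Variables are
 * named after the registers in the listing so each line maps to one
 * instruction. */
size_t listing_scan_len(const char *arg_0)
{
    const char *eax = arg_0;        /* mov  eax, [esp+4+arg_0]          */
    const char *edx = eax + 1;      /* lea  edx, [eax+1]: arithmetic only,
                                       nothing is loaded from memory     */
    unsigned char cl;
    do {                            /* loc_3950157A:                    */
        cl = (unsigned char)*eax;   /* mov  cl, [eax]                   */
        eax++;                      /* inc  eax                         */
    } while (cl != 0);              /* test cl, cl ; jnz loc_3950157A   */
    /* eax now points one past the nul: (end + 1) - (start + 1) = end - start */
    return (size_t)(eax - edx);     /* sub  eax, edx                    */
}

/* Hypothetical rendering of the NULL check that precedes the loop
 * (cmp [esp+arg_0], 0 ; jnz ... ; xor eax, eax): a NULL pointer yields
 * length 0 instead of being dereferenced. */
size_t listing_len_or_zero(const char *arg_0)
{
    if (arg_0 == NULL)
        return 0;
    return listing_scan_len(arg_0);
}

/* Compare the reconstruction against the C library's strlen on a few
 * constructed sample strings; returns 1 when every case agrees. */
int listing_len_matches_strlen(void)
{
    static const char *const samples[] = { "", "a", "official", "hello world" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (listing_len_or_zero(samples[i]) != strlen(samples[i]))
            return 0;
    }
    return listing_len_or_zero(NULL) == 0;
}

int main(void)
{
    printf("loop agrees with strlen: %s\n",
           listing_len_matches_strlen() ? "yes" : "no");
    printf("\"official\" -> %zu\n", listing_scan_len("official"));
    return 0;
}
```

The empty string is the edge case worth checking: the loop body runs once, eax ends at start + 1, and the subtraction gives 0, which is why the compiler can start edx at start + 1 instead of keeping a separate counter.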



What do you want to know from SO that you don't already know? It's a couple function calls. The first passes a local parameter by reference in EAX, the second gets EAX as a parameter, perhaps a result from the first call, or perhaps just what was passed into this block in EBX.

We don't know what calling conventions are used, whether this assembler is disassembled compiler output or 'human' coding, no context, no clue to what the functions do or return. We're not exactly in a good position to help.

There is nothing unusual about this code. What's the problem?

Rgds, Martin
