Help with basic ASM

Started by Ringo, March 09, 2008, 10:00 AM


Ringo

Hmmm, I'm trying to learn the basics of ASM, but the ASM for this function has me a little confused:

DLLIMPORT unsigned char __stdcall *GamePacketSize(unsigned char *data,
                             unsigned int *size,
                             unsigned int *offset)
{
   unsigned int a;
   if (data[0] < 0xF0) {
       *size = data[0] - 1;
       *offset = 1;
       return &data[1];
   }
   a = (data[0] & 0xF) << 8;
   *size = a + data[1] - 2;
   *offset = 2;
   return &data[2];
}

This is my current understanding of the ASM, but I don't think I fully understand it :(
Could anyone explain anything i might have missed?

.text:6B5011A0 ; Exported entry   6. GamePacketSize
.text:6B5011A0 ; Exported entry   7. GamePacketSize@12
.text:6B5011A0
.text:6B5011A0 ; =============== S U B R O U T I N E =======================================
.text:6B5011A0
.text:6B5011A0 ; Attributes: bp-based frame
.text:6B5011A0
.text:6B5011A0                 public GamePacketSize@12
.text:6B5011A0 GamePacketSize@12 proc near
.text:6B5011A0
.text:6B5011A0 var_8           = dword ptr -8
.text:6B5011A0 var_4           = dword ptr -4
.text:6B5011A0 Data            = dword ptr  8
.text:6B5011A0 Size            = dword ptr  0Ch
.text:6B5011A0 Offset          = dword ptr  10h
.text:6B5011A0
.text:6B5011A0                 push    ebp             ; GamePacketSize
.text:6B5011A1                 mov     ebp, esp        ; store stack base pointer?
.text:6B5011A3                 sub     esp, 8          ; preserve 8 bytes on the stack?
.text:6B5011A6                 mov     eax, [ebp+Data] ; move stack+8 to eax?
.text:6B5011A9                 cmp     byte ptr [eax], 0EFh ; compare eax to 0xEF
.text:6B5011AC                 ja      short loc_6B5011D0 ; if greater than goto?
.text:6B5011AE                 mov     edx, [ebp+Size] ; move stack+12 to edx?
.text:6B5011B1                 mov     eax, [ebp+Data] ; move stack+8 to eax?
.text:6B5011B4                 mov     al, [eax]       ; set 1st byte of eax to eax?
.text:6B5011B6                 and     eax, 0FFh       ; and off the end 3 bytes?
.text:6B5011BB                 dec     eax             ; subtract 1 from eax?
.text:6B5011BC                 mov     [edx], eax      ; move eax to address of edx?
.text:6B5011BE                 mov     eax, [ebp+Offset] ; set eax to address of stack+16?
.text:6B5011C1                 mov     dword ptr [eax], 1 ; set address of stack+16 (eax) to 1?
.text:6B5011C7                 mov     eax, [ebp+Data] ; move address of stack+8 to eax?
.text:6B5011CA                 inc     eax             ; add 1 to eax
.text:6B5011CB                 mov     [ebp+var_8], eax ; set stack-8 to eax? func variable return space?
.text:6B5011CE                 jmp     short loc_6B50120B ; go to
.text:6B5011D0 ; ---------------------------------------------------------------------------
.text:6B5011D0
.text:6B5011D0 loc_6B5011D0:
.text:6B5011D0                 mov     eax, [ebp+Data] ; move stack+8 to eax? again?
.text:6B5011D3                 mov     al, [eax]       ; set 1st byte of eax to eax?
.text:6B5011D5                 and     eax, 0Fh        ; and eax by 0x0F
.text:6B5011D8                 and     eax, 0FFh       ; and eax by 0xFF? (huh?)
.text:6B5011DD                 shl     eax, 8          ; shift eax left 8 bits
.text:6B5011E0                 mov     [ebp+var_4], eax ; move eax into address of stack-4 (tmp variable)?
.text:6B5011E3                 mov     edx, [ebp+Size] ; move stack+12 to edx?
.text:6B5011E6                 mov     eax, [ebp+Data] ; move stack+8 to eax?
.text:6B5011E9                 inc     eax             ; add 1 to eax
.text:6B5011EA                 mov     al, [eax]       ; set 1st byte of eax to eax?
.text:6B5011EC                 and     eax, 0FFh       ; and eax by 0xFF
.text:6B5011F1                 add     eax, [ebp+var_4] ; add stack-4 variable to eax?
.text:6B5011F4                 sub     eax, 2          ; subtract 2 from eax?
.text:6B5011F7                 mov     [edx], eax      ; move eax to address of edx (stack+12)?
.text:6B5011F9                 mov     eax, [ebp+Offset] ; move stack+16 to eax?
.text:6B5011FC                 mov     dword ptr [eax], 2 ; set stack+16 (eax) to 2?
.text:6B501202                 mov     eax, [ebp+Data] ; move stack+8 to eax?
.text:6B501205                 add     eax, 2          ; add 2 to stack+8 (eax)?
.text:6B501208                 mov     [ebp+var_8], eax ; move stack+8 (eax) to stack-8, func return?
.text:6B50120B
.text:6B50120B loc_6B50120B:
.text:6B50120B                 mov     eax, [ebp+var_8] ; move stack-8 func return to eax?
.text:6B50120E                 leave                   ; hm whats this do?
.text:6B50120F                 retn    0Ch             ; return, popping 12 bytes off the stack?
.text:6B50120F GamePacketSize@12 endp

Thanks in advance.


edit: whoops, posted in the wrong forum, I meant to post it in the Assembly Language forum ><
Can someone move it please? :P

edit#2: n/m, spoke to rob@useast who verified a few things I was unsure of. Can trash this if not useful.
Still not sure what the opcode "leave" does though :p
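Added example, not code from the thread or from the game DLL it disassembles: a plain C re-implementation of the same header decoding (one-byte header below 0xF0, otherwise the low nibble of the first byte becomes the high byte of a two-byte length), plus the check the original leaves to its caller. Since `size` is unsigned there, a first byte of 0x00 (or 0xF0 0x00) wraps to a huge length; this version computes it signed and rejects anything that is negative or longer than the buffer. The helper name `decode_packet`, the `pkt_view` struct and the sample packets are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of decoding one game-packet header; payload == NULL means rejected. */
typedef struct {
    const uint8_t *payload;  /* first byte after the header (&data[1] or &data[2]) */
    size_t size;             /* payload length, as GamePacketSize computes it */
    size_t offset;           /* header length: 1 or 2 */
} pkt_view;

/* Same arithmetic as GamePacketSize in the thread, but bounded by `avail`,
   the number of bytes actually present in the buffer (hypothetical helper). */
static pkt_view decode_packet(const uint8_t *data, size_t avail)
{
    pkt_view v = { NULL, 0, 0 };
    long size;                      /* signed so an underflow is visible */
    if (avail < 1)
        return v;
    if (data[0] < 0xF0) {           /* one-byte header: total length = byte, payload = byte - 1 */
        size = (long)data[0] - 1;
        v.offset = 1;
    } else {                        /* two-byte header: (low nibble << 8) + second byte */
        if (avail < 2)
            return v;
        size = (long)(((data[0] & 0x0F) << 8) + data[1]) - 2;
        v.offset = 2;
    }
    /* Reject a header that claims less than nothing (0x00, 0xF0 0x01, ...)
       or more payload than the buffer holds. */
    if (size < 0 || (size_t)size > avail - v.offset)
        return v;
    v.payload = data + v.offset;
    v.size = (size_t)size;
    return v;
}

int main(void)
{
    /* Constructed sample packets, not captured traffic. */
    static const uint8_t one[] = { 0x05, 0xAA, 0xBB, 0xCC, 0xDD };
    static const uint8_t two[] = { 0xF1, 0x23 };  /* claims 0x123 = 291 bytes total */
    pkt_view a = decode_packet(one, sizeof one);
    pkt_view b = decode_packet(two, sizeof two);
    printf("one-byte header: size %zu, offset %zu\n", a.size, a.offset);
    printf("two-byte header with only 2 bytes present: %s\n",
           b.payload ? "accepted" : "rejected");
    return 0;
}
```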

Kp

leave reverses the changes made by enter.  See the Intel x86 instruction manual for details.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

iago

enter wasn't actually called, was it?

I always understood it as undoing what the standard prefix (push ebp / mov ebp, esp) does.
This'll make an interesting test for broken AV:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Ringo