The C/C++ Reversing Reference Thread

iago · February 22, 2004, 01:04 PM

To start the ball rolling:

.text:6FC01A00 sub_6FC01A00    proc near               ; CODE XREF: .text:6FC01000p
.text:6FC01A00                                         ; D2Net_10025p ...
.text:6FC01A00                 mov     eax, Variable
.text:6FC01A05                 cmp     eax, 1
.text:6FC01A08                 jnz     short loc_6FC01A0B
.text:6FC01A0A                 retn
.text:6FC01A0B ; ---------------------------------------------------------------------------
.text:6FC01A0B 
.text:6FC01A0B loc_6FC01A0B:                           ; CODE XREF: sub_6FC01A00+8j
.text:6FC01A0B                 xor     ecx, ecx
.text:6FC01A0D                 cmp     eax, 2
.text:6FC01A10                 setz    cl
.text:6FC01A13                 mov     eax, ecx
.text:6FC01A15                 retn
.text:6FC01A15 sub_6FC01A00    endp

This has two optimizations, the first one is more obvoius, though.

The top half would be this:

Code Select

if((eax = Variable) == false) return; // keeping in mind that return value is in eax

Then in the second half, it compares it sets ecx to null, does the comparison, sets cl to 1, moves ecx to eax, then returns.

I've seen this construct many times, and all it's really doing is,

Code Select

if(eax == 2) return true;

iago · February 29, 2004, 04:51 PM

hmm, I should add the most famous optimization:

Code Select

.text:6FC0132E ADC xor esi, esi

is the same as,
esi = 0.

Arta · February 29, 2004, 06:06 PM

Still consider myself rather newb at this, so feel free to delete if wrong.

Code Select


mov     edx, eax
dec     eax
test    edx, edx
jz      return

Equivalent to:

Code Select


if(!eax) return -1;

iago · March 07, 2004, 08:54 PM

Code Select

add edx, 0FFFFFFFCh

For those of you who don't know, this has the same effect as subtracting 4 from edx.

iago · March 11, 2004, 09:26 PM

Right Answer

Code Select

mov edx, [some variable]
movzx edx, dl

Is the same as:

Code Select

mov edx, [some variable]
and edx, 0xFF

(movZx stants for mov with Zero extend)

On the other hand, this:

Code Select

mov edx, [some variable]
movsx edx, dl

Will do the same thing if dl is positive, but will sign-extend if dl is negative, so:
7F will become 0000007F, and 80 will become FFFFFF80.
(movsx means mov with Sign extend)

Finally,

Code Select

mov edx, [some variable]
mov edx, dl

Will have no affect because mov extends nothing and leaves the rest of the register intact.

(Thanks to skywing for correcting me on this

)

iago · May 14, 2004, 08:51 PM

This is a very important pattern I see all the time:

Code Select

.text:1503AABB                 mov     eax, esi
.text:1503AABD                 neg     eax
.text:1503AABF                 sbb     eax, eax
.text:1503AAC1                 mov     ecx, edi
.text:1503AAC3                 neg     ecx
.text:1503AAC5                 sbb     ecx, ecx
.text:1503AAC7                 test    ecx, eax        ; Make sure both arguments are valid
.......

this is the same as,
if(esi != NULL && edi != NULL).....

TheMinistered · May 16, 2004, 08:21 PM

In C++, and many other languages, the compiler will generate the following code to access an item in an array:

Code Select


mov eax, [arraybase+index*arraytypesize]

arraybase is the pointer to the base of the array, index is the item in the array you are trying to retreive, and arraytypesize is the size of the type the array is declared as.

iago · May 16, 2004, 09:19 PM

For some arithmatic:

This C code:

Code Select

int edx = 3;
edx = edx * 2 + 5;

will probably look like this:

Code Select

mov edx, 3
lea edx, [5 + edx*2]

lea's can be used for arithmatic.