getsockname in battle.snp

Started by iago, June 07, 2003, 04:36 AM


iago

.text:190166A0     ; ecx = a pointer to a sockaddr structure
.text:190166A0    
.text:190166A0     ; BOOL __stdcall GetSockNameEx()
.text:190166A0     GetSockNameEx   proc near               ; CODE XREF: sub_19013E80+A2p
.text:190166A0                                             ; sub_19016810+EDp
.text:190166A0    
.text:190166A0     namelen         = dword ptr -1
.text:190166A0    
.text:190166A0 000                 push    ecx
.text:190166A1 004                 push    esi
.text:190166A2 008                 xor     eax, eax        ; Clear eax
.text:190166A4 008                 mov     esi, ecx        ; Backup ecx
.text:190166A6 008                 mov     [ecx], eax      ; Set the entire structure to NULL
.text:190166A8 008                 mov     [ecx+4], eax
.text:190166AB 008                 mov     [ecx+8], eax
.text:190166AE 008                 mov     [ecx+0Ch], eax
.text:190166B1 008                 mov     eax, TCPSocket  ; Move the TCPSocket into eax
.text:190166B6 008                 cmp     eax, INVALID_SOCKET ; Make sure it's a valid socket
.text:190166B9 008                 jnz     short loc_190166C0 ; Valid socket: continue at loc_190166C0
.text:190166BB 008                 xor     eax, eax
.text:190166BD 008                 pop     esi
.text:190166BE 004                 pop     ecx
.text:190166BF 000                 retn                    ; If the socket is invalid, return 0
.text:190166C0     ; ---------------------------------------------------------------------------
.text:190166C0    
.text:190166C0     loc_190166C0:                           ; CODE XREF: GetSockNameEx+19j
.text:190166C0 008                 lea     edx, [esp+5+namelen] ; Load the address of this local variable into edx
.text:190166C4 008                 mov     [esp+5+namelen], 10h ; Set it to 0x10
.text:190166CC 008                 push    edx             ; namelen
.text:190166CD 00C                 push    esi             ; name
.text:190166CE 010                 push    eax             ; s
.text:190166CF 014                 call    ds:getsockname  ; retrieves the local name for a socket
.text:190166CF                                             ; s [in] Descriptor identifying a socket.
.text:190166CF                                             ; name [out] Receives the address (name) of the socket.
.text:190166CF                                             ; namelen [in, out] Size of the name buffer.
.text:190166CF                                             ;
.text:190166D5 008                 cmp     eax, INVALID_SOCKET ; getsockname returns SOCKET_ERROR (-1) on failure, the same bit pattern IDA names INVALID_SOCKET
.text:190166D8 008                 jnz     short loc_190166DF
.text:190166DA 008                 xor     eax, eax
.text:190166DC 008                 pop     esi
.text:190166DD 004                 pop     ecx
.text:190166DE 000                 retn
.text:190166DF     ; ---------------------------------------------------------------------------
.text:190166DF    
.text:190166DF     loc_190166DF:                           ; CODE XREF: GetSockNameEx+38j
.text:190166DF 008                 xor     eax, eax        ; Clear eax
.text:190166E1 008                 add     esi, 8
.text:190166E4 008                 mov     [esi], eax
.text:190166E6 008                 mov     [esi+4], eax
.text:190166E9 008                 mov     eax, 1          ; return TRUE
.text:190166EE 008                 pop     esi
.text:190166EF 004                 pop     ecx
.text:190166F0    
.text:190166F0     unknown_libname_47:
.text:190166F0 000                 retn
.text:190166F0     GetSockNameEx   endp



This is a snippet of code from battle.snp 1.10.  Besides my inability to name variables, I'm trying to figure out what it does.  I know it should be a __fastcall function, but that's not important...

Anyway, I can't figure out what's going on after 190166DF.  It seems to add 8 to the pointer, which would put it to sockaddr.sa_name + 6 bytes, then it sets that and the next dword to NULL, but I have no idea why it's doing that.  Can anybody shed some light on it?
This'll make an interesting test for broken AV:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Adron

If what you say is true, it seems to be setting sin_zero to zero...


struct sockaddr_in {
       short   sin_family;
       u_short sin_port;
       struct  in_addr sin_addr;
       char    sin_zero[8];
};

iago

Hmm, that would make sense.  I was looking at these definitions:
int getsockname(
 SOCKET s,                    
 struct sockaddr FAR *name,  
 int FAR *namelen            
);

and

struct sockaddr {
 u_short   sa_family;
 char       sa_data[14];
};  

(From VS.net's SDK documentation)

You can see why it confused me based on these definitions.  Thanks! :)


Skywing

Quote from: iago on June 07, 2003, 06:02 AM
Hmm, that would make sense.  I was looking at these definitions:
int getsockname(
 SOCKET s,                    
 struct sockaddr FAR *name,  
 int FAR *namelen            
);

and

struct sockaddr {
 u_short   sa_family;
 char       sa_data[14];
};  

(From VS.net's SDK documentation)

You can see why it confused me based on these definitions.  Thanks! :)
For future reference: The SOCKADDR struct's contents beyond sa_family are socket-family specific.  When you're dealing with AF_INET, you use SOCKADDR_IN; there's a variety of other versions, however.
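The point Adron and Skywing make (the bytes after sa_family are family-specific, and for AF_INET they are sockaddr_in, whose sin_zero starts at offset 8) can be checked directly. The following is an added C example, not code from the thread; get_sock_name_ex is my reconstruction of the disassembled GetSockNameEx from the listing above, not battle.snp's source, and demo_loopback_name, the bind to 127.0.0.1 and the POSIX fd conventions (fd < 0 instead of INVALID_SOCKET, -1 instead of SOCKET_ERROR) are assumptions made so it runs on a Unix box:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Layout facts the thread turns on: sin_zero starts at byte 8 of sockaddr_in
 * (2 bytes family + 2 bytes port + 4 bytes address), and the whole structure
 * is 16 (0x10) bytes, the namelen the disassembly stores before getsockname. */
size_t sin_zero_offset(void)  { return offsetof(struct sockaddr_in, sin_zero); }
size_t sockaddr_in_size(void) { return sizeof(struct sockaddr_in); }

/* Reconstruction of GetSockNameEx from the listing (assumption: written from the
 * disassembly, not from source). Returns 1 on success, 0 if the socket is
 * invalid or getsockname fails; the structure is zeroed on every path, which
 * is what the four dword stores at the top of the function do. */
int get_sock_name_ex(int s, struct sockaddr_in *out)
{
    memset(out, 0, sizeof *out);               /* mov [ecx],eax ... mov [ecx+0Ch],eax */
    if (s < 0)                                 /* cmp eax, INVALID_SOCKET (fd < 0 on POSIX) */
        return 0;

    socklen_t namelen = sizeof *out;           /* mov [esp+5+namelen], 10h */
    if (getsockname(s, (struct sockaddr *)out, &namelen) < 0)   /* SOCKET_ERROR */
        return 0;

    /* add esi, 8 followed by two dword stores: getsockname may rewrite all 16
     * bytes, so clearing sin_zero after the call is what guarantees the 8
     * padding bytes are zero rather than whatever the stack held. */
    memset(out->sin_zero, 0, sizeof out->sin_zero);
    return 1;
}

/* Bind a TCP socket to 127.0.0.1 on an ephemeral port and read its name back
 * with get_sock_name_ex. Returns that function's result, or -1 when no socket
 * could be created or bound (e.g. a sandbox without networking). */
int demo_loopback_name(struct sockaddr_in *out)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -1;

    struct sockaddr_in local;
    memset(&local, 0, sizeof local);
    local.sin_family      = AF_INET;
    local.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    local.sin_port        = 0;                 /* let the kernel pick a port */
    if (bind(s, (struct sockaddr *)&local, sizeof local) < 0) {
        close(s);
        return -1;
    }

    int rc = get_sock_name_ex(s, out);
    close(s);
    return rc;
}

int main(void)
{
    printf("offsetof(sockaddr_in, sin_zero) = %zu, sizeof = %zu\n",
           sin_zero_offset(), sockaddr_in_size());

    struct sockaddr_in sa;
    int rc = demo_loopback_name(&sa);
    if (rc == 1)
        printf("bound to %s:%u, sin_zero cleared\n",
               inet_ntoa(sa.sin_addr), (unsigned)ntohs(sa.sin_port));
    else
        printf("get_sock_name_ex result: %d\n", rc);
    return 0;
}
```

Reading the disassembly against this: esi holds the sockaddr_in pointer, so `add esi, 8` lands on sin_zero, and the two dword stores cover exactly its 8 bytes; the generic sockaddr definition from the SDK (2 bytes sa_family + 14 bytes sa_data) hides that boundary, which is why the offset looked arbitrary.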

iago

Yes, I figured that out.  Well, Adron actually told me this morning.  Thanks for the help, though! :-)