• Welcome to Valhalla Legends Archive.
 

neg esi

Started by Camel, September 17, 2003, 06:07 PM

Previous topic - Next topic
Print
|
Go Down Pages1
User actions

Camel

September 17, 2003, 06:07 PM
Code Select
.text:6F6721BB                 lea     esi, [eax+9]
.text:6F6721BE                 neg     esi
.text:6F6721C0                 xor     ebx, ebx
.text:6F6721C2                 and     esi, 3Fh

If I am not mistaken, the first line should set esi to the offset (eax+9). What, then, is the point of inverting a pointer?

iago

#1
September 17, 2003, 06:10 PM
eax isnt' necessarely a pointer.  Using a lea is an optimized way of adding 2 variables and storing them somewhere else.

It's basically, esi = ~(eax + 9);
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Camel

#2
September 17, 2003, 06:21 PM Last Edit: September 17, 2003, 06:21 PM by Camel
Ah, thanks.

[edit]
Code Select
.text:6F6721F9                 lea     esp, [esp+0]
Uh, esp = esp + 0?

iago

#3
September 17, 2003, 07:32 PM
yes, actually.. that load the address of [esp] into esp .. I don't know why it would do that, unless I was horribly mistaken
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Camel

#4
September 17, 2003, 09:47 PM
Well, I should say esp = &(*(esp+0));

Skywing

#5
September 18, 2003, 12:58 AM
Quote from: iago on September 17, 2003, 07:32 PM
yes, actually.. that load the address of [esp] into esp .. I don't know why it would do that, unless I was horribly mistaken
That is a fairly common "large nop" when the compiler has a specific amount of bytes it wants to fill with do-nothing code with as minimal of a performance impact as possible.  Typical reasons for this are aligning a code segment that the compiler thinks will be used a good deal.
Print
|
Go Up Pages1
User actions