Recognize of data block

Question

Assembler code from data segment:

.data:006A5038 dword_6A5038    dd 0
.data:006A5038                   
.data:006A503C ; char *off_6A503C
.data:006A503C off_6A503C      dd offset aOption0
.data:006A503C                                   
.data:006A503C                                   
.data:006A5040 dword_6A5040    dd 1              
.data:006A5040                                   
.data:006A5044                 dd offset aOption1
.data:006A5048                 db    2
.data:006A5049                 db    0
.data:006A504A                 db    0
.data:006A504B                 db    0
.data:006A504C                 dd offset aOption2
.data:006A5050                 db    3
.data:006A5051                 db    0
.data:006A5052                 db    0
.data:006A5053                 db    0
.data:006A5054                 dd offset aOption3
.data:006A5058                 db    4
..................................................
.data:006A5294                 dd offset aOption4bh
.data:006A5298                 db  4Ch ; L
.data:006A5299                 db    0
.data:006A529A                 db    0
.data:006A529B                 db    0
.data:006A529C                 dd offset aOption4ch 
.data:006A52A0                 db 0FFh
.data:006A52A1                 db 0FFh
.data:006A52A2                 db 0FFh
.data:006A52A3                 db 0FFh

Assembler code of code segment, it piece of code below is loop, and during this loop checks eax with value 0xffffffff for end of loop; every step of loop to do some opertion with compare this strings named "options". i.e. there is string, and string's numeric indefiner, and for end of loop checks eax if 0xffffffff.

.text:005334DF                 mov     eax, dword_6A5040[edi*8]
.text:005334E6                 inc     edi
.text:005334E7                 cmp     eax, 0FFFFFFFFh
.text:005334EA                 jnz     loc_533433

Question- how this data from data segment (strings and numeric indefiners) might look in high-level languages like c++? May be is it structures, how arranged this structures? It like global variables, because placed in data segment. Thanks in advance!

score 2 · Accepted Answer · answered Aug 11 '20 at 19:39

.text:005334DF mov     eax, dword_6A5040[edi*8]

edi is multiplied by 8
edi is a 32 bit register
so by inferance edi can range from 0 to 0xffffffff
so edi can be 0*8 = 0,1*8 = 8,2*8=16,.....n*8 =8n,....
or multiplication table of 8

arrays and pointers are represented in x86 assembly with square brackets

this 6A5040[edi*8] denotes Array Access so

.data:006A5040 dword_6A5040    dd 1

will be the first member of array

in a higher language this will look like

*int eax = *(int *)6a5040* or

int eax = foo[i]

where foo is an array of some type

int foo[] = { {1,ptr} , {2,ptr} ,{3.ptr}, ...... ,{n ,ptr} };

inc edi here index is increased this will be like i++;

cmp and jnz will map to a conditional like

if (eax != val) {do something}

or

while (eax!=val) {do something}

putting all this together one can derive a higher levelcode that would yield similar work flowlike below

#include <stdio.h> 
typedef struct _FOO 
{
    unsigned int a;
    unsigned int *b;
}Foo,*PFoo;
unsigned int  mint[] = {0,1,2,3,4,5,6,7,8,0xffffffff};
Foo myfoo[] = 
{ 
    {mint[ 0],&(mint[ 0])},
    {mint[ 1],&(mint[ 1])},
    {mint[ 2],&(mint[ 2])},
    {mint[10],&(mint[10])} 
};
int main (void) 
{
    int i =0;    
    while(myfoo[i].a != 0xffffffff)    
    {
        printf("%u\t%p\n",  myfoo[i].a, myfoo[i].b);
        i++;
    }
    return 0;
}

and disassembly wouldbe like

0:000> uf .
foo!main:
013410a0 55              push    ebp
013410a1 8bec            mov     ebp,esp
013410a3 51              push    ecx
013410a4 c745fc00000000  mov     dword ptr [ebp-4],0
foo!main+0xb:
013410ab 8b45fc          mov     eax,dword ptr [ebp-4]
013410ae 833cc5f8993801ff cmp     dword ptr foo!myfoo (013899f8)[eax*8],0FFFFFFFFh
013410b6 742e            je      foo!main+0x46 (013410e6)
foo!main+0x18:
013410b8 8b4dfc          mov     ecx,dword ptr [ebp-4]
013410bb 8b14cdfc993801  mov     edx,dword ptr foo!myfoo+0x4 (013899fc)[ecx*8]
013410c2 52              push    edx
013410c3 8b45fc          mov     eax,dword ptr [ebp-4]
013410c6 8b0cc5f8993801  mov     ecx,dword ptr foo!myfoo (013899f8)[eax*8]
013410cd 51              push    ecx
013410ce 6890013801      push    offset foo!__xt_z+0x4 (01380190)
013410d3 e858000000      call    foo!printf (01341130)
013410d8 83c40c          add     esp,0Ch
013410db 8b55fc          mov     edx,dword ptr [ebp-4]
013410de 83c201          add     edx,1
013410e1 8955fc          mov     dword ptr [ebp-4],edx
013410e4 ebc5            jmp     foo!main+0xb (013410ab)
foo!main+0x46:
013410e6 33c0            xor     eax,eax
013410e8 8be5            mov     esp,ebp
013410ea 5d              pop     ebp
013410eb c3              ret
0:000>

Recognize of data block

1 Answers1