
I am confused by what the following command is doing:

00401234  mov     dword [esp+0x35], sub_408678

For context, I'm reversing a piece of malware and am using Binary Ninja, which to my knowledge typically uses the following syntax for low-level IL commands:

mov    dest, src

Is the first command executing the subroutine specified in the src parameter (sub_408678) and storing the result of that command in [esp + 35]? Or is it just moving the address for later use? I have never seen this syntax before, and I'm wondering whether someone else has seen a program do this or can tell me what the purpose of writing it this way is. Thank you!

n00bsauce

1 Answer


The src, sub_408678, is probably a label given by your tool to the address 408678.

The destination, [esp+0x35], is a pointer to a 32-bit value;

it can take anything from 0x0 to 0xffffffff.

So after executing this instruction, 00401234 mov dword [esp+0x35], sub_408678, [esp+0x35] will point to 0x408678.

In a high-level construct this will be:

sometype *foo;   // here sometype can be int, long, or in your case function_ptr, etc.
foo = &blah;     // store the address of blah; nothing is called

Sample code and disassembly:

unsigned long global = 0xdeadbeef;
int main (void) {
    unsigned long *foo;
    foo = &global;   // only the address of global is written to the local
    return *foo;     // the value is read through the pointer afterwards
}

Disassembly:

:\>cdb -c "uf ptr!main;q" ptr.exe | awk "/Reading/,/quit/"
0:000> cdb: Reading initial command 'uf ptr!main;q'
ptr!main:
01381000 55              push    ebp
01381001 8bec            mov     ebp,esp
01381003 51              push    ecx
01381004 c745fc00903c01  mov     dword ptr [ebp-4],offset ptr!global (013c9000) <<<<<<<
0138100b 8b45fc          mov     eax,dword ptr [ebp-4]
0138100e 8b00            mov     eax,dword ptr [eax]
01381010 8be5            mov     esp,ebp
01381012 5d              pop     ebp
01381013 c3              ret
quit:
blabb
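To make the distinction in the answer concrete (the mov stores an address; the subroutine only runs when something later calls through that stored pointer), here is an added C example that is not part of the original question or answer. The body of sub_408678 is a hypothetical stand-in, and the struct slot stands in for the stack slot at [esp+0x35]; a reverser looking for where the stored function actually executes would search for a later indirect call that reads that slot.

```c
/* Added example: storing a function's address is not the same as calling it.
 * The assignment in store_callback() is the kind of statement that compiles
 * to `mov dword [slot], offset sub_408678`; the call happens only when the
 * stored pointer is dereferenced in run_callback(). */
#include <stdint.h>
#include <stdio.h>

typedef int (*handler_fn)(int);

/* Hypothetical stand-in for sub_408678; counts how often it really runs. */
static int handler_calls = 0;
static int sub_408678(int x) { handler_calls++; return x * 2; }

/* A context with a 32-bit-pointer-sized slot, playing the role of the
 * stack slot [esp+0x35] in the question. */
struct ctx { uint32_t flags; handler_fn callback; };

/* Equivalent of the mov: writes the address into the slot, executes nothing.
 * Returns how many times the handler ran during the store (always 0). */
int store_callback(struct ctx *c) {
    int before = handler_calls;
    c->callback = sub_408678;       /* mov [slot], offset sub_408678 */
    return handler_calls - before;  /* 0: storing did not execute it */
}

/* Equivalent of a later `call dword [slot]`: now the function runs. */
int run_callback(struct ctx *c, int arg) { return c->callback(arg); }

int calls_so_far(void) { return handler_calls; }

int main(void) {
    struct ctx c = {0, NULL};
    printf("handler runs caused by the store: %d\n", store_callback(&c));
    printf("result of the later call: %d (handler runs so far: %d)\n",
           run_callback(&c, 21), calls_so_far());
    return 0;
}
```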