3

i have the following assembly lines:

....
LEA   EAX, DWORD PTR DS:[0x404212]
MOV   DWORD PTR SS:[EBP-0x3CC], EAX
PUSH  DWORD PTR SS:[EBP-0x3CC]
...
...
...
LEA   EAX, DWORD PTR DS:[0x404213]
MOV   DWORD PTR SS:[EBP-0x3D0], EAX
PUSH  DWORD PTR SS:[EBP-0x3D0]
...
...

So, I asked myself how I can that piece of code translate into a higher language like C? Or a pseudo C language?

But, for the the two blocks I have the following:

 UNKNOWNTYPE *eax_pointer_1;     //points to 00404212
 UNKNOWNTYPE *eax_pointer_2;     //points to 00404213

In ollydbg, I see that at the address 00404212 there is the following line :

ADD BYTE PTR DS:[EAX], DH

and at the address 00404213, there is:

XOR BYTE PTR DS:[EAX], AL

So my question would be : Is that a correct transformation? Have you some ideas how I can the instructions at 00404212 and 00404213 make part of my transformation into a pseudo-C language?

user3097712
  • 1,541
  • 1
  • 25
  • 44

2 Answers2

2

In ollydbg, I see that at the address 00404212 there is the following line:

ADD BYTE PTR DS:[EAX], DH

And, at the address 00404213, there is:

XOR BYTE PTR DS:[EAX], AL

I dont think those are code, rather variables, are they in a code/execute section ?

DCoder
  • 1,493
  • 12
  • 15
evlncrn8
  • 111
  • 3
  • No, they are not in a code/execute section. I only jump to that two addresses´ by right-clicking in ollydbg and then "Go To -> Expression" – user3097712 Aug 31 '14 at 23:13
  • Well, that invalidates my earlier comment. Examine the data at that point to guess the type of the pointer. – Jongware Sep 01 '14 at 06:33
  • these two lines are data segment where arguments are pointing to, its abslutly useless to translate em into asm instructions ! – Abr001am Sep 04 '15 at 04:47
1

It looks like the address of something (maybe an array element) is being taken and that is being used to set up call frame for later use. Something very roughly like:

void f(void){
  void *x = &someMemory;
  void *y = &someMemory2;

  g(y,x);
}

caveat lector.

BitShifter
  • 191
  • 4