Register EAX and memory cell

Kernel, Loader, code execution and working with memory


Postby prospero78su » Tue Nov 22, 2016 12:24 pm

Hello everybody!)
If anyone knows what this feature is, please explain it to me.
I opened the disassembled binary code of several modules. All modules contain a strange combination of assembler instructions: the value of a memory cell is moved into the EAX register, and then EAX is moved back to the memory location.
Below is an example of such disassembled binary code.

PROCEDURE $$
00000000H:   55    push  ebp
00000001H:   8B EC    mov  ebp, esp
00000003H:   57    push  edi
00000004H:   56    push  esi
00000005H:   66|A1 00 00 00 64   mov  ax, [1677721600] (*!!!!!!!!!!!!!!!!!!!!!!!!!!!!      1*)
0000000BH:   66|A3 00 00 00 64   mov  [1677721600], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
00000011H:   66|A1 00 00 00 64   mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!!   repeat 1*)
00000017H:   66|A3 00 00 00 64   mov  [1677721600], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!   not necessary!*)
0000001DH:   50    push  eax
0000001EH:   66|A1 0D 00 00 64   mov  ax, [1677721613]
00000024H:   50    push  eax
00000025H:   68 00 00 00 64   push  1677721600
0000002AH:   68 00 00 00 64   push  1677721600
0000002FH:   FF 15 00 00 00 64    call  [1677721600]
00000035H:   66|A1 00 00 00 64   mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!!  2*)
0000003BH:   66|A3 20 00 00 64   mov  [1677721632], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
00000041H:   66|A1 00 00 00 64   mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!!  repeat 2,  not necessary!*)
00000047H:   66|A3 19 00 00 64   mov  [1677721625], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!! *)
0000004DH:   50    push  eax
0000004EH:   66|A1 3D 00 00 64   mov  ax, [1677721661]
00000054H:   50    push  eax
00000055H:   68 00 00 00 64   push  1677721600
0000005AH:   68 00 00 00 64   push  1677721600
0000005FH:   FF 15 00 00 00 64    call  [1677721600]
00000065H:   C6 05 00 00 00 64 00    mov  [1677721600], 0
0000006CH:   66|A1 00 00 00 64   mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!!  3* not optimized! this equ xor ax,ax*)
00000072H:   66|A3 50 00 00 64   mov  [1677721680], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
00000078H:   66|A1 00 00 00 64   mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!!  repeat 3, not necessary!*)
0000007EH:   66|A3 49 00 00 64   mov  [1677721673], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
00000084H:   50    push  eax
00000085H:   66|A1 74 00 00 64   mov  ax, [1677721716]
0000008BH:   50    push  eax
0000008CH:   68 26 00 00 64   push  1677721638
00000091H:   68 00 00 00 64   push  1677721600
00000096H:   FF 15 31 00 00 64    call  [1677721649]
0000009CH:   66|A1 00 00 00 64   mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!! 4*)
000000A2H:   66|A3 87 00 00 64   mov  [1677721735], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
000000A8H:   66|A1 00 00 00 64   mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!! repeat 4, not necessary!*)
000000AEH:   66|A3 80 00 00 64   mov  [1677721728], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
000000B4H:   50    push  eax
000000B5H:   66|A1 A4 00 00 64   mov  ax, [1677721764]
000000BBH:   50    push  eax
000000BCH:   68 56 00 00 64   push  1677721686
000000C1H:   68 00 00 00 64   push  1677721600
000000C6H:   FF 15 61 00 00 64    call  [1677721697]
000000CCH:   C6 05 00 00 00 64 00    mov  [1677721600], 0
000000D3H:   5E    pop  esi
000000D4H:   5F    pop  edi
000000D5H:   8B E5    mov  esp, ebp
000000D7H:   5D    pop  ebp
000000D8H:   C3    ret


Please, could someone comment on this behaviour of the translator?!
prospero78su
 
Posts: 5
Joined: Wed Jul 27, 2016 11:03 am

Re: Register EAX and memory cell

Postby luowy » Tue Nov 22, 2016 2:03 pm

Which module did you compile?
Which disassembler tool do you use?
luowy
 
Posts: 51
Joined: Thu Dec 17, 2015 1:32 pm

Re: Register EAX and memory cell

Postby X512 » Tue Nov 22, 2016 2:20 pm

If you use the recently introduced ocf viewer disassembler, most addresses are wrong because the fixup information (used to correct addresses that depend on the module's load position in memory) is ignored. Use DevDecoder from here: http://oberoncore.ru/_media/bbcc/subs/dev/devdecoder.7z.
X512
 
Posts: 41
Joined: Sat Feb 07, 2015 2:51 pm

Re: Register EAX and memory cell

Postby luowy » Tue Nov 22, 2016 4:04 pm

Your disassembled code has not had the 'fixups' patched; you'd better disassemble it after these 'fixups' have been applied.
luowy
 
Posts: 51
Joined: Thu Dec 17, 2015 1:32 pm

Re: Register EAX and memory cell

Postby Josef Templ » Tue Nov 22, 2016 10:09 pm

So far there was no need to decode the fixups or other hidden sections.
We use the tool for looking at the generated code, i.e. to see what the compiler
has generated. It was not needed so far to duplicate the fixup handling of the loader.
This made the tool much simpler.

On the other hand it has a nice feature not many decoders have:
it is able to merge the source code into the decoded instructions.
Click on a procedure link. With the merged source code you see
where a call goes to quite well.

- Josef
Josef Templ
 
Posts: 242
Joined: Tue Sep 17, 2013 6:50 am

Re: Register EAX and memory cell

Postby X512 » Wed Nov 23, 2016 10:37 pm

Without fixup handling, most addresses will be completely wrong and confusing. A BlackBox module has no concept of a base address like a Windows PE executable has. The value of an address before fixup is part of the fixup information and does not mean an address at all. For example, 1677721600 in
mov  ax, [1677721600]
means fixup type 100 (absolute), next address 0 (end of fixup list). The fixup table defines what address should be written here. So the value 1677721600 is not an address; different addresses may well have the same value before fixup.
Fixup is not difficult and is done in the following procedure (StdLoader.Fixup):
PROCEDURE Fixup (adr: INTEGER; mod: ModSpec);
   VAR link, offset, linkadr, t, n, x, low, hi: INTEGER;
BEGIN
   RNum(link);   (* first site of the first chain, read from the fixup section *)
   WHILE link # 0 DO
      RNum(offset);   (* target of this chain is adr + offset *)
      WHILE link # 0 DO
         IF link > 0 THEN linkadr := mod.mad + mod.ms + link   (* site in the code section *)
         ELSE link := -link;
            IF link < mod.ms THEN linkadr := mod.mad + link   (* site in the meta data *)
            ELSE linkadr := mod.dad + link - mod.ms   (* site in the data section *)
            END
         END;
         S.GET(linkadr, x); t := x DIV 1000000H;   (* high byte: fixup type *)
         n := (x + 800000H) MOD 1000000H - 800000H;   (* low 24 bits, signed: next site, 0 = end *)
         IF t = absolute THEN x := adr + offset   (* plain address of the target *)
         ELSIF t = relative THEN x := adr + offset - linkadr - 4   (* rel32 operand, relative to the end of the operand *)
         ELSIF t = copy THEN S.GET(adr + offset, x)   (* copy the word found at the target *)
         ELSIF t = table THEN x := adr + n; n := link + 4
         ELSIF t = tableend THEN x := adr + n; n := 0
         ELSIF t = deref THEN S.GET(adr+2, x); INC(x, offset);
         ELSIF t = halfword THEN
            x := adr + offset;
            low := (x + 8000H) MOD 10000H - 8000H;
            hi := (x - low) DIV 10000H;
            S.GET(linkadr + 4, x);
            S.PUT(linkadr + 4, x DIV 10000H * 10000H + low MOD 10000H);
            x := x * 10000H + hi MOD 10000H
         ELSE Error(syntaxError, mod, NIL)
         END;
         S.PUT(linkadr, x); link := n   (* patch the site and follow the chain *)
      END;
      RNum(link)
   END
END Fixup;


Josef Templ wrote: On the other hand it has a nice feature not many decoders have:
it is able to merge the source code into the decoded instructions.

How to use this feature? When I tried to open ocf file, no source was displayed.
X512
 
Posts: 41
Joined: Sat Feb 07, 2015 2:51 pm
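The fixup encoding X512 describes above, as an added example that is not part of the thread or of the BlackBox sources: a small Python model of one StdLoader.Fixup chain, restricted to the absolute and relative types and to positive (code-section) links. The load address, the tag value 101 for relative and the sample code image are assumptions.

```python
import struct

# Fixup type tags as used by StdLoader.Fixup: 100 = absolute is stated in the
# thread (1677721600 = 64000000H); 101 = relative is an assumed value here.
ABSOLUTE, RELATIVE = 100, 101

def split_fixup(x):
    """Split a pre-fixup 32-bit word into (type tag, signed 24-bit next link),
    mirroring t := x DIV 1000000H and n := (x + 800000H) MOD 1000000H - 800000H."""
    return x // 0x1000000, (x + 0x800000) % 0x1000000 - 0x800000

def fixup_chain(code, code_base, first_link, target):
    """Walk one chain of fixup sites through `code` (bytearray of the code
    section) starting at code offset first_link and write `target` (adr + offset
    in StdLoader.Fixup) into each site. Only positive, code-section links are
    modelled. Returns the patched offsets in chain order."""
    patched, link = [], first_link
    while link != 0:
        x, = struct.unpack_from("<I", code, link)
        t, n = split_fixup(x)
        linkadr = code_base + link            # mod.mad + mod.ms + link
        if t == ABSOLUTE:
            val = target                      # plain address of the target
        elif t == RELATIVE:
            val = target - linkadr - 4        # rel32 operand of a call/jmp
        else:
            raise ValueError(f"fixup type {t} not modelled")
        struct.pack_into("<I", code, link, val & 0xFFFFFFFF)
        patched.append(link)
        link = n                              # 0 ends the chain
    return patched

def demo():
    """Constructed code image (not the module from the thread): 6400000DH at
    offset 20H chains to 64000000H at offset 0DH, as the operand 1677721613 in
    the listing suggests; a second absolute chain at 38H and a relative site at
    30H start from the same kind of byte pattern but resolve to other targets."""
    code = bytearray(0x40)
    for off, word in ((0x20, 0x6400000D), (0x0D, 0x64000000),
                      (0x38, 0x64000000), (0x30, 0x65000000)):
        struct.pack_into("<I", code, off, word)
    base = 0x00A00000                         # assumed load address of the code
    chains = [fixup_chain(code, base, 0x20, 0x00A01000),
              fixup_chain(code, base, 0x38, 0x00A02000),
              fixup_chain(code, base, 0x30, 0x00B00000)]
    words = {off: struct.unpack_from("<I", code, off)[0]
             for off in (0x0D, 0x20, 0x30, 0x38)}
    return chains, words
```

After demo() runs, the two sites that both held 64000000H carry different addresses, which is exactly why the raw operand values in the listing cannot be read as addresses.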

Re: Register EAX and memory cell

Postby Josef Templ » Thu Nov 24, 2016 8:01 am

Click on a procedure link to see the instructions of the
procedure merged with the source code.

- Josef
Josef Templ
 
Posts: 242
Joined: Tue Sep 17, 2013 6:50 am

Re: Register EAX and memory cell

Postby Ivan Denisov » Thu Nov 24, 2016 1:55 pm

X512 wrote: How to use this feature? When I tried to open ocf file, no source was displayed.

This feature is in the 1.7.1-a1 version. Use this link to get the newest version: http://blackboxframework.org/lastdev/zip
Ivan Denisov
 
Posts: 277
Joined: Tue Sep 17, 2013 12:21 am
Location: Krasnoyarsk, Russia
