BlackBox Component Builder Forums

The board for BlackBox users and developers
https://community.blackboxframework.org/

Register EAX and memory cell

https://community.blackboxframework.org/viewtopic.php?t=151

Page 1 of 1

Register EAX and memory cell

Posted: Tue Nov 22, 2016 12:24 pm
by prospero78su
Hello everybody!)
If anyone knows what's the feature - explain to me, please.
I opened the disassembled binary code of several modules. All modules have a strange combination of assembler commands, by sending the value of the memory cell in the EAX register and the back of the EAX register to the memory location.
Below is an example of such a disassembled binary code.

Code: Select all

PROCEDURE $$
00000000H:	55 	push  ebp
00000001H:	8B EC 	mov  ebp, esp
00000003H:	57 	push  edi
00000004H:	56 	push  esi
00000005H:	66|A1 00 00 00 64	mov  ax, [1677721600] (*!!!!!!!!!!!!!!!!!!!!!!!!!!!!      1*)
0000000BH:	66|A3 00 00 00 64	mov  [1677721600], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
00000011H:	66|A1 00 00 00 64	mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!!   repeat 1*)
00000017H:	66|A3 00 00 00 64	mov  [1677721600], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!   not necessary!*)
0000001DH:	50 	push  eax
0000001EH:	66|A1 0D 00 00 64	mov  ax, [1677721613]
00000024H:	50 	push  eax
00000025H:	68 00 00 00 64	push  1677721600
0000002AH:	68 00 00 00 64	push  1677721600
0000002FH:	FF 15 00 00 00 64 	call  [1677721600]
00000035H:	66|A1 00 00 00 64	mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!!  2*)
0000003BH:	66|A3 20 00 00 64	mov  [1677721632], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
00000041H:	66|A1 00 00 00 64	mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!!  repeat 2,  not necessary!*)
00000047H:	66|A3 19 00 00 64	mov  [1677721625], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!! *)
0000004DH:	50 	push  eax
0000004EH:	66|A1 3D 00 00 64	mov  ax, [1677721661]
00000054H:	50 	push  eax
00000055H:	68 00 00 00 64	push  1677721600
0000005AH:	68 00 00 00 64	push  1677721600
0000005FH:	FF 15 00 00 00 64 	call  [1677721600]
00000065H:	C6 05 00 00 00 64 00 	mov  [1677721600], 0
0000006CH:	66|A1 00 00 00 64	mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!!  3* not otimized! this equ xor ax,ax*)
00000072H:	66|A3 50 00 00 64	mov  [1677721680], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
00000078H:	66|A1 00 00 00 64	mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!!  repeat 3, not necessary!*) 
0000007EH:	66|A3 49 00 00 64	mov  [1677721673], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
00000084H:	50 	push  eax
00000085H:	66|A1 74 00 00 64	mov  ax, [1677721716]
0000008BH:	50 	push  eax
0000008CH:	68 26 00 00 64	push  1677721638
00000091H:	68 00 00 00 64	push  1677721600
00000096H:	FF 15 31 00 00 64 	call  [1677721649]
0000009CH:	66|A1 00 00 00 64	mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!! 4*)
000000A2H:	66|A3 87 00 00 64	mov  [1677721735], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
000000A8H:	66|A1 00 00 00 64	mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!! repeat 4, not necessary!*)
000000AEH:	66|A3 80 00 00 64	mov  [1677721728], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
000000B4H:	50 	push  eax
000000B5H:	66|A1 A4 00 00 64	mov  ax, [1677721764]
000000BBH:	50 	push  eax
000000BCH:	68 56 00 00 64	push  1677721686
000000C1H:	68 00 00 00 64	push  1677721600
000000C6H:	FF 15 61 00 00 64 	call  [1677721697]
000000CCH:	C6 05 00 00 00 64 00 	mov  [1677721600], 0
000000D3H:	5E 	pop  esi
000000D4H:	5F 	pop  edi
000000D5H:	8B E5 	mov  esp, ebp
000000D7H:	5D 	pop  ebp
000000D8H:	C3 	ret
Plis, comment this behavior translate?!

Re: Register EAX and memory cell

Posted: Tue Nov 22, 2016 2:03 pm
by luowy
Which module do you compile?
which disam tool do you use?

Re: Register EAX and memory cell

Posted: Tue Nov 22, 2016 2:20 pm
by X512
Is you use recently introduced ocf viewer disassembler, most addresses are wrong because fixup information (used to correct addresses that depends on module load position in memory) is ignored. Use DevDecoder form here: http://oberoncore.ru/_media/bbcc/subs/dev/devdecoder.7z.

Re: Register EAX and memory cell

Posted: Tue Nov 22, 2016 4:04 pm
by luowy
what your dasm codes is not patched the 'fixup', you'd better dasm it after fixed these "fixup".

Re: Register EAX and memory cell

Posted: Tue Nov 22, 2016 10:09 pm
by Josef Templ
So far there was no need to decode the fixups or other hidden sections.
We use the tool for looking at the generated code, i.e. to see what the compiler
has generated. It was not needed so far to duplicate the fixup handling of the loader.
This made the tool much simpler.

On the other side it has a nice feature not many decoders have:
it is able to merge the source code into the decoded instructions.
Click on a procedure link. With the merged source code you see
where a call goes to quite well.

- Josef

Re: Register EAX and memory cell

Posted: Wed Nov 23, 2016 10:37 pm
by X512
Without fixup handling most of addresses will be completely wrong and confusing. Blackbox module have no concept of base address like Windows PE executable has. Value of address before fixup is part of fixups information and don't mean address at all. For example 1677721600 in

Code: Select all

mov  ax, [1677721600]
means fixup type 100 (absolute), next address 0 (end of fixup list). Fixup table defines what address should be written here. So value 1677721600 not an address, it may be possible that different addresses will be same value before fixup.
Fixup is not difficult and done in following procedure (StdLoader.Fixup):

Code: Select all

PROCEDURE Fixup (adr: INTEGER; mod: ModSpec);
	VAR link, offset, linkadr, t, n, x, low, hi: INTEGER;
BEGIN
	RNum(link);
	WHILE link # 0 DO
		RNum(offset);
		WHILE link # 0 DO
			IF link > 0 THEN linkadr := mod.mad + mod.ms + link
			ELSE link := -link;
				IF link < mod.ms THEN linkadr := mod.mad + link
				ELSE linkadr := mod.dad + link - mod.ms
				END
			END;
			S.GET(linkadr, x); t := x DIV 1000000H;
			n := (x + 800000H) MOD 1000000H - 800000H;
			IF t = absolute THEN x := adr + offset
			ELSIF t = relative THEN x := adr + offset - linkadr - 4
			ELSIF t = copy THEN S.GET(adr + offset, x)
			ELSIF t = table THEN x := adr + n; n := link + 4
			ELSIF t = tableend THEN x := adr + n; n := 0
			ELSIF t = deref THEN S.GET(adr+2, x); INC(x, offset);
			ELSIF t = halfword THEN
				x := adr + offset;
				low := (x + 8000H) MOD 10000H - 8000H;
				hi := (x - low) DIV 10000H;
				S.GET(linkadr + 4, x);
				S.PUT(linkadr + 4, x DIV 10000H * 10000H + low MOD 10000H);
				x := x * 10000H + hi MOD 10000H
			ELSE Error(syntaxError, mod, NIL)
			END;
			S.PUT(linkadr, x); link := n
		END;
		RNum(link)
	END
END Fixup;
Josef Templ wrote:On the other side it has a nice feature not many decoders have:
it is able to merge the source code into the decoded instructions.
How to use this feature? When I tried to open ocf file, no source was displayed.

Re: Register EAX and memory cell

Posted: Thu Nov 24, 2016 8:01 am
by Josef Templ
Click on a procedure link to see the instructions of the
procedure merged with the source code.

- Josef

Re: Register EAX and memory cell

Posted: Thu Nov 24, 2016 1:55 pm
by Ivan Denisov
X512 wrote:How to use this feature? When I tried to open ocf file, no source was displayed.
This feature in 1.7.1-a1 version. Use this link to get newest version: http://blackboxframework.org/lastdev/zip
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited