Register EAX and memory cell

Kernel, Loader, code execution and working with memory
prospero78su
Posts: 5
Joined: Wed Jul 27, 2016 11:03 am

Register EAX and memory cell

Post by prospero78su »

Hello everybody!)
If anyone knows what this feature is, please explain it to me.
I opened the disassembled binary code of several modules. All modules contain a strange combination of assembler instructions: the value of a memory cell is loaded into the EAX register and then the EAX register is written back to the memory location.
Below is an example of such disassembled binary code.


PROCEDURE $$
00000000H:	55 	push  ebp
00000001H:	8B EC 	mov  ebp, esp
00000003H:	57 	push  edi
00000004H:	56 	push  esi
00000005H:	66|A1 00 00 00 64	mov  ax, [1677721600] (*!!!!!!!!!!!!!!!!!!!!!!!!!!!!      1*)
0000000BH:	66|A3 00 00 00 64	mov  [1677721600], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
00000011H:	66|A1 00 00 00 64	mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!!   repeat 1*)
00000017H:	66|A3 00 00 00 64	mov  [1677721600], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!   not necessary!*)
0000001DH:	50 	push  eax
0000001EH:	66|A1 0D 00 00 64	mov  ax, [1677721613]
00000024H:	50 	push  eax
00000025H:	68 00 00 00 64	push  1677721600
0000002AH:	68 00 00 00 64	push  1677721600
0000002FH:	FF 15 00 00 00 64 	call  [1677721600]
00000035H:	66|A1 00 00 00 64	mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!!  2*)
0000003BH:	66|A3 20 00 00 64	mov  [1677721632], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
00000041H:	66|A1 00 00 00 64	mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!!  repeat 2,  not necessary!*)
00000047H:	66|A3 19 00 00 64	mov  [1677721625], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!! *)
0000004DH:	50 	push  eax
0000004EH:	66|A1 3D 00 00 64	mov  ax, [1677721661]
00000054H:	50 	push  eax
00000055H:	68 00 00 00 64	push  1677721600
0000005AH:	68 00 00 00 64	push  1677721600
0000005FH:	FF 15 00 00 00 64 	call  [1677721600]
00000065H:	C6 05 00 00 00 64 00 	mov  [1677721600], 0
0000006CH:	66|A1 00 00 00 64	mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!!  3* not optimized! this equals xor ax,ax*)
00000072H:	66|A3 50 00 00 64	mov  [1677721680], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
00000078H:	66|A1 00 00 00 64	mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!!  repeat 3, not necessary!*) 
0000007EH:	66|A3 49 00 00 64	mov  [1677721673], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
00000084H:	50 	push  eax
00000085H:	66|A1 74 00 00 64	mov  ax, [1677721716]
0000008BH:	50 	push  eax
0000008CH:	68 26 00 00 64	push  1677721638
00000091H:	68 00 00 00 64	push  1677721600
00000096H:	FF 15 31 00 00 64 	call  [1677721649]
0000009CH:	66|A1 00 00 00 64	mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!! 4*)
000000A2H:	66|A3 87 00 00 64	mov  [1677721735], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
000000A8H:	66|A1 00 00 00 64	mov  ax, [1677721600](*!!!!!!!!!!!!!!!!!!!!!!!!!!!! repeat 4, not necessary!*)
000000AEH:	66|A3 80 00 00 64	mov  [1677721728], ax(*!!!!!!!!!!!!!!!!!!!!!!!!!!!!*)
000000B4H:	50 	push  eax
000000B5H:	66|A1 A4 00 00 64	mov  ax, [1677721764]
000000BBH:	50 	push  eax
000000BCH:	68 56 00 00 64	push  1677721686
000000C1H:	68 00 00 00 64	push  1677721600
000000C6H:	FF 15 61 00 00 64 	call  [1677721697]
000000CCH:	C6 05 00 00 00 64 00 	mov  [1677721600], 0
000000D3H:	5E 	pop  esi
000000D4H:	5F 	pop  edi
000000D5H:	8B E5 	mov  esp, ebp
000000D7H:	5D 	pop  ebp
000000D8H:	C3 	ret 
Please, can anyone comment on this behaviour of the translator?!
luowy
Posts: 87
Joined: Thu Dec 17, 2015 1:32 pm

Re: Register EAX and memory cell

Post by luowy »

Which module did you compile?
Which disassembler tool do you use?
X512
Posts: 72
Joined: Sat Feb 07, 2015 2:51 pm

Re: Register EAX and memory cell

Post by X512 »

If you use the recently introduced ocf viewer disassembler, most addresses are wrong because the fixup information (used to correct addresses that depend on the module's load position in memory) is ignored. Use DevDecoder from here: http://oberoncore.ru/_media/bbcc/subs/dev/devdecoder.7z.
luowy
Posts: 87
Joined: Thu Dec 17, 2015 1:32 pm

Re: Register EAX and memory cell

Post by luowy »

The code you disassembled has not had the "fixups" patched; you'd better disassemble it after these "fixups" have been applied.
Josef Templ
Posts: 262
Joined: Tue Sep 17, 2013 6:50 am

Re: Register EAX and memory cell

Post by Josef Templ »

So far there was no need to decode the fixups or other hidden sections.
We use the tool for looking at the generated code, i.e. to see what the compiler
has generated. It was not needed so far to duplicate the fixup handling of the loader.
This made the tool much simpler.

On the other hand, it has a nice feature not many decoders have:
it is able to merge the source code into the decoded instructions.
Click on a procedure link. With the merged source code you see
quite well where a call goes to.

- Josef
X512
Posts: 72
Joined: Sat Feb 07, 2015 2:51 pm

Re: Register EAX and memory cell

Post by X512 »

Without fixup handling most of the addresses will be completely wrong and confusing. A BlackBox module has no concept of a base address like a Windows PE executable has. The value of an address before fixup is part of the fixup information and does not mean an address at all. For example, 1677721600 in


mov  ax, [1677721600]
means fixup type 100 (absolute) and next address 0 (end of the fixup list). The fixup table defines what address should be written here. So the value 1677721600 is not an address; it is quite possible that different addresses will have the same value before fixup.
Fixup is not difficult and is done in the following procedure (StdLoader.Fixup):


PROCEDURE Fixup (adr: INTEGER; mod: ModSpec);
	VAR link, offset, linkadr, t, n, x, low, hi: INTEGER;
BEGIN
	RNum(link);	(* head of the first chain; 0 means no more chains *)
	WHILE link # 0 DO
		RNum(offset);	(* offset added to the target address adr for this chain *)
		WHILE link # 0 DO
			IF link > 0 THEN linkadr := mod.mad + mod.ms + link	(* positive link: location in the code block *)
			ELSE link := -link;	(* negative link: meta block if below ms, otherwise data block *)
				IF link < mod.ms THEN linkadr := mod.mad + link
				ELSE linkadr := mod.dad + link - mod.ms
				END
			END;
			S.GET(linkadr, x); t := x DIV 1000000H;	(* fixup type is the top byte of the raw word *)
			n := (x + 800000H) MOD 1000000H - 800000H;	(* next link is the low 24 bits, sign-extended *)
			IF t = absolute THEN x := adr + offset
			ELSIF t = relative THEN x := adr + offset - linkadr - 4
			ELSIF t = copy THEN S.GET(adr + offset, x)
			ELSIF t = table THEN x := adr + n; n := link + 4
			ELSIF t = tableend THEN x := adr + n; n := 0
			ELSIF t = deref THEN S.GET(adr+2, x); INC(x, offset);
			ELSIF t = halfword THEN
				x := adr + offset;
				low := (x + 8000H) MOD 10000H - 8000H;
				hi := (x - low) DIV 10000H;
				S.GET(linkadr + 4, x);
				S.PUT(linkadr + 4, x DIV 10000H * 10000H + low MOD 10000H);
				x := x * 10000H + hi MOD 10000H
			ELSE Error(syntaxError, mod, NIL)
			END;
			S.PUT(linkadr, x); link := n	(* patch the location, then follow the chain *)
		END;
		RNum(link)	(* head of the next chain *)
	END
END Fixup;
Josef Templ wrote:
On the other hand, it has a nice feature not many decoders have:
it is able to merge the source code into the decoded instructions.
How do I use this feature? When I tried to open an ocf file, no source was displayed.
Josef Templ
Posts: 262
Joined: Tue Sep 17, 2013 6:50 am

Re: Register EAX and memory cell

Post by Josef Templ »

Click on a procedure link to see the instructions of the
procedure merged with the source code.

- Josef
Ivan Denisov
Posts: 362
Joined: Tue Sep 17, 2013 12:21 am
Location: Krasnoyarsk, Russia

Re: Register EAX and memory cell

Post by Ivan Denisov »

X512 wrote:
How do I use this feature? When I tried to open an ocf file, no source was displayed.
This feature is in version 1.7.1-a1. Use this link to get the newest version: http://blackboxframework.org/lastdev/zip