Binary-auditing training package – Manual decompilation, Exercise 8
August 13th, 2011
No comments
This problem statement is part of binary-auditing package. This needs
to be converted to HLL Problem:(Assembly code) sub_408138 proc near 000 push ebx 004 push esi 008 mov esi, edx 008 dec esi 008 test esi, esi 008 jl short loc_40816F 008 inc esi loc_408142: 008 xor edx, edx 008 mov dl, [eax] 008 xor ebx, ebx 008 mov bl, cl 008 add edx, ebx 008 test edx, edx 008 jge short loc_40815B 008 mov ebx, 100h 008 sub ebx, edx 008 mov edx, ebx 008 jmp short loc_408169 loc_40815B: 008 cmp edx, 100h 008 jle short loc_408169 008 sub edx, 100h loc_408169: 008 mov [eax], dl 008 inc eax 008 dec esi 008 jnz short loc_408142 loc_40816F: 008 pop esi 004 pop ebx 000 retn sub_408138 endp
Pseudo/High Level code: var_esi = var_edx; var_esi -- ; if(var_esi >=0) var_esi++; do { var_edx=0; LOWER byte of EDX=*var_eax; //EAX supplied from outside var_ebx=0; LOWER byte of EBX=LOWER byte of ECX; //ECX supplied from outside var_edx=var_edx+var_ebx; if(var_edx<0) { var_ebx=100h; //256 var_ebx=var_ebx-var_edx; var_edx=var_ebx; } else { if(var_edx>100h) var_edx=var_edx-100h; } *var_eax=LOWER byte of EDX var_eax++; }while(--var_edx!=0)
Categories: Application Security, MalwareAnalysis