binary-auditing RCE exercise
As part of learning reverse engineering and sharpening my RCE (reverse code engineering) skills, I have been working through the binary-auditing tutorials. This is manual decompilation exercise 7.

Problem: this is the code to be analysed (IDA listing; the leading numbers are IDA's stack-depth annotations, and the procedure name is taken from the closing endp line):

sub_408100 proc near
000 push ebx
004 push esi
008 xor ebx, ebx
008 mov [eax], ebx
008 mov ebx, ecx
008 dec ebx
008 test ebx, ebx
008 jl short loc_408135
008 inc ebx
loc_40810E:
008 mov ecx, [eax]
008 shl ecx, 4
008 movzx esi, byte ptr [edx]
008 add ecx, esi
008 mov [eax], ecx
008 mov ecx, [eax]
008 and ecx, 0F0000000h
008 test ecx, ecx
008 jz short loc_40812D
008 mov esi, ecx
008 shr esi, 18h
008 xor [eax], esi
loc_40812D:
008 not ecx
008 and [eax], ecx
008 inc edx
008 dec ebx
008 jnz short loc_40810E
loc_408135:
008 pop esi
004 pop ebx
000 retn
sub_408100 endp
And here is the solution, written as C that follows the register usage line by line. eax, edx and ecx are read before anything is written to them, so they are the three arguments (a register calling convention): eax is a pointer to the 32-bit result, edx points at the input bytes, and ecx is the byte count, which the jl treats as a signed value.

/* eax -> pointer to the result, edx -> input bytes, ecx -> signed byte count */
void sub_408100(unsigned int *var1_eax, const unsigned char *var4_edx, int ecx)
{
    int var2_ebx;                    /* xor ebx, ebx */
    unsigned int var3_ecx;
    unsigned int var5_esi;

    *var1_eax = 0;                   /* mov [eax], ebx */
    var2_ebx = ecx;                  /* mov ebx, ecx */
    var2_ebx--;                      /* dec ebx */
    if (var2_ebx < 0)                /* test ebx, ebx / jl short loc_408135 */
        return;                      /* count <= 0: result stays 0 */
    var2_ebx++;                      /* inc ebx: the loop runs ecx times */

    do {                             /* loc_40810E: */
        var3_ecx = *var1_eax;        /* mov ecx, [eax] */
        var3_ecx <<= 4;              /* shl ecx, 4 (multiply by 16) */
        var5_esi = *var4_edx;        /* movzx esi, byte ptr [edx] (zero-extended byte) */
        var3_ecx += var5_esi;        /* add ecx, esi */
        *var1_eax = var3_ecx;        /* mov [eax], ecx */
        var3_ecx = *var1_eax;        /* mov ecx, [eax] */
        var3_ecx &= 0xF0000000u;     /* and ecx, 0F0000000h: keep only the top nibble */
        if (var3_ecx != 0) {         /* test ecx, ecx / jz short loc_40812D */
            var5_esi = var3_ecx;     /* mov esi, ecx */
            var5_esi >>= 24;         /* shr esi, 18h: shift right by 0x18 = 24 bits, not a division by 24 */
            *var1_eax ^= var5_esi;   /* xor [eax], esi */
        }
        var3_ecx = ~var3_ecx;        /* loc_40812D: not ecx (bitwise NOT, not logical !) */
        *var1_eax &= var3_ecx;       /* and [eax], ecx: clear the top nibble (no-op when ecx was 0) */
        var4_edx++;                  /* inc edx */
        var2_ebx--;                  /* dec ebx */
    } while (var2_ebx != 0);         /* jnz short loc_40810E */
}                                    /* loc_408135: pop esi / pop ebx / retn */
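The body of that loop is worth recognising rather than just transcribing: shift left by 4, add the next byte, mask the top nibble with 0xF0000000, fold it back with a 24-bit right shift and then clear it is exactly the ELF/PJW string hash (the algorithm used for ELF symbol hash tables). The following is an added example, not code from the original post or the tutorial: a standalone C rendering with a plain (data, len) interface instead of the eax/edx/ecx register convention, plus a check of the one structural property the code guarantees. Function names, the sample strings and the expected values are my own.

```c
#include <stdio.h>

/* ELF/PJW hash, as recovered from sub_408100.  Each comment names the
 * instruction(s) of the listing that the C line corresponds to. */
unsigned int elf_hash(const unsigned char *data, int len)
{
    unsigned int hash = 0;                     /* mov [eax], ebx (ebx == 0) */
    for (int i = 0; i < len; i++) {            /* dec/inc ebx ... jnz: runs len times */
        hash = (hash << 4) + data[i];          /* shl ecx, 4 / movzx esi, [edx] / add ecx, esi */
        unsigned int top = hash & 0xF0000000u; /* and ecx, 0F0000000h */
        if (top != 0)                          /* test ecx, ecx / jz */
            hash ^= top >> 24;                 /* shr esi, 18h / xor [eax], esi */
        hash &= ~top;                          /* not ecx / and [eax], ecx */
    }
    return hash;
}

/* Because the top nibble is cleared on every iteration, the result can never
 * have bits 28..31 set, whatever the input.  Returns 1 when that holds. */
int elf_hash_fits_28_bits(const unsigned char *data, int len)
{
    return (elf_hash(data, len) & 0xF0000000u) == 0;
}

int main(void)
{
    /* constructed sample inputs */
    const unsigned char short_str[] = "abc";      /* never triggers the fold */
    const unsigned char long_str[] = "aaaaaaa";   /* 7 bytes: the fold fires on the last one */

    printf("elf_hash(\"abc\")     = 0x%08x\n", elf_hash(short_str, 3)); /* 0x00006783 */
    printf("elf_hash(\"aaaaaaa\") = 0x%08x\n", elf_hash(long_str, 7));  /* 0x07777711 */
    printf("fits in 28 bits: %d\n", elf_hash_fits_28_bits(long_str, 7)); /* 1 */
    return 0;
}
```

For "abc" the hash is just 0x61, then 0x610 + 0x62, then 0x6720 + 0x63 = 0x6783, because nothing reaches bit 28. The seventh 'a' is the first byte that pushes a non-zero value into the top nibble (0x67777771), which is then xored down into the low byte and cleared, giving 0x07777711. Matching a decompiled loop to a known hash like this is a quick win in an audit: it tells you what the function is for, and the 28-bit bound it enforces is a property you can test rather than re-derive from the listing.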
Categories: MalwareAnalysis