Reputation: 13
I'm very new to this, but I'm trying to reverse engineer assembly code to figure out what it's doing in C. The function I was looking at called a different function (func4) and I dissembled it to look. I'd appreciate any help or advice on whether I'm going in the right direction.
In the original function, 0xe was in %edx, 0 was in %esi, and a value (let's call it x) that I'm trying to discover was in %edi.
func4
0x00000000004010ff <+0>: push %rbx
0x0000000000401100 <+1>: mov %edx,%eax
So now %eax has 0xe.
0x0000000000401102 <+3>: sub %esi,%eax
%eax = 0xe - 0
0x0000000000401104 <+5>: mov %eax,%ebx
0x0000000000401106 <+7>: shr $0x1f,%ebx
%ebx = %ebx >> 0x1f = 0
0x0000000000401109 <+10>: add %ebx,%eax
%eax = %eax + %ebx = 0xe
0x000000000040110b <+12>: sar %eax
I believe this is shorthand for sar %eax,1, which would be 7.
0x000000000040110d <+14>: lea (%rax,%rsi,1),%ebx
Now, I think (%rax,%rsi,1) means %rax + %rsi*1, which is 7
0x0000000000401110 <+17>: cmp %edi,%ebx
0x0000000000401112 <+19>: jle 0x401120 <func4+33>
This means we jump to func4+33 if ebx <= edi (if 7 <= x) Since I have no idea what x is, let's assume it's greater than 7 and not jump.
0x0000000000401114 <+21>: lea -0x1(%rbx),%edx
0x0000000000401117 <+24>: callq 0x4010ff <func4>
Here's where I'm confused. Am I going through the function again? Just with different values in the registers?
0x000000000040111c <+29>: add %eax,%ebx
0x000000000040111e <+31>: jmp 0x40112e <func4+47>
0x0000000000401120 <+33>: cmp %edi,%ebx
0x0000000000401122 <+35>: jge 0x40112e <func4+47>
0x0000000000401124 <+37>: lea 0x1(%rbx),%esi
0x0000000000401127 <+40>: callq 0x4010ff <func4>
0x000000000040112c <+45>: add %eax,%ebx
0x000000000040112e <+47>: mov %ebx,%eax
0x0000000000401130 <+49>: pop %rbx
0x0000000000401131 <+50>: retq
Upvotes: 1
Views: 3020
Reputation:
Don't try to evaluate func4 right away. First translate it to C by translating each line of assembly one by one. The result should look like this:
int func4 (int edi, int esi, int edx)
{
// temporaries
int eax, ebx;
eax = edx;
eax = eax - esi;
ebx = eax;
ebx = (unsigned int)ebx >> 31;
eax = eax + ebx;
eax = eax >> 1;
ebx = eax + esi + 1;
if (ebx <= edi) goto L1;
edx = ebx - 1;
eax = func4 (edi, esi, edx);
ebx = ebx + eax;
goto L2;
L1:
if (ebx >= edi) goto L2;
esi = ebx + 1;
eax = func4 (edi, esi, edx);
ebx = ebx + eax;
L2:
eax = ebx;
return eax;
}
It is ugly, but it works.
Now, as I understand, given a y, you are looking for an x such that y = func4 (x, 0, 14);
You have two options:
y = func4 (x, 0, 14)
for all values of x until you get the desired y.Upvotes: 2