user3423572

Reputation: 559

Need help explaining the following program

Hi, I am in the process of disassembling a program and I can't seem to determine what this part of the program is meant to do. I understand that eax is a register and push eax places it onto the stack, etc., but what does push offset aTaskmgr do?

An explanation would be most appreciated.

.text:00404867 loc_404867:                             ; CODE XREF: .text:00404870j
.text:00404867                 mov     cx, [eax]
.text:0040486A                 add     eax, 2
.text:0040486D                 test    cx, cx
.text:00404870                 jnz     short loc_404867
.text:00404872                 sub     eax, edx
.text:00404874                 sar     eax, 1
.text:00404876                 jz      loc_404927
.text:0040487C                 lea     ecx, [esp+1389Ch]
.text:00404883                 push    ecx
.text:00404884                 call    __wcslwr
.text:00404889                 push    offset aTaskmgr ; "taskmgr"
.text:0040488E                 push    eax
.text:0040488F                 call    _wcsstr
.text:00404894                 add     esp, 0Ch
.text:00404897                 test    eax, eax
.text:00404899                 jnz     short loc_404917
.text:0040489B                 lea     edx, [esp+1389Ch]
.text:004048A2                 push    edx
.text:004048A3                 call    __wcslwr
.text:004048A8                 push    offset aProcexp ; "procexp"
.text:004048AD                 push    eax
.text:004048AE                 call    _wcsstr
.text:004048B3                 add     esp, 0Ch
.text:004048B6                 test    eax, eax
.text:004048B8                 jnz     short loc_404917
.text:004048BA                 lea     eax, [esp+1389Ch]
.text:004048C1                 push    eax
.text:004048C2                 call    __wcslwr
.text:004048C7                 push    offset aRegedit ; "regedit"
.text:004048CC                 push    eax
.text:004048CD                 call    _wcsstr
.text:004048D2                 add     esp, 0Ch
.text:004048D5                 test    eax, eax
.text:004048D7                 jnz     short loc_404917
.text:004048D9                 lea     ecx, [esp+1389Ch]
.text:004048E0                 push    ecx
.text:004048E1                 call    __wcslwr
.text:004048E6                 push    offset aMsconfig ; "msconfig"
.text:004048EB                 push    eax
.text:004048EC                 call    _wcsstr
.text:004048F1                 add     esp, 0Ch
.text:004048F4                 test    eax, eax
.text:004048F6                 jnz     short loc_404917
.text:004048F8                 lea     edx, [esp+1389Ch]
.text:004048FF                 push    edx
.text:00404900                 call    __wcslwr
.text:00404905                 push    offset aCmd_exe ; "cmd.exe"
.text:0040490A                 push    eax
.text:0040490B                 call    _wcsstr
.text:00404910                 add     esp, 0Ch
.text:00404913                 test    eax, eax
.text:00404915                 jz      short loc_404920

Thanks

Upvotes: 0

Views: 140

Answers (1)

querist

Reputation: 654

What this piece of code appears to be doing is first counting characters in a string, looking for a null character (two bytes in this case). It is a "wide" string - that is, 16-bit Unicode - based on the fact that it is incrementing eax by two each time around the loop. It is storing the length in eax, and while we can't see it, it looks like edx has a pointer to the beginning of the string. edx is subtracted from eax to turn eax from a pointer into a length count.

The rest of the code you provided us uses wcsstr, which is a function that looks for one wide string in another wide string, returning the location at which it is found. It is making comparisons with various provided strings, and when it finds a match, by testing eax to see if it is non-zero (test eax, eax ; jnz ...), it jumps to the code just after what you provided for us.

It appears to be traversing a list of processes based on the strings it is comparing. I am sure the surrounding code would make the rest of this clearer.

I hope this helps.

Upvotes: 3
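To make the listing in the question and the walkthrough in the answer concrete, here is an added C reconstruction of the same logic (example code written for this page, not recovered from the binary). The five string constants come straight from the listing; the function and variable names, the buffer size, and the explicit bounds check are assumptions made for the example. The length loop mirrors the `mov cx,[eax] / add eax,2 / test cx,cx / jnz` loop, the lower-casing stands in for `_wcslwr` on the stack buffer, and the chain of `wcsstr` / `test eax,eax` / `jnz` becomes a loop over the list returning the index of the first hit.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Process names taken from the string constants in the listing
   (aTaskmgr, aProcexp, aRegedit, aMsconfig, aCmd_exe). */
static const wchar_t *const kWatched[] = {
    L"taskmgr", L"procexp", L"regedit", L"msconfig", L"cmd.exe"
};
#define WATCHED_COUNT (sizeof kWatched / sizeof kWatched[0])

/* The first loop of the listing: walk one wide character at a time until
   the terminating NUL, then subtract the start pointer. The binary does
   (eax - edx) >> 1 because it steps 2 bytes per character; in C the pointer
   subtraction scales by sizeof(wchar_t) for us, whatever its width is. */
static size_t wide_length(const wchar_t *s) {
    const wchar_t *p = s;
    while (*p != 0) {
        p++;
    }
    return (size_t)(p - s);
}

/* In-place lower-casing, the effect _wcslwr has on the [esp+1389Ch] buffer. */
static void lower_in_place(wchar_t *s) {
    for (; *s != 0; s++) {
        *s = (wchar_t)towlower((wint_t)*s);
    }
}

/* Returns the index into kWatched of the first name that appears as a
   substring of `name` (after lower-casing), or -1 if none does. A zero-length
   input returns -1, matching the `sar eax,1 / jz loc_404927` early exit.
   The buffer size and the bounds check are assumptions for this example;
   the listing shows no such check. */
int watched_tool_index(const wchar_t *name) {
    wchar_t buf[260];                       /* stand-in for the stack buffer */
    size_t n = wide_length(name);
    if (n == 0 || n >= sizeof buf / sizeof buf[0]) {
        return -1;
    }
    for (size_t i = 0; i <= n; i++) {       /* copy including the NUL */
        buf[i] = name[i];
    }
    lower_in_place(buf);
    for (size_t i = 0; i < WATCHED_COUNT; i++) {
        if (wcsstr(buf, kWatched[i]) != NULL) {
            return (int)i;
        }
    }
    return -1;
}

int main(void) {
    /* Constructed sample inputs, not data from the binary. */
    const wchar_t *const samples[] = {
        L"C:\\Windows\\System32\\Taskmgr.exe",
        L"ProcExp64.exe",
        L"notepad.exe",
        L"CMD.EXE",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-40ls -> %d\n", samples[i], watched_tool_index(samples[i]));
    }
    return 0;
}
```

Because `wcsstr` is a substring search, any image name containing one of the five fragments matches, so "ProcExp64.exe" and a full path ending in "Taskmgr.exe" both hit; that is why the answer reads the chain as a check over process names rather than an exact comparison.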
