SSpoke

Reputation: 5836

Assembly JP / JNP to C code

How would I go about converting an assembly snippet like this to C code, without any ASM inlining, as I would like to convert it to .NET too.

JP example:

    seg000:0041FA29                 jp      short near ptr loc_41FA2B+2
    seg000:0041FA2B
    seg000:0041FA2B loc_41FA2B:                             ; CODE XREF: seg000:0041FA29j
    seg000:0041FA2B                 mov     eax, 104E8B00h
    seg000:0041FA30                 mov     eax, ebx

JNP example:

    seg000:0041FB8B                 mov     eax, 0x40F009
    seg000:0041FB90                 sub     [ebp-18h], eax
    seg000:0041FB93                 jnp     short near ptr loc_41FB95+2
    seg000:0041FB95
    seg000:0041FB95 loc_41FB95:                             ; CODE XREF: seg000:0041FB93j
    seg000:0041FB95                 mov     eax, 1C468B00h

I noticed these opcodes behave pretty strangely in IDA Pro, like they alter themselves. I don't know how to explain this, but they become different instructions when you run them.

At first I stepped through them and NOPed them out, thinking it was some sort of obfuscation. But it turns out to be something pretty interesting, probably optimized code.

I know they are the same kind of thing as jumps like JE/JMP/JNZ etc., but they don't deal with registers but with a flag for overflow checking. How do I transform this into C code?

I thought then that maybe it was like this:

JP example

   int eax = 0x4E8688;
   ebp_18 |= eax;
   if(ebp_18 % 2)
     eax = ebx;
   else
     eax = 0x104E8B00;

JNP example

   int eax = 0x40F009;
   ebp_18 = eax;
   if(!(ebp_18 % 1))
     ebp_18 -= eax;
   else
     eax = 0x1C468B00;

What's worse, I cannot even step through this line by line in OllyDbg or IDA Pro because it keeps modifying the instructions in real time.

Bytes:

55 8B EC 6A FF 68 D0 58 4A 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 1C 53 56 57 8B F1 89 65 F0 89 55 E4 89 75 EC C7 45 FC 00 00 00 00 7A 03 7B 03 C7 7B FB 8B 7E 1C 8B 5E 2C 8B 56 34 33 FB 33 FA C7 45 E8 95 3B 58 3A 83 E7 0F 83 FF 07 75 37 B8 80 05 42 00 2D F0 5C 00 00 BA A1 50 36 F4 8B 4D EC FF D0 F7 D8 05 3A 4A 17 08 BA 18 AC 52 82 8B 4D EC FF D0 F7 D8 05 55 44 6A 21 89 45 E0 8B 56 20 8B CE FF 55 E0 83 FF 04 75 37 B8 70 3B 42 00 2D F0 9E 00 00 BA 35 48 BB E6 8B 4D EC FF D0 F7 D8 05 58 C7 8E 0A BA B0 A4 8C 72 8B 4D EC FF D0 F7 D8 05 7F C6 61 1D 89 45 E0 8B 56 1C 8B CE FF 55 E0 B8 21 4F 4B 00 29 45 E8 7A 02 B8 00 8B 5E 18 8B 4D E8 03 D9 0F AF 5D E4 85 FF 89 5D E4 75 37 B8 90 B0 41 00 2D 80 0E 00 00 BA 66 25 11 EF 8B 4D EC FF D0 F7 D8 05 52 2A A9 17 BA 5D DB 73 DD 8B 4D EC FF D0 F7 D8 05 FC 37 78 0B 89 45 E0 8B 56 34 8B CE FF 55 E0 83 FF 03 75 36 B8 80 B4 41 00 2D 80 16 00 00 BA 56 38 38 43 8B 4D EC FF D0 F7 D8 05 92 1B 7C 00 BA ED 14 2F EA 8B 4D EC FF D0 F7 D8 05 68 81 D5 06 89 45 E0 8B D3 8B CE FF 55 E0 83 FF 04 75 36 B8 D0 C9 41 00 2D 60 23 00 00 BA 84 2C 04 D8 8B 4D EC FF D0 F7 D8 05 CF C0 F2 2D BA 26 D0 C0 33 8B 4D EC FF D0 F7 D8 05 B1 B3 6E 07 89 45 E0 8B D3 8B CE FF 55 E0 B8 2D 51 46 00 01 45 E8 7B 02 B8 00 8B 06 C7 45 E0 00 00 00 00 25 FF 00 00 00 89 45 DC DF 6D DC D9 FE DC 1D B8 91 4A 00 DF E0 F6 C4 01 8B 45 E8 75 03 8B 46 08 8B 4E 08 2B C8 83 FF 08 89 4E 08 75 37 B8 20 57 42 00 2D A0 AD 00 00 BA ED 0D F1 39 8B 4D EC FF D0 F7 D8 05 9F 37 9C 24 BA 30 FB 56 D3 8B 4D EC FF D0 F7 D8 05 92 46 66 00 89 45 E0 8B 56 24 8B CE FF 55 E0 83 FF 02 75 36 B8 70 BD 41 00 2D C0 1B 00 00 BA 27 17 9E D4 8B 4D EC FF D0 F7 D8 05 16 10 BA 01 BA 2B E4 43 DD 8B 4D EC FF D0 F7 D8 05 52 62 43 36 89 45 E0 8B D3 8B CE FF 55 E0 8B 4D E8 8B D3 D3 C2 8B 4E 38 03 CA 83 FF 05 89 4E 38 75 36 B8 F0 12 42 00 2D D0 6E 00 00 BA C7 BD 5E 4D 8B 4D EC FF D0 F7 D8 05 3D FB 97 74 BA 45 B1 48 FF 8B 4D EC FF D0 F7 D8 05 4E F7 24 09 89 45 E0 8B D3 8B CE FF 55 E0 83 FF 0F 75 37 B8 40 F9 41 00 
2D B0 50 00 00 BA 64 3F CF FA 8B 4D EC FF D0 F7 D8 05 1F 3B BE 0C BA 06 F2 FE CE 8B 4D EC FF D0 F7 D8 05 F9 87 A7 02 89 45 E0 8B 56 34 8B CE FF 55 E0 85 FF 75 37 B8 F0 37 42 00 2D 50 9C 00 00 BA 33 9F FF 77 8B 4D EC FF D0 F7 D8 05 ED 30 75 02 BA 22 12 AB 2B 8B 4D EC FF D0 F7 D8 05 65 38 C9 2A 89 45 E0 8B 56 48 8B CE FF 55 E0 B8 56 11 4A 00 29 45 E8 7A 02 B8 00 8B 46 08 8B 4E 04 C1 C8 2A 03 C8 83 FF 06 89 4E 04 75 37 B8 D0 D8 41 00 2D E0 38 00 00 BA D2 B7 41 7D 8B 4D EC FF D0 F7 D8 05 BE 4A 08 46 BA 09 63 01 19 8B 4D EC FF D0 F7 D8 05 AE 75 31 27 89 45 E0 8B 56 30 8B CE FF 55 E0 83 FF 05 75 37 B8 A0 2F 42 00 2D 10 8C 00 00 BA 3E B1 68 38 8B 4D EC FF D0 F7 D8 05 87 8A 52 4F BA ED 64 32 38 8B 4D EC FF D0 F7 D8 05 90 3D DB 02 89 45 E0 8B 56 28 8B CE FF 55 E0 B8 26 03 4B 00 09 45 E8 7A 02 B8 00 8B 4E 48 C7 45 E0 00 00 00 00 8B D1 81 E2 FF 00 00 00 89 55 DC DF 6D DC D9 FF DC 1D B8 91 4A 00 DF E0 F6 C4 01 8B 45 E8 75 03 8B 46 38 2B C8 83 FF 0A 89 4E 48 75 37 B8 70 57 42 00 2D 10 B9 00 00 BA E6 41 C8 1C 8B 4D EC FF D0 F7 D8 05 DE 4B C7 0B BA A4 2B B2 0F 8B 4D EC FF D0 F7 D8 05 6E CC 6D 43 89 45 E0 8B 56 38 8B CE FF 55 E0 83 FF 01 75 6D B8 90 F4 41 00 2D B0 57 00 00 BA B7 F4 83 F7 8B 4D EC FF D0 F7 D8 05 8D EC E0 24 BA 07 0C F1 F2 8B 4D EC FF D0 F7 D8 05 03 70 70 13 89 45 E0 8B 56 08 8B CE FF 55 E0 B8 50 C5 41 00 2D F0 1C 00 00 BA 2C 0D A6 89 8B 4D EC FF D0 F7 D8 05 56 7D 64 28 BA E5 B2 75 76 8B 4D EC FF D0 F7 D8 05 4F 3E 2E 3B 89 45 E0 8B D3 8B CE FF 55 E0 8B 46 3C 8B 56 40 8D 0C 40 C1 E1 03 2B C8 F7 D9 D1 E1 03 D1 83 FF 0C 89 56 40 75 36 B8 A0 11 42 00 2D 60 76 00 00 BA 13 97 03 AE 8B 4D EC FF D0 F7 D8 05 5D B7 5E 27 BA 60 25 FE F9 8B 4D EC FF D0 F7 D8 05 EF 9B 1C 05 89 45 E0 8B D3 8B CE FF 55 E0 83 FF 09 75 36 B8 D0 61 42 00 2D F0 C6 00 00 BA 46 B7 54 E3 8B 4D EC FF D0 F7 D8 05 C5 94 03 23 BA AF C6 A3 DD 8B 4D EC FF D0 F7 D8 05 88 3B 83 38 89 45 E0 8B D3 8B CE FF 55 E0 B8 2D 99 46 00 21 45 E8 7B 02 B8 00 0F 9F DB 8B 46 08 8B 4E 10 8D 14 C0 8D 04 90 8D 04 40 03 C8 83 FF 
06 89 4E 10 75 37 B8 A0 4F 42 00 2D F0 B2 00 00 BA B5 12 5F DE 8B 4D EC FF D0 F7 D8 05 61 7F 90 38 BA 6F 86 71 46 8B 4D EC FF D0 F7 D8 05 0B D2 C5 2A 89 45 E0 8B 56 44 8B CE FF 55 E0 83 FF 02 75 37 B8 A0 AA 41 00 2D 00 0A 00 00 BA 31 5A 5C F8 8B 4D EC FF D0 F7 D8 05 A4 E3 FF 1D BA 1B 9E 8D AB 8B 4D EC FF D0 F7 D8 05 C8 E1 37 34 89 45 E0 8B 56 28 8B CE FF 55 E0 83 FF 0B 75 37 B8 70 48 42 00 2D B0 9D 00 00 BA 12 0B D6 72 8B 4D EC FF D0 F7 D8 05 9F 86 B4 00 BA D4 7F 57 E0 8B 4D EC FF D0 F7 D8 05 52 56 30 51 89 45 E0 8B 56 38 8B CE FF 55 E0 B8 46 93 48 00 09 45 E8 7B 02 B8 00 8B 46 44 8B 4E 0C 8B 56 4C C1 E1 06 0B D1 83 FF 03 89 56 4C 75 37 B8 A0 F8 41 00 2D 20 4F 00 00 BA 73 0A 63 F9 8B 4D EC FF D0 F7 D8 05 AE F9 FB 67 BA BE 6B 95 37 8B 4D EC FF D0 F7 D8 05 7D 24 78 02 89 45 E0 8B 56 08 8B CE FF 55 E0 83 FF 0E 75 36 B8 20 6A 42 00 2D 60 C1 00 00 BA C2 F6 D8 04 8B 4D EC FF D0 F7 D8 05 AC 5E 3D 0F BA 15 B8 2D 87 8B 4D EC FF D0 F7 D8 05 2E F0 EC 1C 89 45 E0 8B D3 8B CE FF 55 E0 8B 46 20 8B 4D E8 3B C1 72 02 8B C3 8B 4E 30 23 C8 83 FF 07 89 4E 30 75 37 B8 00 E2 41 00 2D 80 3A 00 00 BA 60 B3 48 A7 8B 4D EC FF D0 F7 D8 05 38 6F B0 38 BA AA 10 45 FF 8B 4D EC FF D0 F7 D8 05 AC 6C 0C 1C 89 45 E0 8B 56 2C 8B CE FF 55 E0 83 FF 0D 75 36 B8 B0 4F 42 00 2D 20 A7 00 00 BA CC 0C 35 F6 8B 4D EC FF D0 F7 D8 05 F7 81 18 02 BA 02 78 86 E9 8B 4D EC FF D0 F7 D8 05 33 92 7B 01 89 45 E0 8B 16 8B CE FF 55 E0 B8 E6 6C 4B 00 09 45 E8 7A 02 B8 00 8B 46 38 8B 4E 44 8B C3 35 06 98 44 07 2B C8 8B C3 89 4E 44 8B 4D F4 64 89 0D 00 00 00 00 5F 5E 5B 8B E5 5D C3 8B 55 D8 8B 45 E4 33 C2 89 45 E4 B8 6A 1C 42 00 C3 8B 5D E4 8B 4D F4 5F 8B C3 5E 64 89 0D 00 00 00 00 5B 8B E5 5D C3

Upvotes: 1

Views: 2356

Answers (2)

icktoofay

Reputation: 129011

The Intel documentation says that jp jumps if the parity flag is set. jnp jumps if the parity flag is not set. The parity flag is set if the least significant byte of the result of a previous instruction contains an even number of 1 bits.

For more information, see Intel order number 24319002.

Upvotes: 0

ughoavgfhw

Reputation: 39905

This is definitely obfuscation code. Look at the destination of the jump:

    jp      short near ptr loc_41FA2B+2
loc_41FA2B:
    mov     eax, 104E8B00h

Notice that the destination of the jump is 2 bytes into the next instruction. This means that the actual instruction you should be looking at starts two bytes in. The machine code of the mov instruction would be B8 00 8B 4E 10. If you skip the first two bytes, you have 8B 4E 10. The disassembly of this is:

    mov ecx, [esi+16]

The calculation before the jp instruction must have a known result so that the proper instruction is used. Since NOPing it failed, I will assume that the calculation should result in the parity flag being set. This means that you could get the right result by NOPing the jp instruction and the first 2 bytes of the mov instruction.

The second snippet is the same type of thing, except that the result of the calculation should have the parity flag cleared. After skipping the first two bytes, the disassembly is:

    mov eax, [esi+28]

Upvotes: 4
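The following Python script is an added example and is not code from the question or from either answer. It puts the two answers together in runnable form: it computes the parity flag the first answer defines, it strips the `jp/jnp +2` plus the two bytes it skips to NOPs exactly as the second answer suggests, and it decodes the instruction that starts two bytes into the bogus `mov eax, imm32`. The patch is only valid under the assumption the second answer makes, namely that the preceding `sub`/`add`/`or`/`and` on `[ebp-18h]` has a result the obfuscator chose, so the jump is always taken. The sample byte strings are hand re-encoded from the two IDA listings in the question; the initial `[ebp-18h]` value and the `sub` constant used for the parity check are read from the first such site in the byte dump the question posts (`C7 45 E8 95 3B 58 3A` ... `B8 21 4F 4B 00 29 45 E8 7A 02`). The opcode decoder handles only the handful of encodings those snippets use.

```python
from __future__ import annotations

# Added example, not code from the question or either answer.  Assumes, as
# the second answer does, that each jp/jnp +2 here is always taken, so the
# two bytes it skips are junk and can be replaced by NOPs.

JP, JNP, NOP = 0x7A, 0x7B, 0x90
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
ALU = {0x01: "add", 0x09: "or", 0x21: "and", 0x29: "sub"}  # "op r/m32, r32" forms

# Sample bytes re-encoded by hand from the two listings in the question.
JP_SAMPLE = bytes.fromhex("7A02" "B8008B4E10" "8BC3")
#   jp +2 ; mov eax, 104E8B00h ; mov eax, ebx
JNP_SAMPLE = bytes.fromhex("B809F04000" "2945E8" "7B02" "B8008B461C")
#   mov eax, 40F009h ; sub [ebp-18h], eax ; jnp +2 ; mov eax, 1C468B00h

# Values from the first jp site in the question's byte dump (constructed
# check: mov dword [ebp-18h], 3A583B95h ... mov eax, 4B4F21h ; sub [ebp-18h], eax ; jp +2).
DUMP_INITIAL, DUMP_SUB = 0x3A583B95, 0x004B4F21


def parity_flag(result: int) -> bool:
    """x86 PF is set when the low byte of the result has an even number of 1 bits."""
    return bin(result & 0xFF).count("1") % 2 == 0


def jump_taken(opcode: int, result: int) -> bool:
    """jp (7A) is taken when PF=1, jnp (7B) when PF=0."""
    return parity_flag(result) if opcode == JP else not parity_flag(result)


def strip_jump_into_instruction(code: bytes) -> bytes:
    """Replace 'jp/jnp +2' and the two bytes it skips (B8 xx, the start of a
    bogus 'mov eax, imm32') with four NOPs so a linear disassembler shows the
    instruction that really executes.  A production pass should walk
    instruction boundaries rather than raw bytes; this scan suffices here."""
    out = bytearray(code)
    i = 0
    while i + 3 < len(out):
        if out[i] in (JP, JNP) and out[i + 1] == 2 and out[i + 2] == 0xB8:
            out[i:i + 4] = bytes([NOP] * 4)
            i += 4
        else:
            i += 1
    return bytes(out)


def decode_modrm(code: bytes, pos: int) -> tuple[int, str, int]:
    """Decode the ModRM byte at pos for the forms used on the page: register
    direct, [reg] and [reg+disp8].  Returns (reg field, r/m text, bytes used)."""
    modrm = code[pos]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if rm == 4 or (mod == 0 and rm == 5) or mod == 2:
        raise ValueError("SIB and disp32 forms are not handled in this example")
    if mod == 3:
        return reg, REG32[rm], 1
    if mod == 0:
        return reg, f"[{REG32[rm]}]", 1
    disp = code[pos + 1]
    disp = disp - 0x100 if disp & 0x80 else disp
    return reg, f"[{REG32[rm]}{'+' if disp >= 0 else '-'}0x{abs(disp):X}]", 2


def disassemble(code: bytes) -> list[str]:
    """Linear sweep over the few opcodes the page's snippets use."""
    out: list[str] = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == NOP:
            out.append("nop")
            i += 1
        elif op == 0xB8:
            out.append(f"mov eax, 0x{int.from_bytes(code[i + 1:i + 5], 'little'):X}")
            i += 5
        elif op in (JP, JNP):
            out.append(f"{'jp' if op == JP else 'jnp'} $+{2 + code[i + 1]}")
            i += 2
        elif op == 0x8B or op in ALU:
            reg, rm, n = decode_modrm(code, i + 1)
            out.append(f"mov {REG32[reg]}, {rm}" if op == 0x8B else f"{ALU[op]} {rm}, {REG32[reg]}")
            i += 1 + n
        else:
            out.append(f"db 0x{op:02X}")
            i += 1
    return out


def reveal(code: bytes) -> list[str]:
    """What the CPU actually runs, assuming every jp/jnp +2 is taken."""
    return disassemble(strip_jump_into_instruction(code))


if __name__ == "__main__":
    for name, sample in (("JP", JP_SAMPLE), ("JNP", JNP_SAMPLE)):
        print(f"{name} as IDA shows it: {disassemble(sample)}")
        print(f"{name} as executed:    {reveal(sample)}")
    result = (DUMP_INITIAL - DUMP_SUB) & 0xFFFFFFFF
    print(f"sub result 0x{result:08X}: PF={int(parity_flag(result))}, jp taken={jump_taken(JP, result)}")
```

The parity check is the part that justifies the patch: for the dump's first site the subtraction leaves a low byte of 0x74 (four set bits, PF=1), so that `jp` is always taken and `mov eax, 104E8B00h` never executes. If you NOP only the jump, as the question describes trying, the junk `mov eax, imm32` becomes live and the real `mov ecx, [esi+10h]` disappears into its immediate; NOPing the jump together with the two skipped bytes keeps the executed byte stream identical. Where you cannot show that PF is fixed before a given `jp`/`jnp`, treat both paths as reachable and leave the bytes alone.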
