Solved

finding out members of a C struct from disassembled ASM functions

Posted on 2003-10-26
6
435 Views
Last Modified: 2010-08-05
Hi, i need to find out the members of a C struct from ASM functions, but i don't know ASM, the functions does an MD5Update. (This is not for a crack!).

---
DEBUG :: void __cdecl appMD5Init(struct FMD5Context *)
=========
?appMD5Init@@YAXPAUFMD5Context@@@Z
=========
:1012D390 8B442404                mov eax, dword[esp+04]
:1012D394 33C9                    xor ecx, ecx
:1012D396 894814                  mov dword[eax+14], ecx
:1012D399 894810                  mov dword[eax+10], ecx
:1012D39C C70001234567            mov dword[eax], 67452301
:1012D3A2 C7400489ABCDEF          mov dword[eax+04], EFCDAB89
:1012D3A9 C74008FEDCBA98          mov dword[eax+08], 98BADCFE
:1012D3B0 C7400C76543210          mov dword[eax+0C], 10325476
:1012D3B7 53                      push ebx
:1012D3B8 83C018                  add eax, 018
:1012D3BB 57                      push edi
:1012D3BC 8944240C                mov dword[esp+0C], eax
:1012D3C0 B940000000              mov ecx, 00000040
:1012D3C5 8B7C240C                mov edi, dword[esp+0C]
:1012D3C9 33C0                    xor eax, eax
:1012D3CB 8BD9                    mov ebx, ecx
:1012D3CD C1E902                  shr ecx, 02
:1012D3D0 83E303                  and ebx, 003
:1012D3D3 F3AB                    rep stosd
:1012D3D5 8BCB                    mov ecx, ebx
:1012D3D7 F3AA                    rep stosb
:1012D3D9 5F                      pop edi
:1012D3DA 5B                      pop ebx
:1012D3DB C3                      ret

DEBUG :: void __cdecl appMD5Update(struct FMD5Context *,unsigned char *,int)
=========
?appMD5Update@@YAXPAUFMD5Context@@PAEH@Z
=========
:1012E5E0 53                      push ebx
:1012E5E1 55                      push ebp
:1012E5E2 56                      push esi
:1012E5E3 8B742410                mov esi, dword[esp+10]
:1012E5E7 8B4E10                  mov ecx, dword[esi+10]
:1012E5EA 8BC1                    mov eax, ecx
:1012E5EC 57                      push edi
:1012E5ED 8B7C241C                mov edi, dword[esp+1C]
:1012E5F1 C1E803                  shr eax, 03
:1012E5F4 8D0CF9                  lea ecx, dword[ecx+8*edi]
:1012E5F7 8D14FD00000000          lea edx, dword[8*edi+00000000]
:1012E5FE 83E03F                  and eax, 03F
:1012E601 3BCA                    cmp ecx, edx
:1012E603 894E10                  mov dword[esi+10], ecx
:1012E606 7303                    jae 1012E60B
:1012E608 FF4614                  inc dword[esi+14]
---------
:1012E60B 8B5E14                  mov ebx, dword[esi+14]
:1012E60E 8BCF                    mov ecx, edi
:1012E610 C1E91D                  shr ecx, 1D
:1012E613 03D9                    add ebx, ecx
:1012E615 895E14                  mov dword[esi+14], ebx
:1012E618 BB40000000              mov ebx, 00000040
:1012E61D 2BD8                    sub ebx, eax
:1012E61F 3BFB                    cmp edi, ebx
:1012E621 7C4D                    jl 1012E670
:1012E623 8B542418                mov edx, dword[esp+18]
:1012E627 53                      push ebx
:1012E628 52                      push edx
:1012E629 8D443018                lea eax, dword[eax+esi+18]
:1012E62D 50                      push eax
:1012E62E E8CD29FDFF              call 10101000
:1012E633 8D4E18                  lea ecx, dword[esi+18]
:1012E636 51                      push ecx
:1012E637 56                      push esi
:1012E638 E893F4FFFF              call 1012DAD0 {void __cdecl appMD5Transform(unsigned long *,unsigned char *)}  {void __cdecl appMD5Transform(unsigned long *,unsigned char *)}
                            ;;?appMD5Transform@@YAXPAKPAE@Z
:1012E63D 8BEB                    mov ebp, ebx
:1012E63F 83C33F                  add ebx, 03F
:1012E642 83C414                  add esp, 014
:1012E645 3BDF                    cmp ebx, edi
:1012E647 7D23                    jge 1012E66C
:1012E649 8DA42400000000          lea esp, dword[esp+00000000]
---------
:1012E650 8B542418                mov edx, dword[esp+18]
:1012E654 8D441AC1                lea eax, dword[edx+ebx-3F]
:1012E658 50                      push eax
:1012E659 56                      push esi
:1012E65A E871F4FFFF              call 1012DAD0 {void __cdecl appMD5Transform(unsigned long *,unsigned char *)}  {void __cdecl appMD5Transform(unsigned long *,unsigned char *)}
                            ;;?appMD5Transform@@YAXPAKPAE@Z
:1012E65F 83C340                  add ebx, 040
:1012E662 83C408                  add esp, 008
:1012E665 83C540                  add ebp, 040
:1012E668 3BDF                    cmp ebx, edi
:1012E66A 7CE4                    jl 1012E650
---------
:1012E66C 33C0                    xor eax, eax
:1012E66E EB02                    jmp 1012E672
---------
:1012E670 33ED                    xor ebp, ebp
---------
:1012E672 8B4C2418                mov ecx, dword[esp+18]
:1012E676 2BFD                    sub edi, ebp
:1012E678 57                      push edi
:1012E679 03E9                    add ebp, ecx
:1012E67B 8D543018                lea edx, dword[eax+esi+18]
:1012E67F 55                      push ebp
:1012E680 52                      push edx
:1012E681 E87A29FDFF              call 10101000
:1012E686 83C40C                  add esp, 00C
:1012E689 5F                      pop edi
:1012E68A 5E                      pop esi
:1012E68B 5D                      pop ebp
:1012E68C 5B                      pop ebx
:1012E68D C3                      ret

DEBUG :: void __cdecl appMD5Final(unsigned char *,struct FMD5Context *)
=========
?appMD5Final@@YAXPAEPAUFMD5Context@@@Z
=========
:1012E690 83EC08                  sub esp, 008
:1012E693 56                      push esi
:1012E694 8B742414                mov esi, dword[esp+14]
:1012E698 57                      push edi
:1012E699 33C9                    xor ecx, ecx
:1012E69B 8D4612                  lea eax, dword[esi+12]
:1012E69E 8BFF                    mov edi, edi
---------
:1012E6A0 8A50FE                  mov dl, byte[eax-02]
:1012E6A3 88540C08                mov byte[esp+ecx+08], dl
:1012E6A7 8A50FF                  mov dl, byte[eax-01]
:1012E6AA 88540C09                mov byte[esp+ecx+09], dl
:1012E6AE 8A10                    mov dl, byte[eax]
:1012E6B0 88540C0A                mov byte[esp+ecx+0A], dl
:1012E6B4 8A5001                  mov dl, byte[eax+01]
:1012E6B7 88540C0B                mov byte[esp+ecx+0B], dl
:1012E6BB 83C104                  add ecx, 004
:1012E6BE 83C004                  add eax, 004
:1012E6C1 83F908                  cmp ecx, 008
:1012E6C4 7CDA                    jl 1012E6A0
:1012E6C6 8B4E10                  mov ecx, dword[esi+10]
:1012E6C9 C1E903                  shr ecx, 03
:1012E6CC 83E13F                  and ecx, 03F
:1012E6CF 83F938                  cmp ecx, 038
:1012E6D2 B838000000              mov eax, 00000038
:1012E6D7 7C05                    jl 1012E6DE
:1012E6D9 B878000000              mov eax, 00000078
---------
:1012E6DE 2BC1                    sub eax, ecx
:1012E6E0 50                      push eax
:1012E6E1 68201E1910              push 10191E20
:1012E6E6 56                      push esi
:1012E6E7 E8F4FEFFFF              call 1012E5E0 {void __cdecl appMD5Update(struct FMD5Context *,unsigned char *,int)}  {void __cdecl appMD5Update(struct FMD5Context *,unsigned char *,int)}
                            ;;?appMD5Update@@YAXPAUFMD5Context@@PAEH@Z
:1012E6EC 6A08                    push 008
:1012E6EE 8D442418                lea eax, dword[esp+18]
:1012E6F2 50                      push eax
:1012E6F3 56                      push esi
:1012E6F4 E8E7FEFFFF              call 1012E5E0 {void __cdecl appMD5Update(struct FMD5Context *,unsigned char *,int)}  {void __cdecl appMD5Update(struct FMD5Context *,unsigned char *,int)}
                            ;;?appMD5Update@@YAXPAUFMD5Context@@PAEH@Z
:1012E6F9 8B4C242C                mov ecx, dword[esp+2C]
:1012E6FD 83C418                  add esp, 018
:1012E700 41                      inc ecx
:1012E701 8D4602                  lea eax, dword[esi+02]
:1012E704 BF04000000              mov edi, 00000004
:1012E709 8DA42400000000          lea esp, dword[esp+00000000]
---------
:1012E710 8A50FE                  mov dl, byte[eax-02]
:1012E713 8851FF                  mov byte[ecx-01], dl
:1012E716 8A50FF                  mov dl, byte[eax-01]
:1012E719 8811                    mov byte[ecx], dl
:1012E71B 8A10                    mov dl, byte[eax]
:1012E71D 885101                  mov byte[ecx+01], dl
:1012E720 8A5001                  mov dl, byte[eax+01]
:1012E723 885102                  mov byte[ecx+02], dl
:1012E726 83C004                  add eax, 004
:1012E729 83C104                  add ecx, 004
:1012E72C 4F                      dec edi
:1012E72D 75E1                    jne 1012E710
:1012E72F 6A58                    push 058
:1012E731 6A00                    push 000
:1012E733 56                      push esi
:1012E734 E83753FEFF              call 10113A70 {void __cdecl appMemset(void *,int,int)}  {void __cdecl appMemset(void *,int,int)}
                            ;;?appMemset@@YAXPAXHH@Z
:1012E739 83C40C                  add esp, 00C
:1012E73C 5F                      pop edi
:1012E73D 5E                      pop esi
:1012E73E 83C408                  add esp, 008
:1012E741 C3                      ret
---
i need to know the c variable types and what they would contain.

Thank You.
0
Comment
Question by:MudBlud
  • 3
  • 3
6 Comments
 
LVL 5

Expert Comment

by:mtmike
ID: 9623837
You definitely can't find out the members of the original C structs from an assembly dump. However, the code you posted is the well-known MD5 algorithm. The corresponding C code is published in here:

http://www.faqs.org/rfcs/rfc1321.html
0
 

Author Comment

by:MudBlud
ID: 9626316
i just need to know if the FMD5Context is the same as the original, so if that code is the same i guess it must be ;/
0
 
LVL 5

Accepted Solution

by:
mtmike earned 400 total points
ID: 9626428
The MD5Init in the given dump is nearly the same as the RFC C code, except for the fact that it also clears the buffer. Fields are identical.

Context structure offsets:
0x00 state[0]
0x04 state[1]
0x08 state[2]
0x12 state[3]
0x10 count[0]
0x14 count[1]
0x18 buffer

Annotated MD5Init:

mov eax, dword[esp+04] ; eax = context
xor ecx, ecx
mov dword[eax+14], ecx ; context->count[1] = 0
mov dword[eax+10], ecx ; context->count(0) = 0
mov dword[eax], 67452301 ; context->state[0] = 0x67452301
mov dword[eax+04], EFCDAB89 ; context->state[1] = 0xEFCDAB89
mov dword[eax+08], 98BADCFE ; context->state[2] = 0x98BADCFE
mov dword[eax+0C], 10325476 ; context->state[3] = 0x10325476

; memset(context->buffer, 0, 64)
push ebx
add eax, 018
push edi
mov dword[esp+0C], eax
mov ecx, 00000040 ; 0x40 == 64
mov edi, dword[esp+0C]
xor eax, eax
mov ebx, ecx
shr ecx, 02
and ebx, 003
rep stosd
mov ecx, ebx
rep stosb
pop edi
pop ebx

ret
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:MudBlud
ID: 9629919
hmm, i already accepted it but i have one more question :(

how am i meant  to get the final hash when the buffer is cleared?
0
 
LVL 5

Expert Comment

by:mtmike
ID: 9630084
By calling MD5Final(digest, context). The context is cleared, but the message digest is stored in a user-supplied buffer.

Sample function to compute the 16 byte message digest:

void MessageDigest(unsigned char *digest, char *message, int length)
{
  MD5_CTX context;

  MD5Init(&context);
  MD5Update(&context, message, length);
  MD5Final(digest, &context);
}
0
 

Author Comment

by:MudBlud
ID: 9630941
oh.. k, thanks
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Get to know the ins and outs of building a web-based ERP system for your enterprise. Development timeline, technology, and costs outlined.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now