How can I know what this does?

Question

I got this piece of Assembly code extracted from some piece of software, but unfortunately I don't know anything of assembler and the bits I touched of Assembler was back in the Commodore Amiga with the 68000.

Can anybody guide me on how I could understand this code without me needing to learn assembler from scratch, or just tell me what it does?

Is there any kind of "Simulator" out there that I can run this on to see what it does?

   -[ObjSample Param1:andParam2:]:
    00000c79    pushl   %ebp
    00000c7a    movl    %esp,%ebp
    00000c7c    subl    $0x48,%esp
    00000c7f    movl    %ebx,0xf4(%ebp)
    00000c82    movl    %esi,0xf8(%ebp)
    00000c85    movl    %edi,0xfc(%ebp)
    00000c88    calll   0x00000c8d
    00000c8d    popl    %ebx
    00000c8e    cmpb    $-[ObjSample delegate],_bDoOnce.26952-0xc8d(%ebx)
    00000c95    jel 0x00000d47
    00000c9b    movb    $-[ObjSample delegate],_bDoOnce.26952-0xc8d(%ebx)
    00000ca2    movl    0x7dc0-0xc8d(%ebx),%eax
    00000ca8    movl    %eax,0x04(%esp)
    00000cac    movl    0x7df4-0xc8d(%ebx),%eax
    00000cb2    movl    %eax,(%esp)
    00000cb5    calll   _objc_msgSend
    00000cba    movl    0x7dbc-0xc8d(%ebx),%edx
    00000cc0    movl    %edx,0x04(%esp)
    00000cc4    movl    %eax,(%esp)
    00000cc7    calll   _objc_msgSend
    00000ccc    movl    %eax,0xe4(%ebp)
    00000ccf    movl    0x7db8-0xc8d(%ebx),%eax
    00000cd5    movl    %eax,0x04(%esp)
    00000cd9    movl    0xe4(%ebp),%eax
    00000cdc    movl    %eax,(%esp)
    00000cdf    calll   _objc_msgSend
    00000ce4    leal    (%eax,%eax),%edi
    00000ce7    movl    %edi,(%esp)
    00000cea    calll   _malloc
    00000cef    movl    %eax,%esi
    00000cf1    movl    %edi,0x08(%esp)
    00000cf5    movl    $-[ObjSample delegate],0x04(%esp)
    00000cfd    movl    %eax,(%esp)
    00000d00    calll   _memset
    00000d05    movl    $0x00000004,0x10(%esp)
    00000d0d    movl    %edi,0x0c(%esp)
    00000d11    movl    %esi,0x08(%esp)
    00000d15    movl    0x7db4-0xc8d(%ebx),%eax
    00000d1b    movl    %eax,0x04(%esp)
    00000d1f    movl    0xe4(%ebp),%eax
    00000d22    movl    %eax,(%esp)
    00000d25    calll   _objc_msgSend
    00000d2a    xorl    %edx,%edx
    00000d2c    movl    %edi,%eax
    00000d2e    shrl    $0x03,%eax
    00000d31    jmp 0x00000d34
    00000d33    incl    %edx
    00000d34    cmpl    %edx,%eax
    00000d36    ja  0x00000d33
    00000d38    movl    %esi,(%esp)
    00000d3b    calll   _free
    00000d40    movb    $0x01,_isAuthenticated-0xc8d(%ebx)
    00000d47    movzbl  _isAuthenticated-0xc8d(%ebx),%eax
    00000d4e    movl    0xf4(%ebp),%ebx
    00000d51    movl    0xf8(%ebp),%esi
    00000d54    movl    0xfc(%ebp),%edi
    00000d57    leave
    00000d58    ret

Answer 1

Hard job... your assembler is only a routine, but it refers to other subroutines and global or static variables, so the best we can do is have an idea of its equivalent in a more readable language. But... let's try! (C-like language)

int unknown_function(/* Parameters? */)
{
static char bDoOnce;
static char isAuthenticated;
uint32 tmp1,tmp2,tmp3;
void *p;
int i;

       if (bDoOnce == ObjSample_delegate) {
             return isAuthenticated;
       }
       bDoOnce = ObjSample_delegate;
       tmp1= objc_msgSend(some_data1, some_data2);
       tmp2 = objc_msgSend(tmp1, some_data3);
       tmp3 = objc_msgSend(tmp2, some_data4);
       p = malloc(tmp3*2);
       memset(p, ObjSample_delegate, tmp3*2);
       objc_msgSend(tmp2,some_data5,p, tmp3*2,4);
       for (i = 0; i < tmp3/4; ++i) {
       }
       free(p);
       isAuthenticated = 1;
       return isAuthenticated;
}

Uhm... not enough information to figure out what is really going (not to say I may did something wrong ;) ) The program contains too many "some_data", and the empty for cycle seems here just to consume CPU . Uhm... Is it a function compiled by gnu objectiveC?

Sorry, I tryed, but I cant' say much more useful. Anyway I hope it can help you. Regards

Answer 2

This Sets up a stack frame, allocates 0x48 bytes for local variables and saves off ebx, esi, and edi, this is a pretty standard function prolog.

00000c79    pushl   %ebp
00000c7a    movl    %esp,%ebp
00000c7c    subl    $0x48,%esp
00000c7f    movl    %ebx,0xf4(%ebp)
00000c82    movl    %esi,0xf8(%ebp)
00000c85    movl    %edi,0xfc(%ebp)

This is a assembler trick for getting ebx set to point to the code, when this is done ebx contains 00000c8d.

00000c88    calll   0x00000c8d
00000c8d    popl    %ebx

This bit insures that the function runs only once, if you call it a second time it just skips to the end (jel 0x00000d47)

00000c8e    cmpb    $-[ObjSample delegate],_bDoOnce.26952-0xc8d(%ebx)
00000c95    jel 0x00000d47
00000c9b    movb    $-[ObjSample delegate],_bDoOnce.26952-0xc8d(%ebx)

This bit is copying values relative to ebx into local (stack) variable space, remember that ebx is pointing to the current function, but the offsets from ebx are quite large. most likely this is constant data imbeded in the code and they are being setup as arguments to call a function.

00000ca2    movl    0x7dc0-0xc8d(%ebx),%eax
00000ca8    movl    %eax,0x04(%esp)
00000cac    movl    0x7df4-0xc8d(%ebx),%eax
00000cb2    movl    %eax,(%esp)

call the function.

00000cb5    calll   _objc_msgSend

more contstant values pushed onto the stack and another call to the same function, this time the return value of the function call is saved to a local variable: 0xe4(%ebp)

00000cba    movl    0x7dbc-0xc8d(%ebx),%edx
00000cc0    movl    %edx,0x04(%esp)
00000cc4    movl    %eax,(%esp)
00000cc7    calll   _objc_msgSend
00000ccc    movl    %eax,0xe4(%ebp)

more values pushed on the stack for a function call, this time one value is a constant relative to ebx, and the other value is the return value from the previous call.

00000ccf    movl    0x7db8-0xc8d(%ebx),%eax
00000cd5    movl    %eax,0x04(%esp)
00000cd9    movl    0xe4(%ebp),%eax
00000cdc    movl    %eax,(%esp)
00000cdf    calll   _objc_msgSend

take the return value from that call, double it and malloc that much memory.

00000ce4    leal    (%eax,%eax),%edi
00000ce7    movl    %edi,(%esp)
00000cea    calll   _malloc

fill the memory with the byte found at [ObjSample delegate]

00000cef    movl    %eax,%esi
00000cf1    movl    %edi,0x08(%esp)
00000cf5    movl    $-[ObjSample delegate],0x04(%esp)
00000cfd    movl    %eax,(%esp)
00000d00    calll   _memset

send another message, this one taking arguments: 0xe4(%ebp), constant from ebx, mallocd ptr, malloc size, 4. Presumably this sends the message in our malloc'd buffer, (the buffer is latter freed rather than being returned to the caller)

00000d05    movl    $0x00000004,0x10(%esp)
00000d0d    movl    %edi,0x0c(%esp)
00000d11    movl    %esi,0x08(%esp)
00000d15    movl    0x7db4-0xc8d(%ebx),%eax
00000d1b    movl    %eax,0x04(%esp)
00000d1f    movl    0xe4(%ebp),%eax
00000d22    movl    %eax,(%esp)
00000d25    calll   _objc_msgSend

clear edx and save the return value from the sendmessage call into edi.

00000d2a    xorl    %edx,%edx
00000d2c    movl    %edi,%eax

eax >> 3, then while (edx < eax) ++edx; this doesn't make a lot of sense.

00000d2e    shrl    $0x03,%eax
00000d31    jmp 0x00000d34
00000d33    incl    %edx
00000d34    cmpl    %edx,%eax
00000d36    ja  0x00000d33

free the mallocd memory

00000d38    movl    %esi,(%esp)
00000d3b    calll   _free

set _isAuthenticated to true, also set return value to true. this variable appears to be in the code, or possibly a global.

00000d40    movb    $0x01,_isAuthenticated-0xc8d(%ebx)
00000d47    movzbl  _isAuthenticated-0xc8d(%ebx),%eax

restore registers and return.

00000d4e    movl    0xf4(%ebp),%ebx
00000d51    movl    0xf8(%ebp),%esi
00000d54    movl    0xfc(%ebp),%edi
00000d57    leave
00000d58    ret