Array Indexing Quirk
Author: RolfRolles
Created: Wednesday, February 13 2008 18:02.38 CST

.text:10002D49 mov     eax, [esp+arg_0]
.text:10002D4D lea     ecx, [eax-9C40h]
.text:10002D53 cmp     ecx, 50h
.text:10002D56 ja      short loc_10002D60
.text:10002D58 mov     eax, dword ptr ds:(loc_1000EF5B+1)[eax*8]
.text:10002D5F retn
.text:10002D60
.text:10002D60 loc_10002D60:
.text:10002D60 lea     edx, [eax-0A029h]
.text:10002D66 cmp     edx, 9
.text:10002D69 ja      short loc_10002D73
.text:10002D6B mov     eax, dword ptr ds:loc_1000D344[eax*8]
.text:10002D72 retn


The displacements referenced by the loads at 10002D58 and 10002D6B do not point at arrays; they point into the middle of code, which is unusual:

.text:1000EF57 movzx   eax, word ptr [esi+18h]
.text:1000EF5B
.text:1000EF5B loc_1000EF5B:                           ; DATA XREF: 10002D58
.text:1000EF5B add     dword_10065280, eax
.text:1000EF61 xor     eax, eax
.text:1000EF63 pop     esi
.text:1000EF64 mov     esp, ebp
.text:1000EF66 pop     ebp

.text:1000D342 mov     esp, ebp
.text:1000D344
.text:1000D344 loc_1000D344:                           ; DATA XREF: 10002D6B
.text:1000D344 pop     ebp


Looking closer at the code, the trick lies in the fact that the arrays are not indexed starting at zero. The lea subtracts the lowest valid index and the cmp/ja rejects anything outside the range, but the subsequent mov indexes with the original eax rather than with the biased value in ecx/edx. Since ja is an unsigned compare and the fall-through case is "below or equal", both ranges are inclusive of their upper bound:

.text:10002D58 mov     eax, dword ptr ds:(loc_1000EF5B+1)[eax*8] ; <- 0x9C40 <= eax <= 0x9C90 (0x51 entries)
.text:10002D6B mov     eax, dword ptr ds:loc_1000D344[eax*8] ; <- 0xA029 <= eax <= 0xA032 (10 entries)


So the first array actually begins at 0x1000EF5B+1+0x9C40*8 == 0x1005D15C and holds 0x51 eight-byte entries, and the second array begins at 0x1000D344+0xA029*8 == 0x1005D48C and holds 10. What happened here is that the compiler folded the constant part of the address computation into the 32-bit displacement of the [disp32 + reg*scale] addressing form, so the disassembler resolves that displacement to whatever label happens to be nearest:

[1005D15Ch + (eax - 0x9C40) * 8] => [1005D15Ch - 4E200h + eax*8] => [1000EF5Ch + eax*8]
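The same recovery, as an added example that is not code from the original post: given the displacement the disassembler shows, the constant subtracted by the lea, the bound tested by cmp/ja and the SIB scale, it computes the true base and extent of the table, reproduces the compiler's folding in the other direction, and emulates the guard to confirm that every admitted eax reads inside the recovered table. The class and function names (BiasedTable, fold_displacement) are my own; the addresses are the ones transcribed from the two listings above.

```python
"""Recover a bias-indexed table from its folded x86 displacement.

Added example, not code from the original post.  The compiler turned
base + (eax - idx_min)*8 into (base - idx_min*8) + eax*8, so the disp32
the disassembler shows (loc_1000EF5B+1, loc_1000D344) lands in unrelated
code.  BiasedTable undoes that folding and emulates the lea/cmp/ja guard.
"""
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class BiasedTable:
    displacement: int   # disp32 shown in the disassembly for [disp32 + eax*scale]
    index_min: int      # constant subtracted by the lea before the range check
    bound: int          # immediate in the cmp; ja rejects (eax - index_min) > bound (unsigned)
    scale: int          # SIB scale factor (8 for both tables in the post)
    read_size: int = 4  # both loads are dword ptr

    @property
    def true_base(self) -> int:
        """Address of element 0, i.e. where eax == index_min lands."""
        return (self.displacement + self.index_min * self.scale) & MASK32

    @property
    def index_max(self) -> int:
        """Highest eax the guard admits (inclusive: cmp/ja passes 0..bound)."""
        return self.index_min + self.bound

    @property
    def entry_count(self) -> int:
        return self.bound + 1

    @property
    def true_end(self) -> int:
        """One past the last byte the guarded load can touch."""
        return self.true_base + self.bound * self.scale + self.read_size

    def admits(self, eax: int) -> bool:
        """Emulate lea ecx,[eax-index_min] / cmp ecx,bound / ja with 32-bit unsigned wrap."""
        return ((eax - self.index_min) & MASK32) <= self.bound

    def effective_address(self, eax: int) -> int:
        """Address the mov computes from the folded displacement, guard or not."""
        return (self.displacement + eax * self.scale) & MASK32

    def in_bounds(self, eax: int) -> bool:
        """True iff the load for this eax stays inside the recovered table."""
        ea = self.effective_address(eax)
        return self.true_base <= ea and ea + self.read_size <= self.true_end


def fold_displacement(true_base: int, index_min: int, scale: int) -> int:
    """The compiler's side: the disp32 that [true_base + (eax-index_min)*scale] becomes."""
    return (true_base - index_min * scale) & MASK32


# The two tables from the post, transcribed from the lea/cmp/mov triples.
FIRST = BiasedTable(displacement=0x1000EF5C, index_min=0x9C40, bound=0x50, scale=8)
SECOND = BiasedTable(displacement=0x1000D344, index_min=0xA029, bound=0x9, scale=8)


if __name__ == "__main__":
    for name, t in (("first", FIRST), ("second", SECOND)):
        print(f"{name}: table at {t.true_base:#x}..{t.true_end:#x}, "
              f"{t.entry_count} entries, eax in [{t.index_min:#x}, {t.index_max:#x}]")
    # Every admitted index reads inside the recovered table; the index just
    # below index_min wraps to a huge unsigned value and is rejected by ja,
    # which matters because its effective address would fall before the table.
    for t in (FIRST, SECOND):
        assert all(t.in_bounds(e) for e in range(t.index_min, t.index_max + 1))
        assert not t.admits(t.index_min - 1) and not t.in_bounds(t.index_min - 1)
```

The same arithmetic works for jump tables (switch statements whose case values start well above zero), where the folded displacement similarly lands on an unrelated label; the entry count and true_end are what to feed a disassembler when defining the array so that the code the displacement points into is left alone.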

This is pretty uncommon; I've only seen it a handful of times in my reversing endeavors over the years.
