About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New


Customize Theme

Flag: Tornado! Hurricane!

Blogs >> fileoffset's Blog

Created: Wednesday, January 24 2007 21:52.39 CST  
Printer Friendly ...
IDC Quirks
Author: fileoffset # Views: 1971

If trying to get the high dword of an overflow multiply calculation, i.e:

0x0aabbcc * 0x0ddeeff = 0x09403 [edx] 83c4b834 [eax]

Doing something like this in IDC:

auto a = 0x0aabbcc * 0x0ddeeff;

will result in 'a' being the lower dword only (0x083c4b834). A workaround for this is to force one of the operands to a floating point constant like such:

auto a = 11189196.0 * 0x0ddeeff;

'a' is now a floating point number. Attempting to shift it right will fail, since IDA attempts to convert the floating point to a long and fails, so we must do it the long way (divide by 0x0ffffffff):

auto a = (11189196.0 * 0x0ddeeff) / 4294967295.0;

'a' is now 0x09403, just what we wanted :)

If anyone knows a better way to do this, feel free to comment...


Blog Comments
ico Posted: Thursday, January 25 2007 03:27.52 CST
Actually shifting 32 bits right is not the same with dividing with 0xFFFF_FFFF. It should be with 0x1_0000_0000.
Anyway, here's a longer but integer-only solution:

static mul64_hi (a, b)
    {
    auto a0, a1, b0, b1, r0, r1, r01, r23;

    a0 = a & 0xFFFF;
    a1 = (a >> 0x10) & 0xFFFF;
    b0 = b & 0xFFFF;
    b1 = (b >> 0x10) & 0xFFFF;

    r0 = a0 * b0;
    r1 = a1 * b0 + a0 * b1 + ((r0 >> 0x10) & 0xFFFF);
    r23 = a1 * b1 + ((r1 >> 0x10) & 0xFFFF);
    r01 = (r0 & 0xFFFF) | (r1 << 0x10);

    Message("mul64: %08Xh * %08Xh = %08X_%08Xh", a, b, r23, r01);

    return (r23);
    }

static main ()
    {
    mul64_hi(0x0AABBCC, 0x0DDEEFF);
    }

fileoffset Posted: Monday, January 29 2007 00:20.45 CST
My bad, 0x010000000 it is.

As you say ico, yours is longer but more useful if neither of the sides of the multiplication are constants (or you cannot force either side to type float). However a revised (tested) version:

static mul64_hi(a, b)
{
  return (a * 1.0) * (b * 1.0) / 4294967296.0;
}

also seems to work well.



Add New Comment
Comment:









There are 29,893 total registered users.


Recently Created Topics
Decompiling raw bina...
May/22
Incorrect bitness wh...
May/20
PaiMei stalker modul...
May/19
Attach to program us...
May/13
IDA PRO how to make ...
May/12
FACT: OpenRCE is dead.
May/08
Int 3 anti debug?
May/05
help needed - Beginn...
May/03
Attaching IDA Pro to...
Apr/27
File type
Apr/21


Recent Forum Posts
Ollydbg 2.0 - Plugin...
openrce...
IDA PRO how to make ...
codeinject
FACT: OpenRCE is dead.
codeinject
IDA Resource Viewer ...
r2x64
FACT: OpenRCE is dead.
djnemo
FACT: OpenRCE is dead.
codeinject
FACT: OpenRCE is dead.
pedram
help needed - Beginn...
araujo
Attaching IDA Pro to...
codeinject
Int 3 anti debug?
codeinject


Recent Blog Entries
nfljerseysmart
May/23


nfljerseysmart
May/23


laangels
May/22
The Reason You Need A Mark ...
laangels
May/22
Buy Albert Pujols Jersey an...
lowpriority
Apr/13
OllyMigrate Plugin for Olly...
More ...


Recent Blog Comments
clarisonic on:
Apr/03
New version of Ollydbg!
clarisonic on:
Apr/03
New version of Ollydbg!
trackerx90 on:
Mar/04
SuppressDebugMsg As Anti-De...
coachfactory on:
Feb/25
Portable Executable Format ...
coachfactory on:
Feb/25
A new Anti-Olly trick.
More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit