Geek Answers Handbook

Reverse Engineer Build Code with Code C

I think this is actually a pretty simple problem. I need to rebuild this assembly code to c-code. I will also provide what I think will continue so that you can, hopefully, indicate where I did wrong, and now I can learn from my mistakes.

.LFBO pushq %rbp movq %rsp,%rbp movl %edi,-4(%rbp) movl %esi,-8(%rbp) movl -4(%rbp),%eax compl -8(%rbp),%eax jg .L2 movl -8(%rbp),%eax jmp .L3 .L2: movl -4(%rbp),%eax .L3: popq %rbp ret

So here is what I think of it: the first two lines after .LFBO:

 pushq %rbp movq %rsp,%rbp

just set the stack for execution, which should follow.

 movl %edi,-4(%rbp)

captures the first variable, name it x

 movl %esi,-8(%rbp)

captures the second variable calling it y

 movl -4(%rbp),%eax

captures x for comparison in the next line

 compl -8(%rbp),%eax

compares x and y variables, computing xy

 jg .L2

says jump to .L2 if x> y

if x <= y, then calculate the following lines without going to .L2

 movl -8(%rbp),%eax

copy x = y

 jmp .L3

go to .L3

if x> y on the jg line, then you go to .L2: and end this line

 movl -4(%rbp),%eax

that's where I realized that I was really embarrassed. It seems to me that you are copying x to x then .L3 is complete and I think x is returning

+8
c assembly x86-64 reverse-engineering conditional-statements
source share
3 answers

Do not overdo it. Gradually replace the assembly with C. Here is a possible sequence of transformations.

 .LFBO pushq %rbp movq %rsp,%rbp movl %edi,-4(%rbp) movl %esi,-8(%rbp) movl -4(%rbp),%eax compl -8(%rbp),%eax jg .L2 movl -8(%rbp),%eax jmp .L3 .L2: movl -4(%rbp),%eax .L3: popq %rbp ret ---- int LFBO (int edi, int esi) { rbp = rsp [rbp - 4] = edi [rbp - 8] = esi eax = [rbp - 4] if (eax > [rbp - 8]) goto L2 eax = [rbp - 8] goto L3 L2: eax = [rbp - 4] L3: return eax } ---- int LFBO (int edi, int esi) { rbp = rsp [rbp - 4] = edi [rbp - 8] = esi eax = [rbp - 4] if (eax <= [rbp - 8]) { eax = [rbp - 8] } else { eax = [rbp - 4] } return eax } ---- int LFBO (int edi, int esi) { int eax; eax = edi; if (eax <= esi) { eax = esi; } else { eax = edi; } return eax; } ---- int LFBO (int edi, int esi) { if (edi <= esi) { return esi; } else { return edi; } } ---- int LFBO (int x, int y) { if (x <= y) { return y; } else { return x; } } ---- int LFBO (int x, int y) { return (x > y) ? x : y; }

You can apply this strategy to any part of the assembly. Here I took the time to detail the various conversions. With practice, you can achieve the end result much faster.

+9
source share
 LFB0(int x, int y){ if (x<=y){ x = y; }else{ x = x; } return(x); }

That's what I think we decided to be right, with the help of the guys in the comments.

+2
source share
 .LFBO pushq %rbp prolog movq %rsp,%rbp prolog movl %edi,-4(%rbp) [ebp-4] = edi movl %esi,-8(%rbp) [ebp-8] = esi movl -4(%rbp),%eax eax = [ebp-4] ie edi compl -8(%rbp),%eax cmp eax with [ebp-8] ie esi jg .L2 ;jg requires <= movl -8(%rbp),%eax so cutting the junk jmp .L3 this effectively becomes .L2: movl -4(%rbp),%eax ( edi <= esi ) ? { eax = esi } : { eax= edi} ; return; .L3: popq %rbp epilog ret epilog

hypothesis testing

 lets compile the code in vc and test should compile unoptimized else clever compiler will cast away everything do /O1 push 10 pop eax retn; /O2 mov eax ,10 ret int main(void) { int edi=8,esi=10; if ( edi <= esi) { return esi; } else { return edi;} }

dismantling the result

 0:000> uf @eip image00400000+0x1000: 00401000 55 push ebp 00401001 8bec mov ebp,esp 00401003 83ec08 sub esp,8 00401006 c745fc08000000 mov dword ptr [ebp-4],8 0040100d c745f80a000000 mov dword ptr [ebp-8],0Ah 00401014 8b45fc mov eax,dword ptr [ebp-4] 00401017 3b45f8 cmp eax,dword ptr [ebp-8] 0040101a 7f07 jg image00400000+0x1023 (00401023) image00400000+0x101c: 0040101c 8b45f8 mov eax,dword ptr [ebp-8] 0040101f eb05 jmp image00400000+0x1026 (00401026) image00400000+0x1023: 00401023 8b45fc mov eax,dword ptr [ebp-4] image00400000+0x1026: 00401026 8be5 mov esp,ebp 00401028 5d pop ebp 00401029 c3 ret 0:000>
0
source share

More articles:


All Articles