Practical Reverse Engineering - Ex 1

Question

This function uses a combination of SCAS and STOS to do its work. First, explain the types of [EBP+8] and [EBP+C] in lines 1 and 8 respectively. Next, explain what this snippet does.

01: 8B 7D 08    mov edi, [ebp+8]
02: 8B D7       mov edx, edi
03: 33 C0       xor eax, eax
04: 83 C9 FF    or ecx, 0FFFFFFFFh
05: F2 AE       repne scasb
06: 83 C1 02    add ecx, 2
07: F7 D9       neg ecx
08: 8A 45 0C    mov al, [ebp+0Ch]
09: 8B AA       mov edi, edx
10: F3 AA       rep stosb
11: 8B C2       mov eax, edx

Analysis

EBP is the base pointer: it references the base of the current stack frame. The stack is used to create local variables and to store arguments and saved pointers (such as the return address).


In a 32-bit stack frame, the first parameter of the function is at EBP+8 and the second at EBP+C. The [] means that the memory at that address is read, so EDI receives the value stored at [EBP+8], not the address itself. It's like dereferencing a pointer in C.

Line 1
01: 8B 7D 08    mov edi, [ebp+8]

EDI receives the value stored at [EBP+8], the first parameter.

Line 2
02: 8B D7       mov edx, edi

A copy of EDI is saved in EDX; it will be needed later.

Line 3
03: 33 C0       xor eax, eax

This sets EAX to 0: any value XORed with itself gives 0.

A | B | A xor B
0 | 0 | 0
0 | 1 | 1
1 | 0 | 1
1 | 1 | 0

The encoding 33 C0 (2 bytes) is shorter than that of mov eax, 0. However, the execution time is the same.

Line 4
04: 83 C9 FF    or ecx, 0FFFFFFFFh

The result of this instruction doesn't depend on the previous value of the register: ORing any value with 0xFFFFFFFF gives 0xFFFFFFFF, so ECX = 0xFFFFFFFF (which is -1 as a signed 32-bit value).

A | B | A or B
0 | 0 | 0
0 | 1 | 1
1 | 0 | 1
1 | 1 | 1

Line 5
05: F2 AE       repne scasb

SCASB compares AL with the byte at [EDI], then increments EDI by one and decrements ECX by one. With the REPNE prefix this is repeated as long as the byte did not match AL (here AL = 0, the NULL byte) and ECX is not zero. If EDI points to the string "reverse engineering is cool", the bytes "r", "e", "v", ... are compared in turn and the scan stops on the 0x00 after "l".

ECX is now equal to -29. But why -29? There are 27 characters in the string plus the null byte, so 28 bytes were compared. ECX started at -1 rather than 0 and was decremented once per compared byte, including the null byte, which gives -1 - 28 = -29. EDI was also incremented once per byte and now points to the address after the NULL byte. This is why at line 2 we saved EDI in EDX.

Line 6
06: 83 C1 02    add ecx, 2

2 is added to ECX. Continuing with the value from line 5 for the string "reverse engineering is cool", ECX is now -27.

Line 7
07: F7 D9       neg ecx

NEG replaces the value of the destination operand (here ECX) with its two's complement. The two's complement is obtained by inverting every bit (NOT) and adding 1 to the destination operand.

00001010    10
11110101    not(10) = -11
11110110    not(10)+1 = -10

This instruction is equivalent to ecx = 0 - ecx, i.e. ecx = -ecx. Now ECX = 27. This number corresponds to the length of the string passed as the first parameter (without its NULL terminator).

Line 8
08: 8A 45 0C    mov al, [ebp+0Ch]

AL is the lowest byte (bits 0-7) of the EAX register. [EBP+C] is the second function parameter. Only one byte is read from the address EBP+C, so the second parameter is used as a single byte value that fits in AL.

Line 9
09: 8B AA       mov edi, edx

EDI was advanced by REPNE SCASB and points to the end of the string (after the NULL byte); we now restore it to its old value saved in EDX, which is the beginning of the string.

Line 10
10: F3 AA       rep stosb

The REP prefix repeats a string instruction ECX times. STOS copies the value of AL, AX or EAX to the location pointed to by EDI; STOSB stores the single byte in AL at [EDI] and increments EDI. EDI points to the beginning of our string and ECX is equal to its length, so this overwrites the ECX bytes of the string with the byte in AL. The NULL terminator is not counted in ECX and therefore stays in place.

Line 11
11: 8B C2       mov eax, edx

Since line 2, EDX holds the pointer to the string passed as the first parameter of the function. That pointer is now stored in EAX.

Conclusion

This function calculates the length of the string passed as the first parameter and overwrites each of its bytes with the byte passed as the second parameter. Finally the pointer to the first parameter is placed in EAX (the return value). So [EBP+8] is a pointer to a NULL-terminated string and [EBP+C] is a single byte value.
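As an added example (not from the book or the original writeup), the C model below replays lines 1 to 11 one instruction at a time, keeping the register values the analysis tracks (ECX after REPNE SCASB, after ADD, after NEG) and then checks that the rewritten buffer matches memset(s, c, strlen(s)). The names emulate, run, c_equivalent and agrees_with_memset, the regs_t struct, and the choice to model EDI/EDX as byte offsets into a buffer instead of raw pointers are assumptions of this example; the string "reverse engineering is cool" is the constructed input used above.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Register file for the snippet. EDI/EDX hold pointers in the real code;
   this model (an assumption of the example, not the listing) stores them as
   byte offsets into the buffer `mem` so that `mov eax, edx` stays a plain
   32-bit copy. The two extra fields snapshot ECX after lines 5 and 6. */
typedef struct {
    uint32_t eax, ecx, edx, edi;
    int32_t ecx_after_scas;   /* ECX after repne scasb, read as signed */
    int32_t ecx_after_add;    /* ECX after add ecx, 2 */
} regs_t;

/* Emulates lines 1-11. param1 = offset `s` of a NUL-terminated string in
   `mem`, param2 = `c`, of which only the low byte (AL) is used. */
static regs_t emulate(unsigned char *mem, uint32_t s, int c) {
    regs_t r = {0};
    r.edi = s;                              /* 01: mov edi, [ebp+8]          */
    r.edx = r.edi;                          /* 02: mov edx, edi   (save ptr) */
    r.eax = 0;                              /* 03: xor eax, eax   (AL = 0)   */
    r.ecx = 0xFFFFFFFFu;                    /* 04: or ecx, -1                */
    /* 05: repne scasb: compare AL with [EDI], then EDI++ and ECX--;
       repeat while ECX != 0 and the byte did not equal AL (ZF == 0). */
    while (r.ecx != 0) {
        unsigned char b = mem[r.edi++];
        r.ecx--;
        if (b == (r.eax & 0xFFu))           /* NUL matched: ZF=1 ends repne  */
            break;
    }
    r.ecx_after_scas = (int32_t)r.ecx;      /* -1 - (strlen + 1), e.g. -29   */
    r.ecx += 2;                             /* 06: add ecx, 2     e.g. -27   */
    r.ecx_after_add = (int32_t)r.ecx;
    r.ecx = 0u - r.ecx;                     /* 07: neg ecx        = strlen   */
    r.eax = (r.eax & 0xFFFFFF00u)
          | ((uint32_t)c & 0xFFu);          /* 08: mov al, [ebp+0Ch]         */
    r.edi = r.edx;                          /* 09: mov edi, edx   (rewind)   */
    /* 10: rep stosb: store AL at [EDI], EDI++, ECX--, while ECX != 0. */
    while (r.ecx != 0) {
        mem[r.edi++] = (unsigned char)(r.eax & 0xFFu);
        r.ecx--;
    }
    r.eax = r.edx;                          /* 11: mov eax, edx   (return s) */
    return r;
}

/* What the snippet amounts to in C: memset(s, c, strlen(s)); return s. */
static char *c_equivalent(char *s, int c) {
    memset(s, c, strlen(s));
    return s;
}

/* Runs emulate() on a private copy of `src` with fill byte `c`. If `out` is
   non-NULL the rewritten buffer is copied there (at most outsz bytes). */
static regs_t run(const char *src, int c, char *out, size_t outsz) {
    unsigned char mem[128] = {0};
    strncpy((char *)mem, src, sizeof mem - 1);
    regs_t r = emulate(mem, 0, c);
    if (out && outsz) {
        strncpy(out, (char *)mem, outsz - 1);
        out[outsz - 1] = '\0';
    }
    return r;
}

/* 1 if the emulated snippet and c_equivalent() leave identical buffers. */
static int agrees_with_memset(const char *src, int c) {
    char a[128], b[128];
    run(src, c, a, sizeof a);
    strncpy(b, src, sizeof b - 1);
    b[sizeof b - 1] = '\0';
    c_equivalent(b, c);
    return strcmp(a, b) == 0;
}

int main(void) {
    char out[128];
    regs_t r = run("reverse engineering is cool", 'A', out, sizeof out);
    printf("ECX after repne scasb: %d\n", r.ecx_after_scas);   /* -29 */
    printf("ECX after add ecx, 2 : %d\n", r.ecx_after_add);    /* -27 */
    printf("EDI after rep stosb  : %u\n", r.edi);              /* 27  */
    printf("buffer after rep stosb: \"%s\"\n", out);            /* 27 x 'A' */
    return 0;
}
```

The empty-string case is worth tracing through the model: REPNE SCASB matches the NUL on its first comparison, so ECX ends at -2, ADD brings it to 0, NEG leaves 0, and REP STOSB stores nothing, which is exactly memset of zero bytes.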

To remember:
SCAS: compares AL with the byte at [EDI], decrements ECX and increments EDI (+1/byte); with REPNE it repeats until the byte matches AL (here the NULL byte) or ECX reaches 0.
STOS: copies the value of AL, AX or EAX to the location pointed to by EDI and increments EDI (with REP, this is done ECX times).