need some help interpreting some dissassembled code

Started by *DEAD*, September 09, 2006, 08:39:51 AM


*DEAD*

Hi, it's been a while since I last posted here. I've been working through icz's tutorials with much success.

This is the disassembly of a simple program I made which counts to 10 by adding 1 if counter is less than zero.


00401000  | E8 07000000         | CALL 0040100C                     | Entry point for testinject.exe
00401005  | 6A 00               | PUSH NULL                         | :Arg1 0
00401007  | E8 1E000000         | CALL 0040102A                     | ExitProcess((unsigned long), (unsigned long))
0040100C  | 55                  | PUSH EBP                          |
0040100D  | 8BEC                | MOV EBP, ESP                      |
0040100F  | 83C4 FC             | ADD ESP, -4                       |
00401012  | C745 FC 00000000    | MOV DWORD PTR SS:[EBP-4], NULL    |
00401019  | 837D FC 0A          | CMP DWORD PTR SS:[EBP-4], A       |
0040101D  | 7C 02               | JL SHORT 00401021                 |
0040101F  | EB 04               | JMP SHORT 00401025                |
00401021  | 8345 FC 01          | ADD DWORD PTR SS:[EBP-4], 1       |
00401025  | EB F2               | JMP SHORT 00401019                |
00401027  | C9                  | LEAVE                             |
00401028  | C3                  | RETN                              |
00401029  | CC                  | INT3                              |
0040102A  | FF25 00204000       | JMP DWORD PTR DS:[402000]         | Entry to ExitProcess((unsigned long), (unsigned long))

That's the disassembly, and this is my code.


    .code

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

start:
    call main

    exit                        ; MASM32 macro: pushes 0 and calls ExitProcess

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

main proc

    LOCAL counter:DWORD         ; one DWORD on the stack, addressed as [EBP-4]

    mov counter, 0
  countup:
    cmp counter, 10
    jl countadd                 ; counter < 10 -> go add one
    jmp over

  countadd:
    add counter, 1

  over:
    jmp countup                 ; unconditional, so execution never falls through to ret
    ret

main endp

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

end start


The idea is that counter will have one added to it if it is less than 10. What I can't figure out, though, is how the disassembled code reads counter.

00401019  | 837D FC 0A          | CMP DWORD PTR SS:[EBP-4], A       |
0040101D  | 7C 02               | JL SHORT 00401021                 |
0040101F  | EB 04               | JMP SHORT 00401025                |
00401021  | 8345 FC 01          | ADD DWORD PTR SS:[EBP-4], 1       |
00401025  | EB F2               | JMP SHORT 00401019                |

This is the basic part of my program. What I don't understand are two things:
1) How is counter read? It's obviously been replaced with "DWORD PTR SS:[EBP-4]", but I don't understand how this works.
2) What is meant by SHORT, which comes after the jump statement? This one's not so much essential, just out of curiosity.

zooba

Be careful with the amount of background you give, certain words will automatically trigger an angry response.

To briefly answer your genuine questions, variables defined with LOCAL are placed on the stack (as they are in practically every language out there). To access these variables, EBP is set up at the start of the procedure (PUSH EBP / MOV EBP, ESP / ADD ESP, -4) to point to the start of those variables. Hence, your local variable is stored at [EBP-4]. The bit before this (DWORD PTR SS:) means that it is a 4-byte variable (DWORD) stored in the stack segment.

Secondly, a SHORT jump is stored in fewer bytes (i.e. EB F2) than a long jump (FF 25 00 20 40 00). This is because it uses relative addressing: the second byte is a signed (i.e. positive or negative, i.e. forwards or backwards) offset from the (I think) start of the next command. So EB F2 will jump backwards by 14 bytes. This simply saves space and potentially execution time, though I doubt it makes much difference any more.

Cheers,

Zooba :U

(Disclaimer: I in no way support code injection into applications not owned by the person who is doing so. The information I have given is given since they are valid questions and are in themselves not dangerous knowledge.)
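As an added worked example (not code from the thread or from either poster), the script below decodes the signed bytes in the disassembly *DEAD* posted, so the two answers above can be checked against the actual encodings: the FC in 83 7D FC 0A is the -4 of [EBP-4], the F2 in EB F2 is the -14 that lands JMP SHORT on 00401019, and the offset is indeed measured from the start of the next instruction. The addresses and byte strings are copied from the posted listing; the stack address handed to frame_after_prologue is a constructed sample value, not something from the page.

```python
from __future__ import annotations

import struct

# Added example, not code from the thread.  Addresses and bytes below are
# copied from the disassembly *DEAD* posted; nothing else is from the page.
POSTED_BRANCHES = [
    # (address, encoded bytes, target shown by the disassembler)
    (0x401000, bytes.fromhex("E807000000"), 0x40100C),  # CALL 0040100C
    (0x401007, bytes.fromhex("E81E000000"), 0x40102A),  # CALL 0040102A
    (0x40101D, bytes.fromhex("7C02"),       0x401021),  # JL  SHORT 00401021
    (0x40101F, bytes.fromhex("EB04"),       0x401025),  # JMP SHORT 00401025
    (0x401025, bytes.fromhex("EBF2"),       0x401019),  # JMP SHORT 00401019
]


def signed8(b: int) -> int:
    """Read one byte as a two's-complement signed value (0xF2 -> -14, 0xFC -> -4)."""
    return struct.unpack("<b", bytes([b]))[0]


def branch_target(addr: int, code: bytes) -> int:
    """Compute where a relative CALL/JMP/Jcc lands.

    The displacement is added to the address of the *next* instruction,
    i.e. addr + len(code).  SHORT forms (EB rel8 and the 7x Jcc family)
    carry one signed byte; E8 CALL / E9 JMP carry a signed little-endian
    32-bit displacement.
    """
    opcode = code[0]
    next_ip = addr + len(code)
    if opcode == 0xEB or 0x70 <= opcode <= 0x7F:
        rel = signed8(code[1])
    elif opcode in (0xE8, 0xE9):
        rel = struct.unpack("<i", code[1:5])[0]
    else:
        raise ValueError(f"not a relative branch: {code.hex()}")
    return (next_ip + rel) & 0xFFFFFFFF


def ebp_disp8(code: bytes) -> int:
    """Return the signed displacement of an [EBP+disp8] operand.

    For 83 7D FC 0A (CMP) and 83 45 FC 01 (ADD) the ModRM byte has mod=01
    (an 8-bit displacement follows) and r/m=101 (EBP), so the third byte FC
    is the displacement: -4, hence DWORD PTR SS:[EBP-4].
    """
    modrm = code[1]
    mod, rm = modrm >> 6, modrm & 0b111
    if mod != 0b01 or rm != 0b101:
        raise ValueError("operand is not [EBP+disp8]")
    return signed8(code[2])


def frame_after_prologue(esp_at_entry: int) -> dict[str, int]:
    """Model PUSH EBP / MOV EBP,ESP / ADD ESP,-4 and report where things sit.

    esp_at_entry is ESP just after CALL pushed the return address; the
    caller passes a constructed sample value, nothing from the page.
    """
    esp = esp_at_entry - 4  # PUSH EBP: caller's EBP saved at the new ESP
    ebp = esp               # MOV EBP, ESP: frame pointer anchored here
    esp -= 4                # ADD ESP, -4: room for one DWORD local
    return {
        "return_addr": ebp + 4,   # pushed by CALL, just above the saved EBP
        "saved_ebp": ebp,         # [EBP]
        "counter": ebp - 4,       # [EBP-4]: the LOCAL counter:DWORD
        "esp": esp,               # ESP now equals the address of counter
    }


def verify_posted_targets() -> bool:
    """True if every decoded target matches what the disassembler printed."""
    return all(branch_target(a, c) == t for a, c, t in POSTED_BRANCHES)


if __name__ == "__main__":
    for addr, code, shown in POSTED_BRANCHES:
        print(f"{addr:08X}  {code.hex().upper():<12} -> "
              f"{branch_target(addr, code):08X} (disassembler: {shown:08X})")
    print("CMP 83 7D FC 0A displacement:", ebp_disp8(bytes.fromhex("837DFC0A")))
    frame = frame_after_prologue(0x0012FF80)  # constructed sample ESP
    print("frame:", {k: f"{v:08X}" for k, v in frame.items()})
```

Both the disp8 in the ModRM-addressed operands and the rel8 in the SHORT jumps are the same kind of byte, a signed two's-complement value, which is why the disassembler can show [EBP-4] and a backward jump of 14 bytes from FC and F2 respectively. The frame model also shows why ESP and the local coincide after ADD ESP, -4: there is exactly one DWORD of local storage, and EBP sits between it and the saved return address.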

*DEAD*

Sorry, I reread the posting rules and have removed the background info to comply with them. Thanks for the help anyway; I'm sure it will be helpful in other situations as well as this one.

P1

*DEAD*,

Welcome Aboard    :U

The forum 'Search' and your favorite search engine will answer many questions before we can and save you time.

Use a listing to post partial disassemblies. It somewhat proves we are helping the programmer. Plus, it helps us to see source to instruction results. Find any mistakes, if any.
\masm32\bin\ml /c /coff /Fl"%1.lst" /FR"%1.pdb" /Sa /Zd /Zf /Zi  "%1.asm" > "%1.txt"

00000000 .code
Align 4
00000000 start:
00000000 invoke GetModuleHandle, NULL
00000000  6A 00    *     push   +000000000h
00000002  E8 00000000 E   *     call   GetModuleHandleA
00000007  A3 00000000 R mov hInstance, eax

invoke NetUserEnum,NULL,0,FILTER_NORMAL_ACCOUNT,addr user_name,MAX_PREFERRED_LENGTH, addr entriesread,addr totalentries,NULL
0000000C  6A 00    *     push   +000000000h
0000000E  68 0000000C R   *     push   OFFSET totalentries
00000013  68 00000008 R   *     push   OFFSET entriesread
00000018  6A FF    *     push    -000000001h
0000001A  68 00000010 R   *     push   OFFSET user_name
0000001F  6A 02    *     push   +000000002h
00000021  6A 00    *     push   +000000000h
00000023  6A 00    *     push   +000000000h
00000025  E8 00000000 E   *     call   NetUserEnum
.IF eax==ERROR_ACCESS_DENIED


Regards,  P1  :8)