
I used IDA Pro to disassemble an ELF file. In the function sub_8210884 I noticed some strange code:

sub_8049DB6:

...
call    sub_8210884

sub_8210884:
                                        ; cdecl entry: [ebp+arg_0] = the single pointer argument
push    ebp
mov     ebp, esp                        ; ebp = address of THIS function's frame (not the caller's)
push    esi
push    ebx
mov     ebx, [ebp+arg_0]                ; ebx = struct pointer passed by the caller
mov     eax, [ebx+0Ch]                  ; eax = 32-bit field at offset 0Ch of that struct
cmp     eax, 1                          ; dispatch on that field
...  (not modify ebp)
cmp     ebp, ds:dword_84B8844           ; unsigned compare of this frame's own address with a global

What does this mean? I guess it is a reference to a local variable in sub_8049DB6, but I'm not sure.

Here is the complete assembly code:

; sub_8049DB6 — int sub_8049DB6(void *p): calls sub_8210884(&p->field_4) and returns its result.
; Only the pointer argument is touched; this function has no locals of its own that the
; callee could reach, and the callee never reads this frame's ebp (it compares its own).
LOAD:08049DB6 sub_8049DB6 proc near               ; CODE XREF: sub_8049D8A+21p
LOAD:08049DB6                                         ; sub_8049F74+Ep ...
LOAD:08049DB6
LOAD:08049DB6 arg_0           = dword ptr  8
LOAD:08049DB6
LOAD:08049DB6                 push    ebp             ; standard frame
LOAD:08049DB7                 mov     ebp, esp
LOAD:08049DB9                 sub     esp, 8          ; 8 + 0Ch + 4 (push) = 24 bytes of adjustment;
LOAD:08049DBC                 sub     esp, 0Ch        ; presumably compiler padding so esp is 16-aligned at the call
LOAD:08049DBF                 mov     eax, [ebp+arg_0] ; eax = p
LOAD:08049DC2                 add     eax, 4          ; eax = &p->field_4 (object at offset 4 inside *p)
LOAD:08049DC5                 push    eax             ; sole (stack) argument to sub_8210884
LOAD:08049DC6                 call    sub_8210884     ; result stays in eax
LOAD:08049DCB                 add     esp, 10h        ; drop the argument and the 0Ch padding
LOAD:08049DCE                 leave                   ; drops the remaining 8 bytes, restores ebp
LOAD:08049DCF                 retn                    ; returns sub_8210884's eax unchanged
LOAD:08049DCF sub_8049DB6     endp


; sub_8210884 — int sub_8210884(struct *m)   (cdecl; ebx = m for the whole body)
; The argument is used as a struct: [m+4] count, [m+8] owner, [m+0Ch] kind, and a
; sub-object at [m+10h] whose address is handed to sub_8213CC8 / sub_82137F0.
; Dispatch on kind:  1 -> loc_82108B4,  2 -> loc_8210918,  3 -> loc_8210962,
;                    0 -> loc_8210970,  kind < 0 or > 3 -> return 16h (22).
; The `cmp ebp, ds:dword_84B88xx` instructions do NOT read a caller local: ebp is
; this function's own frame address (written once at 08210885, never again), so they
; are unsigned range checks of the current stack address against three global bounds,
; selecting either a static object (unk_83A44C0 / unk_83A40A0), a lookup via
; search_in_array_84B8880, or the arithmetic at loc_8210996 which yields
; ((ebp | 1FFFFFh) + 1) - 420h, i.e. a 420h-byte object just below the next 2 MiB
; boundary above the stack.
; NOTE(review): the struct layout, the return codes (22 = EINVAL, 35 = EDEADLK on
; Linux) and the "descriptor at the top of a 2 MiB stack" arithmetic are consistent
; with the old LinuxThreads pthread_mutex_lock()/thread_self(); confirm against the
; libc statically linked into this binary. Nothing here is anti-analysis code.
LOAD:08210884 sub_8210884 proc near   ; CODE XREF: sub_8049DB6+10p
LOAD:08210884                                         ; sub_8056626+16p ...
LOAD:08210884
LOAD:08210884 arg_0           = dword ptr  8
LOAD:08210884
LOAD:08210884                 push    ebp             ; standard frame
LOAD:08210885                 mov     ebp, esp        ; ebp = this frame's address; never written again below
LOAD:08210887                 push    esi             ; callee-saved
LOAD:08210888                 push    ebx             ; callee-saved
LOAD:08210889                 mov     ebx, [ebp+arg_0] ; ebx = m
LOAD:0821088C                 mov     eax, [ebx+0Ch]  ; eax = m->kind
LOAD:0821088F                 cmp     eax, 1
LOAD:08210892                 jz      short loc_82108B4 ; kind == 1
LOAD:08210894                 jle     loc_8210970     ; kind <= 0 (signed)
LOAD:0821089A                 cmp     eax, 2
LOAD:0821089D                 jz      short loc_8210918 ; kind == 2
LOAD:0821089F                 cmp     eax, 3
LOAD:082108A2                 jz      loc_8210962     ; kind == 3
LOAD:082108A8
LOAD:082108A8 loc_82108A8:                            ; CODE XREF: sub_8210884+EEj
LOAD:082108A8                 mov     eax, 16h        ; unknown kind: return 22 (EINVAL on Linux)
LOAD:082108AD
LOAD:082108AD loc_82108AD:                            ; CODE XREF: sub_8210884+C4j
LOAD:082108AD                 lea     esp, [ebp-8]    ; esp -> saved ebx (discards any outstanding call args)
LOAD:082108B0                 pop     ebx
LOAD:082108B1                 pop     esi
LOAD:082108B2                 leave
LOAD:082108B3                 retn
LOAD:082108B4 ; ---------------------------------------------------------------------------
LOAD:082108B4
LOAD:082108B4 loc_82108B4:                            ; CODE XREF: sub_8210884+Ej
LOAD:082108B4                 cmp     ebp, ds:dword_84B8844 ; kind 1: frame address >= bound #1 ? (unsigned)
LOAD:082108BA                 mov     eax, ebp        ; eax = frame address, kept for loc_8210996
LOAD:082108BC                 mov     esi, offset unk_83A44C0 ; esi = static object #1 (candidate)
LOAD:082108C1                 jnb     short loc_82108F0 ; above bound #1: use unk_83A44C0
LOAD:082108C3                 cmp     ebp, ds:dword_84B883C ; frame address < bound #2 ?
LOAD:082108C9                 jb      short loc_82108D8 ; below both static ranges: go search
LOAD:082108CB                 cmp     ebp, ds:dword_84B8854 ; in [bound #2, bound #3) ?
LOAD:082108D1                 mov     esi, offset unk_83A40A0 ; esi = static object #2 (candidate)
LOAD:082108D6                 jb      short loc_82108F0 ; yes: use unk_83A40A0
LOAD:082108D8
LOAD:082108D8 loc_82108D8:                            ; CODE XREF: sub_8210884+45j
LOAD:082108D8                 mov     edx, ds:dword_84B8820 ; global flag: 0 -> compute esi arithmetically
LOAD:082108DE                 test    edx, edx
LOAD:082108E0                 jz      loc_8210996
LOAD:082108E6                 call    search_in_array_84B8880 ; otherwise esi = lookup result (in eax)
LOAD:082108EB                 mov     esi, eax
LOAD:082108ED                 lea     esi, [esi+0]    ; no-op: padding so loc_82108F0 starts 16-aligned
LOAD:082108F0
LOAD:082108F0 loc_82108F0:                            ; CODE XREF: sub_8210884+3Dj
LOAD:082108F0                                         ; sub_8210884+52j ...
LOAD:082108F0                 cmp     [ebx+8], esi    ; m->owner == esi already ?
LOAD:082108F3                 jz      loc_821098C     ; yes: just bump m->count
LOAD:082108F9                 lea     eax, [ebx+10h]  ; eax = &m->sub (offset 10h)
LOAD:082108FC                 mov     edx, esi        ; edx = esi
LOAD:082108FE                 call    sub_8213CC8     ; sub_8213CC8(eax, edx): args passed in registers (regparm-style; verify)
LOAD:08210903                 mov     [ebx+8], esi    ; m->owner = esi
LOAD:08210906                 mov     dword ptr [ebx+4], 0 ; m->count = 0
LOAD:0821090D                 xor     eax, eax        ; return 0
LOAD:0821090F
LOAD:0821090F loc_821090F:                            ; CODE XREF: sub_8210884+DCj
LOAD:0821090F                                         ; sub_8210884+EAj ...
LOAD:0821090F                 lea     esp, [ebp-8]    ; second copy of the epilogue at loc_82108AD
LOAD:08210912                 pop     ebx
LOAD:08210913                 pop     esi
LOAD:08210914                 leave
LOAD:08210915                 retn
LOAD:08210915 ; ---------------------------------------------------------------------------
LOAD:08210916                 align 4
LOAD:08210918
LOAD:08210918 loc_8210918:                            ; CODE XREF: sub_8210884+19j
LOAD:08210918                 cmp     ebp, ds:dword_84B8844 ; kind 2: same three-bound range check as loc_82108B4
LOAD:0821091E                 mov     eax, ebp        ; eax = frame address, kept for loc_82109B8
LOAD:08210920                 mov     esi, offset unk_83A44C0
LOAD:08210925                 jnb     short loc_8210940 ; above bound #1: use unk_83A44C0
LOAD:08210927                 cmp     ebp, ds:dword_84B883C
LOAD:0821092D                 jnb     short loc_82109A6 ; >= bound #2: test bound #3 at loc_82109A6
LOAD:0821092F
LOAD:0821092F loc_821092F:                            ; CODE XREF: sub_8210884+12Fj
LOAD:0821092F                 mov     esi, ds:dword_84B8820 ; global flag: 0 -> compute esi arithmetically
LOAD:08210935                 test    esi, esi
LOAD:08210937                 jz      short loc_82109B8
LOAD:08210939                 call    search_in_array_84B8880 ; otherwise esi = lookup result
LOAD:0821093E                 mov     esi, eax
LOAD:08210940
LOAD:08210940 loc_8210940:                            ; CODE XREF: sub_8210884+A1j
LOAD:08210940                                         ; sub_8210884+12Dj ...
LOAD:08210940                 cmp     [ebx+8], esi    ; m->owner == esi already ?
LOAD:08210943                 mov     eax, 23h        ; (flags untouched) candidate return 35 (EDEADLK on Linux)
LOAD:08210948                 jz      loc_82108AD     ; yes: return 23h via the epilogue
LOAD:0821094E                 sub     esp, 8          ; pad the two pushes below to 16 bytes
LOAD:08210951                 lea     eax, [ebx+10h]  ; eax = &m->sub
LOAD:08210954                 push    esi
LOAD:08210955                 push    eax
LOAD:08210956                 call    sub_82137F0     ; sub_82137F0(&m->sub, esi): stack args this time
LOAD:0821095B                 xor     eax, eax        ; return 0
LOAD:0821095D                 mov     [ebx+8], esi    ; m->owner = esi
LOAD:08210960                 jmp     short loc_821090F ; no add esp: the epilogue's lea esp,[ebp-8] discards the 16 bytes
LOAD:08210962 ; ---------------------------------------------------------------------------
LOAD:08210962
LOAD:08210962 loc_8210962:                            ; CODE XREF: sub_8210884+1Ej
LOAD:08210962                 lea     eax, [ebx+10h]  ; kind 3: sub_8213CC8(&m->sub, edx = 0)
LOAD:08210965                 xor     edx, edx
LOAD:08210967                 call    sub_8213CC8
LOAD:0821096C                 xor     eax, eax        ; return 0 (owner/count untouched)
LOAD:0821096E                 jmp     short loc_821090F
LOAD:08210970 ; ---------------------------------------------------------------------------
LOAD:08210970
LOAD:08210970 loc_8210970:                            ; CODE XREF: sub_8210884+10j
LOAD:08210970                 test    eax, eax        ; kind <= 0: negative -> EINVAL path
LOAD:08210972                 jnz     loc_82108A8
LOAD:08210978                 sub     esp, 8          ; kind 0: sub_82137F0(&m->sub, 0), stack args padded to 16 bytes
LOAD:0821097B                 push    0
LOAD:0821097D                 lea     ecx, [ebx+10h]
LOAD:08210980                 push    ecx
LOAD:08210981                 call    sub_82137F0
LOAD:08210986                 xor     eax, eax        ; return 0 (owner/count untouched)
LOAD:08210988                 jmp     short loc_821090F
LOAD:08210988 ; ---------------------------------------------------------------------------
LOAD:0821098A                 align 4
LOAD:0821098C
LOAD:0821098C loc_821098C:                            ; CODE XREF: sub_8210884+6Fj
LOAD:0821098C                 inc     dword ptr [ebx+4] ; already owner: m->count++
LOAD:0821098F                 xor     eax, eax        ; return 0
LOAD:08210991                 jmp     loc_821090F
LOAD:08210996 ; ---------------------------------------------------------------------------
LOAD:08210996
LOAD:08210996 loc_8210996:                            ; CODE XREF: sub_8210884+5Cj
LOAD:08210996                 or      eax, 1FFFFFh    ; eax = frame address rounded up to (2 MiB boundary - 1)
LOAD:0821099B                 lea     esi, [eax-41Fh] ; esi = (eax + 1) - 420h: fixed-size object at the top of that 2 MiB region
LOAD:082109A1                 jmp     loc_82108F0
LOAD:082109A6 ; ---------------------------------------------------------------------------
LOAD:082109A6
LOAD:082109A6 loc_82109A6:                            ; CODE XREF: sub_8210884+A9j
LOAD:082109A6                 cmp     ebp, ds:dword_84B8854 ; in [bound #2, bound #3) ?
LOAD:082109AC                 mov     esi, offset unk_83A40A0 ; esi = static object #2 (candidate)
LOAD:082109B1                 jb      short loc_8210940 ; yes: use unk_83A40A0
LOAD:082109B3                 jmp     loc_821092F     ; no: search / compute
LOAD:082109B8 ; ---------------------------------------------------------------------------
LOAD:082109B8
LOAD:082109B8 loc_82109B8:                            ; CODE XREF: sub_8210884+B3j
LOAD:082109B8                 or      eax, 1FFFFFh    ; same arithmetic as loc_8210996, for the kind-2 path
LOAD:082109BD                 lea     esi, [eax-41Fh]
LOAD:082109C3                 jmp     loc_8210940
LOAD:082109C3 sub_8210884 endp
LOAD:082109C3
    This code alone doesn't make much sense. It's possible that the disassembly isn't correct. Can you include what's represented by the ellipsis? – Alexey Frunze Jul 13 '12 at 08:44
  • `dword_84B8844` is a global variable. And I'm pretty certain `ebp` is modified, you just missed it. – Igor Skochinsky Jul 13 '12 at 11:12
  • I can't make much of this.. what's it doing with the result of the comparison? Anything that might give a clue as to why the comparison exists? – harold Jul 13 '12 at 12:53
  • That code essentially checks the stack pointer value against several ranges and does different things depending on the range. Indeed that looks strange. Stack-growing code should be simpler than that, IMO. Recursive code with things like this would be odd too. Could it be some anti-debugging/disassembling/reverse-engineering code? Maybe. – Alexey Frunze Aug 17 '12 at 10:01

1 Answer


`cmp ebp, ds:dword_84B8844` compares the value held in ebp with the value stored in memory at DS:dword_84B8844 (the dword that IDA named dword_84B8844). It is the contents of dword_84B8844 that take part in the comparison, not its address (compare: variable name vs. variable value).
