
Was doing a crackme, trying to write a keygen and I was confused about some of the FPU instructions.

fild    qword ptr ss:[esp] ; loads 4275451536.0000000000 into ST0. ESP has FED63690
lea     esp, dword ptr ss:[esp+8]
fstp    qword ptr ss:[ebp-410] ; loads D2000000 into ebp - 410
fld     qword ptr ss:[ebp-410] ; loads 4275451536.0000000000 into ST0
fstp    qword ptr ss:[esp+8] ; loads D2000000 into esp+8

I was wondering how it converted 4275451536.0000000000 into D2000000 when popping off?

nrz
randomname
  • FILD assumes that the 8-byte memory operand is a 64 bit integer. What is exactly at location SS:[ESP] when the first instruction is executed? – mcleod_ideafix Nov 23 '13 at 20:48

1 Answer

The code writes the value 4275451536.0 as double-precision floating point into the address [ebp-410]. The representation of 4275451536.0 as IEEE-754 double-precision floating point is 41EFDAC6D2000000 (you can do the conversion here). Since you only looked at the lower 4 bytes, you saw D2000000, but you should look at the whole 8 bytes to see the entire value.

If you want to know how the value 41EFDAC6D2000000 was reached, read about double precision floating point format. The tool I linked above will give you the values for the significand and exponent.

interjay
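To see the answer's point concretely, here is an added Python example (not code from the question or the answer) that mimics the FILD/FSTP pair: it reads the qword at [esp] as a 64-bit integer, stores the result as a double, and then shows the two dwords and the IEEE-754 fields. It assumes [esp] held FED63690 with a zero high dword at [esp+4], which is what the displayed value 4275451536.0 implies.

```python
import struct

# Constructed from the question: the dword seen at [esp]; the high dword at
# [esp+4] is assumed to be 0 (FILD qword reads all 8 bytes).
ESP_DWORD = 0xFED63690

def fild_qword(mem8):
    """FILD qword: 8 little-endian bytes -> signed int64 -> double (exact
    here, since the value fits in the double's 53-bit significand)."""
    (ival,) = struct.unpack("<q", mem8)
    return float(ival)

def fstp_qword(value):
    """FSTP qword: store a double as its 8 little-endian bytes."""
    return struct.pack("<d", value)

def dwords_at(mem8):
    """(low dword, high dword), as a debugger shows [addr] and [addr+4]."""
    lo, hi = struct.unpack("<II", mem8)
    return lo, hi

def decode_double(mem8):
    """Split the stored bit pattern into sign, unbiased exponent and the
    53-bit significand with the implicit leading 1 restored (normal numbers)."""
    (bits,) = struct.unpack("<Q", mem8)
    sign = bits >> 63
    exp_field = (bits >> 52) & 0x7FF
    fraction = bits & ((1 << 52) - 1)
    significand = (1 << 52) | fraction
    exponent = exp_field - 1023
    return {
        "bits": bits,
        "sign": sign,
        "exponent": exponent,
        "significand": significand,
        "value": (-1) ** sign * significand * 2.0 ** (exponent - 52),
    }

if __name__ == "__main__":
    stack = struct.pack("<II", ESP_DWORD, 0)   # [esp]=FED63690, [esp+4]=0
    st0 = fild_qword(stack)                    # what FILD leaves in ST0
    stored = fstp_qword(st0)                   # what FSTP writes to [ebp-410]
    lo, hi = dwords_at(stored)
    print(f"ST0 = {st0:.1f}")
    print(f"[ebp-410]   = {lo:08X}   <- the 4 bytes the question looked at")
    print(f"[ebp-410+4] = {hi:08X}")
    d = decode_double(stored)
    print(f"bits={d['bits']:016X}  2^{d['exponent']} * {d['significand']:#x}/2^52")
```

Running it prints the low dword D2000000 and the high dword 41EFDAC6, i.e. the full 8-byte pattern 41EFDAC6D2000000 from the answer.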