
In the last two months, I learned basic reverse engineering, assembly, and C. I got a binary from my friend; they asked me to reverse that binary to its original source. I used IDA Pro to reverse the binary file, but I have some problems with these instructions below:

mov     [esp+230h+var_218], 74654D5Fh
mov     [esp+230h+var_214], 754D6C61h
mov     [esp+230h+var_210], 6873696Ch
mov     [esp+230h+var_20C], 5F61h

I tried to search for the hex but I didn't find any results. Can someone explain?

  • Looks like "Hello world", or some variant thereof. Try reading it as ASCII. – Kerrek SB Oct 29 '14 at 09:45
  • Thanks for the comment, I have found what it means. Thanks – Soi Bad BOysS Oct 29 '14 at 10:15
  • *reverse that binary to original source.* Impossible. You can't recover the comments at all, and without debug symbols, not even the original variable names. The best you can do is basically re-writing the original source with your own comments and meaningful variable names. – Peter Cordes Jun 22 '16 at 21:48

2 Answers


x86 is little endian, so in order to read it you start from right to left of the dword literal.

The string is "_MetalMulisha_", fwiw.


To elaborate on Lord Kale XI's answer, x86 is a little endian architecture. This effectively means that we store the bytes of multi-byte integers backwards, that is, with the least significant byte first. The link I provided gives a pretty good explanation of how this works.

So in these instructions, we first move the integer 74654D5Fh to somewhere in memory. In order, this actually writes the bytes 5F 4D 65 74. Then, we write the integer 754D6C61h to the next four bytes in memory, which writes 61 6C 4D 75, and so on.

After these instructions, the memory contains the following sequence of bytes, each of which can be interpreted as an ASCII character:

  0x74654D5F      0x754D6C61      0x6873696C      0x00005F61
       |               |               |               |
       V               V               V               V
[   var_218  ]  [   var_214  ]  [   var_210  ]  [   var_20C  ]
5F  4D  65  74  61  6C  4D  75  6C  69  73  68  61  5F  00  00
'_' 'M' 'e' 't' 'a' 'l' 'M' 'u' 'l' 'i' 's' 'h' 'a' '_' '\0' '\0'

So then, what these instructions are doing is writing the null-terminated string _MetalMulisha_ to memory starting at var_218.
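Generalising the decoding both answers walk through, here is an added Python example (not code from either answer) that parses IDA-style immediate stores to stack variables, lays the bytes out little-endian at their esp offsets and recovers the string; this "stack string" construction is also common in malware, where pulling the string back out is routine triage work. It assumes the var_NNN labels are IDA stack variables at negative offsets from the 230h frame base, and that a store with no explicit size prefix takes the smallest width that fits its immediate.

```python
import re
import struct
# Constructed input: the four IDA lines from the question. The var_* labels
# are assumed to be IDA stack variables at -0xNNN from the 230h frame base.
IDA_LINES = """\
mov     [esp+230h+var_218], 74654D5Fh
mov     [esp+230h+var_214], 754D6C61h
mov     [esp+230h+var_210], 6873696Ch
mov     [esp+230h+var_20C], 5F61h
"""
MOV_RE = re.compile(
    r"mov\s+(?:(?P<size>byte|word|dword) ptr\s+)?"
    r"\[esp\+(?P<base>[0-9A-Fa-f]+)h\+var_(?P<var>[0-9A-Fa-f]+)\],\s*"
    r"(?P<imm>[0-9A-Fa-f]+)h"
)
WIDTH = {"byte": 1, "word": 2, "dword": 4}
PACK = {1: "<B", 2: "<H", 4: "<I"}

def parse_stores(listing):
    """Return (esp_offset, width_in_bytes, immediate) per immediate store."""
    stores = []
    for line in listing.splitlines():
        m = MOV_RE.search(line)
        if not m:
            continue
        offset = int(m.group("base"), 16) - int(m.group("var"), 16)
        imm = int(m.group("imm"), 16)
        if m.group("size"):
            width = WIDTH[m.group("size")]
        else:
            # Assumption: no explicit 'ptr' size (IDA omits it when the stack
            # variable's type fixes it), so take the smallest width that fits.
            width = 1 if imm <= 0xFF else 2 if imm <= 0xFFFF else 4
        stores.append((offset, width, imm))
    return stores

def rebuild_bytes(stores):
    """Lay the immediates out little-endian at their stack offsets."""
    lo = min(off for off, _, _ in stores)
    hi = max(off + w for off, w, _ in stores)
    buf = bytearray(hi - lo)          # gaps stay zero, like untouched stack
    for off, width, imm in stores:
        buf[off - lo:off - lo + width] = struct.pack(PACK[width], imm)
    return buf

def extract_stack_string(listing):
    """Decode the rebuilt bytes as ASCII up to the first NUL, if any."""
    raw = rebuild_bytes(parse_stores(listing))
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")
```

Running `extract_stack_string(IDA_LINES)` on the lines above yields `_MetalMulisha_`, matching the byte table in the answer; the last store is only two bytes wide because its immediate fits in a word.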
