
I've been trying to reverse engineer a function of a game but I'm kinda confused. I'm pretty new to reverse engineering (I'm using ollydbg btw) so I don't really know about all the tricks and details yet.

Anyway here's my problem. This function is called when you pick up any Item in the game. It then calculates the value of the item and adds this value to your score. Before the function is called, a value is pushed which I'm quite confident is the ID of the item. This is the code that confuses me:

SHL ESI,7
MOV CX,WORD PTR DS:[EDX+ESI+42]

ESI = the ID of the item EDX = constant value FE56A0

I was guessing that EDX (FE56A0) was the start of an array of items, ESI was the index of the item somehow and 42 would be the index of the value the item holds. This would be kinda weird though since you're bit shifting ESI to the left by 7. As ESI increases, its bit-shifted value doesn't grow linearly.

So if EDX represents the start of an array and ESI would be an index, the items in the array wouldn't be of equal size. The meaning of this code is puzzling me.

Anyone got an idea what this code could represent?

Shai

2 Answers


The array might hold 128-byte-long structures. Shifting by 7 multiplies the ID by 128, giving the offset required to access the structure for that ID. 42 would be the offset into the structure.

This works because multiplication actually increases the multiplied index linearly:

0 << 7 == 0
1 << 7 == 128
2 << 7 == 256
3 << 7 == 384

etc.

This code snippet simply accesses a member of a structure stored in an array.

Ori Pessach
  • Thank you both very much! Both have been very helpful! And you seem to be right. I've tried to predict the outcomes just before the function has been called using your information and the predictions are right! EDX points to the base of the array, the entries are 128 bytes long and the value of the items are at offset 0x42. I've been mixing up hex and decimal numbers which confused me. Now I'm going to try to figure out what else these entries hold ^^ Thanks! – Maarten van Beek Apr 19 '11 at 23:20

It could be that EDX points to the start of some structure which the array is part of. The data that comes before the array requires 42 bytes, and each element in the array requires 128 bytes. (1<<7 is 128 - shifting is often used as a quick way to multiply by a power of two.) For example, something like this:

#define MAX_ITEMS 256   // placeholder: the real item count is not known from the disassembly

// Each array element; declared first so GameItems can embed it.
struct GameItem
{
   // 128-byte structure (contents unknown; padded here so sizeof == 128)
   unsigned char raw[128];
};

// EDX points here
struct GameItems
{
   int numItems;                        // offset 0
   int stuff;                           // offset 4
   int moreStuff;                       // offset 8
   char data[30];                       // offset 12
   struct GameItem items[MAX_ITEMS];    // offset 42 bytes from start
};
Ori Pessach
mdma
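Both answers above come down to the same address arithmetic: `EDX + (ESI << 7) + 42` is `base + id * sizeof(element) + offsetof(element, value)`. The program below is an added example (not code from the question or either answer) that performs that arithmetic two ways, once as raw byte offsets the way the assembly does it and once through a reconstructed C struct, and checks that they agree. It assumes the element size is 128 bytes and the WORD member sits at 0x42 (hex, as the asker's comment confirms); the struct layout, field names and sample values are constructed for the demonstration. It also adds the bounds check a reader of such a table should have, since an out-of-range ID makes the same arithmetic read past the end of the array.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout, taken from the disassembly in the question:
 * ESI is the item id, element size is 1 << 7 = 128 bytes, and the
 * 16-bit value read into CX lives at offset 0x42 inside each element. */
#define ITEM_SHIFT   7
#define ITEM_SIZE    (1u << ITEM_SHIFT)      /* 128 */
#define VALUE_OFFSET 0x42
#define SAMPLE_ITEMS 4                       /* constructed table size */

#pragma pack(push, 1)                        /* no padding: sizeof must be exactly 128 */
struct GameItem {
    uint8_t  header[VALUE_OFFSET];           /* unknown fields before the value (placeholder) */
    uint16_t value;                          /* the WORD that MOV CX,[EDX+ESI+42] loads */
    uint8_t  rest[ITEM_SIZE - VALUE_OFFSET - sizeof(uint16_t)];
};
#pragma pack(pop)

/* Offset of element `id` from the base: what SHL ESI,7 computes. */
size_t element_offset(unsigned id) {
    return (size_t)id << ITEM_SHIFT;
}

/* Offset of the value member of element `id`: what the addressing mode adds. */
size_t value_offset(unsigned id) {
    return element_offset(id) + VALUE_OFFSET;
}

/* The literal operation the assembly performs: byte arithmetic on a base pointer. */
uint16_t read_value_asm_style(const uint8_t *base, unsigned id) {
    uint16_t v;
    memcpy(&v, base + value_offset(id), sizeof v);   /* same load as MOV CX,WORD PTR */
    return v;
}

/* The same access written against the reconstructed struct. */
uint16_t read_value_struct(const struct GameItem *items, unsigned id) {
    return items[id].value;
}

/* Hardened read: refuse ids at or past the table end instead of reading
 * whatever memory follows the array. Returns 1 on success, 0 if out of range. */
int read_value_checked(const struct GameItem *items, unsigned count,
                       unsigned id, uint16_t *out) {
    if (id >= count)
        return 0;
    *out = items[id].value;
    return 1;
}

/* Build a constructed table and confirm the layout assumptions and that the
 * raw-offset read and the struct read agree for every id. Returns 1 if all hold. */
int layout_matches(void) {
    struct GameItem table[SAMPLE_ITEMS];
    memset(table, 0, sizeof table);
    for (unsigned i = 0; i < SAMPLE_ITEMS; i++)
        table[i].value = (uint16_t)(100 * (i + 1));  /* constructed sample values */

    if (sizeof(struct GameItem) != ITEM_SIZE)
        return 0;
    if (offsetof(struct GameItem, value) != VALUE_OFFSET)
        return 0;
    for (unsigned i = 0; i < SAMPLE_ITEMS; i++) {
        uint16_t checked;
        if (read_value_asm_style((const uint8_t *)table, i) != read_value_struct(table, i))
            return 0;
        if (!read_value_checked(table, SAMPLE_ITEMS, i, &checked) || checked != table[i].value)
            return 0;
    }
    return 1;
}
```

`element_offset` makes the asker's worry concrete: the offsets it returns for ids 0, 1, 2, 3 are 0, 128, 256, 384, evenly spaced, because the shift is a multiply by a constant, not an exponential. The `#pragma pack` is what guarantees `sizeof(struct GameItem) == 128`; without it a compiler may insert alignment padding and the struct would no longer match the binary's layout.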