Reverse Engineering for Beginners

CHAPTER 38. NETWORK ADDRESS CALCULATION EXAMPLE

28 _calc_network_address ENDP


At line 22 we see the most important AND: here the network address is calculated.

38.2 form_IP().


The form_IP() function just puts all 4 bytes into a 32-bit value.

Here is how it is usually done:


  • Allocate a variable for the return value. Set it to 0.

  • Take the fourth (lowest) byte and apply the OR operation to this byte and the return value. The return value now
    contains the 4th byte.

  • Take the third byte and shift it left by 8 bits. You’ll get a value like 0x0000bb00, where bb is your third byte. Apply
    the OR operation to the resulting value and the return value. The return value has contained 0x000000aa so far, so
    ORing the values will produce a value like 0x0000bbaa.

  • Take the second byte and shift it left by 16 bits. You’ll get a value like 0x00cc0000, where cc is your second byte.
    Apply the OR operation to the resulting value and the return value. The return value has contained 0x0000bbaa so
    far, so ORing the values will produce a value like 0x00ccbbaa.

  • Take the first byte and shift it left by 24 bits. You’ll get a value like 0xdd000000, where dd is your first byte. Apply
    the OR operation to the resulting value and the return value. The return value has contained 0x00ccbbaa so far, so
    ORing the values will produce a value like 0xddccbbaa.
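
The steps above written out in C, together with the AND step mentioned for line 22 of the previous listing. This is an added example, not the book's own source: form_IP_msvc_order, netmask_from_prefix and network_address are hypothetical names, and the sample addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Pack four octets into one 32-bit value, following the steps above:
   start from 0 and OR in each byte, lowest first. */
uint32_t form_IP(uint8_t ip1, uint8_t ip2, uint8_t ip3, uint8_t ip4)
{
    uint32_t ret = 0;
    ret |= ip4;                    /* 0x000000aa */
    ret |= (uint32_t)ip3 << 8;     /* 0x0000bbaa */
    ret |= (uint32_t)ip2 << 16;    /* 0x00ccbbaa */
    /* Cast before shifting: a bare ip1 << 24 promotes ip1 to signed int and
       overflows for ip1 >= 0x80, which is undefined behaviour in ISO C. */
    ret |= (uint32_t)ip1 << 24;    /* 0xddccbbaa */
    return ret;
}

/* Same packing, highest byte first (hypothetical name). */
uint32_t form_IP_msvc_order(uint8_t ip1, uint8_t ip2, uint8_t ip3, uint8_t ip4)
{
    uint32_t eax = (uint32_t)ip1 << 24;
    eax |= (uint32_t)ip2 << 16;
    eax |= (uint32_t)ip3 << 8;
    eax |= ip4;
    return eax;
}

/* Hypothetical helper: netmask for a prefix length of 0..32 bits. */
uint32_t netmask_from_prefix(unsigned bits)
{
    if (bits == 0) return 0;       /* shifting a 32-bit value by 32 is undefined */
    if (bits > 32) bits = 32;
    return 0xFFFFFFFFu << (32 - bits);
}

/* The AND step: keep the network bits, clear the host bits. */
uint32_t network_address(uint32_t ip, unsigned prefix_bits)
{
    return ip & netmask_from_prefix(prefix_bits);
}

int main(void)
{
    uint32_t ip = form_IP(10, 1, 2, 4);   /* constructed sample address */
    printf("ip=%08x net/24=%08x\n", (unsigned)ip, (unsigned)network_address(ip, 24));
    return 0;
}
```
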


And this is how it’s done by non-optimizing MSVC 2012:

Listing 38.2: Non-optimizing MSVC 2012
; denote ip1 as "dd", ip2 as "cc", ip3 as "bb", ip4 as "aa".
_ip1$ = 8 ; size = 1
_ip2$ = 12 ; size = 1
_ip3$ = 16 ; size = 1
_ip4$ = 20 ; size = 1
_form_IP PROC
        push    ebp
        mov     ebp, esp
        movzx   eax, BYTE PTR _ip1$[ebp]
        ; EAX=000000dd
        shl     eax, 24
        ; EAX=dd000000
        movzx   ecx, BYTE PTR _ip2$[ebp]
        ; ECX=000000cc
        shl     ecx, 16
        ; ECX=00cc0000
        or      eax, ecx
        ; EAX=ddcc0000
        movzx   edx, BYTE PTR _ip3$[ebp]
        ; EDX=000000bb
        shl     edx, 8
        ; EDX=0000bb00
        or      eax, edx
        ; EAX=ddccbb00
        movzx   ecx, BYTE PTR _ip4$[ebp]
        ; ECX=000000aa
        or      eax, ecx
        ; EAX=ddccbbaa
        pop     ebp
        ret     0
_form_IP ENDP

Well, the order is different, but, of course, the order of the operations doesn’t matter.

Optimizing MSVC 2012 does essentially the same, but in a different way:

Listing 38.3: Optimizing MSVC 2012 /Ob0
; denote ip1 as "dd", ip2 as "cc", ip3 as "bb", ip4 as "aa".
_ip1$ = 8 ; size = 1
_ip2$ = 12 ; size = 1