7C9624EC PUSH EBX
7C9624ED PUSH ESI
7C9624EE MOV ESI,DWORD PTR [ECX+10]
7C9624F1 PUSH EDI
7C9624F2 MOV EDI,DWORD PTR [EBP+C]
7C9624F5 CMP EDI,-1
7C9624F8 LEA EBX,DWORD PTR [EDI+1]
7C9624FB JE SHORT ntdll.7C962559
7C9624FD CMP EBX,EDX
7C9624FF JA SHORT ntdll.7C962559
This code starts out by pushing EBX and ESI onto the stack in order to preserve their original values (we know this because there are no function calls anywhere to be seen). The code then proceeds to load the value from offset +10 of the root structure into ESI, and then pushes EDI in order to start using it. In the following instruction, EDI is loaded with the value pointed to by EBP + C. You know that EBP + C points to the second parameter, just like EBP + 8 pointed to the first parameter. So, the instruction at ntdll.7C9624F2 loads EDI with the value of the second parameter passed into the function. Immediately afterward, EDI is compared against -1 and you see a classic case of interleaved code, which is a very common phenomenon in code generated for modern IA-32 processors (see the section on execution environments in Chapter 2). Interleaved code means that instructions aren't placed in the code in their natural order; instead, pairs of interdependent instructions are interleaved so that at run time the CPU has time to complete the first instruction before it must execute the second one. In this case, you can tell that the code is interleaved because the conditional jump doesn't immediately follow the CMP instruction. This is done to allow the highest level of parallelism during execution.

Following the comparison is another purely arithmetical application of the LEA instruction. This time, LEA is used simply to perform EBX = EDI + 1. Typically, compilers would use INC EDI, but in this case the compiler wanted to keep both the original and the incremented value, so LEA is an excellent choice. It increments EDI by one and stores the result in EBX, while the original value remains in EDI.

Next you can see the JE instruction that is related to the CMP instruction from 7C9624F5. As a reminder, EDI (the second parameter passed to the function) was compared against -1. This instruction jumps to ntdll.7C962559 if EDI == -1. If you go back to Listing 5.2 and take a quick look at the code at ntdll.7C962559, you can quickly see that it is a failure or error condition of some kind, because it sets EAX (the return value) to zero, pops the registers previously pushed onto the stack, and returns. So, if you were to translate the preceding conditional statement back into C, it would look like the following code:
if (Param2 == 0xffffffff)
    return 0;
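To carry the translation through the whole ten-instruction fragment rather than just the JE, here is an added C reconstruction of it (example code, not from the book or from ntdll). The names RootStruct, field_10, limit and param2 are assumptions: the book does not name the structure field at offset +10, the value in EDX, or the second parameter, and the listing does not show what EDX holds.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: the "root structure" that ECX points to, with the
 * field that MOV ESI,[ECX+10] reads at offset 0x10. */
typedef struct {
    uint8_t  pad[0x10];   /* contents before offset +10 are not shown */
    uint32_t field_10;    /* loaded into ESI, kept for the code that follows */
} RootStruct;

/* Mirrors 7C9624EC..7C9624FF. Returns 0 when either early-exit jump to
 * ntdll.7C962559 is taken (that block sets EAX to zero and returns),
 * and 1 when execution would fall through to the next instruction.
 * 'limit' stands in for whatever the caller left in EDX (assumption). */
int early_checks(const RootStruct *root, uint32_t limit, uint32_t param2)
{
    uint32_t esi = root->field_10;  /* MOV ESI,[ECX+10]: saved, unused here */
    uint32_t edi = param2;          /* MOV EDI,[EBP+C]: second parameter    */
    uint32_t ebx = edi + 1;         /* LEA EBX,[EDI+1]: EDI itself unchanged */
    (void)esi;

    /* CMP EDI,-1 / JE: reject 0xffffffff. Note that ebx has already wrapped
     * to 0 for that input, so the JA test below alone would never catch it. */
    if (edi == 0xffffffff)
        return 0;

    /* CMP EBX,EDX / JA: JA is an unsigned comparison, hence uint32_t. */
    if (ebx > limit)
        return 0;

    return 1;
}

int main(void)
{
    RootStruct root = {{0}, 42};    /* constructed sample structure */
    uint32_t inputs[] = {0xffffffff, 10, 9};
    for (int i = 0; i < 3; i++)
        printf("param2=0x%08x -> %d\n", inputs[i],
               early_checks(&root, 10, inputs[i]));
    return 0;
}
```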
156 Chapter 5