Reversing : The Hacker's Guide to Reverse Engineering


realize that the code that follows these two jumps is only executed if ESI >
EBX, because we’ve already tested and conditionally jumped if ESI == EBX
or if ESI < EBX.
When none of the branches are taken, the code copies ESI into EDX and shifts it by one binary position to the right. Binary shifting is a common way to divide or multiply numbers by powers of two. Shifting integer x to the left by n bits is equivalent to x × 2^n, and shifting right by n bits is equivalent to x / 2^n. In this case, right shifting EDX by one means EDX / 2^1, or EDX / 2. For more information on how to decipher arithmetic sequences refer to Appendix B.
Let’s proceed to compare EDX (which now contains ESI/2) with EBX (which is the incremented index of the element we’re after), and jump to ntdll.7C96251B if EBX ≤ EDX. Again, the comparison uses JBE, which assumes unsigned operands, so it’s pretty safe to assume that table indexes are defined as unsigned integers. Let’s ignore the conditional branch for a moment and proceed to the code that follows, as if the branch is not taken.
Here EBX is subtracted from ESI and the result is stored in ESI. The following instruction might be a bit confusing. You can see a JE (which is jump if equal) after the subtraction because subtraction and comparison are the same thing, except that in a comparison the result of the subtraction is discarded, and only the flags are kept. This JE branch will be taken if EBX == ESI before the subtraction or if ESI == 0 after the subtraction (which are two different ways of looking at what is essentially the same thing). Notice that this exposes a redundancy in the code—you’ve already compared EBX against ESI earlier and exited the function if they were equal (remember the jump to ntdll.7C962554?), so ESI couldn’t possibly be zero here. The programmer who wrote this code apparently had a pretty good reason to double-check that the code that follows this check is never reached when ESI == EBX. Let’s now see why that is so.


Search Loop 1

At this point, you have completed the analysis of the code section starting at ntdll.7C962501 and ending at ntdll.7c962511. The next sequence appears to be some kind of loop. Let’s take a look at the code and try and figure out what it does.


7C962513 DEC ESI
7C962514 MOV EAX,DWORD PTR [EAX+4]
7C962517 JNZ SHORT ntdll.7C962513
7C962519 JMP SHORT ntdll.7C96254E

As I’ve mentioned, the first thing to notice about these instructions is that they form a loop. The JNZ will keep on jumping back to ntdll.7C962513
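To check the reading of the branch sequence and of the DEC/JNZ loop, here is a C model of the register arithmetic discussed on this page. It is an added example, not code from the book; the function names, the enum labels and the sample values (ESI = 10, EBX = 7) are ours, and the 2^32 iteration count for a zero ESI is what the DEC/JNZ pair in the listing implies.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* C model of the register arithmetic analysed on this page (an added example,
 * not the book's code). Registers are unsigned 32-bit values, as the JBE in
 * the listing implies; the enum labels and function names are ours. */

/* SHR EDX,1: an unsigned right shift by one is unsigned division by 2^1. */
static uint32_t shr1(uint32_t edx) { return edx >> 1; }

/* JBE = "jump if below or equal", an UNSIGNED comparison (taken if CF or ZF). */
static bool jbe_taken(uint32_t left, uint32_t right) { return left <= right; }

/* SUB ESI,EBX then JE: JE tests ZF, which SUB sets when the difference is 0,
 * i.e. exactly when the operands were equal. CMP sets the same flags but
 * discards the difference, which is why JE after SUB reads like a compare. */
static bool je_after_sub(uint32_t *esi, uint32_t ebx) {
    *esi -= ebx;
    return *esi == 0;
}

enum path { PATH_EQUAL_EXIT, PATH_LESS, PATH_HALF_BRANCH, PATH_SUB_ZERO, PATH_FALLTHROUGH };

/* The branch sequence described in the text; ESI - EBX is returned through
 * esi_out when the code falls through towards the loop. */
static enum path decide(uint32_t esi, uint32_t ebx, uint32_t *esi_out) {
    if (esi == ebx) return PATH_EQUAL_EXIT;   /* the earlier jump to ntdll.7C962554 */
    if (esi < ebx)  return PATH_LESS;         /* the earlier ESI < EBX branch */
    uint32_t edx = shr1(esi);                 /* MOV EDX,ESI ; SHR EDX,1 */
    if (jbe_taken(ebx, edx)) return PATH_HALF_BRANCH;   /* JBE ntdll.7C96251B */
    if (je_after_sub(&esi, ebx)) return PATH_SUB_ZERO;  /* unreachable: ESI != EBX here */
    if (esi_out) *esi_out = esi;              /* always non-zero on this path */
    return PATH_FALLTHROUGH;
}

/* DEC ESI ; MOV EAX,[EAX+4] ; JNZ: the body repeats until the decrement hits
 * zero. Entering with ESI == 0 wraps to 0xFFFFFFFF on the first DEC, so the
 * loop would run 2^32 times (closed form here, so the zero case is instant). */
static uint64_t loop_iterations(uint32_t esi) {
    return esi != 0 ? (uint64_t)esi : (1ULL << 32);
}

int main(void) {
    uint32_t rest = 0;
    enum path p = decide(10, 7, &rest);       /* EDX = 5, 7 > 5, ESI becomes 3 */
    printf("path %d, ESI after SUB %u, loop body runs %llu times\n",
           (int)p, rest, (unsigned long long)loop_iterations(rest));
    return 0;
}
```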


Beyond the Documentation 161