SSpoke - 24 days ago
C Question

Assembly JP / JNP to C code

How would I go about converting an assembly snippet like this to C code, without any ASM inlining, as I would like to convert it to .NET too.

JP example

seg000:0041FA29 jp short near ptr loc_41FA2B+2
seg000:0041FA2B
seg000:0041FA2B loc_41FA2B: ; CODE XREF: seg000:0041FA29j
seg000:0041FA2B mov eax, 104E8B00h
seg000:0041FA30 mov eax, ebx


JNP example

seg000:0041FB8B mov eax, 0x40F009
seg000:0041FB90 sub [ebp-18h], eax
seg000:0041FB93 jnp short near ptr loc_41FB95+2
seg000:0041FB95
seg000:0041FB95 loc_41FB95: ; CODE XREF: seg000:0041FB93j
seg000:0041FB95 mov eax, 1C468B00h


I noticed these opcodes behave pretty strangely in IDA PRO, like they alter themselves. I don't know how to explain this, but they become different instructions when you run them.

At first I stepped them and NOPed them out, thinking it was some sort of obfuscation. But it turns out to be something pretty interesting, probably optimized code.

I know they are the same as jumps like JE/JMP/JNZ etc., but they don't deal with registers but with a flag for overflow checking. How do I transform this into C code?

I then thought maybe it was like this:

JP example

    int eax = 0x4E8688;
    ebp_18 |= eax;
    if (ebp_18 % 2)
        eax = ebx;
    else
        eax = 0x104E8B00;


JNP example

    int eax = 0x40F009;
    ebp_18 = eax;
    if (!(ebp_18 % 1))
        ebp_18 -= eax;
    else
        eax = 0x1C468B00;


What's worse, I cannot even step this line by line in OllyDbg or IDA PRO because it keeps modifying the instructions in real time.

Bytes:

Answer

This is definitely obfuscation code. Look at the destination of the jump:

    jp      short near ptr loc_41FA2B+2
loc_41FA2B:
    mov     eax, 104E8B00h

Notice that the destination of the jump is 2 bytes into the next instruction. This means that the actual instruction you should be looking at starts two bytes in. The machine code of the mov instruction would be B8 00 8B 4E 10. If you skip the first two bytes, you have 8B 4E 10. The disassembly of this is:

    mov     ecx, [esi+16]

The calculation before the jp instruction must have a known result so that the proper instruction is used. Since NOPing it failed, I will assume that the calculation should result in the parity flag being set. This means that you could get the right result by NOPing the jp instruction and the first 2 bytes of the mov instruction.

The second snippet is the same type of thing, except that the result of the calculation should have the parity flag cleared. After skipping the first two bytes, the disassembly is:

    mov     eax, [esi+28]
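As an added example (not code from the question or the answer), here is a small Python script that decodes only the handful of x86 encodings used in these snippets, shows the two overlapping readings of the same bytes that the answer describes (linear sweep from the jp versus decoding from its target), and applies the answer's NOP patch. The byte strings are constructed from the two snippets in the question.

```python
import struct
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_one(code, pos):
    """Decode the instruction at code[pos]; return (length, text)."""
    op = code[pos]
    if op == 0x90:
        return 1, "nop"
    if op in (0x7A, 0x7B):  # jp / jnp rel8, target relative to the next instruction
        rel = struct.unpack_from("<b", code, pos + 1)[0]
        return 2, f"{'jp' if op == 0x7A else 'jnp'} {rel:+d}"
    if 0xB8 <= op <= 0xBF:  # mov r32, imm32
        imm = struct.unpack_from("<I", code, pos + 1)[0]
        return 5, f"mov {REGS[op - 0xB8]}, 0x{imm:X}"
    if op == 0x8B:  # mov r32, r/m32 (register and [reg+disp8] forms only)
        modrm = code[pos + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod == 3:
            return 2, f"mov {REGS[reg]}, {REGS[rm]}"
        if mod == 1 and rm != 4:  # rm == 4 would need a SIB byte
            disp = struct.unpack_from("<b", code, pos + 2)[0]
            return 3, f"mov {REGS[reg]}, [{REGS[rm]}{disp:+d}]"
    raise ValueError(f"unsupported encoding at offset {pos}: {bytes(code[pos:pos + 3]).hex()}")

def disassemble(code, start=0):
    """Linear sweep from `start`: starting at the jp yields the fake mov, starting at its target yields the real code."""
    out, pos = [], start
    while pos < len(code):
        n, text = decode_one(code, pos)
        out.append((pos, text))
        pos += n
    return out

def deobfuscate(code):
    """The answer's patch: NOP the 2-byte 'jp/jnp +2' and the 2 bytes it skips (assumes the jump is always taken)."""
    code = bytearray(code)
    pos = 0
    while pos < len(code):
        if code[pos] in (0x7A, 0x7B) and code[pos + 1] == 2:
            code[pos:pos + 4] = b"\x90" * 4
            pos += 4
        else:
            pos += decode_one(code, pos)[0]
    return bytes(code)
# Constructed samples: the question's JP snippet (jp +2; mov eax,104E8B00h; mov eax,ebx) and JNP snippet (jnp +2; mov eax,1C468B00h).
JP_SAMPLE = bytes.fromhex("7A02 B8008B4E10 8BC3")
JNP_SAMPLE = bytes.fromhex("7B02 B8008B461C")
if __name__ == "__main__":
    for sample in (JP_SAMPLE, JNP_SAMPLE):
        print(disassemble(sample), disassemble(sample, 4), disassemble(deobfuscate(sample)), sep="\n")
```

The same trick works for any conditional jump whose flag state is fixed by the preceding arithmetic, so a real cleanup pass would first confirm that the flag really is constant before patching.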