ASM到C - 有人可以解释一下这是什么结构吗？

Question

I am having the following ASM code (OllyDbg) which should contain a structure developed in c. Can someone tell me how the structure looks like in c programming language? Maybe with a little explanation how you figured out what is stored where in the structure and so on...

Thank you very much!

CPU Disasm
Address   Hex dump          Command                           Comments
6A27F058  /$  68 E9A6286A   PUSH 6A28A6E9                     ; Entry point
6A27F05D  |.  64:FF35 00000 PUSH DWORD PTR FS:[0]
6A27F064  |.  8B4424 10     MOV EAX,DWORD PTR SS:[ESP+10]
6A27F068  |.  896C24 10     MOV DWORD PTR SS:[ESP+10],EBP
6A27F06C  |.  8D6C24 10     LEA EBP,[ESP+10]
6A27F070  |.  2BE0          SUB ESP,EAX
6A27F072  |.  53            PUSH EBX
6A27F073  |.  56            PUSH ESI
6A27F074  |.  57            PUSH EDI
6A27F075  |.  A1 E067336A   MOV EAX,DWORD PTR DS:[6A3367E0]
6A27F07A  |.  3145 FC       XOR DWORD PTR SS:[EBP-4],EAX
6A27F07D  |.  33C5          XOR EAX,EBP
6A27F07F  |.  50            PUSH EAX
6A27F080  |.  8965 E8       MOV DWORD PTR SS:[EBP-18],ESP
6A27F083  |.  FF75 F8       PUSH DWORD PTR SS:[EBP-8]
6A27F086  |.  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
6A27F089  |.  C745 FC FEFFF MOV DWORD PTR SS:[EBP-4],-2
6A27F090  |.  8945 F8       MOV DWORD PTR SS:[EBP-8],EAX
6A27F093  |.  8D45 F0       LEA EAX,[EBP-10]
6A27F096  |.  64:A3 0000000 MOV DWORD PTR FS:[0],EAX
6A27F09C  \.  C3            RETN

Answer 1

This is the function __SEH_prolog4 which is a compiler helper used to set up per-function exception handler. Here's the listing from the library (RunTmChk.lib/sehprolg4.obj):

.text:00000000                   __SEH_prolog4   proc near
.text:00000000
.text:00000000                   arg_4           = dword ptr  8
.text:00000000
.text:00000000 68 60 00 00 00      push    offset __except_handler4
.text:00000005 64 FF 35 00 00 00+  push    large dword ptr fs:0
.text:0000000C 8B 44 24 10         mov     eax, [esp+8+arg_4]
.text:00000010 89 6C 24 10         mov     [esp+8+arg_4], ebp
.text:00000014 8D 6C 24 10         lea     ebp, [esp+8+arg_4]
.text:00000018 2B E0               sub     esp, eax
.text:0000001A 53                  push    ebx
.text:0000001B 56                  push    esi
.text:0000001C 57                  push    edi
.text:0000001D A1 64 00 00 00      mov     eax, ds:___security_cookie
.text:00000022 31 45 FC            xor     [ebp-4], eax
.text:00000025 33 C5               xor     eax, ebp
.text:00000027 50                  push    eax
.text:00000028 89 65 E8            mov     [ebp-18h], esp
.text:0000002B FF 75 F8            push    dword ptr [ebp-8]
.text:0000002E 8B 45 FC            mov     eax, [ebp-4]
.text:00000031 C7 45 FC FE FF FF+  mov     dword ptr [ebp-4], 0FFFFFFFEh
.text:00000038 89 45 F8            mov     [ebp-8], eax
.text:0000003B 8D 45 F0            lea     eax, [ebp-10h]
.text:0000003E 64 A3 00 00 00 00   mov     large fs:0, eax
.text:00000044 C3                  retn
.text:00000044                   __SEH_prolog4   endp

See here for more details.

This is not code written by the programmer, you're looking in the wrong place.

Answer 2

If this is really your code, you can make OllyDbg display the corresponding C code by rightclicking into the CPU window, entering the Comments submenu and selecting Show source . To make that work you'll need the pdb file belonging to the executable.

I'm unsure if Olly1.X does already support that, but the 2.X versions are definitely able to do so.

Answer 3

I'm not entirely sure, it's been a while since I've looked at C/ASM. But here are some thoughts after taking a glance. Keep in mind, I wouldn't rely on this too heavily, but it may help.

Looking at this section of ASM:

6A27F07F  |.  50            PUSH EAX
6A27F080  |.  8965 E8       MOV DWORD PTR SS:[EBP-18],ESP
6A27F083  |.  FF75 F8       PUSH DWORD PTR SS:[EBP-8]
6A27F086  |.  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
6A27F089  |.  C745 FC FEFFF MOV DWORD PTR SS:[EBP-4],-2
6A27F090  |.  8945 F8       MOV DWORD PTR SS:[EBP-8],EAX
6A27F093  |.  8D45 F0       LEA EAX,[EBP-10]

Based on the frame pointer offsets, I'm guessing the structure contains 2 INT's and 1 LONG or DOUBLE.

Unfortunately, I'm not currently fluent enough in X86 to give you better clarification. Again, I wouldn't rely on this too heavily as I could be completely wrong.