Hello readers, how are you? Today I received a simple question from a student about the correct interpretation of the following assembly code:
- 00405035: EB 03 JMP SHORT 0040503A
- 00405037: 5E POP ESI
- 00405038: EB 05 JMP SHORT 0040503F
- 0040503A: E8 F8FFFFFF CALL 00405037
- 0040503F: 83C6 07 ADD ESI, 7
A few comments follow:
- At Line 1 the code executes a short jump to address 0x0040503A (Line 4). Note that EB is the opcode for “JMP SHORT” and 03 (the argument) is the signed 8-bit displacement, i.e. the number of opcode-bytes to skip until address 0x0040503A (Line 4). Indeed, exactly three opcode-bytes (5E, EB and 05) lie between the end of this instruction and that address.
- Still at Line 1, remember that EIP holds the address of the next instruction to be executed (0x00405037), so the sum confirms the explanation: 0x00405037 + 03 = 0x0040503A.
- Due to the JMP at Line 1, we are now at Line 4. The CALL instruction transfers execution to address 0x00405037 (Line 2). Before jumping, CALL pushes the return address 0x0040503F (the address of the next instruction, Line 5) onto the top of the stack, so ESP now points to that value.
- Still at Line 4, the opcode E8 F8FFFFFF is interesting because E8 means “CALL” and F8FFFFFF is the little-endian encoding of 0xFFFFFFF8, a signed 32-bit displacement meaning “minus 8”. It makes sense: at Line 4, EIP (the address of the next instruction) is 0x0040503F (Line 5), and if we count the opcode-bytes backwards from 0x0040503F to 0x00405037 (E8 F8FFFFFF, EB 05 and 5E), we get 8 opcode-bytes. In the end, it works as a backward jump of 8 opcode-bytes: 0x0040503F - 8 = 0x00405037.
- At Line 2, the POP ESI instruction pops the value at the top of the stack (0x0040503F) into ESI.
- At Line 3, the instruction JMP SHORT 0040503F takes the execution to Line 5.
- At Line 5, 7 is added to the content of the ESI register (0x0040503F), giving 0x00405046.
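To make the walkthrough above reproducible, here is an added example (not part of the original post) that decodes the five instructions from their raw bytes, resolves the relative JMP and CALL targets the same way the CPU does (displacement added to the address of the next instruction), and traces EIP, the stack and ESI. The bytes and base address are taken from the listing; the decoder only understands the four opcode forms that appear in it.

```python
import struct

# Bytes of the listing in the post, starting at 0x00405035 (constructed from the five lines).
BASE = 0x00405035
CODE = bytes.fromhex("EB035EEB05E8F8FFFFFF83C607")


def decode(code, base, eip):
    """Decode the instruction at eip. Returns (mnemonic, length, operand).
    Teaching decoder: only the opcodes present in the listing are handled."""
    off = eip - base
    op = code[off]
    if op == 0xEB:                              # JMP SHORT rel8, relative to the next EIP
        rel = struct.unpack("<b", code[off + 1:off + 2])[0]
        return "jmp", 2, eip + 2 + rel
    if op == 0xE8:                              # CALL rel32 (signed, little-endian)
        rel = struct.unpack("<i", code[off + 1:off + 5])[0]
        return "call", 5, eip + 5 + rel
    if op == 0x5E:                              # POP ESI
        return "pop_esi", 1, None
    if op == 0x83 and code[off + 1] == 0xC6:    # ADD ESI, imm8 (sign-extended)
        imm = struct.unpack("<b", code[off + 2:off + 3])[0]
        return "add_esi", 3, imm
    raise ValueError(f"unsupported opcode {op:#x} at {eip:#010x}")


def trace(code=CODE, base=BASE):
    """Run the listing symbolically until EIP leaves it.
    Returns (list of executed instruction addresses, final ESI)."""
    eip, esi, stack, path = base, None, [], []
    end = base + len(code)
    while base <= eip < end:
        path.append(eip)
        mnem, length, operand = decode(code, base, eip)
        if mnem == "jmp":
            eip = operand
        elif mnem == "call":
            stack.append(eip + length)          # push the return address
            eip = operand
        elif mnem == "pop_esi":
            esi = stack.pop()
            eip += length
        else:                                   # add_esi
            esi = (esi + operand) & 0xFFFFFFFF
            eip += length
    return path, esi


if __name__ == "__main__":
    path, esi = trace()
    print(" -> ".join(f"{a:#010x}" for a in path))
    print(f"final ESI = {esi:#010x}")
```

Running it prints the execution order 0x00405035 -> 0x0040503A -> 0x00405037 -> 0x00405038 -> 0x0040503F and a final ESI of 0x00405046, matching the hand analysis.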
Honestly, I do not know where the code above comes from (probably from malware), but it seems to be a nasty trick to get the EIP (0x00405046) in order to execute something such as shellcode or similar code.
Have a nice day.
(LinkedIn: http://www.linkedin.com/in/aleborges and twitter: @ale_sp_brazil)