Hello readers, how are you? Today I received a simple question from a student about the correct interpretation of the following assembly code:
00405035: EB 03 JMP SHORT 0040503A
00405037: 5E POP ESI
00405038: EB 05 JMP SHORT 0040503F
0040503A: E8 F8FFFFFF CALL 00405037
0040503F: 83C6 07 ADD ESI, 7
A few comments follow:
At Line 1 the code executes a short jump to address 0x0040503A (Line 4). Note that EB is the opcode for JMP SHORT and 03 is its operand: a signed 8-bit displacement, counted from the end of the JMP instruction itself, that tells how many bytes to skip before reaching 0x0040503A (Line 4). Indeed, exactly three bytes (5E, EB and 05) lie in between.
Still at Line 1, remember that EIP already holds the address of the next instruction (0x00405037) at the moment the displacement is applied, so the sum confirms our explanation: 0x00405037 + 0x03 = 0x0040503A.
Because of the JMP at Line 1, we are now at Line 4. The CALL instruction jumps to address 0x00405037 (Line 2). Before jumping, CALL pushes its return address, i.e. the EIP of the instruction that would execute next (0x0040503F), onto the top of the stack (ESP is decremented by 4 and the value is stored there).
Still at Line 4, the encoding E8 F8FFFFFF is interesting: E8 is the opcode for CALL rel32, and F8FFFFFF is the little-endian 32-bit displacement 0xFFFFFFF8, which means "minus 8". It makes sense: at Line 4, EIP is 0x0040503F (Line 5), and counting the bytes backwards from 0x0040503F to 0x00405037 (E8 F8FFFFFF, EB 05, 5E) gives 8 bytes. In the end it works as a backward call of 8 bytes. Note also that this displacement contains no zero byte; a forward CALL over such a short distance would be encoded as E8 xx 00 00 00, and the jump-forward/call-backward arrangement is the usual way to avoid that in code that must not contain NULs.
At Line 2, POP ESI loads the value at the top of the stack, the return address 0x0040503F that the CALL just pushed, into ESI and restores ESP. The return address is never used by a RET; the CALL exists only to put the current address on the stack.
At Line 3, the instruction JMP SHORT 0040503F transfers execution to Line 5.
At Line 5, 7 is added to the content of ESI (0x0040503F), giving 0x00405046. Since ADD ESI, 7 itself occupies 3 bytes (83 C6 07) and ends at 0x00405042, ESI ends up pointing 4 bytes past the end of the listing shown here.
Honestly, I do not know where this code comes from (probably from malware), but it looks like a nasty trick to obtain the current EIP (0x00405046) in order to execute something such as a shellcode or similar code.
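The sequence analysed above is the classic call/pop ("GetPC") idiom of position-independent shellcode: the only way 32-bit x86 code can learn its own address without fixed addresses is to CALL somewhere and POP the return address. To make the mechanics concrete, the following C program (an added example, not code from the post) emulates exactly the four instruction forms in the listing, JMP rel8, CALL rel32, POP ESI and ADD ESI, imm8, over the raw bytes above, assumed to be loaded at 0x00405035 as in the listing. It keeps a small simulated stack so that the push done by CALL and the pop done by POP ESI can be checked against each other, and it records the order in which the instructions execute.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed input: the five instructions from the listing as raw bytes,
 * assumed to sit at 0x00405035 exactly as shown in the post. */
#define CODE_BASE 0x00405035u
static const uint8_t CODE[] = {
    0xEB, 0x03,                     /* 00405035  JMP SHORT 0040503A */
    0x5E,                           /* 00405037  POP ESI            */
    0xEB, 0x05,                     /* 00405038  JMP SHORT 0040503F */
    0xE8, 0xF8, 0xFF, 0xFF, 0xFF,   /* 0040503A  CALL 00405037      */
    0x83, 0xC6, 0x07,               /* 0040503F  ADD ESI, 7         */
};
#define CODE_END (CODE_BASE + (uint32_t)sizeof(CODE))

#define STACK_SLOTS 16
typedef struct {
    uint32_t eip, esi;
    uint32_t stack[STACK_SLOTS];
    int sp;             /* index of the top-of-stack slot; STACK_SLOTS means empty */
} cpu_t;

/* x86 relative branches are computed from the address of the *next*
 * instruction, i.e. from the end of the branch encoding. */
uint32_t rel_target(uint32_t insn_addr, uint32_t insn_len, int32_t disp)
{
    return insn_addr + insn_len + (uint32_t)disp;
}

/* Little-endian 32-bit read: F8 FF FF FF -> 0xFFFFFFF8 == -8 */
static int32_t read_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Execute one instruction. Returns 1 if it ran, 0 on unsupported/out-of-range. */
static int step(cpu_t *c)
{
    if (c->eip < CODE_BASE || c->eip >= CODE_END) return 0;
    const uint8_t *p = CODE + (c->eip - CODE_BASE);
    size_t left = CODE_END - c->eip;

    switch (p[0]) {
    case 0xEB:                          /* JMP rel8 */
        if (left < 2) return 0;
        c->eip = rel_target(c->eip, 2, (int8_t)p[1]);
        return 1;
    case 0xE8:                          /* CALL rel32: push return address, then jump */
        if (left < 5 || c->sp == 0) return 0;
        c->stack[--c->sp] = c->eip + 5;
        c->eip = rel_target(c->eip, 5, read_le32(p + 1));
        return 1;
    case 0x5E:                          /* POP ESI */
        if (c->sp == STACK_SLOTS) return 0;   /* stack underflow */
        c->esi = c->stack[c->sp++];
        c->eip += 1;
        return 1;
    case 0x83:                          /* 83 /6 ib, ModRM C6: ADD ESI, imm8 (sign-extended) */
        if (left < 3 || p[1] != 0xC6) return 0;
        c->esi += (uint32_t)(int8_t)p[2];
        c->eip += 3;
        return 1;
    default:
        return 0;
    }
}

/* Run from CODE_BASE until execution falls off the end of the snippet.
 * Stores the address of each executed instruction in trace[]; returns the count. */
size_t emulate(uint32_t *trace, size_t max, cpu_t *out)
{
    cpu_t c = { .eip = CODE_BASE, .esi = 0, .sp = STACK_SLOTS };
    size_t n = 0;
    while (c.eip != CODE_END && n < max) {
        trace[n++] = c.eip;
        if (!step(&c)) break;
    }
    if (out) *out = c;
    return n;
}

int main(void)
{
    uint32_t trace[16];
    cpu_t c;
    size_t n = emulate(trace, 16, &c);
    for (size_t i = 0; i < n; i++)
        printf("exec %08X\n", trace[i]);
    printf("ESI = %08X, stack %s\n", c.esi,
           c.sp == STACK_SLOTS ? "balanced" : "unbalanced");
    return 0;
}
```

Running it prints the execution order 00405035, 0040503A, 00405037, 00405038, 0040503F and finishes with ESI = 00405046 and a balanced stack, matching the walk-through above. The two things worth noticing are that every target is computed from the end of the branch instruction (which is why 03 skips three bytes and F8FFFFFF goes back eight), and that the CALL/POP pair leaves ESP exactly where it was, so the trick costs nothing on the stack.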
People, how are you? I wrote a document about Memory Acquisition on Windows and Linux systems, which will serve as a reference for the next articles about the most impressive forensic memory analysis tool in the world: Volatility. Anyway, here is the article:
Hello people, how are you? What have you been up to? I'm sorry for the long time away, but I'm working hard to finish my book about Oracle Solaris Advanced Administration. However, I found some time to write a short document about data carving: