Text only | Text with Images

Clan x86

Technical (Development, Security, etc.) => General Programming => Topic started by: Newby on February 09, 2008, 03:53:49 PM

Title: Big math help!
Post by: Newby on February 09, 2008, 03:53:49 PM
Ok, so I'm reversing a function (we'll call this function functionA) and here's what it generally looks like:

Code Select
; introBlock
mov     eax, RegCode
lea     ecx, [eax+11h]
imul    ecx, eax

; bblock1
mov     eax, 85D858Bh
imul    ecx
sar     edx, 0Ah
mov     eax, edx
shr     eax, 1Fh
add     eax, edx
imul    eax, 7A69h
sub     ecx, eax
imul    ecx, 1ACFh

; bblock2
mov     eax, 85DCB87Dh
imul    ecx
add     edx, ecx
sar     edx, 0Eh
mov     eax, edx
shr     eax, 1Fh
add     eax, edx
imul    eax, 7A65h
sub     ecx, eax
imul    ecx, 1AD7h


And my C code:

Code Select
/* Necessary stuff so it makes sense. */
typedef unsigned long long int QWORD;
typedef unsigned long int DWORD;

#define HIDWORD(x) ((DWORD)((x) >> 32))

int functionA(int ArgumentOne)
{
        /* introBlock */
QWORD ecx = 0; DWORD edx = 0; DWORD eax = 0;
ecx = (ArgumentOne + 0x11) * ArgumentOne;

        /* bblock1 */
edx = HIDWORD(0x85D858B * ecx) >> 0x0A;
eax = ((edx >> 0x1F) + edx) * 0x7A69;
ecx -= eax;
ecx *= 0x1ACF;

        /* bblock2 */
edx = (HIDWORD(0x85DCB87D * ecx) + ecx) >> 0x0E;
eax = ((edx >> 0x1F) + edx) * 0x7A65;
ecx -= eax;
ecx *= 0x1AD7;
//      ...
}


I've taken the liberty of splitting the assembly/C into their respective blocks, which I will label introBlock, bblock1, and bblock2.

Side-by-side, introBlock and bblock1 are identical in output. When we get to bblock2...

Code Select
edx = (HIDWORD(0x85DCB87D * ecx) + ecx) >> 0x0E;

...it does not have the same output as this:

Code Select
mov     eax, 85DCB87Dh
imul    ecx
add     edx, ecx
sar     edx, 0Eh

I narrowed the problem down to the imul line. The value the assembly puts on register edx when it does edx:eax = eax * ecx is not the same as what I get when I try to do the same with C. I can get the exact same lower dword, but the upper dword isn't the same.

Anybody care to poke at my work and tell me where I went wrong?

Oh, and if anyone would care to explain the concept behind signed and unsigned arithmetic (not just variables, but like, imul and mul are different -- how?) as I can't wrap my mind around their differences. Thanks sidoh!
Title: Re: Big math help!
Post by: Camel on February 10, 2008, 02:25:28 PM
You seem to have already solved this, but it's still worth pointing out that your macro is mangled.
Title: Re: Big math help!
Post by: Newby on February 10, 2008, 06:07:55 PM
Quote from: Camel on February 10, 2008, 02:25:28 PM
You seem to have already solved this, but it's still worth pointing out that your macro is mangled.

I have not solved the issue (I simply did inline assembly), and can you point out how?
Title: Re: Big math help!
Post by: Camel on February 11, 2008, 03:55:49 PM
Nevermind, I miscounted.
Text only | Text with Images