Difference between revisions of "HOWTO-Reverse Engineering"

<syntaxhighlight lang="c">

<syntaxhighlight lang="c">

int __usercall sub_100FB<ax>(__int8 param1<al>, int param2<bx>)

int __usercall sub_100FB<ax>(__int8 param1<al>, int param2<bx>)

In this case, the method takes an 8-bit parameter in the al register, and another 16-bit value in bx, then returns a result in ax

In this case, the method takes an 8-bit parameter in the al register, and another 16-bit value in bx, then returns a result in ax

mul bx

mul bx

mov ax, [bx+2D00h]

mov ax, [bx+2D00h]

In this case, an initial index in the ax register is multiplied by 30h (30 hexadecimal = 48 decimal). So from this we can determine that the given structure is 48 bytes in size, and can create a new structure accordingly. For smaller sized structures, you may want to create as many 2 byte word fields as needed to make up the correct size for the structure. For larger sizes, the easiest way is to simply declare an array of the needed structure size - 1, and follow it with a single byte field. You can then delete/undefine the array. The remaining byte will keep the structure at the correct size, and you can then later fill in the fields as you find references to them.

In this case, an initial index in the ax register is multiplied by 30h (30 hexadecimal = 48 decimal). So from this we can determine that the given structure is 48 bytes in size, and can create a new structure accordingly. For smaller sized structures, you may want to create as many 2 byte word fields as needed to make up the correct size for the structure. For larger sizes, the easiest way is to simply declare an array of the needed structure size - 1, and follow it with a single byte field. You can then delete/undefine the array. The remaining byte will keep the structure at the correct size, and you can then later fill in the fields as you find references to them.