
How to find if a function is using registers as parameters?

Reverse Engineering Asked on January 9, 2021

The disassembly of the function Winload!CmpFindNlsData, whose prototype I’m trying to construct:

; winload!CmpFindNLSData — WinDbg disassembly, x86-32, Intel syntax
; (columns: address, opcode bytes, mnemonic/operands).
; Argument evidence visible in this listing:
;   ecx  read at 00893c1e before any write                -> first register argument
;   edx  pushed at 00893c2c before any write              -> second register argument
;   [ebp+8], [ebp+0Ch], [ebp+10h] read at 00893d80 / 00893ed1 / 00893f80 -> three stack arguments
;   `ret 0Ch` at 00893db6 pops those 12 bytes, i.e. the callee cleans its stack arguments.
; Return value is al: 0 via 00893dae, 1 via 00893f83 followed by jmp 00893db0 (shared epilogue).
; Register roles: esi = ecx on entry (also kept at [ebp-14h]); ebx = 0 until reloaded from [ebp+8]
; at 00893d80; edi = 0FFFFFFFFh sentinel until it starts holding call results at 00893d01.
; No `add esp` follows any call below, so the callees presumably pop their own stack arguments.
00893c10 8bff            mov     edi,edi                   ; 2-byte no-op (the usual Microsoft hot-patch prologue)
00893c12 55              push    ebp
00893c13 8bec            mov     ebp,esp
00893c15 83ec40          sub     esp,40h                   ; 64 bytes of locals: [ebp-40h]..[ebp-4]
00893c18 53              push    ebx                       ; save callee-saved ebx/esi/edi
00893c19 56              push    esi
00893c1a 57              push    edi
00893c1b 8d45e0          lea     eax,[ebp-20h]             ; eax = &[ebp-20h]
00893c1e 8bf1            mov     esi,ecx                   ; esi = ecx, read before any write in this function
00893c20 50              push    eax                       ; stack arg 3 of the [esi+4] call at 00893c46
00893c21 33db            xor     ebx,ebx                   ; ebx = 0
00893c23 8975ec          mov     dword ptr [ebp-14h],esi   ; keep esi; restored from here at 00893d7d / 00893ec5
00893c26 83cfff          or      edi,0FFFFFFFFh            ; edi = -1 (short encoding)
; Four 8-byte locals are initialised to {0FFFFFFFFh, 0}: [ebp-38h], [ebp-30h], [ebp-20h], [ebp-40h].
; Their addresses are the ones later passed to the [esi+8] calls.
00893c29 895dcc          mov     dword ptr [ebp-34h],ebx
00893c2c 52              push    edx                       ; stack arg 2: edx, pushed before any write to edx
00893c2d 56              push    esi                       ; stack arg 1: esi
00893c2e 897dc8          mov     dword ptr [ebp-38h],edi
00893c31 897dd0          mov     dword ptr [ebp-30h],edi
00893c34 895dd4          mov     dword ptr [ebp-2Ch],ebx
00893c37 897de0          mov     dword ptr [ebp-20h],edi
00893c3a 895de4          mov     dword ptr [ebp-1Ch],ebx
00893c3d 897dc0          mov     dword ptr [ebp-40h],edi
00893c40 895dc4          mov     dword ptr [ebp-3Ch],ebx
00893c43 895de8          mov     dword ptr [ebp-18h],ebx   ; flag = 0; set to 1 at 00893d8b, tested at 00893f69
00893c46 ff5604          call    dword ptr [esi+4]         ; indirect call via esi+4 with (esi, edx, &[ebp-20h]); result in eax
00893c49 85c0            test    eax,eax
00893c4b 0f845d010000    je      winload!CmpFindNLSData+0x19e (00893dae)   ; 0 -> failure exit
00893c51 8d4df4          lea     ecx,[ebp-0Ch]
00893c54 8bd0            mov     edx,eax                   ; edx = result of [esi+4]
00893c56 51              push    ecx                       ; stack arg 2: &[ebp-0Ch], out-param compared with -1 at 00893c6b
00893c57 68b8208e00      push    offset winload!CmpControlString (008e20b8)   ; stack arg 1
00893c5c 8bce            mov     ecx,esi                   ; ecx = esi again: this helper also takes ecx/edx
00893c5e e869510000      call    winload!CmpFindSubKeyByNameWithStatus (00898dcc)
00893c63 8d45e0          lea     eax,[ebp-20h]
00893c66 50              push    eax
00893c67 56              push    esi
00893c68 ff5608          call    dword ptr [esi+8]         ; indirect call via esi+8 with (esi, &[ebp-20h])
00893c6b 397df4          cmp     dword ptr [ebp-0Ch],edi   ; out-param == -1 ?
00893c6e 0f843a010000    je      winload!CmpFindNLSData+0x19e (00893dae)
; The same three-step pattern repeats for CmpNlsString and CmpCodePageString:
;   [esi+4](esi, [ebp-0Ch], &[ebp-20h]) -> CmpFindSubKeyByNameWithStatus(ecx=esi, edx=eax; string, &[ebp-0Ch])
;   -> [esi+8](esi, &[ebp-20h]) -> fail if [ebp-0Ch] == -1.
00893c74 8d45e0          lea     eax,[ebp-20h]
00893c77 50              push    eax
00893c78 ff75f4          push    dword ptr [ebp-0Ch]
00893c7b 56              push    esi
00893c7c ff5604          call    dword ptr [esi+4]
00893c7f 85c0            test    eax,eax
00893c81 0f8427010000    je      winload!CmpFindNLSData+0x19e (00893dae)
00893c87 8d4df4          lea     ecx,[ebp-0Ch]
00893c8a 8bd0            mov     edx,eax
00893c8c 51              push    ecx
00893c8d 68f8208e00      push    offset winload!CmpNlsString (008e20f8)
00893c92 8bce            mov     ecx,esi
00893c94 e833510000      call    winload!CmpFindSubKeyByNameWithStatus (00898dcc)
00893c99 8d45e0          lea     eax,[ebp-20h]
00893c9c 50              push    eax
00893c9d 56              push    esi
00893c9e ff5608          call    dword ptr [esi+8]
00893ca1 397df4          cmp     dword ptr [ebp-0Ch],edi
00893ca4 0f8404010000    je      winload!CmpFindNLSData+0x19e (00893dae)
00893caa 8d45e0          lea     eax,[ebp-20h]
00893cad 50              push    eax
00893cae ff75f4          push    dword ptr [ebp-0Ch]
00893cb1 56              push    esi
00893cb2 ff5604          call    dword ptr [esi+4]
00893cb5 85c0            test    eax,eax
00893cb7 0f84f1000000    je      winload!CmpFindNLSData+0x19e (00893dae)
00893cbd 8d4df4          lea     ecx,[ebp-0Ch]
00893cc0 8bd0            mov     edx,eax
00893cc2 51              push    ecx
00893cc3 6808218e00      push    offset winload!CmpCodePageString (008e2108)
00893cc8 8bce            mov     ecx,esi
00893cca e8fd500000      call    winload!CmpFindSubKeyByNameWithStatus (00898dcc)
00893ccf 8d45e0          lea     eax,[ebp-20h]
00893cd2 50              push    eax
00893cd3 56              push    esi
00893cd4 ff5608          call    dword ptr [esi+8]
00893cd7 397df4          cmp     dword ptr [ebp-0Ch],edi
00893cda 0f84ce000000    je      winload!CmpFindNLSData+0x19e (00893dae)
00893ce0 8d45e0          lea     eax,[ebp-20h]
00893ce3 50              push    eax
00893ce4 ff75f4          push    dword ptr [ebp-0Ch]
00893ce7 56              push    esi
00893ce8 ff5604          call    dword ptr [esi+4]
00893ceb 85c0            test    eax,eax
00893ced 0f84bb000000    je      winload!CmpFindNLSData+0x19e (00893dae)
00893cf3 6870228e00      push    offset winload!CmpAcpString (008e2270)   ; the only stack arg of this call
00893cf8 8bd0            mov     edx,eax
00893cfa 8bce            mov     ecx,esi                   ; CmpFindValueByName also takes ecx=esi, edx=eax
00893cfc e885330000      call    winload!CmpFindValueByName (00897086)
00893d01 8bf8            mov     edi,eax                   ; edi now holds a result, no longer the -1 sentinel
00893d03 8d45e0          lea     eax,[ebp-20h]
00893d06 50              push    eax
00893d07 56              push    esi
00893d08 ff5608          call    dword ptr [esi+8]
00893d0b 83ffff          cmp     edi,0FFFFFFFFh            ; -1 -> failure
00893d0e 0f849a000000    je      winload!CmpFindNLSData+0x19e (00893dae)
00893d14 8d45d0          lea     eax,[ebp-30h]
00893d17 50              push    eax
00893d18 57              push    edi
00893d19 56              push    esi
00893d1a ff5604          call    dword ptr [esi+4]         ; [esi+4](esi, edi, &[ebp-30h])
00893d1d 85c0            test    eax,eax
00893d1f 0f8489000000    je      winload!CmpFindNLSData+0x19e (00893dae)
00893d25 8d4dc8          lea     ecx,[ebp-38h]
00893d28 8bd7            mov     edx,edi
00893d2a 51              push    ecx                       ; stack arg 3: &[ebp-38h]
00893d2b 8d4df8          lea     ecx,[ebp-8]
00893d2e 51              push    ecx                       ; stack arg 2: &[ebp-8]; its low word is read as a length at 00893d48
00893d2f 50              push    eax                       ; stack arg 1: result of [esi+4]
00893d30 8bce            mov     ecx,esi                   ; CmpValueToData takes ecx=esi, edx=edi as well
00893d32 e8c7340000      call    winload!CmpValueToData (008971fe)
00893d37 8bf8            mov     edi,eax                   ; edi = returned pointer; dereferenced at 00893d6b / 00893d86
00893d39 8d45d0          lea     eax,[ebp-30h]
00893d3c 50              push    eax
00893d3d 56              push    esi
00893d3e 897ddc          mov     dword ptr [ebp-24h],edi
00893d41 ff5608          call    dword ptr [esi+8]
00893d44 85ff            test    edi,edi                   ; NULL pointer -> failure
00893d46 7466            je      winload!CmpFindNLSData+0x19e (00893dae)
; Scan the returned data for a zero 16-bit word, bounded by the length in [ebp-8]:
;   dx = length in bytes, cx = byte offset starting at 0, step = [ebp-10h] = 2;
;   compare word [edi + (cx>>1)*2] with bx (0); stop on a match or when cx >= dx (unsigned).
; Afterwards [ebp-28h]/[ebp-26h]/[ebp-24h] hold {cx, dx, edi}; that layout looks like
; {Length, MaximumLength, Buffer} of a UNICODE_STRING — presumably, confirm against the callee.
00893d48 8b55f8          mov     edx,dword ptr [ebp-8]
00893d4b 33c9            xor     ecx,ecx
00893d4d 33c0            xor     eax,eax
00893d4f 668955da        mov     word ptr [ebp-26h],dx
00893d53 66894dd8        mov     word ptr [ebp-28h],cx
00893d57 c745f002000000  mov     dword ptr [ebp-10h],2
00893d5e 663bc2          cmp     ax,dx                     ; length 0 -> skip the loop
00893d61 731d            jae     winload!CmpFindNLSData+0x170 (00893d80)
00893d63 8b75f0          mov     esi,dword ptr [ebp-10h]   ; esi temporarily = 2; restored from [ebp-14h] at 00893d7d
00893d66 0fb7c1          movzx   eax,cx
00893d69 d1e8            shr     eax,1
00893d6b 66391c47        cmp     word ptr [edi+eax*2],bx   ; data word at byte offset cx == 0 ?
00893d6f 740c            je      winload!CmpFindNLSData+0x16d (00893d7d)
00893d71 6603ce          add     cx,si                     ; cx += 2
00893d74 66894dd8        mov     word ptr [ebp-28h],cx
00893d78 663bca          cmp     cx,dx
00893d7b 72e9            jb      winload!CmpFindNLSData+0x156 (00893d66)   ; unsigned: loop while cx < length
00893d7d 8b75ec          mov     esi,dword ptr [ebp-14h]   ; esi = saved entry value again
00893d80 8b5d08          mov     ebx,dword ptr [ebp+8]     ; ebx = first stack arg; written through at 00893e01 / 00893e22
00893d83 6a36            push    36h
00893d85 58              pop     eax                       ; eax = 36h (3-byte idiom for mov eax,36h)
00893d86 663907          cmp     word ptr [edi],ax         ; first 16-bit word of the data == 36h ('6') ?
00893d89 750c            jne     winload!CmpFindNLSData+0x187 (00893d97)
00893d8b c745e801000000  mov     dword ptr [ebp-18h],1     ; remember the match; tested at 00893f69
00893d92 e992000000      jmp     winload!CmpFindNLSData+0x219 (00893e29)
00893d97 8d45e0          lea     eax,[ebp-20h]
00893d9a 50              push    eax
00893d9b ff75f4          push    dword ptr [ebp-0Ch]
00893d9e 56              push    esi
00893d9f ff5604          call    dword ptr [esi+4]
00893da2 85c0            test    eax,eax
00893da4 7513            jne     winload!CmpFindNLSData+0x1a9 (00893db9)
00893da6 8d45c8          lea     eax,[ebp-38h]
00893da9 50              push    eax
00893daa 56              push    esi
00893dab ff5608          call    dword ptr [esi+8]         ; [esi+8](esi, &[ebp-38h]) on this failure path, then fall through
; Common epilogue. Failure enters at 00893dae (al = 0); success jumps to 00893db0 with al = 1 (see 00893f96).
00893dae 32c0            xor     al,al
00893db0 5f              pop     edi
00893db1 5e              pop     esi
00893db2 5b              pop     ebx
00893db3 8be5            mov     esp,ebp
00893db5 5d              pop     ebp
00893db6 c20c00          ret     0Ch                       ; pops the three stack args: callee-cleans
00893db9 8d4dd8          lea     ecx,[ebp-28h]
00893dbc 8bd0            mov     edx,eax
00893dbe 51              push    ecx                       ; stack arg: &[ebp-28h], the {cx, dx, edi} triple built above
00893dbf 8bce            mov     ecx,esi
00893dc1 e8c0320000      call    winload!CmpFindValueByName (00897086)
00893dc6 8bf8            mov     edi,eax
00893dc8 8d45c8          lea     eax,[ebp-38h]
00893dcb 50              push    eax
00893dcc 56              push    esi
00893dcd ff5608          call    dword ptr [esi+8]
00893dd0 33c0            xor     eax,eax
00893dd2 8945dc          mov     dword ptr [ebp-24h],eax   ; clear the pointer slot after the [esi+8] call
00893dd5 8d45e0          lea     eax,[ebp-20h]
00893dd8 50              push    eax
00893dd9 56              push    esi
00893dda ff5608          call    dword ptr [esi+8]
00893ddd 83ffff          cmp     edi,0FFFFFFFFh
00893de0 74cc            je      winload!CmpFindNLSData+0x19e (00893dae)
00893de2 8d45d0          lea     eax,[ebp-30h]
00893de5 50              push    eax
00893de6 57              push    edi
00893de7 56              push    esi
00893de8 ff5604          call    dword ptr [esi+4]
00893deb 85c0            test    eax,eax
00893ded 74bf            je      winload!CmpFindNLSData+0x19e (00893dae)
00893def 8d4dc0          lea     ecx,[ebp-40h]
00893df2 8bd7            mov     edx,edi
00893df4 51              push    ecx
00893df5 8d4df8          lea     ecx,[ebp-8]
00893df8 51              push    ecx
00893df9 50              push    eax
00893dfa 8bce            mov     ecx,esi
00893dfc e8fd330000      call    winload!CmpValueToData (008971fe)
00893e01 894304          mov     dword ptr [ebx+4],eax     ; first stack arg: +4 = CmpValueToData result
00893e04 85c0            test    eax,eax
00893e06 7408            je      winload!CmpFindNLSData+0x200 (00893e10)
00893e08 8d45c0          lea     eax,[ebp-40h]
00893e0b 50              push    eax
00893e0c 56              push    esi
00893e0d ff5608          call    dword ptr [esi+8]         ; only released when the result was non-NULL
00893e10 8d45d0          lea     eax,[ebp-30h]
00893e13 50              push    eax
00893e14 56              push    esi
00893e15 ff5608          call    dword ptr [esi+8]
00893e18 33c0            xor     eax,eax
00893e1a 394304          cmp     dword ptr [ebx+4],eax     ; NULL -> failure
00893e1d 748f            je      winload!CmpFindNLSData+0x19e (00893dae)
00893e1f 8b45f8          mov     eax,dword ptr [ebp-8]
00893e22 66894302        mov     word ptr [ebx+2],ax       ; first stack arg: +2 and +0 = low word of [ebp-8]
00893e26 668903          mov     word ptr [ebx],ax
; Second pass: the same sequence for CmpOemCpString, writing through the second stack arg ([ebp+0Ch]).
00893e29 8d45e0          lea     eax,[ebp-20h]
00893e2c 50              push    eax
00893e2d ff75f4          push    dword ptr [ebp-0Ch]
00893e30 56              push    esi
00893e31 ff5604          call    dword ptr [esi+4]
00893e34 85c0            test    eax,eax
00893e36 0f8472ffffff    je      winload!CmpFindNLSData+0x19e (00893dae)
00893e3c 6848228e00      push    offset winload!CmpOemCpString (008e2248)
00893e41 8bd0            mov     edx,eax
00893e43 8bce            mov     ecx,esi
00893e45 e83c320000      call    winload!CmpFindValueByName (00897086)
00893e4a 8bf8            mov     edi,eax
00893e4c 8d45e0          lea     eax,[ebp-20h]
00893e4f 50              push    eax
00893e50 56              push    esi
00893e51 ff5608          call    dword ptr [esi+8]
00893e54 83ffff          cmp     edi,0FFFFFFFFh
00893e57 0f8451ffffff    je      winload!CmpFindNLSData+0x19e (00893dae)
00893e5d 8d45d0          lea     eax,[ebp-30h]
00893e60 50              push    eax
00893e61 57              push    edi
00893e62 56              push    esi
00893e63 ff5604          call    dword ptr [esi+4]
00893e66 85c0            test    eax,eax
00893e68 0f8440ffffff    je      winload!CmpFindNLSData+0x19e (00893dae)
00893e6e 8d4dc8          lea     ecx,[ebp-38h]
00893e71 8bd7            mov     edx,edi
00893e73 51              push    ecx
00893e74 8d4df8          lea     ecx,[ebp-8]
00893e77 51              push    ecx
00893e78 50              push    eax
00893e79 8bce            mov     ecx,esi
00893e7b e87e330000      call    winload!CmpValueToData (008971fe)
00893e80 8bf8            mov     edi,eax
00893e82 8d45d0          lea     eax,[ebp-30h]
00893e85 50              push    eax
00893e86 56              push    esi
00893e87 897ddc          mov     dword ptr [ebp-24h],edi
00893e8a ff5608          call    dword ptr [esi+8]
00893e8d 85ff            test    edi,edi
00893e8f 0f8419ffffff    je      winload!CmpFindNLSData+0x19e (00893dae)
; Same zero-word scan as at 00893d48, on the second value's data.
00893e95 8b55f8          mov     edx,dword ptr [ebp-8]
00893e98 33c9            xor     ecx,ecx
00893e9a 33c0            xor     eax,eax
00893e9c 668955da        mov     word ptr [ebp-26h],dx
00893ea0 66894dd8        mov     word ptr [ebp-28h],cx
00893ea4 663bc2          cmp     ax,dx
00893ea7 7322            jae     winload!CmpFindNLSData+0x2bb (00893ecb)
00893ea9 8b75f0          mov     esi,dword ptr [ebp-10h]
00893eac 33db            xor     ebx,ebx                   ; ebx re-zeroed: it has held [ebp+8] since 00893d80
00893eae 0fb7c1          movzx   eax,cx
00893eb1 d1e8            shr     eax,1
00893eb3 66391c47        cmp     word ptr [edi+eax*2],bx
00893eb7 740c            je      winload!CmpFindNLSData+0x2b5 (00893ec5)
00893eb9 6603ce          add     cx,si
00893ebc 66894dd8        mov     word ptr [ebp-28h],cx
00893ec0 663bca          cmp     cx,dx
00893ec3 72e9            jb      winload!CmpFindNLSData+0x29e (00893eae)
00893ec5 8b75ec          mov     esi,dword ptr [ebp-14h]
00893ec8 8b5d08          mov     ebx,dword ptr [ebp+8]
00893ecb 6a36            push    36h
00893ecd 58              pop     eax
00893ece 663907          cmp     word ptr [edi],ax         ; second data starts with 36h ?  (flags survive the mov below)
00893ed1 8b7d0c          mov     edi,dword ptr [ebp+0Ch]   ; edi = second stack arg
00893ed4 0f8496000000    je      winload!CmpFindNLSData+0x360 (00893f70)   ; yes -> clear both output structs
00893eda 8d45e0          lea     eax,[ebp-20h]
00893edd 50              push    eax
00893ede ff75f4          push    dword ptr [ebp-0Ch]
00893ee1 56              push    esi
00893ee2 ff5604          call    dword ptr [esi+4]
00893ee5 85c0            test    eax,eax
00893ee7 0f84b9feffff    je      winload!CmpFindNLSData+0x196 (00893da6)   ; failure via the [ebp-38h] release
00893eed 8d4dd8          lea     ecx,[ebp-28h]
00893ef0 8bd0            mov     edx,eax
00893ef2 51              push    ecx
00893ef3 8bce            mov     ecx,esi
00893ef5 e88c310000      call    winload!CmpFindValueByName (00897086)
00893efa 894508          mov     dword ptr [ebp+8],eax     ; the incoming arg slot is reused as scratch for the result
00893efd 8d45c8          lea     eax,[ebp-38h]
00893f00 50              push    eax
00893f01 56              push    esi
00893f02 ff5608          call    dword ptr [esi+8]
00893f05 8d45e0          lea     eax,[ebp-20h]
00893f08 50              push    eax
00893f09 56              push    esi
00893f0a ff5608          call    dword ptr [esi+8]
00893f0d 8b4508          mov     eax,dword ptr [ebp+8]
00893f10 83f8ff          cmp     eax,0FFFFFFFFh
00893f13 0f8495feffff    je      winload!CmpFindNLSData+0x19e (00893dae)
00893f19 8d4dd0          lea     ecx,[ebp-30h]
00893f1c 51              push    ecx
00893f1d 50              push    eax
00893f1e 56              push    esi
00893f1f ff5604          call    dword ptr [esi+4]
00893f22 85c0            test    eax,eax
00893f24 0f8484feffff    je      winload!CmpFindNLSData+0x19e (00893dae)
00893f2a 8b5508          mov     edx,dword ptr [ebp+8]
00893f2d 8d4dc0          lea     ecx,[ebp-40h]
00893f30 51              push    ecx
00893f31 8d4df8          lea     ecx,[ebp-8]
00893f34 51              push    ecx
00893f35 50              push    eax
00893f36 8bce            mov     ecx,esi
00893f38 e8c1320000      call    winload!CmpValueToData (008971fe)
00893f3d 894704          mov     dword ptr [edi+4],eax     ; second stack arg: +4 = CmpValueToData result
00893f40 85c0            test    eax,eax
00893f42 7408            je      winload!CmpFindNLSData+0x33c (00893f4c)
00893f44 8d45c0          lea     eax,[ebp-40h]
00893f47 50              push    eax
00893f48 56              push    esi
00893f49 ff5608          call    dword ptr [esi+8]
00893f4c 8d45d0          lea     eax,[ebp-30h]
00893f4f 50              push    eax
00893f50 56              push    esi
00893f51 ff5608          call    dword ptr [esi+8]
00893f54 33c9            xor     ecx,ecx
00893f56 394f04          cmp     dword ptr [edi+4],ecx     ; NULL -> failure
00893f59 0f844ffeffff    je      winload!CmpFindNLSData+0x19e (00893dae)
00893f5f 8b45f8          mov     eax,dword ptr [ebp-8]
00893f62 66894702        mov     word ptr [edi+2],ax       ; second stack arg: +2 and +0 = low word of [ebp-8]
00893f66 668907          mov     word ptr [edi],ax
00893f69 394de8          cmp     dword ptr [ebp-18h],ecx   ; did the first data start with 36h ?
00893f6c 7412            je      winload!CmpFindNLSData+0x370 (00893f80)   ; no -> keep both results
00893f6e eb02            jmp     winload!CmpFindNLSData+0x362 (00893f72)
; Reached when either data started with 36h: clear +4 and the first word of both output structs.
00893f70 33c9            xor     ecx,ecx
00893f72 33c0            xor     eax,eax
00893f74 894b04          mov     dword ptr [ebx+4],ecx
00893f77 668903          mov     word ptr [ebx],ax
00893f7a 894f04          mov     dword ptr [edi+4],ecx
00893f7d 668907          mov     word ptr [edi],ax
00893f80 8b4d10          mov     ecx,dword ptr [ebp+10h]   ; ecx = third stack arg
00893f83 b001            mov     al,1                      ; return value = 1
00893f85 6a14            push    14h
00893f87 5a              pop     edx                       ; edx = 14h
00893f88 c741044c1a8e00  mov     dword ptr [ecx+4],offset winload!`string' (008e1a4c)   ; third arg: +4 = constant string, +2 and +0 = 14h
00893f8f 66895102        mov     word ptr [ecx+2],dx
00893f93 668911          mov     word ptr [ecx],dx
00893f96 e915feffff      jmp     winload!CmpFindNLSData+0x1a0 (00893db0)   ; into the common epilogue with al = 1
00893f9b cc              int     3```

3 Answers

OK, it is __fastcall, so this function takes 5 arguments: 2 in registers (ecx, edx) and 3 on the stack (at [ebp+8], [ebp+12] and [ebp+16]). As I commented, edx is used as an argument to the first indirect call, `call dword ptr [esi+4]`.

I copy-pasted the disassembly into Notepad++ and used its column editor to extract just the opcode bytes from the paste, then pasted those bytes into HxD to make a .bin:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  8B FF 55 8B EC 83 EC 40 53 56 57 8D 45 E0 8B F1  ‹ÿU‹ìƒì@SVW.Eà‹ñ
00000010  50 33 DB 89 75 EC 83 CF FF 89 5D CC 52 56 89 7D  P3Û‰uìƒÏÿ‰]ÌRV‰}
00000020  C8 89 7D D0 89 5D D4 89 7D E0 89 5D E4 89 7D C0  ȉ}Љ]Ô‰}à‰]ä‰}À
00000030  89 5D C4 89 5D E8 FF 56 04 85 C0 0F 84 5D 01 00  ‰]ĉ]èÿV.…À.„]..
00000040  00 8D 4D F4 8B D0 51 68 B8 20 8E 00 8B CE E8 69  ..Mô‹ÐQh¸ Ž.‹Îèi
00000050  51 00 00 8D 45 E0 50 56 FF 56 08 39 7D F4 0F 84  Q...EàPVÿV.9}ô.„
00000060  3A 01 00 00 8D 45 E0 50 FF 75 F4 56 FF 56 04 85  :....EàPÿuôVÿV.…
00000070  C0 0F 84 27 01 00 00 8D 4D F4 8B D0 51 68 F8 20  À.„'....Mô‹ÐQhø 
00000080  8E 00 8B CE E8 33 51 00 00 8D 45 E0 50 56 FF 56  Ž.‹Îè3Q...EàPVÿV
00000090  08 39 7D F4 0F 84 04 01 00 00 8D 45 E0 50 FF 75  .9}ô.„.....EàPÿu
000000A0  F4 56 FF 56 04 85 C0 0F 84 F1 00 00 00 8D 4D F4  ôVÿV.…À.„ñ....Mô
000000B0  8B D0 51 68 08 21 8E 00 8B CE E8 FD 50 00 00 8D  ‹ÐQh.!Ž.‹ÎèýP...
000000C0  45 E0 50 56 FF 56 08 39 7D F4 0F 84 CE 00 00 00  EàPVÿV.9}ô.„Î...
000000D0  8D 45 E0 50 FF 75 F4 56 FF 56 04 85 C0 0F 84 BB  .EàPÿuôVÿV.…À.„»
000000E0  00 00 00 68 70 22 8E 00 8B D0 8B CE E8 85 33 00  ...hp"Ž.‹Ð‹Îè…3.
000000F0  00 8B F8 8D 45 E0 50 56 FF 56 08 83 FF FF 0F 84  .‹ø.EàPVÿV.ƒÿÿ.„
00000100  9A 00 00 00 8D 45 D0 50 57 56 FF 56 04 85 C0 0F  š....EÐPWVÿV.…À.
00000110  84 89 00 00 00 8D 4D C8 8B D7 51 8D 4D F8 51 50  „‰....MÈ‹×Q.MøQP
00000120  8B CE E8 C7 34 00 00 8B F8 8D 45 D0 50 56 89 7D  ‹ÎèÇ4..‹ø.EÐPV‰}
00000130  DC FF 56 08 85 FF 74 66 8B 55 F8 33 C9 33 C0 66  ÜÿV.…ÿtf‹Uø3É3Àf
00000140  89 55 DA 66 89 4D D8 C7 45 F0 02 00 00 00 66 3B  ‰UÚf‰MØÇEð....f;
00000150  C2 73 1D 8B 75 F0 0F B7 C1 D1 E8 66 39 1C 47 74  Âs.‹uð.·ÁÑèf9.Gt
00000160  0C 66 03 CE 66 89 4D D8 66 3B CA 72 E9 8B 75 EC  .f.Îf‰MØf;Êré‹uì
00000170  8B 5D 08 6A 36 58 66 39 07 75 0C C7 45 E8 01 00  ‹].j6Xf9.u.ÇEè..
00000180  00 00 E9 92 00 00 00 8D 45 E0 50 FF 75 F4 56 FF  ..é’....EàPÿuôVÿ
00000190  56 04 85 C0 75 13 8D 45 C8 50 56 FF 56 08 32 C0  V.…Àu..EÈPVÿV.2À
000001A0  5F 5E 5B 8B E5 5D C2 0C 00 8D 4D D8 8B D0 51 8B  _^[‹å]Â...MØ‹ÐQ‹
000001B0  CE E8 C0 32 00 00 8B F8 8D 45 C8 50 56 FF 56 08  ÎèÀ2..‹ø.EÈPVÿV.
000001C0  33 C0 89 45 DC 8D 45 E0 50 56 FF 56 08 83 FF FF  3À‰EÜ.EàPVÿV.ƒÿÿ
000001D0  74 CC 8D 45 D0 50 57 56 FF 56 04 85 C0 74 BF 8D  tÌ.EÐPWVÿV.…Àt¿.
000001E0  4D C0 8B D7 51 8D 4D F8 51 50 8B CE E8 FD 33 00  MÀ‹×Q.MøQP‹Îèý3.
000001F0  00 89 43 04 85 C0 74 08 8D 45 C0 50 56 FF 56 08  .‰C.…Àt..EÀPVÿV.
00000200  8D 45 D0 50 56 FF 56 08 33 C0 39 43 04 74 8F 8B  .EÐPVÿV.3À9C.t.‹
00000210  45 F8 66 89 43 02 66 89 03 8D 45 E0 50 FF 75 F4  Eøf‰C.f‰..EàPÿuô
00000220  56 FF 56 04 85 C0 0F 84 72 FF FF FF 68 48 22 8E  VÿV.…À.„rÿÿÿhH"Ž
00000230  00 8B D0 8B CE E8 3C 32 00 00 8B F8 8D 45 E0 50  .‹Ð‹Îè<2..‹ø.EàP
00000240  56 FF 56 08 83 FF FF 0F 84 51 FF FF FF 8D 45 D0  VÿV.ƒÿÿ.„Qÿÿÿ.EÐ
00000250  50 57 56 FF 56 04 85 C0 0F 84 40 FF FF FF 8D 4D  PWVÿV.…À.„@ÿÿÿ.M
00000260  C8 8B D7 51 8D 4D F8 51 50 8B CE E8 7E 33 00 00  È‹×Q.MøQP‹Îè~3..
00000270  8B F8 8D 45 D0 50 56 89 7D DC FF 56 08 85 FF 0F  ‹ø.EÐPV‰}ÜÿV.…ÿ.
00000280  84 19 FF FF FF 8B 55 F8 33 C9 33 C0 66 89 55 DA  „.ÿÿÿ‹Uø3É3Àf‰UÚ
00000290  66 89 4D D8 66 3B C2 73 22 8B 75 F0 33 DB 0F B7  f‰MØf;Âs"‹uð3Û.·
000002A0  C1 D1 E8 66 39 1C 47 74 0C 66 03 CE 66 89 4D D8  ÁÑèf9.Gt.f.Îf‰MØ
000002B0  66 3B CA 72 E9 8B 75 EC 8B 5D 08 6A 36 58 66 39  f;Êré‹uì‹].j6Xf9
000002C0  07 8B 7D 0C 0F 84 96 00 00 00 8D 45 E0 50 FF 75  .‹}..„–....EàPÿu
000002D0  F4 56 FF 56 04 85 C0 0F 84 B9 FE FF FF 8D 4D D8  ôVÿV.…À.„¹þÿÿ.MØ
000002E0  8B D0 51 8B CE E8 8C 31 00 00 89 45 08 8D 45 C8  ‹ÐQ‹ÎèŒ1..‰E..EÈ
000002F0  50 56 FF 56 08 8D 45 E0 50 56 FF 56 08 8B 45 08  PVÿV..EàPVÿV.‹E.
00000300  83 F8 FF 0F 84 95 FE FF FF 8D 4D D0 51 50 56 FF  ƒøÿ.„•þÿÿ.MÐQPVÿ
00000310  56 04 85 C0 0F 84 84 FE FF FF 8B 55 08 8D 4D C0  V.…À.„„þÿÿ‹U..MÀ
00000320  51 8D 4D F8 51 50 8B CE E8 C1 32 00 00 89 47 04  Q.MøQP‹ÎèÁ2..‰G.
00000330  85 C0 74 08 8D 45 C0 50 56 FF 56 08 8D 45 D0 50  …Àt..EÀPVÿV..EÐP
00000340  56 FF 56 08 33 C9 39 4F 04 0F 84 4F FE FF FF 8B  VÿV.3É9O..„Oþÿÿ‹
00000350  45 F8 66 89 47 02 66 89 07 39 4D E8 74 12 EB 02  Eøf‰G.f‰.9Mèt.ë.
00000360  33 C9 33 C0 89 4B 04 66 89 03 89 4F 04 66 89 07  3É3À‰K.f‰.‰O.f‰.
00000370  8B 4D 10 B0 01 6A 14 5A C7 41 04 4C 1A 8E 00 66  ‹M.°.j.ZÇA.L.Ž.f
00000380  89 51 02 66 89 11 E9 15 FE FF FF CC              ‰Q.f‰.é.þÿÿÌ

I loaded the .bin as raw x86 little-endian code at base 0x893c10, added a few structs and overrode the function declarations, and a passable pseudocode emerged, shown below:

// Decompiler output for winload!CmpFindNLSData, produced from the raw bytes above loaded at 0x893c10.
// Calling convention recovered from the disassembly: ecx = MyHive, edx = index, then three stack
// dwords ([ebp+8], [ebp+0Ch], [ebp+10h]) = ACP_NSL, OEMHAL, DEFINTL; `ret 0Ch` pops them.
// The raw image only spans 0x893c10..0x893f9b, so the helpers at 0x898dcc / 0x897086 / 0x8971fe
// cannot be resolved here; the disassembly names them CmpFindSubKeyByNameWithStatus,
// CmpFindValueByName and CmpValueToData.
// NOTE(review): before each of those three calls the disassembly also loads ecx=esi (hive) and
// edx=<cell/value index>, and the [esi+4] calls push three stack arguments, yet the decompiled
// func_0x00897086 / func_0x008971fe / GetCellRoutine calls show fewer parameters — presumably
// no prototype override was supplied for them. Confirm the arity before trusting these calls.
bool __fastcall
CmpFindNLSData(_HHIVE32 *MyHive,ulong *index,UNICODE_STRING *ACP_NSL,UNICODE_STRING *OEMHAL,
              UNICODE_STRING *DEFINTL)

{
  bool bVar1;                 // set when the first value's data starts with 0x36; tested near the end
  ulong *indx;
  ulong uVar2;
  short *psVar3;              // data pointer returned by CmpValueToData (edi in the disassembly)
  PWSTR pWVar4;
  uint uVar5;                 // byte offset while scanning the value data
  ulong local_44;             // [ebp-40h] in the disassembly
  ulong local_3c;             // [ebp-38h]
  ulong local_34;             // [ebp-30h]
  ushort local_2c [2];        // [ebp-28h], [ebp-26h]: scan offset and data length
  short *local_28;            // [ebp-24h]; with local_2c this is laid out like {Length, MaximumLength, Buffer}
  ulong local_24;             // [ebp-20h]
  ulong local_10;             // [ebp-0Ch]: out-param of CmpFindSubKeyByNameWithStatus, 0xffffffff = not found
  USHORT local_c [4];         // [ebp-8]: length out-param of CmpValueToData
  
  local_3c = 0xffffffff;
  local_34 = 0xffffffff;
  local_24 = 0xffffffff;
  local_44 = 0xffffffff;
  bVar1 = false;
  // Disassembly 00893c46: call [esi+4] with (esi, edx, &[ebp-20h]); the third argument is not shown here.
  indx = (*MyHive->GetCellRoutine)(MyHive,index);
  if (indx == (ulong *)0x0) {
    return false;
  }
  func_0x00898dcc(MyHive,indx,(UNICODE_STRING *)0x8e20b8,&local_10);   // CmpFindSubKeyByNameWithStatus, CmpControlString
  (*MyHive->ReleaseCellRoutine)(MyHive,(ulong)&local_24);
  if (local_10 == 0xffffffff) {
    return false;
  }
  indx = (ulong *)(*MyHive->GetCellRoutine)(MyHive,(ulong *)local_10);
  if (indx == (ulong *)0x0) {
    return false;
  }
  func_0x00898dcc(MyHive,indx,(UNICODE_STRING *)0x8e20f8,&local_10);   // CmpNlsString
  (*MyHive->ReleaseCellRoutine)(MyHive,(ulong)&local_24);
  if (local_10 == 0xffffffff) {
    return false;
  }
  indx = (ulong *)(*MyHive->GetCellRoutine)(MyHive,(ulong *)local_10);
  if (indx == (ulong *)0x0) {
    return false;
  }
  func_0x00898dcc(MyHive,indx,(UNICODE_STRING *)0x8e2108,&local_10);   // CmpCodePageString
  (*MyHive->ReleaseCellRoutine)(MyHive,(ulong)&local_24);
  if (local_10 == 0xffffffff) {
    return false;
  }
  uVar2 = (*MyHive->GetCellRoutine)(MyHive,(ulong *)local_10);
  if (uVar2 == 0) {
    return false;
  }
  // CmpFindValueByName with CmpAcpString; disassembly 00893cf8-00893cfc also sets edx=uVar2, ecx=MyHive.
  indx = (ulong *)func_0x00897086(0x8e2270);
  (*MyHive->ReleaseCellRoutine)(MyHive,(ulong)&local_24);
  if (indx == (ulong *)0xffffffff) {
    return false;
  }
  uVar2 = (*MyHive->GetCellRoutine)(MyHive,indx);
  if (uVar2 == 0) {
    return false;
  }
  // CmpValueToData; disassembly 00893d28/00893d30 also sets edx=indx, ecx=MyHive. local_c receives a length.
  psVar3 = (short *)func_0x008971fe(uVar2,local_c,&local_3c);
  local_28 = psVar3;
  (*MyHive->ReleaseCellRoutine)(MyHive,(ulong)&local_34);
  if (psVar3 == (short *)0x0) {
    return false;
  }
  // Scan the data for a zero 16-bit word, 2 bytes per step (the `mov dword ptr [ebp-10h],2`
  // in the disassembly), stopping at local_c[0] bytes. Each read is 2 bytes at an offset strictly
  // below local_c[0]; if that length can be odd the last read crosses it by one byte — TODO confirm.
  uVar5 = 0;
  local_2c[0] = 0;
  if (local_c[0] != 0) {
    do {
      if (*(short *)((int)psVar3 + uVar5) == 0) break;
      local_2c[0] = (short)uVar5 + 2;
      uVar5 = (uint)local_2c[0];
    } while (local_2c[0] < local_c[0]);
  }
  // *psVar3 is read even when local_c[0] == 0. 0x36 is the UTF-16 code unit for '6'.
  if (*psVar3 == 0x36) {
    bVar1 = true;
  }
  else {
    uVar2 = (*MyHive->GetCellRoutine)(MyHive,(ulong *)local_10);
    if (uVar2 == 0) goto LAB_00893da6;
    // CmpFindValueByName with &local_2c: {scan offset, local_c[0], psVar3} used as a name — UNICODE_STRING-like; confirm.
    indx = (ulong *)func_0x00897086(local_2c);
    (*MyHive->ReleaseCellRoutine)(MyHive,(ulong)&local_3c);
    local_28 = (short *)0x0;
    (*MyHive->ReleaseCellRoutine)(MyHive,(ulong)&local_24);
    if (indx == (ulong *)0xffffffff) {
      return false;
    }
    uVar2 = (*MyHive->GetCellRoutine)(MyHive,indx);
    if (uVar2 == 0) {
      return false;
    }
    pWVar4 = (PWSTR)func_0x008971fe(uVar2,local_c,&local_44);
    ACP_NSL->Buffer = pWVar4;
    // NOTE(review): ACP_NSL->Buffer keeps pointing at the data after ReleaseCellRoutine(&local_44);
    // whether that release invalidates the mapping is not visible in this listing — confirm.
    if (pWVar4 != (PWSTR)0x0) {
      (*MyHive->ReleaseCellRoutine)(MyHive,(ulong)&local_44);
    }
    (*MyHive->ReleaseCellRoutine)(MyHive,(ulong)&local_34);
    if (ACP_NSL->Buffer == (PWSTR)0x0) {
      return false;
    }
    ACP_NSL->MaximumLength = local_c[0];
    ACP_NSL->Length = local_c[0];
  }
  // Second pass: the same sequence with CmpOemCpString, filling OEMHAL instead of ACP_NSL.
  uVar2 = (*MyHive->GetCellRoutine)(MyHive,(ulong *)local_10);
  if (uVar2 == 0) {
    return false;
  }
  indx = (ulong *)func_0x00897086(0x8e2248);
  (*MyHive->ReleaseCellRoutine)(MyHive,(ulong)&local_24);
  if (indx == (ulong *)0xffffffff) {
    return false;
  }
  uVar2 = (*MyHive->GetCellRoutine)(MyHive,indx);
  if (uVar2 == 0) {
    return false;
  }
  psVar3 = (short *)func_0x008971fe(uVar2,local_c,&local_3c);
  local_28 = psVar3;
  (*MyHive->ReleaseCellRoutine)(MyHive,(ulong)&local_34);
  if (psVar3 == (short *)0x0) {
    return false;
  }
  uVar5 = 0;
  local_2c[0] = 0;
  if (local_c[0] != 0) {
    do {
      if (*(short *)((int)psVar3 + uVar5) == 0) break;
      local_2c[0] = (short)uVar5 + 2;
      uVar5 = (uint)local_2c[0];
    } while (local_2c[0] < local_c[0]);
  }
  if (*psVar3 != 0x36) {
    uVar2 = (*MyHive->GetCellRoutine)(MyHive,(ulong *)local_10);
    if (uVar2 == 0) {
LAB_00893da6:
      // Shared failure path (disassembly 00893da6): release local_3c before returning.
      (*MyHive->ReleaseCellRoutine)(MyHive,(ulong)&local_3c);
      return false;
    }
    indx = (ulong *)func_0x00897086(local_2c);
    (*MyHive->ReleaseCellRoutine)(MyHive,(ulong)&local_3c);
    (*MyHive->ReleaseCellRoutine)(MyHive,(ulong)&local_24);
    if (indx == (ulong *)0xffffffff) {
      return false;
    }
    uVar2 = (*MyHive->GetCellRoutine)(MyHive,indx);
    if (uVar2 == 0) {
      return false;
    }
    pWVar4 = (PWSTR)func_0x008971fe(uVar2,local_c,&local_44);
    OEMHAL->Buffer = pWVar4;
    if (pWVar4 != (PWSTR)0x0) {
      (*MyHive->ReleaseCellRoutine)(MyHive,(ulong)&local_44);
    }
    (*MyHive->ReleaseCellRoutine)(MyHive,(ulong)&local_34);
    if (OEMHAL->Buffer == (PWSTR)0x0) {
      return false;
    }
    OEMHAL->MaximumLength = local_c[0];
    OEMHAL->Length = local_c[0];
    if (!bVar1) goto LAB_00893f80;
  }
  // Reached when the second value's data starts with 0x36, or the first one did (bVar1):
  // both output strings are emptied and only DEFINTL is returned.
  ACP_NSL->Buffer = (PWSTR)0x0;
  ACP_NSL->Length = 0;
  OEMHAL->Buffer = (PWSTR)0x0;
  OEMHAL->Length = 0;
LAB_00893f80:
  // Always set: winload!`string' at 0x8e1a4c with Length = MaximumLength = 0x14 bytes.
  DEFINTL->Buffer = (PWSTR)0x8e1a4c;
  DEFINTL->MaximumLength = 0x14;
  DEFINTL->Length = 0x14;
  return true;
}

Correct answer by blabb on January 9, 2021

Typically, a register's value being used in a function before the function has initialized it is a hint that the register may be a parameter.

Here we see ecx being used for the first time in this function:

00893c1e 8bf1            mov     esi,ecx

There are a few different standard calling conventions that pass parameters in the ecx register such as fastcall. C++ compilers also can use thiscall calling convention, which passes the this pointer of an object to the function via the ecx register. Later on we see this:

00893cfa 8bce            mov     ecx,esi
00893cfc e885330000      call    winload!CmpFindValueByName (00897086)

The same value is placed back in ecx before calling another function. It is highly likely that ecx is being used to pass a parameter to these functions.

Answered by Shane Reilly on January 9, 2021

To determine whether a function uses some registers as parameters, find the call references to the function, then check whether, just before each call, those registers are loaded from other operands, and whether the function later uses those values.

Answered by Minh-Triet Pham Tran on January 9, 2021
