Tuts 4 You
kb432

compare with unknown value malware disassembly ?

kb432

1)

cmp dword_4298B8, eax
jnz short loc_xxxx

dword_4298B8 is initialized as "dd ? "

then how to compare with eax?
dword_4298B8 --->  dd ?

 

2)
Can you give me an example of an array, and of accessing it and allocating it in ASM, when I do reverse engineering?
Thanks
 

3) 

mov WORD PTR [ebx], 2

WHAT IS THIS ABOVE "WORD PTR"  ? 

evlncrn8

dword is initialized as dd ? which means it's uninitialised memory, filled at runtime by something

cmp dword ptr [0x12345678], eax would be such a comparison

DWORD ptr points to a dword, so the comparison is dword

WORD ptr points to a word, so the comparison is word

BYTE ptr points to a byte, so the comparison is a byte

there are others like qword ptr, tbyte ptr and so on... this is pretty much asm 101 though, so I'd suggest you go read some asm books
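Added example, not part of either post: a C model of the three things asked about in this thread (a `dd ?` global filled at run time and then compared, an uninitialised dword array, and how `WORD PTR` versus `DWORD PTR` decides the number of bytes written). The names `g_expected` and `g_table` are hypothetical, and the assembly in the comments is the typical 32-bit x86 shape, not output from any specific binary.

```c
#include <stdint.h>
#include <stdio.h>

/* Uninitialised globals live in .bss: the file stores no value for them,
   so a disassembler lists them as "dd ?". The loader zero-fills them and
   code writes the real value at run time. */
static uint32_t g_expected;   /* hypothetical stand-in for dword_4298B8 */
static uint32_t g_table[4];   /* array of 4 dwords, listed as "dd 4 dup(?)" */

/* mov g_expected, eax : some earlier routine fills the variable. */
void init_expected(uint32_t eax) { g_expected = eax; }

/* cmp g_expected, eax / jnz ... : returns 1 when the jnz is NOT taken. */
int matches_expected(uint32_t eax) { return g_expected == eax; }

/* mov g_table[ecx*4], eax and mov eax, g_table[ecx*4] :
   element address = base + index * 4 (the element size). */
void table_set(uint32_t ecx, uint32_t eax) { g_table[ecx & 3] = eax; }
uint32_t table_get(uint32_t ecx) { return g_table[ecx & 3]; }

/* mov WORD PTR [ebx], v : exactly 2 bytes are written, little-endian. */
void store_word(uint8_t *ebx, uint16_t v)
{
    ebx[0] = (uint8_t)(v & 0xFF);
    ebx[1] = (uint8_t)(v >> 8);
}

/* mov DWORD PTR [ebx], v : 4 bytes are written at the same address. */
void store_dword(uint8_t *ebx, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        ebx[i] = (uint8_t)(v >> (8 * i));
}

/* mov eax, DWORD PTR [ebx] : read 4 bytes back as one little-endian value. */
uint32_t load_dword(const uint8_t *ebx)
{
    return (uint32_t)ebx[0] | (uint32_t)ebx[1] << 8 |
           (uint32_t)ebx[2] << 16 | (uint32_t)ebx[3] << 24;
}

/* A word store into a dword slot leaves the upper two bytes untouched. */
uint32_t word_store_demo(void)
{
    uint8_t mem[4];
    store_dword(mem, 0xAABBCCDDu);
    store_word(mem, 2);
    return load_dword(mem);
}

int main(void) { printf("%08X\n", (unsigned)word_store_demo()); return 0; }
```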
