I have this disassembled function:
; Disassembly of a 32-bit x86 Windows function (Intel/MASM-style syntax; all numbers are hex).
; RETN 14 pops 0x14 = 20 bytes, and the body reads five dword slots above EBP, so this is a
; stdcall function with five 4-byte arguments:
;   [EBP+8]  arg1 - pointer to an object with a vtable (called through [EAX+4], [ECX+37C], [ECX+8])
;   [EBP+C]  arg2 - integer; only its low 16 bits are used, sign-extended (MOVSX ESI, SI)
;   [EBP+10] arg3 - pointer to a 16-bit output (written by "MOV WORD PTR [ECX], AX")
;   [EBP+14] arg4 - pointer to a 16-bit output (written by "MOV WORD PTR [EAX], DX")
;   [EBP+18] arg5 - pointer to a 16-bit output that receives the local at [EBP-18] (0 or -1)
; The offsets are hex: the 3rd..5th args live at EBP+0x10, +0x14, +0x18 (decimal 16, 20, 24).
; Returns EAX = [EBP-4], which this code only ever sets to 0.
; Jump targets are absolute addresses from the original dump; the line each one lands on is
; inferred from the control-flow shape below and should be confirmed in the debugger.
PUSH EBP                                ; standard frame: save caller's EBP
MOV EBP, ESP                            ; EBP = frame base
SUB ESP, C                              ; 0xC bytes of locals: [EBP-4], [EBP-8], [EBP-C]
PUSH 408506                             ; handler address -> [EBP-10] (looks like the MSVC SEH prologue)
MOV EAX, DWORD PTR FS:[0]               ; FS:[0] = head of the thread's SEH handler chain
PUSH EAX                                ; previous handler record -> [EBP-14]
MOV DWORD PTR FS:[0], ESP               ; link this frame's record into the chain
SUB ESP, 14                             ; 0x14 more bytes of locals, including [EBP-18] and [EBP-1C]
PUSH EBX                                ; save callee-saved registers
PUSH ESI
PUSH EDI
MOV DWORD PTR [EBP-C], ESP              ; remember ESP for the exception handler
MOV DWORD PTR [EBP-8], 4077D8           ; constant stored in the frame (presumably the SEH scope table)
XOR EBX, EBX                            ; EBX = 0, used as a zero constant below
MOV DWORD PTR [EBP-4], EBX              ; [EBP-4] = 0; this is also what is returned in EAX at the end
MOV EDI, DWORD PTR [EBP+8]              ; EDI = arg1 (object pointer), live until the epilogue
PUSH EDI                                ; push arg1 as the only argument
MOV EAX, DWORD PTR [EDI]                ; EAX = arg1's vtable
CALL NEAR DWORD PTR [EAX+4]             ; vtable slot 1 (paired with the slot-2 call near the end)
MOV ESI, DWORD PTR [EBP+C]              ; ESI = arg2
MOV ECX, DWORD PTR [EDI]                ; ECX = vtable again (EAX may have been clobbered by the call)
LEA EDX, DWORD PTR [EBP-1C]             ; EDX = &local_1C, an out parameter for the next call
MOV DWORD PTR [EBP-18], EBX             ; local_18 = 0 (status word copied to *arg5 at the end)
PUSH EDX                                ; 3rd arg: &local_1C
PUSH ESI                                ; 2nd arg: arg2
PUSH EDI                                ; 1st arg: arg1
MOV DWORD PTR [EBP-1C], EBX             ; local_1C = 0 before the callee fills it
CALL NEAR DWORD PTR [ECX+37C]           ; vtable slot 0x37C/4 = 223: (arg1, arg2, &local_1C)
CMP WORD PTR [EBP-1C], BX               ; did the callee leave a nonzero 16-bit value in local_1C?
JE 00558206                             ; no -> skip both lookups (presumably to "MOV EAX, DWORD PTR [EBP+8]" below); local_18 stays 0
MOV EAX, DWORD PTR [EDI+D8]             ; EAX = arg1->field_D8 (pointer to a table descriptor)
CMP EAX, EBX                            ; null?
JE 0055819A                             ; null -> error path (presumably "MOV EBX, DWORD PTR [401190]" / "CALL NEAR EBX")
CMP WORD PTR [EAX], 1                   ; descriptor's first 16-bit field must be 1
JNZ 0055819A                            ; otherwise -> same error path
MOV EDX, DWORD PTR [EAX+14]             ; EDX = descriptor+0x14: base (lowest valid index)
MOV ECX, DWORD PTR [EAX+10]             ; ECX = descriptor+0x10: element count
MOV EBX, DWORD PTR [401190]             ; EBX = function pointer read from a fixed address (presumably an import-table entry)
MOVSX ESI, SI                           ; only the low 16 bits of arg2 are used, as a signed value
SUB ESI, EDX                            ; ESI = index - base
CMP ESI, ECX                            ; unsigned compare: a negative (index - base) also fails this check
JB 0055818F                             ; in range -> skip the call (presumably to the LEA below)
CALL NEAR EBX                           ; out of range -> call the routine from [401190]; execution falls through to the LEA, so it presumably does not return
LEA EAX, DWORD PTR [ESI+ESI*4]          ; EAX = ESI*5
LEA EAX, DWORD PTR [EAX+EAX*4]          ; EAX = ESI*25
SHL EAX, 5                              ; EAX = ESI*800 (0x320) = byte offset of the element
JMP 005581A2                            ; -> the "MOV ECX, DWORD PTR [EDI+D8]" load below
MOV EBX, DWORD PTR [401190]             ; error path (no descriptor / wrong type): load the same routine
CALL NEAR EBX                           ; and call it; falling through would index with a stale EAX, so presumably noreturn as well
MOV ECX, DWORD PTR [EDI+D8]             ; ECX = descriptor
MOV EDX, DWORD PTR [ECX+C]              ; EDX = descriptor+0xC: element array base
MOV ECX, DWORD PTR [EBP+10]             ; ECX = arg3 (EBP+0x10), an output pointer
MOV AX, WORD PTR [EDX+EAX+2C8]          ; AX = element[index - base].word_at_0x2C8
MOV WORD PTR [ECX], AX                  ; *arg3 = that 16-bit value
MOV EAX, DWORD PTR [EDI+D8]             ; second lookup: the same descriptor checks are repeated
TEST EAX, EAX                           ; null?
JE 005581E6                             ; -> error path ("CALL NEAR EBX" below); EBX still holds the routine
CMP WORD PTR [EAX], 1
JNZ 005581E6
MOVSX ESI, WORD PTR [EBP+C]             ; ESI = (int16)arg2 again (re-read because ESI was consumed above)
MOV EDX, DWORD PTR [EAX+14]             ; base
MOV ECX, DWORD PTR [EAX+10]             ; count
SUB ESI, EDX                            ; ESI = index - base
CMP ESI, ECX
JB 005581DB                             ; in range -> skip the call
CALL NEAR EBX                           ; out of range -> same (presumably noreturn) routine
LEA EAX, DWORD PTR [ESI+ESI*4]
LEA EAX, DWORD PTR [EAX+EAX*4]
SHL EAX, 5                              ; EAX = ESI*800 again
JMP 005581E8                            ; -> the "MOV EDX, DWORD PTR [EDI+D8]" load below
CALL NEAR EBX                           ; error path for the second lookup
MOV EDX, DWORD PTR [EDI+D8]             ; EDX = descriptor
MOV DWORD PTR [EBP-18], -1              ; local_18 = -1: both values were produced
MOV ECX, DWORD PTR [EDX+C]              ; ECX = element array base
MOV DX, WORD PTR [ECX+EAX+2CA]          ; DX = element[index - base].word_at_0x2CA (2 bytes after the first field)
MOV EAX, DWORD PTR [EBP+14]             ; EAX = arg4 (EBP+0x14), an output pointer
MOV WORD PTR [EAX], DX                  ; *arg4 = that 16-bit value
MOV EAX, DWORD PTR [EBP+8]              ; EAX = arg1 (probable target of the early JE above)
PUSH EAX                                ; push arg1
MOV ECX, DWORD PTR [EAX]                ; ECX = vtable
CALL NEAR DWORD PTR [ECX+8]             ; vtable slot 2, the counterpart of the slot-1 call at the top
MOV EDX, DWORD PTR [EBP+18]             ; EDX = arg5 (EBP+0x18), an output pointer
MOV AX, WORD PTR [EBP-18]               ; AX = low 16 bits of local_18 (0 or -1)
MOV WORD PTR [EDX], AX                  ; *arg5 = status word
MOV EAX, DWORD PTR [EBP-4]              ; return value = [EBP-4] (0 unless the handler changed it)
MOV ECX, DWORD PTR [EBP-14]             ; ECX = previous SEH record saved in the prologue
POP EDI                                 ; restore callee-saved registers (reverse order of the pushes)
POP ESI
MOV DWORD PTR FS:[0], ECX               ; unlink this frame from the handler chain
POP EBX
MOV ESP, EBP                            ; discard the frame
POP EBP
RETN 14                                 ; stdcall: callee pops 0x14 = 20 bytes = 5 dword args
I can guess that the function takes maybe 5 arguments of 4 bytes each because of the `RETN 14` (0x14 = 20, right?). Then I can also see in that disassembled code things like `EBP+8` and `EBP+C`, so I think "Oh, those are the first and second arguments". Well, right, those are the first and second arguments of the function. But I can't work out where the other ones are. I tried `EBP+16`, `EBP+20` and `EBP+24`, but the values they give me don't look like the arguments.
How should I interpret this disassembled code?
Thanks in advance.