ASM Community

push edx [color=green]; lstrcpy will mess up edx so we perserve it[/color]

invoke lstrcpy, pszDestination, ecx

pop edx [color=green]; restore edx[/color]

invoke lstrcat, pszDestination, edx [color=green]; notice we use lstrcat, not lstrcpy[/color]

invoke lstrcpy, edx, ecx

    mov   edi, ecx ; load destination register with pointer to destination string

    mov   esi, edx ; load source register with pointer to source string

@@: lodsb          ; copy byte pointed to by esi to al, and increment esi

    stosb          ; copy al to byte pointed to by edi, and increment edi

    test  al,al    ; did we just copy a null char?

    jnz   @B       ; if not copy the next char

This is how I look at it...



For explanation purposes im using the string [color=blue]"?ou", 0[/color] (you'll see why i used that strange character later)



Basically the function is loading 4 bytes of a string into a register... so in that register the data looks like this...



eax = 00[b]75[/b]6F[b]FF[/b]

       ^ ^ ^ ^

       0 u o ?



Now we need to determine if a null character is in the register (in this case there is)



First thing we do is subtract 1 from each character code.



eax = 00756FFF

     -01010101

     ---------

     =FF746EFE

       ^     ^

       |-----|--bit 8 set for the null char and ?



What does this accomplish? Well if the character code is any number between 81h - 0h then bit 8 will be set... 

here is a breakout



80h - 1 = 7F = [color=red]0[/color]111 1111 <-- bit 8 not set for numbers below 81h

81h - 1 = 80 = [color=red]1[/color]000 0000

82h - 1 = 81 = [color=red]1[/color]000 0001

etc...

FFh - 1 = FE = [color=red]1[/color]111 1110

00h - 1 = FF = [color=red]1[/color]111 1111 <-- this case is whats special, if char = 0 then bit 8 = set

01h - 1 = 00 = [color=red]0[/color]000 0000 <-- bit 8 not set for numbers above 0



Now we can test for bit 8 and determine if any of the characters were 81h - 0h, but thats not enough. We need 

to be able to test for 0h only.



Secondly we xor what we had before with what we got aftwards.



eax = FF746EFE 

     ^00756FFF <-- org value stored in edx

     ---------

     =FF010101

       ^

       |-- bit 8 set



Ok, forget about every bit but bit 8. Remember before that if you subtract 1 from any number between 81h - 0h 

bit 8 is set? Well of the numbers 81h - 0h the only number where bit 8 is not set is the number 0...



81h = [color=red]1[/color]000 0001 <-- bit 8 set

82h = [color=red]1[/color]000 0010 <-- bit 8 set

etc...

FFh = [color=red]1[/color]111 1111 <-- bit 8 set

00h = [color=red]0[/color]000 0000 <-- bit 8 not set, special case !! only number where bit 8 is not set



So, what does xor mean? It means only keep a bit if its set on one operand and not set on the other...



1 ^ 1 = 0

1 ^ 0 = 1

0 ^ 1 = 1

0 ^ 0 = 0



Now when you put it all together...

eax - 1      = bit 8 set if character code is 81h - 0h

xor eax, edx = in edx (which is prev eax value) bit 8 is not set for character codes 0h-79h, so when you xor 

these two registers bit 8 will be different for a character code only when that character code is 0...



    

bit bit

 8   8

set not

    set

--- ---

81h

 ^

 |

00h 00h = 0 is the only number that doesn't have bit 8 set, but after subtracting 1 it does.

     ^

     |

    79h



So back to our example...



We and whatever value we come up with in eax with 80808080h (80 = 1000 0000, aka only bit 8 set)



eax = FF010101

     &80808080

     ---------

     =80000000



So you see bit 8 is set ONLY when a null character was in eax, this is because 0 is the only number where 

bit 8 is not set, but when you subtract 1 it is set.



Now the jz instruction falls through because eax is not zero.



Set up multiple examples, and then step through the code with a debugger... its a lot easier to understand 

when you actually see it happen.