
Return values

Open Rourke101 opened this issue 8 years ago • 11 comments

I used x64dbg to inspect a function and launched Snowman from there. Snowman was able to recognise the `return 1`, but why does it not recognise the alternative `return 0`?

; Prologue: save ESI, reserve 0x18 bytes of locals; ECX (the object pointer,
; "this" in thiscall style) is kept in ESI for the rest of the function.
XXXXXX30  56                        PUSH    ESI                                       
XXXXXX31  83 EC 18                  SUB     ESP, 18                                   
XXXXXX34  8B F1                     MOV     ESI, ECX                                  
; EDX = address of the reserved block; a 0x17-byte record is written there
; (two code/data pointers at +0/+4, a dword at +8, bytes at +C/+D, a pointer
; at +10, bytes at +14..+16) and one dword from the caller's frame is pushed.
; Presumably this is the argument block for <program.vs>.
; NOTE(review): nothing below undoes SUB ESP,18 before either RET, so the
; callee must pop this block itself (a RET 1C in vs would do it) — confirm,
; because a decompiler that does not know vs's stack cleanup misreads the
; frame from here on.
XXXXXX36  8B D4                     MOV     EDX, ESP                                  
XXXXXX38  FF 74 24 20               PUSH    DWORD PTR SS:[ESP + 20]                   
XXXXXX3C  C7 02 50 E9 18 04         MOV     DWORD PTR DS:[EDX], program.418E950       
XXXXXX42  C7 42 04 38 E9 18 04      MOV     DWORD PTR DS:[EDX + 4], program.418E938   
XXXXXX49  8B 44 24 34               MOV     EAX, DWORD PTR SS:[ESP + 34]              
XXXXXX4D  89 42 08                  MOV     DWORD PTR DS:[EDX + 8], EAX               
XXXXXX50  8A 44 24 38               MOV     AL, BYTE PTR SS:[ESP + 38]                
XXXXXX54  88 42 0C                  MOV     BYTE PTR DS:[EDX + C], AL                 
XXXXXX57  8A 44 24 39               MOV     AL, BYTE PTR SS:[ESP + 39]                
XXXXXX5B  88 42 0D                  MOV     BYTE PTR DS:[EDX + D], AL                 
XXXXXX5E  C7 42 10 40 E9 18 04      MOV     DWORD PTR DS:[EDX + 10], program.418E940  
XXXXXX65  8A 44 24 40               MOV     AL, BYTE PTR SS:[ESP + 40]                
XXXXXX69  88 42 14                  MOV     BYTE PTR DS:[EDX + 14], AL                
XXXXXX6C  8A 44 24 41               MOV     AL, BYTE PTR SS:[ESP + 41]                
XXXXXX70  88 42 15                  MOV     BYTE PTR DS:[EDX + 15], AL                
XXXXXX73  8A 44 24 42               MOV     AL, BYTE PTR SS:[ESP + 42]                
XXXXXX77  88 42 16                  MOV     BYTE PTR DS:[EDX + 16], AL                
; vs returns a byte in AL; zero -> jump to the return-0 path at XXXXXX98
; (0x83 + 0x15 = 0x98, i.e. program.1956698 is the XOR AL,AL line below).
XXXXXX7A  E8 61 00 00 00            CALL    <program.vs>                              
XXXXXX7F  84 C0                     TEST    AL, AL                                    
XXXXXX81  74 15                     JE      program.1956698                           
; Second check: one stack argument plus ECX=this; non-zero -> continue at
; XXXXXX9E (0x92 + 0x0C), zero -> fall into the return-0 path.
XXXXXX83  FF 74 24 0C               PUSH    DWORD PTR SS:[ESP + C]                    
XXXXXX87  8B CE                     MOV     ECX, ESI                                  
XXXXXX89  E8 12 0B 00 00            CALL    program.19571A0                           
XXXXXX8E  84 C0                     TEST    AL, AL                                    
XXXXXX90  75 0C                     JNE     program.195669E                           
; Return-0 path: clear EAX, store 0 into the word at this+0xC, set AL=0,
; restore ESI and return with 0x20 bytes of arguments popped.
; This is the `return 0` the issue asks about: XOR AL,AL at XXXXXX98 is the
; join point of both failing branches, followed directly by RET 20.
XXXXXX92  33 C0                     XOR     EAX, EAX                                  
XXXXXX94  66 89 46 0C               MOV     WORD PTR DS:[ESI + C], AX                 
XXXXXX98  32 C0                     XOR     AL, AL                                    
XXXXXX9A  5E                        POP     ESI                                       
XXXXXX9B  C2 20 00                  RET     20                                        
; Success path. If fun_15EFEF0 returns non-zero AND this+0x4C == 0x11,
; call program.15F0650 with the single cdecl argument 0x11 (caller pops 4).
; Both conditional jumps target XXXXXXB7 (0xA7 + 0x10 and 0xAD + 0x0A).
XXXXXX9E  E8 4D 98 C9 FF            CALL    program.15EFEF0                           
XXXXXXA3  84 C0                     TEST    AL, AL                                    
XXXXXXA5  74 10                     JE      program.19566B7                           
XXXXXXA7  83 7E 4C 11               CMP     DWORD PTR DS:[ESI + 4C], 11               
XXXXXXAB  75 0A                     JNE     program.19566B7                           
XXXXXXAD  6A 11                     PUSH    11                                        
XXXXXXAF  E8 9C 9F C9 FF            CALL    program.15F0650                           
XXXXXXB4  83 C4 04                  ADD     ESP, 4                                    
; If fun_15F02A0 returns non-zero: push this+0x4C, call 15EFD10, push its
; EAX result, call 15F0650 with those two arguments (caller pops 8).
; JE skips to XXXXXXD1 (0xC0 + 0x11).
XXXXXXB7  E8 E4 9B C9 FF            CALL    program.15F02A0                           
XXXXXXBC  84 C0                     TEST    AL, AL                                    
XXXXXXBE  74 11                     JE      program.19566D1                           
XXXXXXC0  FF 76 4C                  PUSH    DWORD PTR DS:[ESI + 4C]                   
XXXXXXC3  E8 48 96 C9 FF            CALL    program.15EFD10                           
XXXXXXC8  50                        PUSH    EAX                                       
XXXXXXC9  E8 82 9F C9 FF            CALL    program.15F0650                           
XXXXXXCE  83 C4 08                  ADD     ESP, 8                                    
; Return-1 path: AL=1, restore ESI, pop 0x20 bytes of arguments.
XXXXXXD1  B0 01                     MOV     AL, 1                                     
XXXXXXD3  5E                        POP     ESI                                       
XXXXXXD4  C2 20 00                  RET     20  
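/*
 * Layout recovered for the object passed in ECX.  The decompiler printed
 * the padding members as `int8_t[12] pad12;`, which is not C syntax; the
 * array declarators are moved after the member names so the struct compiles.
 * Offsets follow the member names (f12 at 0x0C, f76 at 0x4C), which match
 * the two accesses visible in the disassembly.
 */
struct s0 {
    int8_t pad12[12];   /* 0x00..0x0B: not referenced in the listing */
    int16_t f12;        /* 0x0C: the word cleared on the return-0 path (MOV WORD PTR [ESI+C], AX) */
    int8_t pad76[62];   /* 0x0E..0x4B: not referenced in the listing */
    int32_t f76;        /* 0x4C: compared with 0x11 and later passed to fun_15efd10 */
};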

/* Callee prototypes as the decompiler guessed them.  The first parameter
 * named `ecx` stands for the register-passed object pointer (thiscall-like);
 * the remaining ones are stack arguments.  Return types of int8_t come from
 * the callers testing only AL after each call. */

/* Called at XXXXXX7A with the stack record built in the prologue; its result
 * in AL decides the first return-0 branch.  NOTE(review): its real parameter
 * list (and whether it pops the 0x1C-byte block itself) is not visible here. */
int8_t vs();

/* Called at XXXXXX89 with ECX=this and one pushed dword; the pushed argument
 * is missing from this prototype. */
int8_t fun_19571a0(struct s0* ecx);

/* Called at XXXXXX9E; only AL is tested afterwards. */
int8_t fun_15efef0(struct s0* ecx);

/* Called twice with caller stack cleanup (ADD ESP,4 / ADD ESP,8), i.e. one
 * and two arguments respectively; the variadic prototype is the decompiler
 * reconciling those two call sites.  Whether it really reads ECX is unknown. */
void fun_15f0650(struct s0* ecx, int32_t a2, int32_t a3, ...);

/* Called at XXXXXXB7; its AL result gates the final fun_15efd10/fun_15f0650 pair. */
int8_t fun_15f02a0(struct s0* ecx);

/* Called at XXXXXXC3 with this->f76 pushed; returns EAX, which is then pushed
 * as an argument to fun_15f0650. */
int32_t fun_15efd10(struct s0* ecx, int32_t a2);

/*
 * Decompiler output for the function at XXXXXX30, kept verbatim (the
 * identifier starting with a digit and the `goto <address>` are not valid C;
 * this is what Snowman printed).
 *
 * Compared with the disassembly, the control flow is right up to the point
 * where both failing branches join at XXXXXX98: there the machine code does
 * XOR AL,AL / POP ESI / RET 20, i.e. `return 0`, while this output ends with
 * `goto 0x418e950`.  0x418e950 is the constant stored into the stack record
 * at XXXXXX3C, so the decompiler appears to have taken that stored value as
 * the return address / jump target rather than the RET that follows the
 * XOR — presumably because it could not balance the stack across the call
 * to vs (SUB ESP,18 plus the PUSH are never undone by this function).
 * Confirm against vs's own stack cleanup before treating this as a bug in
 * the decompiler's return detection alone.
 */
int8_t 2da_comprobacion(struct s0* ecx) {
    int8_t al2;
    int8_t al3;
    int8_t al4;
    int8_t al5;
    int32_t v6;
    int32_t eax7;

    /* First gate: AL result of vs (XXXXXX7A..XXXXXX81). */
    al2 = vs();
    if (al2) {
        /* Second gate: fun_19571a0 with ECX=this (XXXXXX83..XXXXXX90).
         * The pushed stack argument [ESP+C] is dropped from this call. */
        al3 = fun_19571a0(ecx);
        if (al3) {
            /* XXXXXX9E..XXXXXXAB: both conditions must hold for the call. */
            al4 = fun_15efef0(ecx);
            if (al4 && ecx->f76 == 17) {
                /* The assembly pushes a single 0x11 and pops 4 bytes; the
                 * extra arguments here (0x418e938, ecx, ...) look like the
                 * decompiler reading stale stack slots as parameters. */
                fun_15f0650(ecx, 17, 0x418e938, ecx, 17, 0x418e938);
            }
            /* XXXXXXB7..XXXXXXCE: two real arguments (f76 and the EAX result). */
            al5 = fun_15f02a0(ecx);
            if (al5) {
                v6 = ecx->f76;
                eax7 = fun_15efd10(ecx, v6);
                fun_15f0650(ecx, eax7, v6, ecx, eax7, v6);
            }
            /* MOV AL,1 / POP ESI / RET 20 at XXXXXXD1 — recognised correctly. */
            return 1;
        } else {
            /* MOV WORD PTR [ESI+C], AX with AX=0 at XXXXXX94. */
            ecx->f12 = 0;
        }
    }
    /* In the machine code this is XOR AL,AL; POP ESI; RET 20 — a `return 0`.
     * The goto target is the pointer written to [EDX] at XXXXXX3C, not a
     * branch destination that appears anywhere in the function. */
    goto 0x418e950;
}

Rourke101 avatar Feb 14 '17 09:02 Rourke101