FILD QWORD PTR [EBP-10]
"Huh? What is this? This is not the asm I know! Well, just checking the registers I might be able to figure out what it does... Now what? Nothing changes? Is it a complicated-looking NOP or what?"
Well, this is an instruction that deals with the 80x87 chip, also known as the FPU (Floating Point Unit) or the MCP (Math CoProcessor). FILD loads the 64-bit integer stored at [EBP-10], converts it to a floating point number and pushes it onto the coprocessor's own register stack, which is why none of the normal CPU registers change when you step over it. Now you'll ask (yeah - I guess I am a bit of a clairvoyant) "Why haven't I seen instructions like this before while reverse engineering?". To answer that we have to take a quick look at the history of the MCP.
Back in the old days, just before fire was discovered, there was the 80386 chip, and believe it or not, people bought computers that used it. That chip had no math coprocessor on board (you could buy an 80387 as a separate chip, but most people didn't), and partly because of that it tended to be a bit on the slow side. So when Intel gave us their new CPU, the 80486, back in 1989, one of the improvements was the integrated math coprocessor. It could have ended there with everyone living happily ever after, but Intel decided to release a less expensive (I wouldn't call it cheap) version of the chip, the 486 SX, this time without the math coprocessor. The problem was that programmers could no longer count on the user having a CPU with an integrated math coprocessor, so either they had to write their code "the old way", not using any of the new, cool MCP instructions, or they had to write two versions of their code (IF MCP present THEN execute this code, ELSE execute that code). As time went by, most new 80486 models came with the math coprocessor, and in 1993, when Intel gave us the Pentium, the coprocessor was standard. And that is why we are only now starting to see MCP instructions in programmers' code: they can be fairly sure that everyone is using a new computer with a math coprocessor (how many of you are using an old 80386 or 80486 SX to crack on???).
"Well, what's so special about the MCP then?" you ask. First of all, the normal CPU can only handle integers. But many applications want to use floating point numbers, e.g. PI=3.14 or other constants. This can be done with a method called fixed-point arithmetic, but I won't talk about that here. So here is where the MCP comes to the rescue. "Let me deal with the floating point values while you sit back and do something else," it says to the CPU. In the old days the 80x86 CPU had to deal with floating point numbers itself, using series of integer instructions. This was of course slower than normal integer calculations, and that was the main reason math coprocessors were developed. The 80x87 math coprocessor (the one Intel uses) has eight floating point registers, ST0 to ST7, organised as a stack: every load pushes a new value on top, so it becomes the new ST0 and the old ST0 becomes ST1, and most instructions work on ST0. Besides the registers, there are specialised instructions, not only for the basic arithmetic operations but also for comparisons, square roots and other operations. So the programmer can use the MCP to get much more out of his program, and as a bonus he can confuse any fresh cracker trying to figure out what the hell is going on in the code.
"Ok, I get it! But how can I see what's going on in these registers?" Once again SoftICE has the answer to all your needs. Using the magic command WF (= Floating point stack window) in SoftICE we can see all eight registers (ST0 - ST7). Note that SoftICE shows the MCP registers as decimal floating point values, not as hex!
The only thing left is to learn what all the different MCP instructions do. A good list is available at this page.
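As an added example (this is not part of Cruehead's original tutorial and does not execute real x87 instructions), here is a small C model of the 80x87 register stack and a handful of its instructions: FILD and FLD (pushes), FCOMP (compare and pop, setting the C3/C2/C0 condition bits in the status word), and the FNSTSW AX / SAHF pair that programs use to copy those bits into the normal CF/PF/ZF flags so that a plain JE, JB or JA can act on a floating point compare. The 8-byte buffers standing in for [EBP-10] and for a stored constant are constructed inline, and `compare_int_to_double` is a hypothetical illustration of the kind of sequence you will meet right after a FILD, not code taken from any real program.

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FPU_DEPTH 8

/* Model of the 80x87 register stack: st[0] is ST0 (top of stack), st[7] is ST7.
 * Real hardware keeps a TOP pointer in the status word and rotates through the
 * physical registers; shifting the array gives the same view the WF window shows. */
typedef struct {
    long double st[FPU_DEPTH];
    int depth;        /* number of valid entries */
    uint16_t status;  /* status word: C0 = bit 8, C2 = bit 10, C3 = bit 14 */
} fpu_t;

#define C0 (1u << 8)
#define C2 (1u << 10)
#define C3 (1u << 14)

static void fpu_init(fpu_t *f) { memset(f, 0, sizeof *f); }

/* Every FLD/FILD is a push: the old ST0 becomes ST1, ST1 becomes ST2, and so on. */
static void fpu_push(fpu_t *f, long double v) {
    for (int i = FPU_DEPTH - 1; i > 0; i--) f->st[i] = f->st[i - 1];
    f->st[0] = v;
    if (f->depth < FPU_DEPTH) f->depth++;  /* a real x87 raises a stack fault on overflow */
}

static long double fpu_pop(fpu_t *f) {
    long double top = f->st[0];
    for (int i = 0; i < FPU_DEPTH - 1; i++) f->st[i] = f->st[i + 1];
    f->st[FPU_DEPTH - 1] = 0;
    if (f->depth > 0) f->depth--;
    return top;
}

/* FILD QWORD PTR [mem]: read a signed 64-bit integer from memory and push it as a
 * float. This is what the instruction at the top of the page does with [EBP-10]. */
static void fild_qword(fpu_t *f, const uint8_t mem[8]) {
    int64_t v;
    memcpy(&v, mem, sizeof v);
    fpu_push(f, (long double)v);
}

/* FLD QWORD PTR [mem]: push a 64-bit double from memory. */
static void fld_qword(fpu_t *f, const uint8_t mem[8]) {
    double d;
    memcpy(&d, mem, sizeof d);
    fpu_push(f, (long double)d);
}

/* FCOMP QWORD PTR [mem]: compare ST0 with a double in memory, set C3/C2/C0, pop ST0.
 * ST0 > src: C3 C2 C0 = 0 0 0 ; ST0 < src: 0 0 1 ; ST0 == src: 1 0 0 ; unordered: 1 1 1 */
static void fcomp_qword(fpu_t *f, const uint8_t mem[8]) {
    double src;
    memcpy(&src, mem, sizeof src);
    long double a = f->st[0];
    f->status &= (uint16_t)~(C0 | C2 | C3);
    if (a != a || src != src)  f->status |= C0 | C2 | C3;  /* a NaN is involved */
    else if (a < src)          f->status |= C0;
    else if (a == src)         f->status |= C3;
    fpu_pop(f);
}

/* FNSTSW AX ; SAHF: AH gets the high byte of the status word, then SAHF copies
 * AH bit 0 -> CF (was C0), bit 2 -> PF (was C2), bit 6 -> ZF (was C3).
 * After this, JE / JB / JA test the float compare like an unsigned integer compare. */
typedef struct { int cf, pf, zf; } eflags_t;

static eflags_t fnstsw_sahf(const fpu_t *f) {
    uint8_t ah = (uint8_t)(f->status >> 8);
    eflags_t e = { ah & 1, (ah >> 2) & 1, (ah >> 6) & 1 };
    return e;
}

/* Hypothetical sequence:  FILD QWORD PTR [n] ; FCOMP QWORD PTR [limit] ; FNSTSW AX ; SAHF
 * Returns 0 when JE would be taken, -1 for JB, 1 for JA, 2 for an unordered compare. */
static int compare_int_to_double(int64_t n, double limit) {
    fpu_t f;
    uint8_t n_mem[8], limit_mem[8];
    memcpy(n_mem, &n, 8);          /* constructed stand-ins for two memory slots */
    memcpy(limit_mem, &limit, 8);
    fpu_init(&f);
    fild_qword(&f, n_mem);
    fcomp_qword(&f, limit_mem);
    eflags_t e = fnstsw_sahf(&f);
    if (e.pf && e.zf && e.cf) return 2;  /* all three set only when unordered */
    if (e.zf) return 0;
    if (e.cf) return -1;
    return 1;
}

/* Returns ST(i) after an integer has been FILD'ed on top of a double, showing the
 * push order you would see in the WF window (ST0 = newest, ST1 = the one before). */
static long double st_after_fild_over_fld(int64_t n, double d, int i) {
    fpu_t f;
    uint8_t n_mem[8], d_mem[8];
    memcpy(n_mem, &n, 8);
    memcpy(d_mem, &d, 8);
    fpu_init(&f);
    fld_qword(&f, d_mem);   /* ST0 = d */
    fild_qword(&f, n_mem);  /* ST0 = n, ST1 = d */
    return f.st[i];
}

int main(void) {
    printf("ST0 = %Lf, ST1 = %Lf\n", st_after_fild_over_fld(1998, 3.14, 0),
           st_after_fild_over_fld(1998, 3.14, 1));
    printf("cmp(5, 5.0) = %d  cmp(3, 4.5) = %d  cmp(10, 2.25) = %d\n",
           compare_int_to_double(5, 5.0), compare_int_to_double(3, 4.5),
           compare_int_to_double(10, 2.25));
    return 0;
}
```

The practical lesson for reading such code in SoftICE: after a FILD the value you are interested in is in ST0, and after the FNSTSW AX / SAHF pair the result of the floating point compare is sitting in the ordinary flags, so the conditional jump that follows can be read (or patched) exactly like one after an integer CMP.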
Well, that's it for now! As usual, if you want to ask me something, my email is cruehead_@hotmail.com.
Cruehead / MiB'98
Copyright © MiB 1998. All rights reversed