The preceding program copies a value from one memory location to another. At ➊, the program copies a dword value 1 into a memory address (specified by ebp-4). At ➋, the same value is copied into the eax register, which is then copied into a different memory address, ebp-8, at ➌.
The disassembled code might be difficult to understand initially, so let me break it down to make it simple. We know that in a high-level language like C, a variable that you define (for example, int val;) is just a symbolic name for a memory address (as mentioned previously). Going by that logic, let's identify the memory address references and give them a symbolic name. In the disassembled program, we have two addresses (within square brackets): ebp-4 and ebp-8. Let's label them and give them symbolic names; let's say, ebp-4 = a and ebp-8 = b. Now, the program should look like the one shown here:
mov dword ptr [a],1 ; treat it as mov [a],1
mov eax,dword ptr [a] ; treat it as mov eax,[a]
mov dword ptr [b],eax ; treat it as mov [b],eax
In a high-level language, when you assign a value to a variable, let's say val = 1, the value 1 is moved into the address represented by the val variable. In assembly, this can be represented as mov [val], 1. In other words, val = 1 in a high-level language is the same as mov [val],1 in assembly. Using this logic, the preceding program can be written into a high-level language equivalent:
a = 1
eax = a
b = eax ➍
Recall that, the registers are used by the CPU for temporary storage. So, let's replace all of the register names with their values on the right-hand side of the = sign (for example, replace eax with its value, a, at ➍). The resultant code is shown here:
a = 1
eax = a ➎
b = a
In the preceding program, the eax register is used to temporarily hold the value of a, so we can remove the entry at ➎ (that is remove the entry containing registers on the left side of the = sign). We are now left with the simplified code shown here:
a = 1
b = a
In high-level languages, variables have data types. Let's try to determine the data types of these variables: a and b. Sometimes, it is possible to determine the data type by understanding how the variables are accessed and used. From the disassembled code, we know that the dword value (4 bytes) 1 was moved into the variable a, which was then copied to b. Now that we know these variables are 4 bytes in size, it means that they could be of the type int, float, or pointer. To determine the exact data type, let's consider the following.
The variables a and b cannot be float, because, from the disassembled code, we know that eax was involved in the data transfer operation. If it was a floating point value, the floating point registers would have been used, instead of using a general purpose register such as eax.
The variables a and b cannot be a pointer in this case, because the value 1 is not a valid address. So, we can guess that a and b should be of the type int.
Based on these observations, we can now rewrite the program as follows:
int a;
int b;
a = 1;
b = a;
Now that we have solved the challenge, let's look at the original C code snippet of the disassembled output. The original C code snippet is shown as follows. Compare it with what we determined. Notice how it was possible to build a program similar to the original program (it is not always possible to get the exact C program back), and also, it's now much easier to determine the functionality of the program:
int x = 1;
int y;
y = x;
If you are disassembling a bigger program, it would be hard to label all of the memory addresses. Typically, you will use the features of the disassembler or debugger to rename memory addresses and to perform code analysis. You will learn the features offered by the disassembler and how to use it for code analysis in the next chapter. When you are dealing with bigger programs, it is a good idea to break the program into small blocks of code, translate it into some high-level language that you are familiar with, and then do the same thing for the rest of the blocks.