Clever Geek Handbook

HexRays - what is the purpose of __OFSUB __ ()?

In the following decompiled function using Ida pro Hex rays:

int sub_409650()
{
  int v0; // ecx@1
  int result; // eax@1
  bool v2; // zf@1
  bool v3; // sf@1
  unsigned __int8 v4; // of@1
  unsigned __int16 v5; // cx@2
  unsigned int v6; // ecx@2

  v0 = gS1_dword_62EEA8 & 7;
  result = gS1_dword_62EEA8 - v0;
  v4 = __OFSUB__(gS1_dword_62EEA8 - v0, 16);
  v2 = gS1_dword_62EEA8 - v0 == 16;
  v3 = gS1_dword_62EEA8 - v0 - 16 < 0;
  gS1_dword_62EEA8 -= v0;
  gs2_dword_62EFB4 >>= v0;
  if ( (unsigned __int8)(v3 ^ v4) | v2 )
  {
    v5 = *dword_62EFB0;
    ++dword_62EFB0;
    v6 = (v5 << result) | gs2_dword_62EFB4;
    result += 16;
    gs2_dword_62EFB4 = v6;
    gS1_dword_62EEA8 = result;
  }
  return result;
}

It calls __OFSUB__

, but what does it do? I figured it was due to overflow, but if so then why is it not a condition:

// Checking if subtracting v0 is 16 or negative?
if ( v3 | v2 )

Update: raw asm (some things have been renamed now):

.text:00409650 sub_409650 proc near      
.text:00409650                 mov     eax, gBitCounter_62EEA8
.text:00409655                 push    esi
.text:00409656                 mov     esi, gFirstAudioFrameDWORD_dword_62EFB4
.text:0040965C                 mov     ecx, eax
.text:0040965E                 and     ecx, 7
.text:00409661                 shr     esi, cl
.text:00409663                 sub     eax, ecx
.text:00409665                 cmp     eax, 10h
.text:00409668                 mov     gBitCounter_62EEA8, eax
.text:0040966D                 mov     gFirstAudioFrameDWORD_dword_62EFB4, esi
.text:00409673                 jg      short loc_4096A5
.text:00409675                 mov     edx, gAudioFrameDataPtr
.text:0040967B                 xor     ecx, ecx
.text:0040967D                 mov     cx, [edx]
.text:00409680                 add     edx, 2
.text:00409683                 mov     esi, ecx
.text:00409685                 mov     ecx, eax
.text:00409687                 shl     esi, cl
.text:00409689                 mov     ecx, gFirstAudioFrameDWORD_dword_62EFB4
.text:0040968F                 mov     gAudioFrameDataPtr, edx
.text:00409695                 or      ecx, esi
.text:00409697                 add     eax, 10h
.text:0040969A                 mov     gFirstAudioFrameDWORD_dword_62EFB4, ecx
.text:004096A0                 mov     gBitCounter_62EEA8, eax
.text:004096A5
.text:004096A5 loc_4096A5:                             ; CODE XREF: sub_409650+23j
.text:004096A5                 pop     esi
.text:004096A6                 retn
.text:004096A6 sub_409650 endp
+3


source to share


1 answer


There is nothing to say about it. HexRays did a pretty bad job of decompiling these functions into something legible, but it wasn't wrong.

A quick analysis of this assembly:

mov     eax, gBitCounter_62EEA8                 ; eax = gBitCounter_62EEA8
push    esi
mov     esi, gFirstAudioFrameDWORD_dword_62EFB4 ; esi = gFirstAudioFrameDWORD_dword_62EFB4
mov     ecx, eax                                    
and     ecx, 7                              

; esi = gFirstAudioFrameDWORD_dword_62EFB4 >> (gBitCounter_62EEA8 & 7)  
; i.e, esi got shiftted by the 3 LSB of gBitCounter_62EEA8
shr     esi, cl                                 

; eax = gBitCounter_62EEA8 - (gBitCounter_62EEA8 & 7)
sub     eax, ecx    

cmp     eax, 10h

; gBitCounter_62EEA8 -= gBitCounter_62EEA8 & 7
mov     gBitCounter_62EEA8, eax                 

; gFirstAudioFrameDWORD_dword_62EFB4 >>= gBitCounter_62EEA8 & 7
mov     gFirstAudioFrameDWORD_dword_62EFB4, esi 

; if gBitCounter_62EEA8 > 0x10 { return; }
jg      short loc_4096A5            

; else... continue work
....

loc_4096A5:                             ; CODE XREF: sub_409650+23j
pop     esi
retn

A better decompilation would be:

gBitCounter_62EEA8 -= gBitCounter_62EEA8 & 7
gFirstAudioFrameDWORD_dword_62EFB4 >>= gBitCounter_62EEA8 & 7

if (gBitCounter_62EEA8 > 0x10)
{
    return;
}
else
{
    // rest of code
}

However, you may notice that HexRays overrides the condition. It generated this condition:



if ( (unsigned __int8)(
    (gBitCounter_62EEA8 - 16 < 0)  ^ 
    (__OFSUB__(gBitCounter_62EEA8 - (gBitCounter_62EEA8 & 7), 16))) // when this is actually the gBitCounter_62EEA8 var before modifications
        | 
        (gBitCounter_62EEA8 == 16) )

According to Intel's link , it jg

is executed if ZF = 0 and SF = OF

.

The condition closely reflects this:

  • Either Counter == 16

    - this means that ZF = 0

    , therefore, it is jg

    not executed

  • Or Counter < 16 XOR __OFSUB__(gBitCounter_62EEA8 - (gBitCounter_62EEA8 & 7), 16)

    , which means:

    • Counter < 16

      (let's call it A) - which means SF=1

    • __OFSUB__(gBitCounter_62EEA8 - (gBitCounter_62EEA8 & 7), 16)

      (let it call B) which means OF=1

    If A=true

    and B=false

    , it means SF=1,OF=0 => SF!=OF

    . If A=false

    u B=true

    means SF=0,OF=1 = > SF!=OF

    that means if A^B

    then SF!=OF

    , that means if A^B => jg not taken

    .

In general, if jg

not, then "the rest of the code" is executed.

Hope this helped you understand the behavior of HexRays. The decompilation was correct, but very redundant (it didn't clean up a lot of garbage so that it could), and it couldn't predict an appropriate way to define the conditions (it took the "harder" way)

+2


source






More articles:


All Articles