Learn lf2.exe from C
#1

This tutorial teaches you how to use C to understand what the assembly in lf2.exe means.
Please download the tools IDA and OllyDbg; we use these tools in this tutorial to find out what lf2.exe is doing.

Stack frame

Let's check out this function, func_417400.
At the beginning:
[Image: QrlO2jd.png]
When this function gets called, a return address is pushed onto the stack.
The return address is where to jump back to when this function is done and ready to return.
[Image: N71RC1i.png]

When sub esp,30 is executed, the stack pointer (esp) prepares the space for local variables.
[Image: JUQDQwx.png]

When mov eax,dword ptr ss:[esp+34] is executed, we get the first argument of this function and store it in the eax register.
[Image: NmmWQ5y.png]
So the definition of this function looks like:
    C-Code:
int func_417400(arg_1) {
}


When push esi is executed, we save the data in the esi register so that the code below does not ruin it.
We will use the esi register for another purpose in the code below.
[Image: A2r1M3R.png]

When mov esi,ecx is executed, we copy the this pointer into the esi register.
Because LF2 is developed with Visual C++, by convention the Visual C++ compiler uses the ecx register to pass the this pointer to the function being called.
You can regard the this pointer as the first argument of this function in C.
So the definition of this function looks like:
    C-Code:
int func_417400(this, arg_1) {
}


Code in function

Now we look this code:
[Image: E2ea7Z7.png]

The first line mov eax,dword ptr ds:[esi+eax*4+194] is a little bit complicated: this instruction uses two registers to locate the address where the data is stored.
We can translate this instruction to mov eax,dword ptr ds:[this+arg_1*4+194].
[Image: IwUrxzh.png]
From this image, we know arg_1 should be the index of an object and the this pointer should be a pointer to struct 'global', so the definition of this function becomes:
    C-Code:
int func_417400(struct global * global, uint32_t object_index) {
}


By inspecting the instruction mov eax,dword ptr ds:[this+arg_1*4+194], we know the corresponding C code:
    C-Code:
struct object * a_object = global->objects[object_index];


Using this data structure, we can understand what the code below means.

The second line mov ecx,dword ptr ds:[eax+7C] means:
    C-Code:
uint32_t frame_id = a_object->frame_id;


The third line mov edx,dword ptr ds:[eax+368] means:
    C-Code:
struct file * a_file = a_object->file;


These two lines, imul ecx,ecx,178 and lea ecx,dword ptr ds:[ecx+edx+7A4], mean:
    C-Code:
struct frame * a_frame = &a_file->frames[frame_id];


So the function should look like:
    C-Code:
int func_417400(struct global * global, uint32_t object_index) {
    struct object * a_object = global->objects[object_index];
    uint32_t frame_id = a_object->frame_id;
    struct file * a_file = a_object->file;
    struct frame * a_frame = &a_file->frames[frame_id];
}


If you have any questions, please reply below.
Thank you for reading this tutorial :)
Decompiled functions: [documented] Functions decompiled
Decompile lf2.exe project for documentation: https://github.com/xsoameix/lf2
Decompile lf2.exe project for implementation: https://github.com/xsoameix/openlf2
Once any function is fully reverse engineered in the documentation project, we implement it in the implementation project.

lf2 data structure: Updated spreadsheet, many changes made by o_g349/xsoameix (I have two different nicknames).

An old project: lf2-MS
#2
AMAZING! I really learned a lot from that. A few questions though:
Quote:When the sub esp,30 is executed, stack pointer (esp) will prepare the space for local variables usage.
So is that actually the process of allocation of data (variables and objects)? We just subtract the stack pointer?

Quote:These two lines imul ecx,ecx,178 and lea ecx,dword ptr ds:[ecx+edx+7A4] means:
    C-Code:
struct frame * a_frame = &a_file->frames[frame_id];
I don't understand how that would possibly be all this. The 178 is probably the size of some object being multiplied by the index to find its address. The second line though, doesn't make any sense to me. Check this out:
http://www.lf-empire.de/forum/showthread.php?tid=9316
There ^; lea together with dword ptr ds seems to actually store the sum value of ecx + edx + 7A4 into ecx; not fetch data of that address (right?). In this case though, it worked differently again 0_o. Can you get into more details with that please?

Thanks a lot!!!
A-Engine: A new beat em up game engine inspired by LF2. Coming soon

A-Engine Dev Blog - Update #8: Timeout

#3
Quote:So is that actually the process of allocation of data (variables and objects)? We just subtract the stack pointer?
Yes, we subtract the stack pointer.
Another reason is that we don't know whether this function calls another function, so we subtract the stack pointer to prevent the local variables from being ruined by a function called from this function.
[Image: cBEiqWK.png]

Quote:There ^; lea together with dword ptr ds seems to actually store the sum value of ecx + edx + 7A4 into ecx; not fetch data of that address (right?)

Right, so imul ecx,ecx,178 and lea ecx,dword ptr ds:[ecx+edx+7A4] means lea address_of_frame,dword ptr ds:[frame_id * 178 + file + 7A4]
[Image: tFAiqKZ.png]
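To check that the C recovered in post #1 really produces the address that the imul/lea pair explained in post #3 computes, here is an added example; it is not code from the tutorial or from the xsoameix projects. It lays out the four structs using only the offsets quoted in the thread (0x194, 0x7C, 0x368, 0x178, 0x7A4); the padding arrays are constructed placeholders for fields the tutorial does not name, and the sample object and file are constructed test data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>
/* Layouts reconstructed from the offsets quoted in this thread; the padding arrays are
 * constructed placeholders for unnamed fields, and pack(1) keeps the offsets exact on 64-bit hosts. */
#pragma pack(push, 1)
struct frame  { unsigned char body[0x178]; };                          /* imul ecx,ecx,178 */
struct file   { unsigned char pad[0x7A4]; struct frame frames[4]; };   /* [edx+7A4]        */
struct object { unsigned char pad0[0x7C]; uint32_t frame_id;           /* [eax+7C]         */
                unsigned char pad1[0x368 - 0x7C - 4]; struct file *file; }; /* [eax+368]   */
struct global { unsigned char pad[0x194]; struct object *objects[4]; }; /* [esi+eax*4+194] */
#pragma pack(pop)
/* Untyped loads, the way the CPU performs them. */
static uintptr_t load_ptr(uintptr_t at) { void *p; memcpy(&p, (void *)at, sizeof p); return (uintptr_t)p; }
static uint32_t  load_u32(uintptr_t at) { uint32_t v; memcpy(&v, (void *)at, sizeof v); return v; }

/* The instruction sequence from the thread as register-style arithmetic. The only difference
 * from the 32-bit lf2.exe is the pointer scale: eax*4 there, sizeof(struct object *) here. */
static uintptr_t frame_addr_asm(struct global *g, uint32_t object_index) {
    uintptr_t esi = (uintptr_t)g;                                 /* mov esi,ecx                  */
    uintptr_t eax = load_ptr(esi + object_index * sizeof(struct object *) + 0x194);
    uint32_t  ecx = load_u32(eax + 0x7C);                         /* mov ecx,dword ptr [eax+7C]   */
    uintptr_t edx = load_ptr(eax + 0x368);                        /* mov edx,dword ptr [eax+368]  */
    ecx *= 0x178;                                                 /* imul ecx,ecx,178             */
    return ecx + edx + 0x7A4;                                     /* lea ecx,[ecx+edx+7A4]        */
}

/* The same computation written as the C the tutorial recovers. */
static struct frame *frame_addr_c(struct global *global, uint32_t object_index) {
    struct object *a_object = global->objects[object_index];
    uint32_t frame_id = a_object->frame_id;
    struct file *a_file = a_object->file;
    return &a_file->frames[frame_id];
}

/* Constructed sample data: object 3 is currently on frame 2 of its data file. */
static struct file sample_file; static struct object sample_object; static struct global sample_global;
static struct global *build_sample(void) {
    sample_object.frame_id = 2;
    sample_object.file = &sample_file;
    sample_global.objects[3] = &sample_object;
    return &sample_global;
}

int main(void) {
    struct global *g = build_sample();
    printf("asm: %p\nC:   %p\n", (void *)frame_addr_asm(g, 3), (void *)frame_addr_c(g, 3));
    return 0;
}
```

Both lines print the same address, and offsetof() on the structs reproduces every displacement in the listing, which is the check to run whenever a recovered struct layout is changed.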
#4
I appreciate all the detailed explanation :3. So I got it right at the beginning, but it feels weird to see addresses calculated like that so I mixed stuff there. Thanks a lot!
#5
No problem :)
#6
Can I get the download link please.
New Member Just Joined "2017"
#7
There is no download link. This is a tutorial.
#8
So, what's this about? I can't understand it. Can you tell me?
#9
(02-20-2015, 04:40 AM)DARK-EVIL Wrote:  So, what's this about? I can't understand it. Can you tell me?

Does this mean you are going to make your own .exe? :)

Please read the first post of this topic and use google.

In more detail:
Original character edits
Goku2021
LF2 Timelapse (open source mod)

#10
There is assembly (a programming language), and there is C (a higher-level programming language). Assembly is what you see when you open LF2 in OllyDbg. This tutorial teaches you how to interpret assembly code as C code. If you don't know how to program in C, then this tutorial will not make sense to you.