

# Introduction to x86-64 Reverse Engineering

Marion Marschalek | @pinkflawd | @blackhoodie\_re



# What is assembly?

Assembly is textual representation of machine code instructions Assembler creates executable from assembly source file Disassembler creates (dis)assembly from machine code bytes

Intel 64 and IA-32 Architectures Software Developer's Manuals
http://www.intel.com/content/www/us/en/processors/architectures-softwaredeveloper-manuals.html

x86 Opcode and Instruction Reference http://ref.x86asm.net/coder32.html

x86-64 Cheatsheet from Brown University https://cs.brown.edu/courses/cs033/docs/guides/x64\_cheatsheet.pdf

## **Hello World!**

```
.LC0:
         .string "Hello world!"
main:
        push
                 rbp
                 rbp, rsp
        mov
                 edi, OFFSET FLAT:.LC0
        mov
        call
                 puts
                 eax, 0
        MOV
                 rbp
        pop
        ret
```

### **Instruction Flow 101**

Fetch instruction at program counter

Decode instruction

Increment program counter

Prepare components (ALU, memory, I/O)

**Execute instruction** 

Store results

## Program counter, byte code, assembly, sry wot?





FRAUNHOFER-INSTITUT FÜR KOMMUNIKATION, INFORMATIONSVERARBEITUNG UND ERGONOMIE FKIE

#### **x86 Opcode Structure and Instruction Overview**

Main Opcode bits

Operand length bit +

Direction bit +



→ Scale field

→ Register/Opcode modifier, defined by primary opcode

v1.0 - 30.08.2011

Stack

Control Flow

& Conditional

Contact: Daniel Plohmann - +49 228 73 54 228 - daniel.plohmann@fkie.fraunhofer.de

**Extended Instruction Set** 

111

ESI

EDI

100 [SI] SIB [SI]+disp8 SIB+disp8 [SI]+disp16 SIB+disp32

101 [Di] disp32 [Di]+disp8 [EBP]+disp8 [Di]+disp16 [EBP]+disp32

110 disp16 [ESI] [BP]+disp8 [ESI]+disp8 [BP]+disp16 [ESI]+disp32

111 [BX] [EDI] [BX]+disp8 [EDI]+disp8 [BX]+disp16 [EDI]+disp32

#### INC-Increment by 1

| Opcode        | Instruction | Op/<br>En | 64-Bit<br>Mode | Compat/<br>Leg Mode | Description                         |
|---------------|-------------|-----------|----------------|---------------------|-------------------------------------|
| FE /0         | INC r/m8    | М         | Valid          | Valid               | Increment r/m byte by 1.            |
| REX + FE /0   | INC r/m8*   | М         | Valid          | N.E.                | Increment r/m byte by 1.            |
| FF /0         | INC r/m16   | М         | Valid          | Valid               | Increment r/m word by 1.            |
| FF /0         | INC r/m32   | М         | Valid          | Valid               | Increment r/m doubleword by 1.      |
| REX.W + FF /0 | INC r/m64   | М         | Valid          | N.E.                | Increment <i>r/m</i> quadword by 1. |
| 40+ rw**      | INC r16     | 0         | N.E.           | Valid               | Increment word register by 1.       |
| 40+ rd        | INC r32     | 0         | N.E.           | Valid               | Increment doubleword register by 1. |

#### NOTES:

#### Instruction Operand Encoding

| Op/En | Operand 1          | Operand 2 | Operand 3 | Operand 4 |
|-------|--------------------|-----------|-----------|-----------|
| М     | ModRM:r/m (r, w)   | NA        | NA        | NA        |
| 0     | opcode + rd (r, w) | NA        | NA        | NA        |

#### Description

Adds 1 to the destination operand, while preserving the state of the CF flag. The destination operand can be a register or a memory location. This instruction allows a loop counter to be updated without disturbing the CF flag. (Use a ADD instruction with an immediate operand of 1 to perform an increment operation that does updates the CF flag.)

This instruction can be used with a LOCK prefix to allow the instruction to be executed atomically.

In 64-bit mode, INC r16 and INC r32 are not encodable (because opcodes 40H through 47H are REX prefixes). Otherwise, the instruction's 64-bit mode default operation size is 32 bits. Use of the REX.R prefix permits access to additional registers (R8-R15). Use of the REX.W prefix promotes operation to 64 bits.

#### Operation

 $\mathsf{DEST} \leftarrow \mathsf{DEST} + 1;$ 

### Intel SDM

#### **INC** instruction

<sup>\*</sup> In 64-bit mode, r/m8 can not be encoded to access the following byte registers if a REX prefix is used: AH, BH, CH, DH.

<sup>\*\* 40</sup>H through 47H are REX prefixes in 64-bit mode.

# Registers Memory Instructions

# General Purpose Registers

Eight 32-bit registers:

EAX: Accumulator

EBX: Base

ECX: Counter

EDX: Data

ESI: Source Index

EDI: Destination Index

EBP: Base pointer

ESP: Stack pointer



Byte, Word, DoubleWord, (64-bit) QuadWord

# General Purpose Registers

```
Sixteen 64-bit registers:
```

| RAX | R8  |
|-----|-----|
| RBX | R9  |
| RCX | R10 |
| RDX | R11 |
| RSI | R12 |
| RDI | R13 |
| RBP | R14 |
| RSP | R15 |

```
Access modes, eg.:
```

Etc. Etc.

Etc. Etc.

Register purpose decided by system ABI, compiler convention and instruction set convention

There's also 128bit SSE registers etc. etc.

## Instruction Pointer

#### EIP or RIP

- Points to the next instruction
- Cannot be accessed directly
- Can be modified by control flow instructions
- Can be read by function call and popping from stack

## FLAGS, EFLAGS and RFLAGS

Status register

Respectively 16, 32 or 64 bits wide (although 64b RFLAGS' upper 32 bit aren't currently used)

Carry flag (CF, bit 0): unsigned overflow

Parity flag (PF, bit 2): LSByte contains even amount of 1s

**Zero** flag (ZF, bit 6): result is zero

Sign flag (SF, bit 7): MSBit is 1

**Trap** flag (TF, bit 8): single-step mode

Direction flag (DF, bit 10): increment or decrement on string instructions

Overflow flag (OF, bit 11): signedoverflow

## Example

```
. . .
            eax, DWORD PTR [rbp-24]
   mov
   movsx
            rdx, eax
            rax, QWORD PTR [rbp-32]
   mov
    add
            rax, rdx
            eax, BYTE PTR [rax]
   movzx
            al, 95
    cmp
    jne
            .L5
    add
            DWORD PTR [rbp-20], 1
.L5:
    add
            DWORD PTR [rbp-24], 1
```

#### **CMP** instruction

Compares the first source operand with the second source operand and sets the status flags in the EFLAGS register according to the results. The comparison is performed by subtracting the second operand from the first operand and then setting the status flags [...] => Will set ZF (ZF=1) if result is 0

#### JNE instruction

Jump near if not equal (ZF=0)

# Registers Memory Instructions

### **Data Endianness**

Byte order

Memory: Little Endian (least significant byte first)

Register: Big Endian most significant byte first)

Bit order: Big Endian (most significant bit first)

| BIG-I | ENDIA                | AN  |     | Mei | mory |     |     |     |     |  |
|-------|----------------------|-----|-----|-----|------|-----|-----|-----|-----|--|
|       | 00                   | 01  | 02  | 03  | 04   | 05  | 06  | 07  | ••• |  |
|       | а                    | a+1 | a+2 | a+3 | a+4  | a+5 | a+6 | a+7 |     |  |
| LITTL | LITTLE-ENDIAN Memory |     |     |     |      |     |     |     |     |  |
| •••   | 07                   | 06  | 05  | 04  | 03   | 02  | 01  | 00  | ••• |  |
|       | а                    | a+1 | a+2 | a+3 | a+4  | a+5 | a+6 | a+7 |     |  |

https://thebittheories.com/little-endian-vs-big-endian-b4046c63e1f2

### **Executable File Formats**

Portable Executable (**PE**)
Executable and Linkable
Format (**ELF**)

TL;DR Loader fetches executable, maps it into virtual memory space

Entry point, sections, imports/exports, many many other things => executable file header



| Name                   | Start            | End              | R | W | X | D I | L | Align | Base | Туре   | Class | AD   | es    | SS   | ds   | fs      | gs      |
|------------------------|------------------|------------------|---|---|---|-----|---|-------|------|--------|-------|------|-------|------|------|---------|---------|
| 🔒 debug024             | 00000014CBDD6000 | 00000014CBE00000 | ? | ? | ? | D . |   | byte  | 0000 | public | DATA  | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| 🔒 debug005             | 00000014CBE00000 | 00000014CBEF9000 | ? | ? | ? | D.  |   | byte  | 0000 | public | DATA  | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| Stack_PAGE_GUARD[00006 | 00000014CBEF9000 | 00000014CBEFC000 | R | W |   | D.  |   | byte  | 0000 | public | STACK | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| 🔒 Stack[000066A4]      | 00000014CBEFC000 | 00000014CBF00000 | R | W |   | D.  |   | byte  | 0000 | public | STACK | 64   | 00    | 0000 | 0000 | 0000    | 0000    |
| 🔒 debug025             | 00000014CBF00000 | 00000014CBFFC000 | ? | ? | ? | D.  |   | byte  | 0000 | public | DATA  | 64   |       |      | 00   | 00      | 10      |
| 🔒 debug026             | 00000014CBFFC000 | 00000014CBFFF000 | R | W |   | D.  |   | byte  | 0000 | public | DATA  | 64   | 000   | 0000 | 0000 | 0000    | 0 0     |
| 🔒 debug027             | 00000014CBFFF000 | 00000014CC000000 | R | W |   | D.  |   | byte  | 0000 | public | DATA  | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| 🔒 debug020             | 000001FF20E40000 | 000001FF20E50000 | R | W |   | D.  |   | byte  | 0000 | public | DATA  | 64   | 0000  | 0000 | 0000 | 0000    | 00      |
| 🔒 debug007             | 000001FF20E60000 | 000001FF20E7A000 | R |   |   | D.  |   | byte  | 0000 | public | CONST | 64   | 0000  | 00   | 0    | 0 (     | 00      |
| 🔒 debug008             | 000001FF20E80000 | 000001FF20E84000 | R |   |   | D.  |   | byte  | 0000 | public | CONST | 64   | 0000  | 0000 | 0    | 0000    | 0000    |
| 🔒 debug009             | 000001FF20E90000 | 000001FF20E91000 | R |   |   | D.  |   | byte  | 0000 | public | CONST | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| 🔒 debug010             | 000001FF20EA0000 | 000001FF20EA2000 | R | W |   | D.  |   | byte  | 0000 | public | DATA  | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| 🔒 locale.nls           | 000001FF20EB0000 | 000001FF20F75000 | R |   |   | D.  |   | byte  | 0000 | public | CONST | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| 🔒 debug030             | 000001FF20FD0000 | 000001FF20FE1000 | R | W |   | D.  |   | byte  | 0000 | public | [AT   | 34 V | Win ( | dou  | 0.00 | FOCE    | 355     |
| 🔒 debug031             | 000001FF20FE1000 | 000001FF210D0000 | ? | ? | ? | D.  |   | byte  | 0000 | public | DATA  | 64   | 0000  | 0000 |      |         | 0000    |
| 🔒 debug022             | 00007FF4A94C0000 | 00007FF4A94C5000 | R |   |   | D.  |   | byte  | 0000 | public | CONST | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| 🔒 debug023             | 00007FF4A94C5000 | 00007FF4A95C0000 | ? | ? | ? | D.  |   | byte  | 0000 | public | DATA  | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| 🔒 debug017             | 00007FF4A95C0000 | 00007FF5A95E0000 | ? | ? | ? | D.  |   | byte  | 0000 | public | DATA  | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| 🔒 debug018             | 00007FF5A95E0000 | 00007FF5AB5E0000 | ? | ? | ? | D.  |   | byte  | 0000 | public | DATA  | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| 🔒 debug019             | 00007FF5AB5E0000 | 00007FF5AB5E1000 | R | W |   | D.  |   | byte  | 0000 | public | DATA  | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| 🔒 debug011             | 00007FF5AB5F0000 | 00007FF5AB5F1000 | R |   |   | D.  |   | byte  | 0000 | public | CONST | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| 🔒 debug012             | 00007FF5AB600000 | 00007FF5AB623000 | R |   |   | D.  |   | byte  | 0000 | public | CONST | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| 🔒 VirtualBH.exe        | 00007FF61BB80000 | 00007FF61BB81000 | R |   |   | D.  |   | byte  | 0000 | public | CONST | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| 🔒 .text                | 00007FF61BB81000 | 00007FF61BB82000 | R |   | X | . L |   | para  | 0001 | public | CODE  | 64   | 0000  | 0000 | 0003 | FFFFFFF | FFFFFFF |
| 🔒 .idata               | 00007FF61BB82000 | 00007FF61BB82100 | R |   |   | . L | - | para  | 0005 | public | DATA  | 64   | 0000  | 0000 | 0003 | FFFFFFF | FFFFFFF |
| 🔒 .rdata               | 00007FF61BB82100 | 00007FF61BB83000 | R |   |   | . L | - | para  | 0002 | public | DATA  | 64   | 0000  | 0000 | 0003 | FFFFFFF | FFFFFFF |
| 🔒 .data                | 00007FF61BB83000 | 00007FF61BB84000 | R | W |   | . L | - | para  | 0003 | public | DATA  | 64   | 0000  | 0000 | 0003 | FFFFFFF | FFFFFFF |
| 🔒 .pdata               | 00007FF61BB84000 | 00007FF61BB85000 | R |   |   | . L | - | para  | 0004 | public | DATA  | 64   | 0000  | 0000 | 0003 | FFFFFFF | FFFFFFF |
| 🔒 VirtualBH.exe        | 00007FF61BB85000 | 00007FF61BB87000 | R |   |   | D.  |   | byte  | 0000 | public | CONST | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| MSVCR110.dll           | 00007FFCBF910000 | 00007FFCBF911000 | R |   |   | D.  |   | byte  | 0000 | public | CONST | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| MSVCR110.dll           | 00007FFCBF911000 | 00007FFCBF9A3000 | R |   | X | D.  |   | byte  | 0000 | public | CODE  | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| MSVCR110.dll           | 00007FFCBF9A3000 | 00007FFCBF9D1000 | R |   |   | D.  |   | byte  | 0000 | public | CONST | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| MSVCR110.dll           | 00007FFCBF9D1000 | 00007FFCBF9D3000 | R | W |   | D.  |   | byte  | 0000 | public | DATA  | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| MSVCR110.dll           | 00007FFCBF9D3000 | 00007FFCBF9D4000 | R | W |   | D.  |   | byte  | 0000 | public | DATA  | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| MSVCR110.dll           | 00007FFCBF9D4000 | 00007FFCBF9D7000 | R | W |   | D.  |   | byte  | 0000 | public | DATA  | 64   | 0000  | 0000 | 0000 | 0000    | 0000    |
| _                      |                  |                  |   |   |   |     |   |       |      |        |       |      |       |      |      |         |         |

## Memory Manipulation in Assembly

Instruction (+ Operand)

Immediate values e.g. mov r8d, 6Eh

Registers e.g. mov rcx, rbx

Memory addresses

Virtual address e.g. mov rax, [0x7FF6AB373000]

Pointer dereferentiation e.g. mov rax, [rax]

Calculation e.g. mov rax, [rbx+rdx+10h]

# Heap

Memory that can be dynamically allocated (eg. malloc)

One heap per process

Operating system provides functions for memory de-/allocation

Threads need to synchronize memory de-/allocation

```
int a = 25;
char* b = (char*) malloc(250);
heap buffer
```

# Stack

One stack per thread

PUSH and POP instructions interact with the stack, direct access of stack variables common too

Operating system provides stack memory block, and guard page

It's a 64 bit wide LIFO buffer (64b systems.., 32 on 32 bit)

RSP and RBP manage function frame on stack

## **Abstract Depiction of Stack**

RBP = Base Pointer

RSP = Stack Pointer

PUSH/POP increment/decrement RSP



## Calling Conventions and ABIs

Application Binary Interface – defines how functions are called (parameter handling, stack usage, special register designation)

History: "convention madness" on Windows x86 cdecl, stdcall, fastcall, thiscall, safecall,....

#### Calling conventions define:

How arguments are passed to the callee

Which registers may be used, which must be saved before use

How function stack is set up and torn down after callee is done

# Little Less Abstract Depiction of Stack

Low Addresses

ESP

The classic: **32-bit cdecl** calling convention

Caller pushes function arguments, in reverse order

CALL instruction pushes return address

Callee sets up local stack variables

Return: Stack cleanup & jump to stored FIP

EBP

Local Variables Function2

**Return Address** 

Arguments Function2

Local Variables
Function1

Return Address

Arguments Function1

Stack Frame for Function 1

Stack grows

downwards

High Addresses



## Windows x64 Calling Convention & Stack

One convention to rule them all!

First 4 function arguments are handed over via registers

RCX, RDX, R8, R9 (if integers, in that order!)

XMM0L, XMM1L, XMM2L, XMM3L (if floating point)

Arguments 5+ are pushed to stack (in reverse order.. as usual)

And yet: also "home space" reserved for register arguments on stack

**RAX** is return register (or XMM0)

RCX will hold "this" pointer for member functions

R10, R11 volatile (as are RAX, RCX, RDX, R8, R9)

R12-R15, RDI, RSI, RBX, RBP, RSP nonvolatile

## Other x64 "Eastereggs"

Vararg functions

Tailcall optimization

Creative home space utilization

RIP-relative addressing

Struct arguments

Fancy processor extensions

Alignment ftw...

Etc. etc. lots of things I'm not aware of myself;)

# Registers Memory Instructions

#### - Data transfer

- MOV
- PUSH/POP
- PUSHA/POPA
- PUSHF/POPF
- XCHG

#### - Control transfer

- JMP
- Jxx
- LOOP
- CALL
- LEAVE
- RET

# - Logical instructions

- AND
- TEST
- OR
- XOR
- NOT

## - Arithmetic instructions

- ADD/SUB
- CMP
- INC/DEC
- MUL/DIV
- NEG

#### - Other instructions

- NOP
- LEA
- RDTSC
- SYSCALL/SYSENTER
- SYSRET/SYSEXIT
- IN/OUT
- ROL/ROR
- SHL/SHR
- SETxx
- LODS
- STOS
- MOVS

And many MANY more Intel SDM, Volume 2;)

## Jump variations

| Instruction | Jump if/on                | Flag conditions    |
|-------------|---------------------------|--------------------|
| JE          | equal                     | ZF = 1             |
| JG          | greater (signed)          | ZF = 0 and SF = OF |
| JGE         | greater or equal (signed) | SF = OF            |
| JL          | less (signed)             | SF != OF           |
| JLE         | less or equal (signed)    | ZF = 1 or SF != OF |
| JA          | above (unsigned)          | CF = 0 and ZF = 0  |
| JAE         | above or equal (unsigned) | CF = 0             |
| JB          | below (unsigned)          | CF = 1             |
| JBE         | below or equal (unsigned) | CF = 1 or ZF = 1   |
| JC          | carry                     | CF = 1             |
| JO          | overflow                  | OF = 1             |
| JP          | parity                    | PF = 1             |
| JS          | sign                      | SF = 1             |
| JZ          | zero                      | ZF = 1             |

| Instruction | Jump if/on                    | Flag conditions    |
|-------------|-------------------------------|--------------------|
| JNE         | not equal                     | ZF = 0             |
| JNG         | not greater (signed)          | ZF = 1 or SF != OF |
| JNGE        | not greater or equal (signed) | SF != OF           |
| JNL         | not less (signed)             | SF = OF            |
| JNLE        | not less or equal (signed)    | ZF = 0 and SF = OF |
| JNA         | not above (unsigned)          | CF = 1 or ZF = 1   |
| JNAE        | not above or equal (unsigned) | CF = 1             |
| JNB         | not below (unsigned)          | CF = 0             |
| JNBE        | not below or equal (unsigned) | CF = 0 and ZF = 0  |
| JNC         | not carry                     | CF = 0             |
| JNO         | not overflow                  | OF = 0             |
| JNP         | not parity                    | PF = 0             |
| JNS         | not sign                      | SF = 0             |
| JNZ         | not zero                      | ZF = 0             |

## **Control Flow**



## **Branches**

```
int show_branch(int val)
    int ret;
    if (val < 10)
        ret = 10;
    else
        ret = 5;
    return ret;
```

```
u 🚾 🚾
          : Attributes: bp-based frame
          sub 401001 proc near
          var 4= dword ptr -4
          arg 4= dword ptr 8
                  ebp, esp
          mov
          push
                  ecx
                  [ebp+arg_4], OAh
          cmp
                  short loc_401013
          jge
                          🔤 🎿 🚾
4
mov
        [ebp+var_4], 0Ah
jmp
                         loc_401013:
        short loc 40101A
                                 [ebp+var_4], 5
                         mov
            4
            loc 40101A:
                   eax, [ebp+var_4]
           mov
                   esp, ebp
           mov
           pop
                   ebp
           retn
           sub 401001 endp
```

# Switch

```
int multibranch(int val)
    int ret = 0;
    switch (val)
    case 0:
        ret = 1; break;
    case 1:
        ret = 2; break;
    case 2:
        ret = 4; break;
    case 3:
        ret = 8; break;
    return ret;
```

```
: Attributes: bp-based frame
                                             sub_401030 proc near
                                             var 8= dword ptr -8
                                             var 4= dword ptr -4
                                             arg 0= dword ptr 8
                                             push
                                                     ebp, esp
                                                     esp, 8
                                                     [ebp+var_4], 0
                                                     eax, [ebp+arg_0]
                                                     [ebp+var 8], eax
                                             mov
                                                     [ebp+var_8], 3 ; switch 4 cases
                                                     short loc 401075
                                            🜃 🎮 😘
                                                    ecx, [ebp+var_8]
                                                   ds:off_401080[ecx*4] ; switch jump
                                                                                                  🖼 🎮 🖼
🔤 🎮 🖼
                                                                 🜃 pai 😘
                       ; case 0 10c_40105C:
                                                                                        ; case 2 loc 40106E:
                                                                                                                         ; case 3
1oc 401053:
                                                       ; case 1 10c_401065:
                                        [ebp+var_4], 2
       [ebp+var 4], 1
                                mov
                                                                         [ebp+var_4], 4
                                                                                                         [ebp+var_4], 8
       short loc 401075
                                        short loc 401075
                                                                         short loc 401075
                                                           * * * * *
                                                     ii ii
                                                     loc 401075:
                                                             eax, [ebp+var 4]
                                                             esp, ebp
                                                     retn
                                                     sub_401030 endp
                                                   align 10h
                  .text:0040107E
                                                                            ; DATA XREF: sub 401030+1C1r
                                                   dd offset loc 401053
                  .text:00401080 off 401080
                                                   dd offset loc 40105C
                                                                            ; jump table for switch statement
                  .text:00401080
                                                   dd offset loc 401065
                  .text:00401080
                                                   dd offset loc 40106E
                  .text:00401080
```

# Loops

```
int show_loop(int val)
{
   int ret = 0;

   for (; val > 0; val--)
      ret += val;

   return ret;
}
```

```
; Attributes: bp-based frame
         sub 401090 proc near
         var 4= dword ptr -4
         arg 0= dword ptr 8
         push
                 ebp
         MOV
                 ebp, esp
         push
                 ecx
                 [ebp+var 4], 0
         MOV
                 short loc 4010A6
            loc 4010A6:
                    [ebp+arg_0], 0
                   short loc 4010B7
ecx, [ebp+var_4]
mov
       ecx, [ebp+arg_0] | loc_4010B7:
add
       [ebp+var 4], ecx mov
                                eax, [ebp+var_4]
mov
       short loc 40109D
jmp
                                esp, ebp
                        pop
                                ebp
                        retn
                        sub 401090 endp
loc_40109D:
       eax, [ebp+arg 0]
mov
       eax, 1
sub
       [ebp+arg_0], eax
MOV
```