\myheading{Change endianness}

\leveldown{}

What does this code do?

\begin{lstlisting}
mov     eax, ecx
mov     edx, ecx
shl     edx, 16
and     eax, 0000ff00H
or      eax, edx
mov     edx, ecx
and     edx, 00ff0000H
shr     ecx, 16
or      edx, ecx
shl     eax, 8
shr     edx, 8
or      eax, edx
\end{lstlisting}

In fact, many reverse engineers play a shell game a lot, keeping track of what is stored where at each point in time.

\begin{figure}[H]
\centering
\includegraphics[scale=2.5]{\CURPATH/2_assembly/718px-Conjurer_Bosch.jpg}
\caption{Hieronymus Bosch -- The Conjurer}
\end{figure}

Again, we can build an equivalent function which can take both numerical variables and Expr() objects.
We also extend the Expr() class to support many arithmetical and boolean operations.
Expr() methods also accept both Expr() objects and integer values as input.

\lstinputlisting[style=custompy]{\CURPATH/2_assembly/1.py}

I run it:

\begin{lstlisting}
((((initial_ECX&65280)|(initial_ECX<<16))<<8)|(((initial_ECX&16711680)|(initial_ECX>>16))>>8))
\end{lstlisting}

Now this is something more readable, although a bit LISPy at first sight.
In fact, this is a function which changes the endianness of a 32-bit word.

By the way, my Toy Decompiler can do this job as well, but it operates on \ac{AST} instead of plain strings: \ref{toy_decompiler}.

\myheading{A real life story}

In the past, before the Hex-Rays decompiler was available, the author reversed a lot of x86 code simply by rewriting it in a text editor,
in the very same manner as I've shown here.
Maybe it was primitive, but it was easier than trying to guess what is stored in which register at each moment.
An example of this method: \ref{manual_decomp}.

\levelup{}
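The register-tracking approach from the endianness listing above, as an added example (this is not the book's 1.py): a string-based Expr class written here as an assumption of how such a class can look, plus a line-by-line transcription of the assembly that accepts either an Expr or an integer. The names f and f32 and the 32-bit truncation for concrete runs are assumptions of this example.

```python
# Added example: minimal symbolic tracker (hypothetical, not the book's 1.py).
class Expr:
    """Holds an expression as text; each operator builds a larger expression."""
    def __init__(self, s):
        self.s = s

    @staticmethod
    def _text(v):
        # Operands may be Expr objects or plain integers.
        return v.s if isinstance(v, Expr) else str(v)

    def _bin(self, op, other):
        return Expr("(" + self.s + op + Expr._text(other) + ")")

    def __and__(self, o): return self._bin("&", o)
    def __or__(self, o): return self._bin("|", o)
    def __lshift__(self, o): return self._bin("<<", o)
    def __rshift__(self, o): return self._bin(">>", o)
    def __str__(self): return self.s


def f(ecx):
    """One Python statement per instruction; works on int or Expr."""
    eax = ecx                 # mov eax, ecx
    edx = ecx                 # mov edx, ecx
    edx = edx << 16           # shl edx, 16
    eax = eax & 0x0000ff00    # and eax, 0000ff00H
    eax = eax | edx           # or  eax, edx
    edx = ecx                 # mov edx, ecx
    edx = edx & 0x00ff0000    # and edx, 00ff0000H
    ecx = ecx >> 16           # shr ecx, 16
    edx = edx | ecx           # or  edx, ecx
    eax = eax << 8            # shl eax, 8
    edx = edx >> 8            # shr edx, 8
    eax = eax | edx           # or  eax, edx
    return eax


def f32(x):
    """Concrete run: Python ints are unbounded, so truncate to a 32-bit register."""
    return f(x & 0xFFFFFFFF) & 0xFFFFFFFF


if __name__ == "__main__":
    print(f(Expr("initial_ECX")))     # symbolic form of EAX
    print(hex(f32(0x11223344)))       # concrete check of the byte swap
```

Running the same function on concrete values is a quick way to confirm a guess made from the symbolic form, here that the result equals the input with its four bytes reversed.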