https://soffensive.github.io/categories/practical-reverse-engineering/Recent content in Practical Reverse Engineering on soffensive blogHugoenThu, 07 Dec 2017 10:29:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-07-practical-reverse-engineering-exercise-solutions-page-79-exercise-11/Thu, 07 Dec 2017 10:29:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-07-practical-reverse-engineering-exercise-solutions-page-79-exercise-11/<p>Exercise 11 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called <code>mystery11</code> - the last exercise of the ARM chapter:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="err">010185</span><span class="nf">B0</span> <span class="nv">mystery11</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">010185</span><span class="nf">B0</span> <span class="mi">2</span><span class="nv">D</span> <span class="nv">E9</span> <span class="nv">F8</span> <span class="mi">4</span><span class="nv">F</span> <span class="nv">PUSH.W</span> <span class="err">{</span><span class="nv">R3</span><span class="err">–</span><span class="nv">R11</span><span class="p">,</span><span class="nv">LR</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">010185</span><span class="nf">B4</span> <span class="mi">0</span><span class="nv">D</span> <span class="nv">F2</span> <span class="mi">20</span> <span class="mb">0B</span> <span class="nv">ADDW</span> <span class="nv">R11</span><span class="p">,</span> <span class="nb">SP</span><span class="p">,</span> <span class="err">#</span><span class="mh">0x20</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">010185</span><span class="nf">B8</span> <span class="nv">B0</span> <span class="nv">F9</span> <span class="mi">5</span><span class="nv">A</span> <span class="mi">30</span> <span class="nv">LDRSH.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mh">0x5A</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">010185</span><span class="nf">BC</span> <span class="mi">07</span> <span class="mi">46</span> <span class="nv">MOV</span> <span class="nv">R7</span><span class="p">,</span> <span class="nv">R0</span> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="err">010185</span><span class="nf">BE</span> <span class="mi">90</span> <span class="mi">46</span> <span class="nv">MOV</span> <span class="nv">R8</span><span class="p">,</span> <span class="nv">R2</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">010185</span><span class="nf">C0</span> <span class="mi">00</span> <span class="nv">EB</span> <span class="mi">83</span> <span class="mi">03</span> <span class="nv">ADD.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span><span class="nv">LSL#2</span> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="err">010185</span><span class="nf">C4</span> <span class="nv">D3</span> <span class="nv">F8</span> <span class="mi">84</span> <span class="nv">A0</span> <span class="nv">LDR.W</span> <span class="nv">R10</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="err">#</span><span class="mh">0x84</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">09:</span> <span class="err">010185</span><span class="nf">C8</span> <span class="mi">7</span><span class="nv">B</span> <span class="mi">8</span><span class="nv">F</span> <span class="nv">LDRH</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R7</span><span class="p">,</span><span class="err">#</span><span class="mh">0x3A</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">10:</span> <span class="err">010185</span><span class="nf">CA</span> <span class="mi">89</span> <span class="mi">46</span> <span class="nv">MOV</span> <span class="nv">R9</span><span class="p">,</span> <span class="nv">R1</span> </span></span><span class="line"><span class="cl"><span class="err">11:</span> <span class="err">010185</span><span class="nf">CC</span> <span class="nv">CB</span> <span class="nv">B9</span> <span class="nv">CBNZ</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">loc_1018602</span> </span></span><span class="line"><span class="cl"><span class="err">12:</span> <span class="err">010185</span><span class="nf">CE</span> <span class="nv">B0</span> <span class="nv">F9</span> <span class="mi">5</span><span class="nv">A</span> <span class="mi">40</span> <span class="nv">LDRSH.W</span> <span class="nv">R4</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mh">0x5A</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">13:</span> <span class="err">010185</span><span class="nf">D2</span> <span class="mi">17</span> <span class="nv">F1</span> <span class="mi">20</span> <span class="mi">02</span> <span class="nv">ADDS.W</span> <span class="nv">R2</span><span class="p">,</span> <span class="nv">R7</span><span class="p">,</span> <span class="err">#</span><span class="mh">0x20</span> </span></span><span class="line"><span class="cl"><span class="err">14:</span> <span class="err">010185</span><span class="nf">D6</span> <span class="mi">00</span> <span class="nv">EB</span> <span class="mi">44</span> <span class="mi">03</span> <span class="nv">ADD.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R4</span><span class="p">,</span><span class="nv">LSL#1</span> </span></span><span class="line"><span class="cl"><span class="err">15:</span> <span class="err">010185</span><span class="nf">DA</span> <span class="nv">B3</span> <span class="nv">F8</span> <span class="mi">5</span><span class="nv">C</span> <span class="mi">50</span> <span class="nv">LDRH.W</span> <span class="nv">R5</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="err">#</span><span class="mh">0x5C</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">16:</span> <span class="err">010185</span><span class="nf">DE</span> <span class="mi">00</span> <span class="nv">EB</span> <span class="mi">84</span> <span class="mi">03</span> <span class="nv">ADD.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R4</span><span class="p">,</span><span class="nv">LSL#2</span> </span></span><span class="line"><span class="cl"><span class="err">17:</span> <span class="err">010185</span><span class="nf">E2</span> <span class="nv">D3</span> <span class="nv">F8</span> <span class="mi">84</span> <span class="mi">00</span> <span class="nv">LDR.W</span> <span class="nv">R0</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="err">#</span><span class="mh">0x84</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">18:</span> <span class="err">010185</span><span class="nf">E6</span> <span class="mi">83</span> <span class="mi">89</span> <span class="nv">LDRH</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mh">0xC</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">19:</span> <span class="err">010185</span><span class="nf">E8</span> <span class="mi">06</span> <span class="mi">6</span><span class="nv">C</span> <span class="nv">LDR</span> <span class="nv">R6</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mh">0x40</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">20:</span> <span class="err">010185</span><span class="nf">EA</span> <span class="mi">03</span> <span class="nv">EB</span> <span class="mi">45</span> <span class="mi">03</span> <span class="nv">ADD.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R5</span><span class="p">,</span><span class="nv">LSL#1</span> </span></span><span class="line"><span class="cl"><span class="err">21:</span> <span class="err">010185</span><span class="nf">EE</span> <span class="mi">9</span><span class="nv">B</span> <span class="mi">19</span> <span class="nv">ADDS</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R6</span> </span></span><span class="line"><span class="cl"><span class="err">22:</span> <span class="err">010185</span><span class="nf">F0</span> <span class="mi">1</span><span class="nv">C</span> <span class="mi">78</span> <span class="nv">LDRB</span> <span class="nv">R4</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">23:</span> <span class="err">010185</span><span class="nf">F2</span> <span class="mi">5</span><span class="nv">B</span> <span class="mi">78</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="err">#</span><span class="mi">1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">24:</span> <span class="err">010185</span><span class="nf">F4</span> <span class="mi">43</span> <span class="nv">EA</span> <span class="mi">04</span> <span class="mi">24</span> <span class="nv">ORR.W</span> <span class="nv">R4</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R4</span><span class="p">,</span><span class="nv">LSL#8</span> </span></span><span class="line"><span class="cl"><span class="err">25:</span> <span class="err">010185</span><span class="nf">F8</span> <span class="mi">43</span> <span class="mi">8</span><span class="nv">A</span> <span class="nv">LDRH</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mh">0x12</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">26:</span> <span class="err">010185</span><span class="nf">FA</span> <span class="mi">23</span> <span class="mi">40</span> <span class="nv">ANDS</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R4</span> </span></span><span class="line"><span class="cl"><span class="err">27:</span> <span class="err">010185</span><span class="nf">FC</span> <span class="mi">99</span> <span class="mi">19</span> <span class="nv">ADDS</span> <span class="nv">R1</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R6</span> </span></span><span class="line"><span class="cl"><span class="err">28:</span> <span class="err">010185</span><span class="nf">FE</span> <span class="nv">FD</span> <span class="nv">F7</span> <span class="mi">8</span><span class="nv">D</span> <span class="nv">FF</span> <span class="nb">BL</span> <span class="nv">sub_101651C</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">29:</span> <span class="err">01018602</span> <span class="nf">loc_1018602</span> </span></span><span class="line"><span class="cl"><span class="err">30:</span> <span class="err">01018602</span> <span class="nf">BA</span> <span class="mi">8</span><span class="nv">E</span> <span class="nv">LDRH</span> <span class="nv">R2</span><span class="p">,</span> <span class="p">[</span><span class="nv">R7</span><span class="p">,</span><span class="err">#</span><span class="mh">0x34</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">31:</span> <span class="err">01018604</span> <span class="nf">BB</span> <span class="mi">6</span><span class="nv">A</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R7</span><span class="p">,</span><span class="err">#</span><span class="mh">0x28</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">32:</span> <span class="err">01018606</span> <span class="nf">D0</span> <span class="mi">18</span> <span class="nv">ADDS</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R2</span><span class="p">,</span> <span class="nv">R3</span> </span></span><span class="line"><span class="cl"><span class="err">33:</span> <span class="err">01018608</span> <span class="err">9</span><span class="nf">A</span> <span class="nv">F8</span> <span class="mi">02</span> <span class="mi">30</span> <span class="nv">LDRB.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R10</span><span class="p">,</span><span class="err">#</span><span class="mi">2</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">34:</span> <span class="err">0101860</span><span class="nf">C</span> <span class="mb">0B</span> <span class="nv">B1</span> <span class="nv">CBZ</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">loc_1018612</span> </span></span><span class="line"><span class="cl"><span class="err">35:</span> <span class="err">0101860</span><span class="nf">E</span> <span class="mi">00</span> <span class="mi">22</span> <span class="nv">MOVS</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">36:</span> <span class="err">01018610</span> <span class="err">00</span> <span class="nf">E0</span> <span class="nv">B</span> <span class="nv">loc_1018614</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">37:</span> <span class="err">01018612</span> <span class="nf">loc_1018612</span> </span></span><span class="line"><span class="cl"><span class="err">38:</span> <span class="err">01018612</span> <span class="err">3</span><span class="nf">A</span> <span class="mi">6</span><span class="nv">A</span> <span class="nv">LDR</span> <span class="nv">R2</span><span class="p">,</span> <span class="p">[</span><span class="nv">R7</span><span class="p">,</span><span class="err">#</span><span class="mh">0x20</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">39:</span> <span class="err">01018614</span> <span class="nf">loc_1018614</span> </span></span><span class="line"><span class="cl"><span class="err">40:</span> <span class="err">01018614</span> <span class="nf">FB</span> <span class="mi">8</span><span class="nv">E</span> <span class="nv">LDRH</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R7</span><span class="p">,</span><span class="err">#</span><span class="mh">0x36</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">41:</span> <span class="err">01018616</span> <span class="nf">B8</span> <span class="nv">F1</span> <span class="mi">00</span> <span class="mi">0</span><span class="nv">F</span> <span class="nv">CMP.W</span> <span class="nv">R8</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">42:</span> <span class="err">0101861</span><span class="nf">A</span> <span class="mi">01</span> <span class="nv">D0</span> <span class="nv">BEQ</span> <span class="nv">loc_1018620</span> </span></span><span class="line"><span class="cl"><span class="err">43:</span> <span class="err">0101861</span><span class="nf">C</span> <span class="mi">80</span> <span class="mi">18</span> <span class="nv">ADDS</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R2</span> </span></span><span class="line"><span class="cl"><span class="err">44:</span> <span class="err">0101861</span><span class="nf">E</span> <span class="mi">9</span><span class="nv">B</span> <span class="mi">1</span><span class="nv">A</span> <span class="nv">SUBS</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R2</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">45:</span> <span class="err">01018620</span> <span class="nf">loc_1018620</span> </span></span><span class="line"><span class="cl"><span class="err">46:</span> <span class="err">01018620</span> <span class="nf">C9</span> <span class="nv">F8</span> <span class="mi">00</span> <span class="mi">30</span> <span class="nv">STR.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R9</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">47:</span> <span class="err">01018624</span> <span class="nf">BD</span> <span class="nv">E8</span> <span class="nv">F8</span> <span class="mi">8</span><span class="nv">F</span> <span class="nv">POP.W</span> <span class="err">{</span><span class="nv">R3</span><span class="err">–</span><span class="nv">R11</span><span class="p">,</span><span class="nv">PC</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">48:</span> <span class="err">01018624</span> <span class="c1">; End of function mystery11</span> </span></span></code></pre></td></tr></table> </div> </div><p>According to the exercise description, the called subroutine <code>sub_101651C</code> in line 28 takes three arguments and does not return anything. Thus, we know the registers <code>R0</code>, <code>R1</code> and <code>R2</code> are prepared and passed to the function.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-06-practical-reverse-engineering-exercise-solutions-page-79-exercise-10/Wed, 06 Dec 2017 06:19:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-06-practical-reverse-engineering-exercise-solutions-page-79-exercise-10/<p>Exercise 10 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called <code>mystery10</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery10</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">2</span><span class="nf">D</span> <span class="nv">E9</span> <span class="mi">70</span> <span class="mi">48</span> <span class="nv">PUSH.W</span> <span class="err">{</span><span class="nv">R4</span><span class="err">–</span><span class="nv">R6</span><span class="p">,</span><span class="nv">R11</span><span class="p">,</span><span class="nv">LR</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">0</span><span class="nf">D</span> <span class="nv">F2</span> <span class="mi">0</span><span class="nv">C</span> <span class="mb">0B</span> <span class="nv">ADDW</span> <span class="nv">R11</span><span class="p">,</span> <span class="nb">SP</span><span class="p">,</span> <span class="err">#</span><span class="mh">0xC</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">37</span> <span class="nf">F0</span> <span class="nv">CC</span> <span class="nv">F9</span> <span class="nb">BL</span> <span class="nv">__security_push_cookie</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">84</span> <span class="nf">B0</span> <span class="nv">SUB</span> <span class="nb">SP</span><span class="p">,</span> <span class="nb">SP</span><span class="p">,</span> <span class="err">#</span><span class="mh">0x10</span> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="err">0</span><span class="nf">D</span> <span class="mi">46</span> <span class="nv">MOV</span> <span class="nv">R5</span><span class="p">,</span> <span class="nv">R1</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">00</span> <span class="err">24</span> <span class="nf">MOVS</span> <span class="nv">R4</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="err">10</span> <span class="err">2</span><span class="nf">D</span> <span class="nv">CMP</span> <span class="nv">R5</span><span class="p">,</span> <span class="err">#</span><span class="mh">0x10</span> </span></span><span class="line"><span class="cl"><span class="err">09:</span> <span class="err">16</span> <span class="err">46</span> <span class="nf">MOV</span> <span class="nv">R6</span><span class="p">,</span> <span class="nv">R2</span> </span></span><span class="line"><span class="cl"><span class="err">10:</span> <span class="err">0</span><span class="nf">C</span> <span class="nv">D3</span> <span class="nv">BCC</span> <span class="nv">loc_1010786</span> </span></span><span class="line"><span class="cl"><span class="err">11:</span> <span class="err">1</span><span class="nf">A</span> <span class="mi">4</span><span class="nv">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">=</span><span class="nv">__imp_GetSystemTime</span> </span></span><span class="line"><span class="cl"><span class="err">12:</span> <span class="err">68</span> <span class="err">46</span> <span class="nf">MOV</span> <span class="nv">R0</span><span class="p">,</span> <span class="nb">SP</span> </span></span><span class="line"><span class="cl"><span class="err">13:</span> <span class="err">1</span><span class="nf">B</span> <span class="mi">68</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">14:</span> <span class="err">98</span> <span class="err">47</span> <span class="nf">BLX</span> <span class="nv">R3</span> </span></span><span class="line"><span class="cl"><span class="err">15:</span> <span class="err">00</span> <span class="err">9</span><span class="nf">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nb">SP</span><span class="p">,</span><span class="err">#</span><span class="mh">0x1C</span><span class="o">+</span><span class="nv">var_1C</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">16:</span> <span class="err">10</span> <span class="err">24</span> <span class="nf">MOVS</span> <span class="nv">R4</span><span class="p">,</span> <span class="err">#</span><span class="mh">0x10</span> </span></span><span class="line"><span class="cl"><span class="err">17:</span> <span class="err">33</span> <span class="err">60</span> <span class="nf">STR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R6</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">18:</span> <span class="err">01</span> <span class="err">9</span><span class="nf">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nb">SP</span><span class="p">,</span><span class="err">#</span><span class="mh">0x1C</span><span class="o">+</span><span class="nv">var_18</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">19:</span> <span class="err">73</span> <span class="err">60</span> <span class="nf">STR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R6</span><span class="p">,</span><span class="err">#</span><span class="mi">4</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">20:</span> <span class="err">02</span> <span class="err">9</span><span class="nf">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nb">SP</span><span class="p">,</span><span class="err">#</span><span class="mh">0x1C</span><span class="o">+</span><span class="nv">var_14</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">21:</span> <span class="nf">B3</span> <span class="mi">60</span> <span class="nv">STR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R6</span><span class="p">,</span><span class="err">#</span><span class="mi">8</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">22:</span> <span class="err">03</span> <span class="err">9</span><span class="nf">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nb">SP</span><span class="p">,</span><span class="err">#</span><span class="mh">0x1C</span><span class="o">+</span><span class="nv">var_10</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">23:</span> <span class="nf">F3</span> <span class="mi">60</span> <span class="nv">STR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R6</span><span class="p">,</span><span class="err">#</span><span class="mh">0xC</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">24:</span> <span class="nf">loc_1010786</span> </span></span><span class="line"><span class="cl"><span class="err">25:</span> <span class="err">2</span><span class="nf">B</span> <span class="mb">1B</span> <span class="nv">SUBS</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R5</span><span class="p">,</span> <span class="nv">R4</span> </span></span><span class="line"><span class="cl"><span class="err">26:</span> <span class="err">04</span> <span class="err">2</span><span class="nf">B</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">4</span> </span></span><span class="line"><span class="cl"><span class="err">27:</span> <span class="err">04</span> <span class="nf">D3</span> <span class="nv">BCC</span> <span class="nv">loc_1010796</span> </span></span><span class="line"><span class="cl"><span class="err">28:</span> <span class="err">11</span> <span class="err">4</span><span class="nf">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">=</span><span class="nv">__imp_GetCurrentProcessId</span> </span></span><span class="line"><span class="cl"><span class="err">29:</span> <span class="err">1</span><span class="nf">B</span> <span class="mi">68</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">30:</span> <span class="err">98</span> <span class="err">47</span> <span class="nf">BLX</span> <span class="nv">R3</span> </span></span><span class="line"><span class="cl"><span class="err">31:</span> <span class="err">30</span> <span class="err">51</span> <span class="nf">STR</span> <span class="nv">R0</span><span class="p">,</span> <span class="p">[</span><span class="nv">R6</span><span class="p">,</span><span class="nv">R4</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">32:</span> <span class="err">04</span> <span class="err">34</span> <span class="nf">ADDS</span> <span class="nv">R4</span><span class="p">,</span> <span class="err">#</span><span class="mi">4</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">33:</span> <span class="nf">loc_1010796</span> </span></span><span class="line"><span class="cl"><span class="err">34:</span> <span class="err">2</span><span class="nf">B</span> <span class="mb">1B</span> <span class="nv">SUBS</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R5</span><span class="p">,</span> <span class="nv">R4</span> </span></span><span class="line"><span class="cl"><span class="err">35:</span> <span class="err">04</span> <span class="err">2</span><span class="nf">B</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">4</span> </span></span><span class="line"><span class="cl"><span class="err">36:</span> <span class="err">04</span> <span class="nf">D3</span> <span class="nv">BCC</span> <span class="nv">loc_10107A6</span> </span></span><span class="line"><span class="cl"><span class="err">37:</span> <span class="err">0</span><span class="nf">C</span> <span class="mi">4</span><span class="nv">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">=</span><span class="nv">__imp_GetTickCount</span> </span></span><span class="line"><span class="cl"><span class="err">38:</span> <span class="err">1</span><span class="nf">B</span> <span class="mi">68</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">39:</span> <span class="err">98</span> <span class="err">47</span> <span class="nf">BLX</span> <span class="nv">R3</span> </span></span><span class="line"><span class="cl"><span class="err">40:</span> <span class="err">30</span> <span class="err">51</span> <span class="nf">STR</span> <span class="nv">R0</span><span class="p">,</span> <span class="p">[</span><span class="nv">R6</span><span class="p">,</span><span class="nv">R4</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">41:</span> <span class="err">04</span> <span class="err">34</span> <span class="nf">ADDS</span> <span class="nv">R4</span><span class="p">,</span> <span class="err">#</span><span class="mi">4</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">42:</span> <span class="nf">loc_10107A6</span> </span></span><span class="line"><span class="cl"><span class="err">43:</span> <span class="err">2</span><span class="nf">B</span> <span class="mb">1B</span> <span class="nv">SUBS</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R5</span><span class="p">,</span> <span class="nv">R4</span> </span></span><span class="line"><span class="cl"><span class="err">44:</span> <span class="err">08</span> <span class="err">2</span><span class="nf">B</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">8</span> </span></span><span class="line"><span class="cl"><span class="err">45:</span> <span class="err">09</span> <span class="nf">D3</span> <span class="nv">BCC</span> <span class="nv">loc_10107C0</span> </span></span><span class="line"><span class="cl"><span class="err">46:</span> <span class="err">07</span> <span class="err">4</span><span class="nf">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">=</span><span class="nv">__imp_QueryPerformanceCounter</span> </span></span><span class="line"><span class="cl"><span class="err">47:</span> <span class="err">68</span> <span class="err">46</span> <span class="nf">MOV</span> <span class="nv">R0</span><span class="p">,</span> <span class="nb">SP</span> </span></span><span class="line"><span class="cl"><span class="err">48:</span> <span class="err">1</span><span class="nf">B</span> <span class="mi">68</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">49:</span> <span class="err">98</span> <span class="err">47</span> <span class="nf">BLX</span> <span class="nv">R3</span> </span></span><span class="line"><span class="cl"><span class="err">50:</span> <span class="err">00</span> <span class="err">9</span><span class="nf">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nb">SP</span><span class="p">,</span><span class="err">#</span><span class="mh">0x1C</span><span class="o">+</span><span class="nv">var_1C</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">51:</span> <span class="err">32</span> <span class="err">19</span> <span class="nf">ADDS</span> <span class="nv">R2</span><span class="p">,</span> <span class="nv">R6</span><span class="p">,</span> <span class="nv">R4</span> </span></span><span class="line"><span class="cl"><span class="err">52:</span> <span class="err">33</span> <span class="err">51</span> <span class="nf">STR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R6</span><span class="p">,</span><span class="nv">R4</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">53:</span> <span class="err">01</span> <span class="err">9</span><span class="nf">B</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nb">SP</span><span class="p">,</span><span class="err">#</span><span class="mh">0x1C</span><span class="o">+</span><span class="nv">var_18</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">54:</span> <span class="err">08</span> <span class="err">34</span> <span class="nf">ADDS</span> <span class="nv">R4</span><span class="p">,</span> <span class="err">#</span><span class="mi">8</span> </span></span><span class="line"><span class="cl"><span class="err">55:</span> <span class="err">53</span> <span class="err">60</span> <span class="nf">STR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R2</span><span class="p">,</span><span class="err">#</span><span class="mi">4</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">56:</span> <span class="nf">loc_10107C0</span> </span></span><span class="line"><span class="cl"><span class="err">57:</span> <span class="err">20</span> <span class="err">46</span> <span class="nf">MOV</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R4</span> </span></span><span class="line"><span class="cl"><span class="err">58:</span> <span class="err">04</span> <span class="nf">B0</span> <span class="nv">ADD</span> <span class="nb">SP</span><span class="p">,</span> <span class="nb">SP</span><span class="p">,</span> <span class="err">#</span><span class="mh">0x10</span> </span></span><span class="line"><span class="cl"><span class="err">59:</span> <span class="err">37</span> <span class="nf">F0</span> <span class="nv">A4</span> <span class="nv">F9</span> <span class="nb">BL</span> <span class="nv">__security_pop_cookie</span> </span></span><span class="line"><span class="cl"><span class="err">60:</span> <span class="nf">BD</span> <span class="nv">E8</span> <span class="mi">70</span> <span class="mi">88</span> <span class="nv">POP.W</span> <span class="err">{</span><span class="nv">R4</span><span class="err">–</span><span class="nv">R6</span><span class="p">,</span><span class="nv">R11</span><span class="p">,</span><span class="nv">PC</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">61:</span> <span class="c1">; End of function mystery10</span> </span></span></code></pre></td></tr></table> </div> </div><p>Although the function looks complicated at first, we notice it does not contain any kind of loops and only executes sequentially with a couple of conditionals.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-05-practical-reverse-engineering-exercise-solutions-page-79-exercise-9/Tue, 05 Dec 2017 06:47:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-05-practical-reverse-engineering-exercise-solutions-page-79-exercise-9/<p>Exercise 9 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called <code>mystery9</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery9</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">2</span><span class="nf">D</span> <span class="nv">E9</span> <span class="mi">30</span> <span class="mi">48</span> <span class="nv">PUSH.W</span> <span class="err">{</span><span class="nv">R4</span><span class="p">,</span><span class="nv">R5</span><span class="p">,</span><span class="nv">R11</span><span class="p">,</span><span class="nv">LR</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">0</span><span class="nf">D</span> <span class="nv">F2</span> <span class="mi">08</span> <span class="mb">0B</span> <span class="nv">ADDW</span> <span class="nv">R11</span><span class="p">,</span> <span class="nb">SP</span><span class="p">,</span> <span class="err">#</span><span class="mi">8</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">09</span> <span class="err">4</span><span class="nf">D</span> <span class="nv">LDR</span> <span class="nv">R5</span><span class="p">,</span> <span class="err">=</span><span class="kt">byte</span><span class="nv">Array</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">06</span> <span class="nf">E0</span> <span class="nv">B</span> <span class="nv">loc_100E312</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="nf">loc_100E304</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">0</span><span class="nf">B</span> <span class="mi">78</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="err">5</span><span class="nf">A</span> <span class="mi">5</span><span class="nv">D</span> <span class="nv">LDRB</span> <span class="nv">R2</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="nv">R5</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">09:</span> <span class="err">63</span> <span class="err">5</span><span class="nf">D</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R4</span><span class="p">,</span><span class="nv">R5</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">10:</span> <span class="err">93</span> <span class="err">42</span> <span class="nf">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R2</span> </span></span><span class="line"><span class="cl"><span class="err">11:</span> <span class="err">04</span> <span class="nf">D1</span> <span class="nv">BNE</span> <span class="nv">loc_100E318</span> </span></span><span class="line"><span class="cl"><span class="err">12:</span> <span class="err">01</span> <span class="err">30</span> <span class="nf">ADDS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">13:</span> <span class="err">01</span> <span class="err">31</span> <span class="nf">ADDS</span> <span class="nv">R1</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">14:</span> <span class="nf">loc_100E312</span> </span></span><span class="line"><span class="cl"><span class="err">15:</span> <span class="err">04</span> <span class="err">78</span> <span class="nf">LDRB</span> <span class="nv">R4</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">16:</span> <span class="err">00</span> <span class="err">2</span><span class="nf">C</span> <span class="nv">CMP</span> <span class="nv">R4</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">17:</span> <span class="nf">F5</span> <span class="nv">D1</span> <span class="nv">BNE</span> <span class="nv">loc_100E304</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">18:</span> <span class="nf">loc_100E318</span> </span></span><span class="line"><span class="cl"><span class="err">19:</span> <span class="err">0</span><span class="nf">B</span> <span class="mi">78</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">20:</span> <span class="err">5</span><span class="nf">A</span> <span class="mi">5</span><span class="nv">D</span> <span class="nv">LDRB</span> <span class="nv">R2</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="nv">R5</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">21:</span> <span class="err">03</span> <span class="err">78</span> <span class="nf">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">22:</span> <span class="err">5</span><span class="nf">B</span> <span class="mi">5</span><span class="nv">D</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="nv">R5</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">23:</span> <span class="err">98</span> <span class="err">1</span><span class="nf">A</span> <span class="nv">SUBS</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R2</span> </span></span><span class="line"><span class="cl"><span class="err">24:</span> <span class="nf">BD</span> <span class="nv">E8</span> <span class="mi">30</span> <span class="mi">88</span> <span class="nv">POP.W</span> <span class="err">{</span><span class="nv">R4</span><span class="p">,</span><span class="nv">R5</span><span class="p">,</span><span class="nv">R11</span><span class="p">,</span><span class="nv">PC</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">25:</span> <span class="c1">; End of function mystery9</span> </span></span></code></pre></td></tr></table> </div> </div><p>First of all, <code>mystery9</code> has a striking similarity to the previously decompiled function <code>mystery8</code>. Its disassembly uses Thumb mode, as we can see for instance from the 16 bit instruction width.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-05-practical-reverse-engineering-exercise-solutions-page-79-exercise-8/Tue, 05 Dec 2017 02:30:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-05-practical-reverse-engineering-exercise-solutions-page-79-exercise-8/<p>Exercise 8 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called <code>mystery8</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery8</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">2</span><span class="nf">D</span> <span class="nv">E9</span> <span class="mi">78</span> <span class="mi">48</span> <span class="nv">PUSH.W</span> <span class="err">{</span><span class="nv">R3</span><span class="err">–</span><span class="nv">R6</span><span class="p">,</span><span class="nv">R11</span><span class="p">,</span><span class="nv">LR</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">0</span><span class="nf">D</span> <span class="nv">F2</span> <span class="mi">10</span> <span class="mb">0B</span> <span class="nv">ADDW</span> <span class="nv">R11</span><span class="p">,</span> <span class="nb">SP</span><span class="p">,</span> <span class="err">#</span><span class="mh">0x10</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">0</span><span class="nf">C</span> <span class="mi">4</span><span class="nv">E</span> <span class="nv">LDR</span> <span class="nv">R6</span><span class="p">,</span> <span class="err">=</span><span class="kt">byte</span><span class="nv">Array</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">09</span> <span class="nf">E0</span> <span class="nv">B</span> <span class="nv">loc_100E34C</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="nf">loc_100E338</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">05</span> <span class="err">78</span> <span class="nf">LDRB</span> <span class="nv">R5</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="err">01</span> <span class="err">3</span><span class="nf">A</span> <span class="nv">SUBS</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">09:</span> <span class="err">4</span><span class="nf">D</span> <span class="nv">B1</span> <span class="nv">CBZ</span> <span class="nv">R5</span><span class="p">,</span> <span class="nv">loc_100E352</span> </span></span><span class="line"><span class="cl"><span class="err">10:</span> <span class="err">0</span><span class="nf">B</span> <span class="mi">78</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">11:</span> <span class="err">9</span><span class="nf">C</span> <span class="mi">5</span><span class="nv">D</span> <span class="nv">LDRB</span> <span class="nv">R4</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="nv">R6</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">12:</span> <span class="nf">AB</span> <span class="mi">5</span><span class="nv">D</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R5</span><span class="p">,</span><span class="nv">R6</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">13:</span> <span class="nf">A3</span> <span class="mi">42</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R4</span> </span></span><span class="line"><span class="cl"><span class="err">14:</span> <span class="err">04</span> <span class="nf">D1</span> <span class="nv">BNE</span> <span class="nv">loc_100E352</span> </span></span><span class="line"><span class="cl"><span class="err">15:</span> <span class="err">01</span> <span class="err">30</span> <span class="nf">ADDS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">16:</span> <span class="err">01</span> <span class="err">31</span> <span class="nf">ADDS</span> <span class="nv">R1</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">17:</span> <span class="nf">loc_100E34C</span> </span></span><span class="line"><span class="cl"><span class="err">18:</span> <span class="err">00</span> <span class="err">2</span><span class="nf">A</span> <span class="nv">CMP</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">19:</span> <span class="nf">F3</span> <span class="nv">DC</span> <span class="nv">BGT</span> <span class="nv">loc_100E338</span> </span></span><span class="line"><span class="cl"><span class="err">20:</span> <span class="err">01</span> <span class="err">3</span><span class="nf">A</span> <span class="nv">SUBS</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">21:</span> <span class="nf">loc_100E352</span> </span></span><span class="line"><span class="cl"><span class="err">22:</span> <span class="err">00</span> <span class="err">2</span><span class="nf">A</span> <span class="nv">CMP</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">23:</span> <span class="err">01</span> <span class="nf">DA</span> <span class="nv">BGE</span> <span class="nv">loc_100E35A</span> </span></span><span class="line"><span class="cl"><span class="err">24:</span> <span class="err">00</span> <span class="err">20</span> <span class="nf">MOVS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">25:</span> <span class="err">04</span> <span class="nf">E0</span> <span class="nv">B</span> <span class="nv">locret_100E364</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">26:</span> <span class="nf">loc_100E35A</span> </span></span><span class="line"><span class="cl"><span class="err">27:</span> <span class="err">0</span><span class="nf">B</span> <span class="mi">78</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">28:</span> <span class="err">9</span><span class="nf">A</span> <span class="mi">5</span><span class="nv">D</span> <span class="nv">LDRB</span> <span class="nv">R2</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="nv">R6</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">29:</span> <span class="err">03</span> <span class="err">78</span> <span class="nf">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">30:</span> <span class="err">9</span><span class="nf">B</span> <span class="mi">5</span><span class="nv">D</span> <span class="nv">LDRB</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R3</span><span class="p">,</span><span class="nv">R6</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">31:</span> <span class="err">98</span> <span class="err">1</span><span class="nf">A</span> <span class="nv">SUBS</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R2</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">32:</span> <span class="nf">locret_100E364</span> </span></span><span class="line"><span class="cl"><span class="err">33:</span> <span class="nf">BD</span> <span class="nv">E8</span> <span class="mi">78</span> <span class="mi">88</span> <span class="nv">POP.W</span> <span class="err">{</span><span class="nv">R3</span><span class="err">–</span><span class="nv">R6</span><span class="p">,</span><span class="nv">R11</span><span class="p">,</span><span class="nv">PC</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">34:</span> <span class="c1">; End of function mystery8</span> </span></span></code></pre></td></tr></table> </div> </div><p>The function was compiled in Thumb mode, as we can see from the presence of 16 bit instructions, <code>PUSH</code> and <code>POP</code> instructions and Thumb-specific instructions, e.g. <code>CBZ</code> and instructions with the <code>.W</code> suffix.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-04-practical-reverse-engineering-exercise-solutions-page-79-exercise-7/Mon, 04 Dec 2017 06:14:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-04-practical-reverse-engineering-exercise-solutions-page-79-exercise-7/<p>Exercise 7 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called <code>mystery7</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery7</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">02</span> <span class="err">46</span> <span class="nf">MOV</span> <span class="nv">R2</span><span class="p">,</span> <span class="nv">R0</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">08</span> <span class="nf">B9</span> <span class="nv">CBNZ</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">loc_100E1D8</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">00</span> <span class="err">20</span> <span class="nf">MOVS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="nf">loc_100E1D8</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">90</span> <span class="nf">F9</span> <span class="mi">00</span> <span class="mi">30</span> <span class="nv">LDRSB.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="err">02</span> <span class="nf">E0</span> <span class="nv">B</span> <span class="nv">loc_100E1E4</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">09:</span> <span class="nf">loc_100E1DE</span> </span></span><span class="line"><span class="cl"><span class="err">10:</span> <span class="err">01</span> <span class="err">32</span> <span class="nf">ADDS</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">11:</span> <span class="err">92</span> <span class="nf">F9</span> <span class="mi">00</span> <span class="mi">30</span> <span class="nv">LDRSB.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R2</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">12:</span> <span class="nf">loc_100E1E4</span> </span></span><span class="line"><span class="cl"><span class="err">13:</span> <span class="err">00</span> <span class="err">2</span><span class="nf">B</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">14:</span> <span class="nf">FA</span> <span class="nv">D1</span> <span class="nv">BNE</span> <span class="nv">loc_100E1DE</span> </span></span><span class="line"><span class="cl"><span class="err">15:</span> <span class="err">10</span> <span class="err">1</span><span class="nf">A</span> <span class="nv">SUBS</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R2</span><span class="p">,</span> <span class="nv">R0</span> </span></span><span class="line"><span class="cl"><span class="err">16:</span> <span class="err">6</span><span class="nf">F</span> <span class="nv">F3</span> <span class="mi">9</span><span class="nv">F</span> <span class="mi">70</span> <span class="nv">BFC.W</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mh">0x1E</span><span class="p">,</span> <span class="err">#</span><span class="mi">2</span> </span></span><span class="line"><span class="cl"><span class="err">17:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"><span class="err">18:</span> <span class="c1">; End of function mystery7</span> </span></span></code></pre></td></tr></table> </div> </div><p>Again, the function provided is executed in Thumb mode, due to several 16 bit instructions and instructions specific to Thumb mode such as <code>CBNZ</code> and the <code>.W</code> suffix such as in line 7, 11 and 16.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-04-practical-reverse-engineering-exercise-solutions-page-79-exercise-6/Mon, 04 Dec 2017 03:17:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-04-practical-reverse-engineering-exercise-solutions-page-79-exercise-6/<p>Exercise 6 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called <code>mystery6</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery6</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">2</span><span class="nf">D</span> <span class="nv">E9</span> <span class="mi">18</span> <span class="mi">48</span> <span class="nv">PUSH.W</span> <span class="err">{</span><span class="nv">R3</span><span class="p">,</span><span class="nv">R4</span><span class="p">,</span><span class="nv">R11</span><span class="p">,</span><span class="nv">LR</span><span class="err">}</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">0</span><span class="nf">D</span> <span class="nv">F2</span> <span class="mi">08</span> <span class="mb">0B</span> <span class="nv">ADDW</span> <span class="nv">R11</span><span class="p">,</span> <span class="nb">SP</span><span class="p">,</span> <span class="err">#</span><span class="mi">8</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">04</span> <span class="err">68</span> <span class="nf">LDR</span> <span class="nv">R4</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">00</span> <span class="err">22</span> <span class="nf">MOVS</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="err">00</span> <span class="err">2</span><span class="nf">C</span> <span class="nv">CMP</span> <span class="nv">R4</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">06</span> <span class="kd">DD</span> <span class="nb">BL</span><span class="nv">E</span> <span class="nv">loc_103B3B6</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="nf">loc_103B3A8</span> </span></span><span class="line"><span class="cl"><span class="err">09:</span> <span class="err">50</span> <span class="nf">F8</span> <span class="mi">04</span> <span class="mi">3</span><span class="nv">F</span> <span class="nv">LDR.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mi">4</span><span class="p">]</span><span class="err">!</span> </span></span><span class="line"><span class="cl"><span class="err">10:</span> <span class="err">8</span><span class="nf">B</span> <span class="mi">42</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R1</span> </span></span><span class="line"><span class="cl"><span class="err">11:</span> <span class="err">06</span> <span class="nf">D0</span> <span class="nv">BEQ</span> <span class="nv">loc_103B3BE</span> </span></span><span class="line"><span class="cl"><span class="err">12:</span> <span class="err">01</span> <span class="err">32</span> <span class="nf">ADDS</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">13:</span> <span class="nf">A2</span> <span class="mi">42</span> <span class="nv">CMP</span> <span class="nv">R2</span><span class="p">,</span> <span class="nv">R4</span> </span></span><span class="line"><span class="cl"><span class="err">14:</span> <span class="nf">F8</span> <span class="nv">DB</span> <span class="nb">BL</span><span class="nv">T</span> <span class="nv">loc_103B3A8</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">15:</span> <span class="nf">loc_103B3B6</span> </span></span><span class="line"><span class="cl"><span class="err">16:</span> <span class="err">00</span> <span class="err">20</span> <span class="nf">MOVS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">17:</span> <span class="err">00</span> <span class="err">21</span> <span class="nf">MOVS</span> <span class="nv">R1</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">18:</span> <span class="nf">locret_103B3BA</span> </span></span><span class="line"><span class="cl"><span class="err">19:</span> <span class="nf">BD</span> <span class="nv">E8</span> <span class="mi">18</span> <span class="mi">88</span> <span class="nv">POP.W</span> <span class="err">{</span><span class="nv">R3</span><span class="p">,</span><span class="nv">R4</span><span class="p">,</span><span class="nv">R11</span><span class="p">,</span><span class="nv">PC</span><span class="err">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">20:</span> <span class="nf">loc_103B3BE</span> </span></span><span class="line"><span class="cl"><span class="err">21:</span> <span class="nf">B2</span> <span class="nv">F1</span> <span class="mi">20</span> <span class="mi">03</span> <span class="nv">SUBS.W</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R2</span><span class="p">,</span> <span class="err">#</span><span class="mh">0X20</span> </span></span><span class="line"><span class="cl"><span class="err">22:</span> <span class="err">01</span> <span class="err">21</span> <span class="nf">MOVS</span> <span class="nv">R1</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">23:</span> <span class="err">99</span> <span class="err">40</span> <span class="nf">LSLS</span> <span class="nv">R1</span><span class="p">,</span> <span class="nv">R3</span> </span></span><span class="line"><span class="cl"><span class="err">24:</span> <span class="err">01</span> <span class="err">23</span> <span class="nf">MOVS</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">25:</span> <span class="err">13</span> <span class="nf">FA</span> <span class="mi">02</span> <span class="nv">F0</span> <span class="nv">LSLS.W</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R2</span> </span></span><span class="line"><span class="cl"><span class="err">26:</span> <span class="nf">F5</span> <span class="nv">E7</span> <span class="nv">B</span> <span class="nv">locret_103B3BA</span> </span></span><span class="line"><span class="cl"><span class="err">27:</span> <span class="c1">; End of function mystery6</span> </span></span></code></pre></td></tr></table> </div> </div><p>Due to the presence of 16 bit instructions, instructions having the <code>.W</code> suffix and function prologue and epilogue with <code>PUSH</code> and <code>POP</code> respectively, we are dealing with code in Thumb state.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-03-practical-reverse-engineering-exercise-solutions-page-79-exercise-5/Sun, 03 Dec 2017 00:01:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-03-practical-reverse-engineering-exercise-solutions-page-79-exercise-5/<p>Exercise 5 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called <code>mystery5</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery5</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">03</span> <span class="err">46</span> <span class="nf">MOV</span> <span class="nv">R3</span><span class="p">,</span> <span class="nv">R0</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">06</span> <span class="err">2</span><span class="nf">B</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">6</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">0</span><span class="nf">D</span> <span class="nv">D0</span> <span class="nv">BEQ</span> <span class="nv">loc_1032596</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">07</span> <span class="err">2</span><span class="nf">B</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">7</span> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="err">09</span> <span class="nf">D0</span> <span class="nv">BEQ</span> <span class="nv">loc_1032592</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">08</span> <span class="err">2</span><span class="nf">B</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">8</span> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="err">05</span> <span class="nf">D0</span> <span class="nv">BEQ</span> <span class="nv">loc_103258E</span> </span></span><span class="line"><span class="cl"><span class="err">09:</span> <span class="err">09</span> <span class="err">2</span><span class="nf">B</span> <span class="nv">CMP</span> <span class="nv">R3</span><span class="p">,</span> <span class="err">#</span><span class="mi">9</span> </span></span><span class="line"><span class="cl"><span class="err">10:</span> <span class="err">01</span> <span class="nf">D0</span> <span class="nv">BEQ</span> <span class="nv">loc_103258A</span> </span></span><span class="line"><span class="cl"><span class="err">11:</span> <span class="err">09</span> <span class="err">48</span> <span class="nf">LDR</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">=</span><span class="nv">aA</span> <span class="c1">; &#34;A&#34;</span> </span></span><span class="line"><span class="cl"><span class="err">12:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">13:</span> <span class="nf">loc_103258A</span> </span></span><span class="line"><span class="cl"><span class="err">14:</span> <span class="err">07</span> <span class="err">48</span> <span class="nf">LDR</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">=</span><span class="nv">aB</span> <span class="c1">; &#34;B&#34;</span> </span></span><span class="line"><span class="cl"><span class="err">15:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">16:</span> <span class="nf">loc_103258E</span> </span></span><span class="line"><span class="cl"><span class="err">17:</span> <span class="err">05</span> <span class="err">48</span> <span class="nf">LDR</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">=</span><span class="nv">ac</span> <span class="c1">; &#34;C&#34;</span> </span></span><span class="line"><span class="cl"><span class="err">18:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">19:</span> <span class="nf">loc_1032592</span> </span></span><span class="line"><span class="cl"><span class="err">20:</span> <span class="err">03</span> <span class="err">48</span> <span class="nf">LDR</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">=</span><span class="nv">aD</span> <span class="c1">; &#34;D&#34;</span> </span></span><span class="line"><span class="cl"><span class="err">21:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">22:</span> <span class="nf">loc_1032596</span> </span></span><span class="line"><span class="cl"><span class="err">23:</span> <span class="err">01</span> <span class="err">48</span> <span class="nf">LDR</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">=</span><span class="nv">aE</span> <span class="c1">; &#34;E&#34;</span> </span></span><span class="line"><span class="cl"><span class="err">24:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"><span class="err">25:</span> <span class="c1">; End of function mystery5</span> </span></span></code></pre></td></tr></table> </div> </div><p>All instructions have a width of 16 bits, so we are dealing with code in Thumb state.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-02-practical-reverse-engineering-exercise-solutions-page-79-exercise-4/Sat, 02 Dec 2017 05:21:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-02-practical-reverse-engineering-exercise-solutions-page-79-exercise-4/<p>Exercise 4 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function <code>mystery4</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery4</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">08</span> <span class="nf">B9</span> <span class="nv">CBNZ</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">loc_100C3DA</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">00</span> <span class="err">20</span> <span class="nf">MOVS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="nf">loc_100C3DA</span> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="err">50</span> <span class="nf">F8</span> <span class="mi">08</span> <span class="mi">0</span><span class="nv">C</span> <span class="nv">LDR.W</span> <span class="nv">R0</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#–</span><span class="mi">8</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="c1">; End of function mystery4</span> </span></span></code></pre></td></tr></table> </div> </div><p>The disassembly is in Thumb mode, as there are instructions having a width of 16 bits and some instructions specific to this mode (e.g. <code>CBNZ</code> and the <code>.W</code> suffix).</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-02-practical-reverse-engineering-exercise-solutions-page-79-exercise-3/Sat, 02 Dec 2017 05:20:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-02-practical-reverse-engineering-exercise-solutions-page-79-exercise-3/<p>Exercise 3 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function <code>mystery3</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery3</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">83</span> <span class="err">68</span> <span class="nf">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mi">8</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">0</span><span class="nf">B</span> <span class="mi">60</span> <span class="nv">STR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="nf">C3</span> <span class="mi">68</span> <span class="nv">LDR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mh">0xC</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">00</span> <span class="err">20</span> <span class="nf">MOVS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="err">4</span><span class="nf">B</span> <span class="mi">60</span> <span class="nv">STR</span> <span class="nv">R3</span><span class="p">,</span> <span class="p">[</span><span class="nv">R1</span><span class="p">,</span><span class="err">#</span><span class="mi">4</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="c1">; End of function mystery3</span> </span></span></code></pre></td></tr></table> </div> </div><p>It is provided in Thumb mode, as we can see from the instruction width, which is consistently 16 bits. Furthermore, the decompilation is greatly facilitated thanks to the lack of any conditional statements. Any kind of NULL-checks, for instance, are omitted.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-02-practical-reverse-engineering-exercise-solutions-page-78-exercise-2/Sat, 02 Dec 2017 04:40:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-02-practical-reverse-engineering-exercise-solutions-page-78-exercise-2/<p>Exercise 2 of the ARM chapter has a rather short disassembly compared to the first exercise. Again, we are tasked with the decompilation of the provided function <code>mystery2</code>.</p> <p>The disassembly is as follows:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="err">01:</span> <span class="nf">mystery2</span> </span></span><span class="line"><span class="cl"><span class="err">02:</span> <span class="err">28</span> <span class="nf">B1</span> <span class="nv">CBZ</span> <span class="nv">R0</span><span class="p">,</span> <span class="nv">loc_C672</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">03:</span> <span class="err">90</span> <span class="nf">F8</span> <span class="mi">63</span> <span class="mi">00</span> <span class="nv">LDRB.W</span> <span class="nv">R0</span><span class="p">,</span> <span class="p">[</span><span class="nv">R0</span><span class="p">,</span><span class="err">#</span><span class="mh">0x63</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">04:</span> <span class="err">00</span> <span class="err">38</span> <span class="nf">SUBS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">05:</span> <span class="err">18</span> <span class="nf">BF</span> <span class="nv">IT</span> <span class="nv">NE</span> </span></span><span class="line"><span class="cl"><span class="err">06:</span> <span class="err">01</span> <span class="err">20</span> <span class="nf">MOVNE</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">07:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">08:</span> <span class="nf">loc_C672</span> </span></span><span class="line"><span class="cl"><span class="err">09:</span> <span class="err">01</span> <span class="err">20</span> <span class="nf">MOVS</span> <span class="nv">R0</span><span class="p">,</span> <span class="err">#</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="err">10:</span> <span class="err">70</span> <span class="err">47</span> <span class="nf">BX</span> <span class="nv">LR</span> </span></span><span class="line"><span class="cl"><span class="err">11:</span> <span class="c1">; End of function mystery2</span> </span></span></code></pre></td></tr></table> </div> </div><p>First of all, we notice that the function has been compiled in Thumb mode, as there are several instructions having a width of 16 bits, which is not possible in ARM mode. Furthermore, the instructions <code>CBZ</code> and <code>IT</code> are specific to Thumb mode and not available in ARM mode.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-01-practical-reverse-engineering-exercise-solutions-page-78-exercise-1/Fri, 01 Dec 2017 04:59:00 -0800https://soffensive.github.io/posts/practical-reverse-engineering/2017-12-01-practical-reverse-engineering-exercise-solutions-page-78-exercise-1/<p>This is the first blog post to a series of ARM challenges from the book Practical Reverse Engineering. In addition to the official ARM manual, the following web page turned out to be very helpful when solving the exercises, as it describes the different ARM instructions in great detail.</p> <p><a href="https://www.heyrick.co.uk/armwiki/Main_Page" target="_blank" rel="noopener noreffer ">https://www.heyrick.co.uk/armwiki/Main_Page</a></p> <p>Without further ado, let us explore the first function. The extract below shows the ARM disassembly of a function named mystery1, which we are supposed to decompile into C code.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-09-20-practical-reverse-engineering-exercise-solutions-page-35-exercise-11/Wed, 20 Sep 2017 02:37:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-09-20-practical-reverse-engineering-exercise-solutions-page-35-exercise-11/<blockquote> <p>Read the Virtual Memory chapter in Intel Software Developer Manual, Volume 3 and AMD64 Architecture Programmer’s Manual, Volume 2: System Programming. Perform a few virtual address to physical address translations yourself and verify the result with a kernel debugger. Explain how data execution prevention (DEP) works.</p></blockquote> <p>For this exercise, we first have to set up a remote kernel debugging session. (see <a href="https://codemetrix.net/windows-kernel-debugging-setup/" target="_blank" rel="noopener noreffer ">https://codemetrix.net/windows-kernel-debugging-setup/</a>, <a href="https://securityblog.gr/3253/debug-user-mode-processes-using-a-kernel-debugger/" target="_blank" rel="noopener noreffer ">https://securityblog.gr/3253/debug-user-mode-processes-using-a-kernel-debugger/</a> and <a href="http://securityblog.gr/3023/windows-kernel-debugging/" target="_blank" rel="noopener noreffer ">http://securityblog.gr/3023/windows-kernel-debugging/</a> for excellent explanations)</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-09-17-practical-reverse-engineering-exercise-solutions-page-35-exercise-10/Sun, 17 Sep 2017 05:34:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-09-17-practical-reverse-engineering-exercise-solutions-page-35-exercise-10/<p>Our task:</p> <blockquote> <p>If the current privilege level is encoded in CS, which is modifiable by user-mode code, why can’t user-mode code modify CS to change CPL?</p></blockquote> <p>For a change, this is now a more theoretical than hands-on challenge. In order to address the exercise appropriately, we have to make sure we understood it correctly.</p> <p><code>CS</code> (code segment) is the CPU segment register that contains the current ring level in bits 0 and 1. This encoded level is also commonly referred to as CPL (current privilege level).</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-09-15-practical-reverse-engineering-exercise-solutions-page-35-exercise-9/Fri, 15 Sep 2017 02:49:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-09-15-practical-reverse-engineering-exercise-solutions-page-35-exercise-9/<p>Our task:</p> <blockquote> <p>Sample L. Explain what function <code>sub_1000CEA0</code> does and then decompile it back to C.</p></blockquote> <p>Here we have the function&rsquo;s disassembly:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"> <span class="nf">push</span> <span class="nb">ebp</span> </span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="nb">ebp</span><span class="p">,</span> <span class="nb">esp</span> </span></span><span class="line"><span class="cl"> <span class="nf">push</span> <span class="nb">edi</span> </span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="nb">edi</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebp</span><span class="o">+</span><span class="mi">8</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nf">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span> </span></span><span class="line"><span class="cl"> <span class="nf">or</span> <span class="nb">ecx</span><span class="p">,</span> <span class="mh">0FFFFFFFFh</span> </span></span><span class="line"><span class="cl"> <span class="nf">repne</span> <span class="nv">scasb</span> </span></span><span class="line"><span class="cl"> <span class="nf">add</span> <span class="nb">ecx</span><span class="p">,</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="nf">neg</span> <span class="nb">ecx</span> </span></span><span class="line"><span class="cl"> <span class="nf">sub</span> <span class="nb">edi</span><span class="p">,</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="nb">al</span><span class="p">,</span> <span class="p">[</span><span class="nb">ebp</span><span class="o">+</span><span class="mh">0Ch</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nf">std</span> </span></span><span class="line"><span class="cl"> <span class="nf">repne</span> <span class="nv">scasb</span> </span></span><span class="line"><span class="cl"> <span class="nf">add</span> <span class="nb">edi</span><span class="p">,</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="nf">cmp</span> <span class="p">[</span><span class="nb">edi</span><span class="p">],</span> <span class="nb">al</span> </span></span><span class="line"><span class="cl"> <span class="nf">jz</span> <span class="nv">short</span> <span class="nv">loc_1000CEC7</span> </span></span><span class="line"><span class="cl"> <span class="nf">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span> </span></span><span class="line"><span class="cl"> <span class="nf">jmp</span> <span class="nv">short</span> <span class="nv">loc_1000CEC9</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_1000CEC7:</span> </span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">edi</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_1000CEC9:</span> </span></span><span class="line"><span class="cl"> <span class="nf">cld</span> </span></span><span class="line"><span class="cl"> <span class="nf">pop</span> <span class="nb">edi</span> </span></span><span class="line"><span class="cl"> <span class="nf">leave</span> </span></span><span class="line"><span class="cl"> <span class="nf">retn</span> </span></span><span class="line"><span class="cl"> <span class="nf">endp</span> </span></span></code></pre></td></tr></table> </div> </div><p>Firstly, the function takes two arguments, at <code>ebp+0x8</code> (arg1) and <code>ebp+0x0C</code> (arg2) respectively. It follows the <strong>stdcall</strong> convention that arguments are pushed from right to left on the stack and the callee cleaning up the stack.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-09-14-practical-reverse-engineering-exercise-solutions-page-35-exercise-8/Thu, 14 Sep 2017 05:12:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-09-14-practical-reverse-engineering-exercise-solutions-page-35-exercise-8/<p>Our task as formulated in exercise 8:</p> <blockquote> <p>Sample H. Decompile <code>sub_11732</code> and explain the most likely programming construct used in the original code.</p></blockquote> <p>The function&rsquo;s disassembly:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="nl">sub_1172E:</span> </span></span><span class="line"><span class="cl"><span class="nf">push</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">esp</span><span class="o">+</span><span class="mi">8</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nf">dec</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="nf">jz</span> <span class="nv">short</span> <span class="nv">loc_1175F</span> </span></span><span class="line"><span class="cl"><span class="nf">dec</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="nf">jz</span> <span class="nv">short</span> <span class="nv">loc_11755</span> </span></span><span class="line"><span class="cl"><span class="nf">dec</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="nf">jz</span> <span class="nv">short</span> <span class="nv">loc_1174B</span> </span></span><span class="line"><span class="cl"><span class="nf">sub</span> <span class="nb">esi</span><span class="p">,</span> <span class="mi">9</span> </span></span><span class="line"><span class="cl"><span class="nf">jnz</span> <span class="nv">short</span> <span class="nv">loc_1176B</span> </span></span><span class="line"><span class="cl"><span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mi">8</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nf">shr</span> <span class="nb">esi</span><span class="p">,</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="nf">add</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">0Ch</span> </span></span><span class="line"><span class="cl"><span class="nf">jmp</span> <span class="nv">short</span> <span class="nv">loc_11767</span> </span></span><span class="line"><span class="cl"><span class="c1">; ---------------------------------------------------------------------------</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_1174B:</span> </span></span><span class="line"><span class="cl"><span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">3Ch</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nf">shr</span> <span class="nb">esi</span><span class="p">,</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="nf">add</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">5Eh</span> </span></span><span class="line"><span class="cl"><span class="nf">jmp</span> <span class="nv">short</span> <span class="nv">loc_11767</span> </span></span><span class="line"><span class="cl"><span class="c1">; ---------------------------------------------------------------------------</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_11755:</span> </span></span><span class="line"><span class="cl"><span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">3Ch</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nf">shr</span> <span class="nb">esi</span><span class="p">,</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="nf">add</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">44h</span> </span></span><span class="line"><span class="cl"><span class="nf">jmp</span> <span class="nv">short</span> <span class="nv">loc_11767</span> </span></span><span class="line"><span class="cl"><span class="c1">; ---------------------------------------------------------------------------</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_1175F:</span> </span></span><span class="line"><span class="cl"><span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">3Ch</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nf">shr</span> <span class="nb">esi</span><span class="p">,</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"><span class="nf">add</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">40h</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_11767:</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">mov</span> <span class="p">[</span><span class="nb">ecx</span><span class="p">],</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="nf">mov</span> <span class="p">[</span><span class="nb">edx</span><span class="p">],</span> <span class="nb">eax</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_1176B:</span> </span></span><span class="line"><span class="cl"><span class="nf">pop</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="nf">retn</span> <span class="mi">4</span> </span></span></code></pre></td></tr></table> </div> </div><p>Obviously, the sought-after programming construct in this case is a <code>switch...case</code> statement.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-30-practical-reverse-engineering-exercise-solutions-page-35-exercise-7/Sun, 30 Jul 2017 03:55:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-30-practical-reverse-engineering-exercise-solutions-page-35-exercise-7/<p>Exercise 7 on page 35:</p> <blockquote> <p>Sample H. The function <code>sub_10BB6</code> has a loop searching for something. First recover the function prototype and then infer the types based on the context. Hint: You should probably have a copy of the PE specification nearby.</p></blockquote> <p>Due to alignment issues, our routine is located at <code>10BB2</code> and has the following disassembly:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="nl">sub_10BB2:</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">esp</span><span class="o">+</span><span class="mi">4</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nf">push</span> <span class="nb">ebx</span> </span></span><span class="line"><span class="cl"> <span class="nf">push</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">3Ch</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nf">add</span> <span class="nb">esi</span><span class="p">,</span> <span class="nb">eax</span> </span></span><span class="line"><span class="cl"> <span class="nf">movzx</span> <span class="nb">eax</span><span class="p">,</span> <span class="kt">word</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mh">14h</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nf">xor</span> <span class="nb">ebx</span><span class="p">,</span> <span class="nb">ebx</span> </span></span><span class="line"><span class="cl"> <span class="nf">cmp</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mi">6</span><span class="p">],</span> <span class="nb">bx</span> </span></span><span class="line"><span class="cl"> <span class="nf">push</span> <span class="nb">edi</span> </span></span><span class="line"><span class="cl"> <span class="nf">lea</span> <span class="nb">edi</span><span class="p">,</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="nb">esi</span><span class="o">+</span><span class="mh">18h</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nf">jbe</span> <span class="nv">short</span> <span class="nv">loc_10BEB</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_10BCE:</span> </span></span><span class="line"><span class="cl"> <span class="nf">push</span> <span class="p">[</span><span class="nb">esp</span><span class="o">+</span><span class="mh">0Ch</span><span class="o">+</span><span class="nv">arg_4</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nf">push</span> <span class="nb">edi</span> </span></span><span class="line"><span class="cl"> <span class="nf">call</span> <span class="nb">ds</span><span class="p">:</span><span class="kt">dword</span><span class="nv">_169A4</span> </span></span><span class="line"><span class="cl"> <span class="nf">test</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span> </span></span><span class="line"><span class="cl"> <span class="nf">pop</span> <span class="nb">ecx</span> </span></span><span class="line"><span class="cl"> <span class="nf">pop</span> <span class="nb">ecx</span> </span></span><span class="line"><span class="cl"> <span class="nf">jz</span> <span class="nv">short</span> <span class="nv">loc_10BF3</span> </span></span><span class="line"><span class="cl"> <span class="nf">movzx</span> <span class="nb">eax</span><span class="p">,</span> <span class="kt">word</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mi">6</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="nf">add</span> <span class="nb">edi</span><span class="p">,</span> <span class="mh">28h</span> </span></span><span class="line"><span class="cl"> <span class="nf">inc</span> <span class="nb">ebx</span> </span></span><span class="line"><span class="cl"> <span class="nf">cmp</span> <span class="nb">ebx</span><span class="p">,</span> <span class="nb">eax</span> </span></span><span class="line"><span class="cl"> <span class="nf">jb</span> <span class="nv">short</span> <span class="nv">loc_10BCE</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_10BEB:</span> </span></span><span class="line"><span class="cl"> <span class="nf">xor</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">eax</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_10BED:</span> </span></span><span class="line"><span class="cl"> <span class="nf">pop</span> <span class="nb">edi</span> </span></span><span class="line"><span class="cl"> <span class="nf">pop</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"> <span class="nf">pop</span> <span class="nb">ebx</span> </span></span><span class="line"><span class="cl"> <span class="nf">retn</span> <span class="mi">8</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nl">loc_10BF3:</span> </span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="nb">edi</span> </span></span><span class="line"><span class="cl"> <span class="nf">jmp</span> <span class="nv">short</span> <span class="nv">loc_10BED</span> </span></span></code></pre></td></tr></table> </div> </div><p>The PE file format and offsets have been described in detail here: <a href="http://www.sunshine2k.de/reversing/tuts/tut_pe.htm" target="_blank" rel="noopener noreffer ">http://www.sunshine2k.de/reversing/tuts/tut_pe.htm</a></p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-22-practical-reverse-engineering-exercise-solutions-page-35-exercise-6/Sat, 22 Jul 2017 23:49:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-22-practical-reverse-engineering-exercise-solutions-page-35-exercise-6/<p>Exercise 6 on page 35 of the book Practical Reverse Engineering presents us with a malware samples.</p> <p>These can be downloaded at the following page:</p> <p><a href="https://grsecurity.net/malware_research/" target="_blank" rel="noopener noreffer ">https://grsecurity.net/malware_research/</a></p> <p>In this exercise, we are expected to have a look at the following routine <code>sub_13842</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013842</span> <span class="nf">sub_13842</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013842</span> <span class="nf">mov</span> <span class="nb">eax</span><span class="p">,</span> <span class="p">[</span><span class="nb">ecx</span><span class="o">+</span><span class="mh">60h</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013845</span> <span class="nf">push</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013846</span> <span class="nf">mov</span> <span class="nb">esi</span><span class="p">,</span> <span class="p">[</span><span class="nb">edx</span><span class="o">+</span><span class="mi">8</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013849</span> <span class="nf">dec</span> <span class="kt">byte</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">ecx</span><span class="o">+</span><span class="mh">23h</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">0001384</span><span class="nf">C</span> <span class="nv">sub</span> <span class="nb">eax</span><span class="p">,</span> <span class="mh">24h</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">0001384</span><span class="nf">F</span> <span class="nv">mov</span> <span class="p">[</span><span class="nb">ecx</span><span class="o">+</span><span class="mh">60h</span><span class="p">],</span> <span class="nb">eax</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013852</span> <span class="nf">mov</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">14h</span><span class="p">],</span> <span class="nb">edx</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013855</span> <span class="nf">movzx</span> <span class="nb">eax</span><span class="p">,</span> <span class="kt">byte</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">eax</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013858</span> <span class="nf">push</span> <span class="nb">ecx</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">00013859</span> <span class="nf">push</span> <span class="nb">edx</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">0001385</span><span class="nf">A</span> <span class="nv">call</span> <span class="kt">dword</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="nb">eax</span><span class="o">*</span><span class="mi">4</span><span class="o">+</span><span class="mh">38h</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">0001385</span><span class="nf">E</span> <span class="nv">pop</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="nl">.text:</span><span class="err">0001385</span><span class="nf">F</span> <span class="nv">retn</span> </span></span></code></pre></td></tr></table> </div> </div><p>Firstly, we see that the function prototype takes two parameters, which are not saved on the stack but in the two registers <code>ecx</code> and <code>edx</code>. This can be deducted from the fact that these two registers are immediately referenced without prior initialization.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-16-practical-reverse-engineering-exercise-solutions-rtlvalidateunicodestring/Sun, 16 Jul 2017 12:50:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-16-practical-reverse-engineering-exercise-solutions-rtlvalidateunicodestring/<p>This blog post contains my solution for the decompilation exercise of the <code>RtlValidateUnicodeString</code> function in the Windows Kernel. The following contains the disassembly without annotations:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="nf">kd</span><span class="o">&gt;</span> <span class="nv">uf</span> <span class="nv">rtlvalidateunicodestring</span> </span></span><span class="line"><span class="cl"><span class="nf">ntdll</span><span class="err">!</span><span class="nv">RtlValidateUnicodeString</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f6c</span> <span class="mi">8</span><span class="nv">bff</span> <span class="nv">mov</span> <span class="nb">edi</span><span class="p">,</span><span class="nb">edi</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f6e</span> <span class="mi">55</span> <span class="nv">push</span> <span class="nb">ebp</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f6f</span> <span class="mi">8</span><span class="nv">bec</span> <span class="nv">mov</span> <span class="nb">ebp</span><span class="p">,</span><span class="nb">esp</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f71</span> <span class="mi">837</span><span class="nv">d0800</span> <span class="nv">cmp</span> <span class="kt">dword</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">ebp</span><span class="o">+</span><span class="mi">8</span><span class="p">],</span><span class="mi">0</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f75</span> <span class="mi">0</span><span class="nv">f85fc380300</span> <span class="nv">jne</span> <span class="nv">ntdll</span><span class="err">!</span><span class="nv">RtlValidateUnicodeString</span><span class="o">+</span><span class="mh">0xb</span> <span class="p">(</span><span class="mi">776</span><span class="nv">ba877</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">ntdll</span><span class="err">!</span><span class="nv">RtlValidateUnicodeString</span><span class="o">+</span><span class="mh">0x12</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f7b</span> <span class="mi">6800010000</span> <span class="nv">push</span> <span class="mh">100h</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f80</span> <span class="nv">ff750c</span> <span class="nv">push</span> <span class="kt">dword</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">ebp</span><span class="o">+</span><span class="mh">0Ch</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f83</span> <span class="nv">e809000000</span> <span class="nv">call</span> <span class="nv">ntdll</span><span class="err">!</span><span class="nv">RtlUnicodeStringValidateEx</span> <span class="p">(</span><span class="mi">77686</span><span class="nv">f91</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">ntdll</span><span class="err">!</span><span class="nv">RtlValidateUnicodeString</span><span class="o">+</span><span class="mh">0x1f</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f88</span> <span class="mi">5</span><span class="nv">d</span> <span class="nv">pop</span> <span class="nb">ebp</span> </span></span><span class="line"><span class="cl"><span class="err">77686</span><span class="nf">f89</span> <span class="nv">c20800</span> <span class="nv">ret</span> <span class="mi">8</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">ntdll</span><span class="err">!</span><span class="nv">RtlValidateUnicodeString</span><span class="o">+</span><span class="mh">0xb</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">776</span><span class="nf">ba877</span> <span class="nv">b80d0000c0</span> <span class="nv">mov</span> <span class="nb">eax</span><span class="p">,</span><span class="mh">0C000000Dh</span> </span></span><span class="line"><span class="cl"><span class="err">776</span><span class="nf">ba87c</span> <span class="nv">e907c7fcff</span> <span class="nv">jmp</span> <span class="nv">ntdll</span><span class="err">!</span><span class="nv">RtlValidateUnicodeString</span><span class="o">+</span><span class="mh">0x1f</span> <span class="p">(</span><span class="mi">77686</span><span class="nv">f88</span><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>The function prototype is given <a href="https://github.com/CaledoniaProject/kekeo-with-asn-vs2013/blob/d926de6096d6f6d797e38ced1b5cbdf56d1734b9/modules/kull_m_string.h" target="_blank" rel="noopener noreffer ">here</a>:</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-16-practical-reverse-engineering-exercise-solutions-livekd-windbg-cheat-sheet/Sun, 16 Jul 2017 05:45:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-16-practical-reverse-engineering-exercise-solutions-livekd-windbg-cheat-sheet/<p>Here are a couple of commands I regularly use for reverse engineering:</p> <ul> <li><code>uf &lt;function&gt;</code>: Unassemble function</li> <li><code>dt nt!_ktss</code>: Show the definition of the data structure <code>_ktss</code></li> <li><code>?? sizeof(_ktss)</code>: Show the size the data structure <code>_ktss</code> occupies in memory</li> <li><code>.hh uf</code>: Show help for the function <code>uf</code></li> <li><code>x nt!*createfile*</code>: Search all functions having the string <code>createfile</code> in its name</li> <li><code>!vtop &lt;PDPT-pointer&gt; &lt;virtualAddress&gt;</code>: Compute physical address of given virtual address and the pointer to the page directory pointer table</li> </ul>https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-16-practical-reverse-engineering-exercise-solutions-kiinitializetss/Sun, 16 Jul 2017 05:33:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-16-practical-reverse-engineering-exercise-solutions-kiinitializetss/<p>Another exercise for us is the decompilation of the <code>KiInitializeTSS</code> function:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="nf">nt</span><span class="err">!</span><span class="nv">KiInitializeTSS</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">82847359</span> <span class="err">8</span><span class="nf">bff</span> <span class="nv">mov</span> <span class="nb">edi</span><span class="p">,</span><span class="nb">edi</span> </span></span><span class="line"><span class="cl"><span class="err">8284735</span><span class="nf">b</span> <span class="mi">55</span> <span class="nv">push</span> <span class="nb">ebp</span> </span></span><span class="line"><span class="cl"><span class="err">8284735</span><span class="nf">c</span> <span class="mi">8</span><span class="nv">bec</span> <span class="nv">mov</span> <span class="nb">ebp</span><span class="p">,</span><span class="nb">esp</span> </span></span><span class="line"><span class="cl"><span class="err">8284735</span><span class="nf">e</span> <span class="mi">8</span><span class="nv">b4508</span> <span class="nv">mov</span> <span class="nb">eax</span><span class="p">,</span><span class="kt">dword</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">ebp</span><span class="o">+</span><span class="mi">8</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">82847361</span> <span class="nf">b9ac200000</span> <span class="nv">mov</span> <span class="nb">ecx</span><span class="p">,</span><span class="mh">20ACh</span> </span></span><span class="line"><span class="cl"><span class="err">82847366</span> <span class="err">66894866</span> <span class="nf">mov</span> <span class="kt">word</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">66h</span><span class="p">],</span><span class="nb">cx</span> </span></span><span class="line"><span class="cl"><span class="err">8284736</span><span class="nf">a</span> <span class="mi">33</span><span class="nv">c9</span> <span class="nv">xor</span> <span class="nb">ecx</span><span class="p">,</span><span class="nb">ecx</span> </span></span><span class="line"><span class="cl"><span class="err">8284736</span><span class="nf">c</span> <span class="mi">6</span><span class="nv">a10</span> <span class="nv">push</span> <span class="mh">10h</span> </span></span><span class="line"><span class="cl"><span class="err">8284736</span><span class="nf">e</span> <span class="mi">66894864</span> <span class="nv">mov</span> <span class="kt">word</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">64h</span><span class="p">],</span><span class="nb">cx</span> </span></span><span class="line"><span class="cl"><span class="err">82847372</span> <span class="err">66894860</span> <span class="nf">mov</span> <span class="kt">word</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">60h</span><span class="p">],</span><span class="nb">cx</span> </span></span><span class="line"><span class="cl"><span class="err">82847376</span> <span class="err">59</span> <span class="nf">pop</span> <span class="nb">ecx</span> </span></span><span class="line"><span class="cl"><span class="err">82847377</span> <span class="err">66894808</span> <span class="nf">mov</span> <span class="kt">word</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mi">8</span><span class="p">],</span><span class="nb">cx</span> </span></span><span class="line"><span class="cl"><span class="err">8284737</span><span class="nf">b</span> <span class="mi">5</span><span class="nv">d</span> <span class="nv">pop</span> <span class="nb">ebp</span> </span></span><span class="line"><span class="cl"><span class="err">8284737</span><span class="nf">c</span> <span class="nv">c20400</span> <span class="nv">ret</span> <span class="mi">4</span> </span></span></code></pre></td></tr></table> </div> </div><p>We obtain the function prototype: (<a href="https://github.com/hoangduit/reactos/blob/63682957b86d77c7d82e7b887797ef82ea92d271/reactos/ntoskrnl/ke/powerpc/cpu.c" target="_blank" rel="noopener noreffer ">source</a>)</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">VOID</span> </span></span><span class="line"><span class="cl"><span class="n">NTAPI</span> </span></span><span class="line"><span class="cl"><span class="nf">KiInitializeTSS</span><span class="p">(</span><span class="n">IN</span> <span class="n">PKTSS</span> <span class="n">Tss</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Structure of <code>_KTSS</code>:</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-16-practical-reverse-engineering-exercise-solutions-kereadythread/Sun, 16 Jul 2017 03:44:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-16-practical-reverse-engineering-exercise-solutions-kereadythread/<p>Unfortunately I had no time in the past days to continue with the exercises. We continue with the decompilation of the KeReadyThread function in Windows 7.</p> <p>The following listing shows the disassembly:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nasm" data-lang="nasm"><span class="line"><span class="cl"><span class="nf">nt</span><span class="err">!</span><span class="nv">KeReadyThread</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a8125</span> <span class="mi">8</span><span class="nv">bff</span> <span class="nv">mov</span> <span class="nb">edi</span><span class="p">,</span><span class="nb">edi</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a8127</span> <span class="mi">56</span> <span class="nv">push</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a8128</span> <span class="mi">8</span><span class="nv">bf0</span> <span class="nv">mov</span> <span class="nb">esi</span><span class="p">,</span><span class="nb">eax</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a812a</span> <span class="mi">8</span><span class="nv">b4650</span> <span class="nv">mov</span> <span class="nb">eax</span><span class="p">,</span><span class="kt">dword</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">esi</span><span class="o">+</span><span class="mh">50h</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a812d</span> <span class="mi">8</span><span class="nv">b4874</span> <span class="nv">mov</span> <span class="nb">ecx</span><span class="p">,</span><span class="kt">dword</span> <span class="nv">ptr</span> <span class="p">[</span><span class="nb">eax</span><span class="o">+</span><span class="mh">74h</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a8130</span> <span class="nv">f6c107</span> <span class="nv">test</span> <span class="nb">cl</span><span class="p">,</span><span class="mi">7</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a8133</span> <span class="mi">7409</span> <span class="nv">je</span> <span class="nv">nt</span><span class="err">!</span><span class="nv">KeReadyThread</span><span class="o">+</span><span class="mh">0x19</span> <span class="p">(</span><span class="mi">828</span><span class="nv">a813e</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">nt</span><span class="err">!</span><span class="nv">KeReadyThread</span><span class="o">+</span><span class="mh">0x10</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a8135</span> <span class="nv">e8b74af8ff</span> <span class="nv">call</span> <span class="nv">nt</span><span class="err">!</span><span class="nv">KiInSwapSingleProcess</span> <span class="p">(</span><span class="mi">8282</span><span class="nv">cbf1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a813a</span> <span class="mi">84</span><span class="nv">c0</span> <span class="nv">test</span> <span class="nb">al</span><span class="p">,</span><span class="nb">al</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a813c</span> <span class="mi">7505</span> <span class="nv">jne</span> <span class="nv">nt</span><span class="err">!</span><span class="nv">KeReadyThread</span><span class="o">+</span><span class="mh">0x1e</span> <span class="p">(</span><span class="mi">828</span><span class="nv">a8143</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">nt</span><span class="err">!</span><span class="nv">KeReadyThread</span><span class="o">+</span><span class="mh">0x19</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a813e</span> <span class="nv">e892ef0000</span> <span class="nv">call</span> <span class="nv">nt</span><span class="err">!</span><span class="nv">KiFastReadyThread</span> <span class="p">(</span><span class="mi">828</span><span class="nv">b70d5</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nf">nt</span><span class="err">!</span><span class="nv">KeReadyThread</span><span class="o">+</span><span class="mh">0x1e</span><span class="p">:</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a8143</span> <span class="mi">5</span><span class="nv">e</span> <span class="nv">pop</span> <span class="nb">esi</span> </span></span><span class="line"><span class="cl"><span class="err">828</span><span class="nf">a8144</span> <span class="nv">c3</span> <span class="nv">ret</span> </span></span></code></pre></td></tr></table> </div> </div><p>According to <a href="https://github.com/Zer0Mem0ry/ntoskrnl/blob/1ba25701dc670d5f63610b75b593c5841d291e7f/Ke/thredobj.c" target="_blank" rel="noopener noreffer ">this source</a>, it has the following prototype:</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue/Sat, 01 Jul 2017 05:39:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue/<p>We are tasked with decompiling the Windows Kernel routine KeInitializeQueue.</p> <p>Firstly, we obtain its disassembly:</p> <p><a href="../images/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue-001.png" rel=""><img class="lazyload" src="https://soffensive.github.io/svg/loading.min.svg" data-src="../images/thumbnails/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue-001.png" data-srcset="../images/thumbnails/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue-001.png, ../images/thumbnails/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue-001.png 1.5x, ../images/thumbnails/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue-001.png 2x" data-sizes="auto" alt="../images/thumbnails/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue-001.png" title="../images/thumbnails/2017-07-01-practical-reverse-engineering-exercise-solutions-keinitializequeue-001.png" /></a> </p> <p>Secondly, we consult <a href="https://msdn.microsoft.com/en-us/library/windows/hardware/ff549547%28v=vs.85%29.aspx" target="_blank" rel="noopener noreffer ">MSDN</a> for its signature:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">VOID</span> <span class="nf">KeInitializeQueue</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">_Out_</span> <span class="n">PRKQUEUE</span> <span class="n">Queue</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">_In_</span> <span class="n">ULONG</span> <span class="n">Count</span> </span></span><span class="line"><span class="cl"><span class="p">);</span> </span></span></code></pre></td></tr></table> </div> </div><p>The routine itself does not return anything. </p> <p>We learn it takes two parameters and as the assembly contains the <code>ret 8</code> instruction, the <code>KeInitializeQueue</code> function cleans up the stack and thus, it uses the <strong>stdcall</strong> convention.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-06-29-practical-reverse-engineering-exercise-solutions-obfastdereferenceobject/Thu, 29 Jun 2017 09:46:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-06-29-practical-reverse-engineering-exercise-solutions-obfastdereferenceobject/<p>First of all a quick reminder: This series of blog posts relates to exercises from the book Practical Reverse Engineering by Dang et al. Although it is called reverse engineering in general, it actually is mostly relevant to Microsoft Windows operating systems. This is simply due to the fact that Microsoft Windows is closed source in contrast to the Linux/Unix families, which means its source code is publicly available and so no reverse engineering endeavours are necessary.</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-06-19-practical-reverse-engineering-exercise-solutions-keinitializeapc-routine/Mon, 19 Jun 2017 02:36:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-06-19-practical-reverse-engineering-exercise-solutions-keinitializeapc-routine/<p>To keep me motivated and document my progress, I will create a series of blog posts with answers to some of the exercises from the book &ldquo;Practical Reverse Engineering&rdquo; by Dang, Gazet and Bachaalany.</p> <p>In the last post, we introduced the Windows Kernel Debugger (KD) and some of the functions. I have learned that rather than using KD directly, we can use WinDbg&rsquo;s interface which is more user-friendly. When calling livekd, simply append the &ldquo;-w&rdquo; parameter and WinDbg will start up:</p>https://soffensive.github.io/posts/practical-reverse-engineering/2017-06-17-practical-reverse-engineering-exercise-solutions-windows-kernel-routines/Sat, 17 Jun 2017 00:01:00 -0700https://soffensive.github.io/posts/practical-reverse-engineering/2017-06-17-practical-reverse-engineering-exercise-solutions-windows-kernel-routines/<p>I am currently developing my reverse engineering skills and want to keep some important parts of this journey as well in this blog.</p> <p>The first step of this series relates to disassembling Windows kernel routines, in my case Windows 7.</p> <p>What are the prerequisites for this exercise?</p> <ul> <li>Ideally, install Windows inside a virtual machine</li> <li>From Windows Vista onwards, the Kernel debugging mode has to be enabled with: <code>bcdedit /debug on</code></li> <li>Install Debugging Tools for Windows (for example, as part of the Windows SDK - <a href="https://www.microsoft.com/en-us/download/details.aspx?id=3138" target="_blank" rel="noopener noreffer ">https://www.microsoft.com/en-us/download/details.aspx?id=3138</a> for Windows 7, which contains the Kernel Debugger (KD))</li> <li>Install LiveKD from the SysInternals Suite  <ul> <li><strong>IMPORTANT: the livekd.exe file should be placed in the system32 folder</strong></li> </ul> </li> </ul> <p>Notice that since we use LiveKD, we are essentially debugging the Kernel locally without a second system. With this approach, functions cannot be debugged as LiveKD uses a Kernel read-only memory dump as a basis.</p>