## Thursday, December 29, 2011

### Binary Auditing part 2, Identifying For Loops

In this exercise, we are concentraing on identifying For Loops. In assembly, they can look considerably different than while and do loops.

We start at the address 00401004, where the author of the program is setting up a variable to count how many times we've iterated through the loop:

move [ebp+var_4], 0

The next instruction is a jump to 00401016, where we compare the value of what's in var_4 with 0Ah (which is 10, written in hexidecimal and denoted as such with the 'h'). If that comparision is true, it will jump to 0040102C; however, the value of var_4 is current 0, so the evaluation returns false and we move on to the next instructions:

push offset Format
call ds:printf

The two above commands simply push what's at the value of Format (which is the text "The for loop\n") and then call printf. For a referesher on this, take a look at the previous exercise.

The program then adds 4 to the current stack pointer (esp) and performs a jump to location 0040100D, which is technically the end of the for loop. At this location, the program is keeping track of how many times we've iterated through the loop by adding 1 to the counter, which is var_4:

mov eax, [ebp+var_4]
mov [ebp+var_4], eax

In the next instruction, we return to the beginning of the for loop where it is comparing if var_4 (our loop counter variable) is equal to 10. At this point in the tutorial, it's equal to 1, so the for loop continues.

In C, this program looks like:

for (i = 0; i < 10; ++i)
printf("The for loop\n");
return 0;