Wednesday, January 4, 2012

Binary Auditing part 3, Identifying Local Variables

In this tutorial, we are reviewing how to identify local variables. Local variables are variables that are defined in a function and are not accessible by other functions. In programming languages, this is defined as scoping (see: and

The main function in this program starts at 00401040.

** For an additional exercise, use PEview ( to find the "Address of Entry Point", then follow that until you get to the main function **

After the stack prologue, we see that two numbers are being assigned to var_4 and var_8. Each is then loaded into ecx and eax, respectively, and pushed onto the stack. var_8 (a.k.a. ecx) is pushed onto the stack first, so it will be the last of the two to be popped off the stack. These two variables, now placed on the stack, are being passed to the function at 00401000, which is then called.

In 00401000, you see that arg_0 and arg_4 have been passed. Next to each declaration of the variables, you have a positive number (8 and 0Ch). Since the stack grows down, typical stack operations subtract from the base and stack pointers (ebp and esp). Since we're using a positive number, this means we are accessing areas of the stack that have been filled by previous functions, or programs.
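The sign rule above can be turned into a small classifier. This is an added example, not code from the original post: `classify_operand` is a hypothetical helper, it assumes a standard 32-bit ebp frame (saved ebp at [ebp+0], return address at [ebp+4]) and raw operands written as a debugger shows them, and the sample operands are constructed from the offsets quoted in this tutorial.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: standard 32-bit ebp frame (push ebp / mov ebp, esp).
 * [ebp+0] = saved ebp, [ebp+4] = return address, [ebp+8].. = caller's
 * arguments, negative displacements = this function's locals. */
enum slot_kind { SLOT_INVALID, SLOT_LOCAL, SLOT_SAVED_EBP, SLOT_RET_ADDR, SLOT_ARG };

/* Hypothetical helper: classify a raw operand such as "[ebp-8]" or
 * "[ebp+0Ch]" and write the matching var_N / arg_N label into name. */
enum slot_kind classify_operand(const char *op, char *name, size_t len)
{
    long disp = 0;
    char *end;
    name[0] = '\0';
    if (strncmp(op, "[ebp", 4) != 0)
        return SLOT_INVALID;                 /* not ebp-relative */
    if (strcmp(op + 4, "]") != 0) {          /* anything but plain [ebp] */
        if ((op[4] != '+' && op[4] != '-') || !isxdigit((unsigned char)op[5]))
            return SLOT_INVALID;
        disp = strtol(op + 5, &end, 16);     /* disassemblers print hex */
        if (*end == 'h') end++;              /* optional MASM-style suffix */
        if (strcmp(end, "]") != 0)
            return SLOT_INVALID;
        if (op[4] == '-') disp = -disp;
    }
    if (disp < 0) {                          /* below ebp: local variable */
        snprintf(name, len, "var_%lX", (unsigned long)-disp);
        return SLOT_LOCAL;
    }
    if (disp < 4) return SLOT_SAVED_EBP;     /* [ebp+0]: caller's ebp */
    if (disp < 8) return SLOT_RET_ADDR;      /* [ebp+4]: return address */
    snprintf(name, len, "arg_%lX", (unsigned long)(disp - 8));
    return SLOT_ARG;                         /* above the return address */
}

int main(void)
{
    /* Constructed operands using the offsets quoted in the tutorial. */
    const char *ops[] = { "[ebp-4]", "[ebp-8]", "[ebp-34h]", "[ebp+8]", "[ebp+0Ch]" };
    char name[16];
    for (size_t i = 0; i < sizeof ops / sizeof ops[0]; i++)
        if (classify_operand(ops[i], name, sizeof name) != SLOT_INVALID)
            printf("%-10s -> %s\n", ops[i], name);
    return 0;
}
```
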

If you're following along at home with a debugger, a quick tip is to step OVER (shortcut: F8) the call to _ltoa; otherwise you go into msvcr80.dll, which is a Microsoft DLL.

The last item to go over is the 'lea' instruction at 00401011 and 00401022 as we haven't encountered this before. LEA stands for Load Effective Address and is mostly used with pointers. With pointers, we are dealing with the addresses of variables, instead of the value of the variable. (Further reading: and

Our code for this program looks roughly like this:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [sp+0h] [bp-Ch]@1
  int v5; // [sp+4h] [bp-8h]@1
  int v6; // [sp+8h] [bp-4h]@1

  v6 = 1638;
  v5 = 1911;
  v4 = sub_401000(v6, v5);
  printf("%x\n", &v4);
  return 0;
}

int __cdecl sub_401000(int a1, int a2)
{
  // The decompiler types DstBuf as a single char; it is the start of the
  // local buffer that ltoa writes its string into.
  char DstBuf; // [sp+4h] [bp-34h]@1

  ltoa(a2 + a1, &DstBuf, 16);
  printf("%x == %s == ", a2 + a1, &DstBuf);
  return a2 + a1;
}