Sunday, January 22, 2012

Binary Auditing part 4, Identifying Register Variables

Sorry this post took so long. I kinda botched my VM...

In this tutorial, we take a look at identifying register variables. This tutorial is very close to A03; however, it differs in that the values are not declared as variables in the C code before being passed as arguments, which leaves the compiler to compute them in a register and push that register onto the stack as the argument.

The assembly looks essentially the same, though the arithmetic (i.e. 1911 + 1638) is performed directly on the register eax, and eax is then pushed as the printf argument, rather than the value being passed through a separate function. This is demonstrated at 00401017 (the addition) and 0040103A (the subtraction). Note that the decompiler folds the add and sub away entirely, so the pseudo-C only shows the results 3549 (0xDDD) and 273 (0x111) as constants; you have to read the disassembly to see that a register is doing the work.

IDA renders the pseudo-C code as:


int __cdecl main(int argc, const char **argv, const char **envp)
{
  printf("%x + %x = %x\n", 1638, 1911, 3549);
  printf("%x - %x = %x\n", 1638, 1911, 273);
  return 0;
}
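Below is a reconstruction of source that behaves like the binary under analysis. It is an added example written for this post, not the original sample's source, which is not available here. The constants 0x666 (1638), 0x777 (1911) and the printf format strings are taken from the pseudo-C above; the operand order in the subtraction and the use of parameters to keep the compiler from folding the arithmetic are assumptions. Compile without optimisation (e.g. gcc -O0 -m32) and disassemble to see the add and sub acting on eax before the result is pushed.

```c
#include <stdio.h>
#include <string.h>

/* Operands are passed as parameters (an assumption made for this example) so
 * the compiler cannot fold the expression at compile time. Built without
 * optimisation, the add is performed on eax and the result is pushed straight
 * from eax as the printf argument, which is the register-variable pattern the
 * post points at 00401017 and 0040103A. */
unsigned int add_vals(unsigned int a, unsigned int b)
{
    return a + b;   /* 0x777 + 0x666 = 0xDDD (3549) */
}

unsigned int sub_vals(unsigned int a, unsigned int b)
{
    return a - b;   /* 0x777 - 0x666 = 0x111 (273), matching IDA's constant */
}

/* Render one output line the way the binary's printf does. Because the format
 * uses %x, the decimal constants IDA shows (1638, 1911, 3549, 273) appear on
 * the console as 666, 777, ddd and 111. */
int format_line(char *buf, size_t n, char op,
                unsigned int a, unsigned int b, unsigned int r)
{
    return snprintf(buf, n, "%x %c %x = %x", a, op, b, r);
}

int main(void)
{
    char line[64];

    format_line(line, sizeof line, '+', 0x666, 0x777, add_vals(0x777, 0x666));
    puts(line);
    format_line(line, sizeof line, '-', 0x666, 0x777, sub_vals(0x777, 0x666));
    puts(line);
    return 0;
}
```

If you want the intermediate to live only in eax as in the sample, compile at -O0 and check that no local is written to the stack between the arithmetic instruction and the push; an optimising build will instead fold everything into immediates, exactly as IDA's decompiler did.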
