Monday, January 23, 2012

Binary Auditing part 5, Identifying the - Operator

This exercise looks easy at first. When a "sub" instruction executes, some subtraction is occurring.

Take a look at the assembly and you'll see three sub instructions in the function. But what does each of the three do?

At 00401003, the sub is directly related to the first exercise provided by binary-auditing.com (the PDF). It deals with the stack, not with the local variables we are specifically using in the program. We know this for two reasons: 1) it occurs at the beginning of the function, and 2) it acts upon esp, the stack pointer.

At 00401009, we are taking two variables, eax (which was assigned the value of var_4 in the previous instruction) and var_8, and subtracting var_8 from eax. The result is then moved into var_C and pushed onto the stack.

At 00401024, the value 10 (0Ah in hexadecimal) is subtracted from edx (which was assigned the value of var_C).

So in this tutorial we really just looked at the sub instruction and the difference between its use in stack operations and its use on variables.
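As an added example (not code from the original post), here is a small Python script that applies the three rules above to a constructed listing and labels each sub as a frame adjustment, a variable subtraction or a subtraction of a constant. Only the addresses 00401003, 00401009 and 00401024, the registers named and the 0Ah constant come from the post; the remaining addresses, the esp immediate and the operand syntax are assumptions.

```python
import re

# Constructed listing modelled on the three sub instructions the post walks
# through: the addresses 00401003/00401009/00401024, the registers and the 0Ah
# constant come from the post; other addresses, the esp immediate and the
# operand syntax are assumptions.
LISTING = """\
00401000 push    ebp
00401001 mov     ebp, esp
00401003 sub     esp, 0Ch
00401006 mov     eax, [ebp+var_4]
00401009 sub     eax, [ebp+var_8]
0040100C mov     [ebp+var_C], eax
0040100F push    eax
00401021 mov     edx, [ebp+var_C]
00401024 sub     edx, 0Ah
"""

SUB_RE = re.compile(r"^([0-9A-Fa-f]+)\s+sub\s+(\w+),\s*(.+?)\s*$")
LOCAL_RE = re.compile(r"\[[er]bp\+(var_[0-9A-Fa-f]+)\]")
IMM_RE = re.compile(r"^[0-9A-Fa-f]+h$|^[0-9]+$")
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}

def classify_sub(line):
    """Return (address, kind, detail) for a sub instruction, else None.
    stack     - sub on esp: frame allocation in the prologue, not C code
    variable  - register minus a local: the C '-' operator on two variables
    immediate - register minus a constant: the C '-' operator with a literal
    """
    m = SUB_RE.match(line.strip())
    if not m:
        return None
    addr, dst, src = m.group(1), m.group(2).lower(), m.group(3)
    if dst == "esp":
        return (addr, "stack", "frame allocation, not a C subtraction")
    local = LOCAL_RE.search(src)
    if local:
        return (addr, "variable", f"{dst} - {local.group(1)}")
    if src.lower() in REGS:
        return (addr, "register", f"{dst} - {src.lower()}")
    if IMM_RE.match(src):  # IDA style: trailing 'h' means hex, else decimal
        value = int(src[:-1], 16) if src.endswith("h") else int(src)
        return (addr, "immediate", f"{dst} - {value}")
    return (addr, "unknown", src)

def classify_listing(listing):
    """Classify every sub in a listing; returns [(address, kind, detail), ...]."""
    return [r for r in map(classify_sub, listing.splitlines()) if r]
```

Running classify_listing(LISTING) yields one stack, one variable and one immediate entry, matching the three cases discussed above.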

As always, the pseudo-C code:

#include <stdio.h>

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [sp+4h] [bp-8h]@0  -> var_8 in the disassembly
  int v5; // [sp+8h] [bp-4h]@0  -> var_4 in the disassembly

  printf("%x\n", v5 - v4);       // sub at 00401009: eax = var_4 - var_8, stored in var_C
  printf("%x\n", v5 - v4 - 10);  // sub at 00401024: edx = var_C - 0Ah
  return 0;
}
