This exercise looks easy at first. When the "sub" operation takes place, there is going to be some subtraction occuring.
Take a look at the assembly, you'll see three sub operations in the function. But what do the three do?
At 00401003, this is directed related to the first exercise provided by binary-auditing.com (the pdf). It deals with the stack and not with local variables that we are specifically using in the program. We know this for two reasons: 1) it occurs at the beginning of a function and 2) it is acting upon esp, which is the stack pointer.
At 00401009, we are taking two variables eax (which was assigned the value of var_4 in the previous instruction) and var_8. This value is then moved into var_C and pushed onto the stack.
At 00401024, the value 10 (0A in hexidecimal) is being subtracted from edx (which was assigned the value of Var_C).
So in this tutorial, we really just looked at the sub instruction, and it's differences between stack operations and variable operations.
As always, the pseudo-C code:
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; // [sp+4h] [bp-8h]@0
int v5; // [sp+8h] [bp-4h]@0
printf("%x\n", v5 - v4);
printf("%x\n", v5 - v4 - 10);
return 0;
}
Subscribe to:
Post Comments (Atom)
-
Introduction: During some house cleaning I had an old external drive that was encrypted with an old version of truecrypt. I wanted to mount...
-
Live Linux forensics in a KVM based environment (part 1) Most of this blog will be based on a image that I created that I will be walking... -
Starting Linux analysis with volatility When working in the security field you will eventually come across a time that you will need to do...
No comments:
Post a Comment