Monday, January 23, 2012

Binary Auditing part 6, Identifying the + Operator

This one is a quicky, as it's awfully close to exercise A05. We're taking a look at the "add" instruction now.

Take a look at the assembly, you'll see four add operations in the function. But what do the four do?

At 00401009, we are adding var_4 to var_8 and putting it into eax.

At 0040101E, we are adding 8 bytes onto esp to re-align it with the variables we were using beforehand.

At 00401024, the value 1 (1 in hexidecimal!) is being added to edx (which was assigned the value of Var_C).

At 00401039, we are adding 8 bytes onto esp to re-align it to return the stack to the state it was in before calling this program.

So in this tutorial, we really just looked at the add instruction, and it's differences between stack operations and variable operations. Again, it's pretty much the same as the previous "sub" tutorial.

As always, the pseudo-C code:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [sp+4h] [bp-8h]@0
  int v5; // [sp+8h] [bp-4h]@0

  printf("%x\n", v4 + v5);
  printf("%x\n", v4 + v5 + 1);
  return 0;
}

No comments:

Post a Comment

Installing Older Versions of VeraCrypt on Linux: A Step-by-Step Guide

Introduction: During some house cleaning I had an old external drive that was encrypted with an old version of truecrypt. I wanted to mount...