Reversing basics: Finding important/interesting stuff in the code (2)

Source: Internet
Author: User
Tags: windows 7 x64


Calls to assert()

Sometimes the presence of the assert() macro is useful too: usually this macro leaks the source file name, the line number and the condition that was checked.

The most useful information is in the assert condition, from which we can infer variable names or structure names. Another useful piece of information is the file name: we can infer what type of code is being used, and it is also possible to identify a well-known open-source library by its file names.

.text:107D4B29 mov  dx, [ecx+42h]
.text:107D4B2D cmp  edx, 1
.text:107D4B30 jz   short loc_107D4B4A
.text:107D4B32 push 1ECh
.text:107D4B37 push offset aWrite_c ; "write.c"
.text:107D4B3C push offset aTdTd_planarcon ; "td->td_planarconfig == PLANARCONFIG_CON"...
.text:107D4B41 call ds:_assert

...

.text:107D52CA mov  edx, [ebp-4]
.text:107D52CD and  edx, 3
.text:107D52D0 test edx, edx
.text:107D52D2 jz   short loc_107D52E9
.text:107D52D4 push 58h
.text:107D52D6 push offset aDumpmode_c ; "dumpmode.c"
.text:107D52DB push offset aN30     ; "(n & 3) == 0"
.text:107D52E0 call ds:_assert

...

.text:107D6759 mov  cx, [eax+6]
.text:107D675D cmp  ecx, 0Ch
.text:107D6760 jle  short loc_107D677A
.text:107D6762 push 2D8h
.text:107D6767 push offset aLzw_c   ; "lzw.c"
.text:107D676C push offset aSpLzw_nbitsBit ; "sp->lzw_nbits <= BITS_MAX"
.text:107D6771 call ds:_assert

It is wise to google the conditions and file names, since that may lead you to the open-source library. For example, if we search for "sp->lzw_nbits <= BITS_MAX" on Google, some open-source code related to LZW compression comes up.

Constants

People like to use round numbers such as 10, 100, 1000 in everyday life, and programmers do the same when writing code.

Experienced reverse engineers are familiar with the hexadecimal form of these numbers: 10 = 0xA, 100 = 0x64, 1000 = 0x3E8, 10000 = 0x2710.

The constants 0xAAAAAAAA (10101010101010101010101010101010) and 0x55555555 (01010101010101010101010101010101) are also commonly used, since they form alternating bit patterns. For example, 0x55AA is used in boot sectors, the MBR, and IBM-compatible expansion cards.

Some algorithms, especially cryptographic ones, use distinctive constants that are easy to find in IDA.

For example, the MD5 Algorithm initializes internal variables as follows:

var int h0 := 0x67452301
var int h1 := 0xEFCDAB89
var int h2 := 0x98BADCFE
var int h3 := 0x10325476

If you find these four constants in a row in the code, it is very likely that the function is related to MD5.

Another example: the CRC16/CRC32 algorithms are usually computed using a precalculated table:

/** CRC table for the CRC-16. The poly is 0x8005 (x^16 + x^15 + x^2 + 1) */
u16 const crc16_table[256] = {
        0x0000, 0xC0C1, 0xC181, 0x0140, 0xC301, 0x03C0, 0x0280, 0xC241,
        0xC601, 0x06C0, 0x0780, 0xC741, 0x0500, 0xC5C1, 0xC481, 0x0440,
        0xCC01, 0x0CC0, 0x0D80, 0xCD41, 0x0F00, 0xCFC1, 0xCE81, 0x0E40,
        ...

For the CRC32 precalculated table, see section 37.

Magic numbers

Many file formats define standard file headers and use magic numbers.

For example, all Win32 and MS-DOS executable files start with "MZ".

MIDI files start with the "MThd" signature. If we have a program that uses MIDI files, it is very likely to check at least the first 4 bytes of the file header to confirm the file type.

This can be achieved as follows:

(buf points to the start of the file loaded in memory)

cmp [buf], 0x6468544D ; "MThd"
jnz _error_not_a_MIDI_file

Or it may call a function such as memcmp(), or use the CMPSB instruction (A.6.3), to compare the memory blocks.

When you find such a check, you have found the point where MIDI file loading starts. At the same time, we can see where the buffer holding the MIDI file contents is, which parts of the contents are used, and how they are used.

DHCP

The above method also applies to network protocols. For example, DHCP packets contain a magic cookie: 0x63538263. Any code that generates DHCP packets must embed this constant in the packet somewhere, so the place where it appears in the code is likely to be where those packets are built. Likewise, any code that receives DHCP packets checks for the magic cookie by comparing against the same constant.

For example, search for this constant in the dhcpcore.dll file of Windows 7 x64. It is found in two places: it seems that the constant is used in the functions DhcpExtractOptionsForValidation() and DhcpExtractFullOptions():

.rdata:000007FF6483CBE8 dword_7FF6483CBE8 dd 63538263h ; DATA XREF: DhcpExtractOptionsForValidation+79
.rdata:000007FF6483CBEC dword_7FF6483CBEC dd 63538263h ; DATA XREF: DhcpExtractFullOptions+97

Here are the instructions that reference the constant:

.text:000007FF6480875F  mov eax, [rsi]
.text:000007FF64808761  cmp eax, cs:dword_7FF6483CBE8
.text:000007FF64808767  jnz loc_7FF64817179

Also:

.text:000007FF648082C7  mov eax, [r12]
.text:000007FF648082CB  cmp eax, cs:dword_7FF6483CBEC
.text:000007FF648082D1  jnz loc_7FF648173AF

Searching for constants

In IDA this is easy: use Alt-B or Alt-I. If you need to search for a constant in a large number of files, or in non-executable files, I wrote a small tool for this myself, called binary grep.
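As an added example (not the binary grep tool mentioned above, and not from the original text), here is a small Python constant scanner that looks for the 32-bit constants named in this chapter (the MD5 initial state and the DHCP magic cookie) in both byte orders, reports their offsets, and checks whether all four MD5 values sit close together; the SAMPLE buffer is constructed for the demonstration.

```python
import struct

# Constants this chapter names; labels are used in the report.
KNOWN_CONSTANTS = {
    "MD5 h0": 0x67452301,
    "MD5 h1": 0xEFCDAB89,
    "MD5 h2": 0x98BADCFE,
    "MD5 h3": 0x10325476,
    "DHCP magic cookie": 0x63538263,
}

def find_u32(data, value):
    """Offsets of every occurrence of a 32-bit value, in either byte order."""
    hits = []
    for order, fmt in (("le", "<I"), ("be", ">I")):
        needle = struct.pack(fmt, value)
        pos = data.find(needle)
        while pos >= 0:
            hits.append((pos, order))
            pos = data.find(needle, pos + 1)
    return sorted(hits)

def scan(data, constants=KNOWN_CONSTANTS):
    """Map each label to the list of (offset, byte order) where its value occurs."""
    found = {}
    for label, value in constants.items():
        hits = find_u32(data, value)
        if hits:
            found[label] = hits
    return found

def md5_init_nearby(found, window=64):
    """True when all four MD5 initial values lie within `window` bytes: the 'four constants in a row' sign."""
    labels = ("MD5 h0", "MD5 h1", "MD5 h2", "MD5 h3")
    if any(label not in found for label in labels):
        return False
    offsets = [found[label][0][0] for label in labels]
    return max(offsets) - min(offsets) <= window

# Constructed sample (not a real binary): x86-style "mov dword ptr [eax+d], imm32"
# stores of the MD5 state, then a DHCP cookie as it lies on the wire (big-endian).
SAMPLE = (
    b"\x90" * 16
    + b"\xC7\x00" + struct.pack("<I", 0x67452301)
    + b"\xC7\x40\x04" + struct.pack("<I", 0xEFCDAB89)
    + b"\xC7\x40\x08" + struct.pack("<I", 0x98BADCFE)
    + b"\xC7\x40\x0C" + struct.pack("<I", 0x10325476)
    + b"\xCC" * 8
    + struct.pack(">I", 0x63538263)
    + b"\x00" * 8
)
```

Calling scan(SAMPLE) reports the MD5 values at offsets 18, 25, 32 and 39 (little-endian) and the DHCP cookie at offset 51 (big-endian); scanning a real file is a matter of passing its bytes instead of SAMPLE.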

Finding the right instructions

If a program uses FPU instructions, but not many of them, one can check each of them manually with a debugger.

For example, we may be interested in how Microsoft Excel processes the formulas entered by the user, such as division operations.

If we load excel.exe (Office 2010) version 14.0.4756.1000 into IDA, produce a full listing and find every FDIV instruction (except those that use a constant as the second operand, which obviously are not what we are after):

cat EXCEL.lst | grep fdiv | grep -v dbl_ > EXCEL.fdiv

Then we find that there are 144 of them.

In Excel we can enter a string like "=(1/3)" and then check each instruction.

By checking each instruction with a debugger or tracer (which can monitor four instructions at a time), we were lucky: the instruction we were looking for was the 14th:

.text:3011E919 DC 33        fdiv    qword ptr [ebx]

PID=13944|TID=28744|(0) 0x2f64e919 (Excel.exe!BASE+0x11e919)
EAX=0x02088006 EBX=0x02088018 ECX=0x00000001 EDX=0x00000001
ESI=0x02088000 EDI=0x00544804 EBP=0x0274FA3C ESP=0x0274F9F8
EIP=0x2F64E919
FLAGS=PF IF
FPU ControlWord=IC RC=NEAR PC=64bits PM UM OM ZM DM IM
FPU StatusWord=
FPU ST(0): 1.000000

ST(0) holds the first argument, and [EBX] holds the second.

The instruction after FDIV (FSTP) writes the result to memory:

.text:3011E91B DD 1E        fstp    qword ptr [esi]

If we set a breakpoint, we can see the result:

PID=32852|TID=36488|(0) 0x2f40e91b (Excel.exe!BASE+0x11e91b)
EAX=0x00598006 EBX=0x00598018 ECX=0x00000001 EDX=0x00000001
ESI=0x00598000 EDI=0x00294804 EBP=0x026CF93C ESP=0x026CF8F8
EIP=0x2F40E91B
FLAGS=PF IF
FPU ControlWord=IC RC=NEAR PC=64bits PM UM OM ZM DM IM
FPU StatusWord=C1 P
FPU ST(0): 0.333333

We can also modify the value, as a prank:

tracer -l:excel.exe bpx=excel.exe!BASE+0x11E91B,set(st0,666)

PID=36540|TID=24056|(0) 0x2f40e91b (Excel.exe!BASE+0x11e91b)
EAX=0x00680006 EBX=0x00680018 ECX=0x00000001 EDX=0x00000001
ESI=0x00680000 EDI=0x00395404 EBP=0x0290FD9C ESP=0x0290FD58
EIP=0x2F40E91B
FLAGS=PF IF
FPU ControlWord=IC RC=NEAR PC=64bits PM UM OM ZM DM IM
FPU StatusWord=C1 P
FPU ST(0): 0.333333
Set ST0 register to 666.000000

Excel shows 666 in this cell, so we can be sure that we found the right place.

If we try the same Excel version but 64-bit, we find only 12 FDIV instructions, and the one we need is the third:

tracer.exe -l:excel.exe bpx=excel.exe!BASE+0x1B7FCC,set(st0,666)

It seems that many of the single- and double-precision division operations were replaced by the compiler with SSE instructions such as DIVSD (which occurs 268 times in total).

Suspicious code patterns: XOR instructions

Instructions like XOR op, op are usually used to set a register to zero (for example, xor eax, eax), but if the operands differ, an exclusive-or operation is really being executed. This operation is rare in ordinary programs, but widely used in cryptography, including amateur cryptography. If the second operand is a large number, it is even more suspicious: it may point to encryption/decryption or checksum calculation.

This observation can also be misleading: for example, the "canary" (Section 18.3). Canary generation and checking usually use XOR instructions.

The following awk script can be used to process IDA's listing (.lst) file; it prints every XOR whose operands differ, skipping those whose second operand is ESP or EBP:

gawk -e '$2=="xor" { tmp=substr($3, 0, length($3)-1); if (tmp!=$4) if ($4!="esp") if ($4!="ebp") print }' filename.lst
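As an added example (my own code, not from the original text), the same filter in Python, extended with the chapter's second hint: an XOR whose second operand is a large immediate is rated "high", the rest "medium". It assumes the listing lines have the shape "address xor dst, src" that the awk script also assumes; the listing fragment is constructed.

```python
import re

# One listing line: address, the mnemonic "xor", then "dst, src" (no bytes
# column, as the awk script above assumes). Anything after ';' is ignored.
LINE_RE = re.compile(r"^(\S+)\s+xor\s+([^,]+),\s*(\S+)", re.IGNORECASE)
BIG_IMM = 0xFF  # constructed threshold: immediates above this count as "large"

def parse_imm(op):
    """Value of an IDA-style immediate ('0DEADBEEFh', '0Ch', '1'), else None."""
    m = re.fullmatch(r"(\d[0-9A-Fa-f]*)h", op)
    if m:
        return int(m.group(1), 16)
    return int(op) if op.isdigit() else None

def classify_xor(line):
    """(address, dst, src, level) for a suspicious XOR, or None to skip it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    addr, dst, src = m.group(1), m.group(2).strip().lower(), m.group(3).lower()
    # Equal operands are the zeroing idiom; XOR against ESP/EBP is typical
    # of stack canary code, so both are dropped exactly as the awk filter does.
    if dst == src or src in ("esp", "ebp"):
        return None
    imm = parse_imm(src)
    level = "high" if imm is not None and imm > BIG_IMM else "medium"
    return (addr, dst, src, level)

def scan_listing(lines):
    """All suspicious XORs in a listing, in file order."""
    return [hit for hit in map(classify_xor, lines) if hit]

# Constructed listing fragment in IDA .lst style (not from a real binary).
SAMPLE_LISTING = """\
.text:00401000 xor     eax, eax
.text:00401002 xor     ecx, edx
.text:00401004 xor     eax, 0DEADBEEFh
.text:00401009 xor     edx, esp
.text:0040100B xor     [ebp-4], eax
.text:0040100E xor     bl, 1
.text:00401010 mov     eax, ecx
""".splitlines()
```

scan_listing(SAMPLE_LISTING) keeps four of the seven lines, with only the XOR against 0DEADBEEFh rated "high"; pass the lines of a real .lst file to run it on a binary.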
