1 Preface:
Over the past two days I have been reading the book Secrets of Reverse Engineering and gained some experience analysing undocumented APIs. I hope that after reading the tutorial below you can apply the approach flexibly in reverse engineering and cracking work: the method itself is fixed, but the human mind is alive, and flexible application is what matters most.
2 Practice:
Disassemble NTDLL.DLL with OllyDbg. If you want to load the NTDLL.DLL symbol table so that the APIs disassemble more readably, obtain the matching version of the Windows system symbols from Microsoft's official website.
Here is the disassembly of the RtlInitializeGenericTable function. The instructions are numbered 01-18 and the commentary refers to those numbers; each comment precedes the instruction it describes.

01  MOV EDI, EDI
Push EBP onto the stack to save its value, then set up the new frame:
02  PUSH EBP
03  MOV EBP, ESP
Load the value at [esp+8] into EAX.
Here we can read the instruction as:
    MOV EAX, DWORD PTR ss:[esp+8]
Meaning: EAX receives the value at offset 8h from the current stack top, which is the 1st parameter of the function.
Note: I like to picture the stack through the ESP pointer, but the CPU actually addresses it here through EBP-relative offsets.
04  MOV EAX, DWORD PTR ss:[ebp+8]
05  XOR EDX, EDX
The address EAX+4 is loaded into ECX as a pointer:
06  LEA ECX, DWORD PTR ds:[eax+4]
EDX (now zero) is stored at [EAX], which shows that the value in EAX is a pointer to a struct.
Suppose punknowstruct is the address held in EAX. Instruction 07 then corresponds to the C statement: punknowstruct->member1 = 0;
07  MOV DWORD PTR ds:[eax], EDX
Since ECX holds EAX+4, we can informally read the next instruction as:
    MOV DWORD PTR ds:[eax+8], eax+4
Note: [eax] is the 1st member of the struct,
[eax+4] is the 2nd member of the struct,
[eax+8] is the 3rd member of the struct.
Meaning: the 3rd member of the struct is assigned a pointer to the 2nd member of the struct.
Instruction 08 corresponds to the C statement: punknowstruct->member3 = &punknowstruct->member2;
08  MOV DWORD PTR ds:[ecx+4], ECX
Likewise, instruction 09 can be read as:
    MOV DWORD PTR ds:[eax+4], eax+4
Instruction 09 corresponds to the C statement: punknowstruct->member2 = &punknowstruct->member2;
09  MOV DWORD PTR ds:[ecx], ECX
Instruction 10 can be read as:
    MOV DWORD PTR ds:[eax+c], eax+4
Instruction 10 corresponds to the C statement: punknowstruct->member4 = &punknowstruct->member2;
10  MOV DWORD PTR ds:[eax+c], ECX
Instruction 11 can be read as:
    MOV ECX, DWORD PTR ss:[esp+c]
Meaning: ECX receives the value at offset 0Ch from the current stack top, which is the 2nd parameter of the function.
11  MOV ECX, DWORD PTR ss:[ebp+c]
Meaning: the 2nd parameter is stored into the 7th member of the struct.
Instruction 12 corresponds to the C statement: punknowstruct->member7 = Param2;
12  MOV DWORD PTR ds:[eax+18], ECX
Instruction 13 can be read as:
    MOV ECX, DWORD PTR ss:[esp+10]
Meaning: ECX receives the value at offset 10h from the current stack top, which is the 3rd parameter of the function.
13  MOV ECX, DWORD PTR ss:[ebp+10]
Meaning: the 3rd parameter is stored into the 8th member of the struct.
Instruction 14 corresponds to the C statement: punknowstruct->member8 = Param3;
14  MOV DWORD PTR ds:[eax+1c], ECX
Instruction 15 can be read as:
    MOV ECX, DWORD PTR ss:[esp+14]
Meaning: ECX receives the value at offset 14h from the current stack top, which is the 4th parameter of the function.
15  MOV ECX, DWORD PTR ss:[ebp+14]
Meaning: the 4th parameter is stored into the 9th member of the struct.
Instruction 16 corresponds to the C statement: punknowstruct->member9 = Param4;
16  MOV DWORD PTR ds:[eax+20], ECX
Instruction 17 can be read as:
    MOV ECX, DWORD PTR ss:[esp+18]
Meaning: ECX receives the value at offset 18h from the current stack top, which is the 5th parameter of the function.
17  MOV ECX, DWORD PTR ss:[ebp+18]
Meaning: the value of EDX (still zero) is stored into the 6th member of the struct.
Instruction 18 corresponds to the C statement: punknowstruct->member6 = 0;
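The C translation that the commentary above builds up, written out as an added example (not code from the original post): the struct with the page's member1..member9 numbering (the names are assumed), an initializer equivalent to instructions 04-18, and a check that the listing's displacements and the three self-referencing stores match the recovered layout.

```c
#include <stddef.h>
#include <stdint.h>
/* Struct recovered from the listing above (hypothetical member names after
 * the page's member1..member9). Each member is one dword in the 32-bit listing;
 * pointer-sized fields are used so the example also builds on 64-bit hosts. */
struct unknown_struct {
    uintptr_t member1;   /* [eax]      <- 0        (instruction 07) */
    void     *member2;   /* [eax+4]    <- &member2 (instruction 09) */
    void     *member3;   /* [eax+8]    <- &member2 (instruction 08) */
    void     *member4;   /* [eax+0xC]  <- &member2 (instruction 10) */
    uintptr_t member5;   /* [eax+0x10] not written in the excerpt   */
    uintptr_t member6;   /* [eax+0x14] <- 0        (instruction 18) */
    uintptr_t member7;   /* [eax+0x18] <- Param2   (instruction 12) */
    uintptr_t member8;   /* [eax+0x1C] <- Param3   (instruction 14) */
    uintptr_t member9;   /* [eax+0x20] <- Param4   (instruction 16) */
};

/* C equivalent of instructions 04-18 in the order the stores occur. Param5 is
 * loaded into ECX by instruction 17, but its store lies past the excerpt. */
void init_unknown_struct(struct unknown_struct *p, uintptr_t param2,
                         uintptr_t param3, uintptr_t param4, uintptr_t param5)
{
    p->member1 = 0;             /* 07: MOV [EAX], EDX      (EDX = 0)     */
    p->member3 = &p->member2;   /* 08: MOV [ECX+4], ECX    (ECX = EAX+4) */
    p->member2 = &p->member2;   /* 09: MOV [ECX], ECX                    */
    p->member4 = &p->member2;   /* 10: MOV [EAX+C], ECX                  */
    p->member7 = param2;        /* 11-12: MOV ECX,[EBP+C];  MOV [EAX+18],ECX */
    p->member8 = param3;        /* 13-14: MOV ECX,[EBP+10]; MOV [EAX+1C],ECX */
    p->member9 = param4;        /* 15-16: MOV ECX,[EBP+14]; MOV [EAX+20],ECX */
    (void)param5;               /* 17: MOV ECX,[EBP+18]                  */
    p->member6 = 0;             /* 18: stores EDX, which is still zero   */
}

/* Sanity checks on the recovered layout: each listing displacement divided by
 * 4 must be the member's slot index (scaled by the host pointer size), and the
 * three pointer stores must all resolve to member2. Returns 1 on success. */
int check_recovered_layout(void)
{
    struct unknown_struct s;
    size_t w = sizeof(void *);  /* 4 in the 32-bit listing */
    init_unknown_struct(&s, 0x1111, 0x2222, 0x3333, 0x4444);
    if (offsetof(struct unknown_struct, member2) != (0x04 / 4) * w ||
        offsetof(struct unknown_struct, member4) != (0x0C / 4) * w ||
        offsetof(struct unknown_struct, member7) != (0x18 / 4) * w ||
        offsetof(struct unknown_struct, member9) != (0x20 / 4) * w) return 0;
    if (s.member2 != (void *)&s.member2 || s.member3 != (void *)&s.member2 ||
        s.member4 != (void *)&s.member2 || s.member1 != 0 || s.member6 != 0) return 0;
    return s.member7 == 0x1111 && s.member8 == 0x2222 && s.member9 == 0x3333;
}
```

On a 32-bit build the offsetof values equal the listing's displacements exactly; on a 64-bit host they are the same slot indices scaled by 8.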