asm, Reverse Engineering Continued (Am I on the right track)

Alex
#1 / 4

Reverse Engineering Continued (Am I on the right track)

Hi Again,

I've started going through these NT drivers using the rather neat IDA
3.7. However although I can see all the windows calls I still need to
understand the function calls so I wanted to check that I am sane.

1. 'Wrapper' Code for functions

I keep seeing this sort of construct:

push ebp
mov ebp, esp
mov eax, [ebp+8]
mov ecx, [ebp+0Ch]

with a load of code followed by....

pop ebp
retn 18h

Given my 68k history this looks a lot like the LINK instructions role.
Am I correct in the assumption that it does:
a) Push the old frame ptr
b) Copy the stack to the frame ptr
c) Copy parameters from epb to epc+n
then
d) Restore frame ptr
e) Return, dumping n bytes of passed parameters

Am I on the right track?

2. I have seen a couple of oddities in some of the exported functions,
for example:

000107C4 MpegPortGetPhysicalAddress proc near
000107C4 xor eax, eax
000107C6 xor edx, edx
000107C8 retn 10h
000107C8 MpegPortGetPhysicalAddress endp

No I may be missing something here but does this not do nothing and
lose you stack space. Should I be assuming some sort of Self Modifying
Code at work?

3. Tools

I think that IDA is quite neat. Have I found the best tool for the job
or does anyone have any other ones to recommend?

Cheers,

--
Alex.

Sent via Deja.com http://www.*-*-*.com/
Before you buy.

Sun, 01 Sep 2002 03:00:00 GMT

John Fin
#2 / 4

Reverse Engineering Continued (Am I on the right track)

Quote:

> push ebp
> mov ebp, esp
> mov eax, [ebp+8]
> mov ecx, [ebp+0Ch]

> with a load of code followed by....

> pop ebp
> retn 18h

> Am I correct in the assumption that it does:
> a) Push the old frame ptr

Right.

Quote:

> b) Copy the stack to the frame ptr

Right.

Quote:

> c) Copy parameters from epb to epc+n

Right, but in more interesting routines those parameters may be used
directly from their place in the stack frame at some later point(s) in
the code, rather than copied to registers on entry.

Quote:

> d) Restore frame ptr

Right.

Quote:

> e) Return, dumping n bytes of passed parameters

Right.

Quote:

> 2. I have seen a couple of oddities in some of the exported functions,
> 000107C4 MpegPortGetPhysicalAddress proc near
> 000107C4 xor eax, eax
> 000107C6 xor edx, edx
> 000107C8 retn 10h
> 000107C8 MpegPortGetPhysicalAddress endp

> No I may be missing something here but does this not do nothing and
> lose you stack space. Should I be assuming some sort of Self Modifying
> Code at work?

No, do not assume Self Modifying Code. It wouldn't hurt to check my
theory by finding out what that routine is really for; But the code
seems pretty obvious. They defined an entry point for a more general
(possibly future) system, in which this routine takes some input (0x10
bytes of it) and returns an answer based on that input. In this version
of the code, all the callers will follow the defined prototype and pass
the 0x10 bytes of input; But the routine itself ignores the input and
returns a fixed answer (a 64-bit zero).

It is fairly common to put things like that in growing code.

Quote:

> 3. Tools

> I think that IDA is quite neat. Have I found the best tool for the job

I think so.
--
http://www.erols.com/johnfine/
http://www.geocities.com/SiliconValley/Peaks/8600/

Mon, 02 Sep 2002 03:00:00 GMT

Alex
#3 / 4

Reverse Engineering Continued (Am I on the right track)

Quote:

> > push ebp
> > mov ebp, esp
> > mov eax, [ebp+8]
> > mov ecx, [ebp+0Ch]

<snip>

I've also seen code that goes:

push epb
mov epb,esp
sub eps,380h

Am I correct in thinking esp->epb contains local variables (i.e. non
static C locals)?

Again these seem to be referenced with epb-xxh vs the parameters with
epb+xxh. This fits the way its done on the 68k.

Cheers for the confirmation of the last mail, although returning 0
still seems a little strange I will confirm once I can reassemble the
file and add my trace code to it.

--
Alex.

Sent via Deja.com http://www.deja.com/
Before you buy.

Mon, 02 Sep 2002 03:00:00 GMT

K.E.Elb
#4 / 4

Reverse Engineering Continued (Am I on the right track)

Hi!
I'm no expert but here goes..

Quote:

> 2. I have seen a couple of oddities in some of the exported functions,
> for example:

> 000107C4 MpegPortGetPhysicalAddress proc near
> 000107C4 xor eax, eax
> 000107C6 xor edx, edx
> 000107C8 retn 10h
> 000107C8 MpegPortGetPhysicalAddress endp

> No I may be missing something here but does this not do nothing and
> lose you stack space. Should I be assuming some sort of Self Modifying
> Code at work?

I guess you're aware that xor z,z = 0 for any z?
One thing you do need to know is that ret x drops x words of stack
before returning.

Quote:

> 3. Tools

> I think that IDA is quite neat. Have I found the best tool for the job
> or does anyone have any other ones to recommend?

SoftIce has a good reputation also.

Quote:

> Cheers,

> --
> Alex.

> Sent via Deja.com http://www.deja.com/
> Before you buy.

Tue, 03 Sep 2002 03:00:00 GMT