Reverse Engineering Continued (Am I on the right track) 

Hi Again,

I've started going through these NT drivers using the rather neat IDA
3.7. However, although I can see all the Windows calls, I still need to
understand the function calls, so I wanted to check that I am sane.

1. 'Wrapper' Code for functions

I keep seeing this sort of construct:

                 push    ebp
                 mov     ebp, esp
                 mov     eax, [ebp+8]
                 mov     ecx, [ebp+0Ch]

with a load of code followed by....

                pop     ebp
                retn    18h

Given my 68k history this looks a lot like the LINK instructions role.
Am I correct in the assumption that it does:
a) Push the old frame ptr
b) Copy the stack to the frame ptr
c) Copy parameters from epb to epc+n
then
d) Restore frame ptr
e) Return, dumping n bytes of passed parameters

Am I on the right track?

2. I have seen a couple of oddities in some of the exported functions,
for example:

000107C4 MpegPortGetPhysicalAddress proc near
000107C4                 xor     eax, eax
000107C6                 xor     edx, edx
000107C8                 retn    10h
000107C8 MpegPortGetPhysicalAddress endp

Now I may be missing something here, but does this not do nothing and
lose you stack space? Should I be assuming some sort of self-modifying
code at work?

3. Tools

I think that IDA is quite neat. Have I found the best tool for the job
or does anyone have any other ones to recommend?

Cheers,

--
Alex.

Sent via Deja.com http://www.*-*-*.com/
Before you buy.



Sun, 01 Sep 2002 03:00:00 GMT  

Quote:

>                  push    ebp
>                  mov     ebp, esp
>                  mov     eax, [ebp+8]
>                  mov     ecx, [ebp+0Ch]

> with a load of code followed by....

>                 pop     ebp
>                 retn    18h

> Am I correct in the assumption that it does:
> a) Push the old frame ptr

   Right.

Quote:
> b) Copy the stack to the frame ptr

   Right.

Quote:
> c) Copy parameters from epb to epc+n

   Right, but in more interesting routines those parameters may be used
directly from their place in the stack frame at some later point(s) in
the code, rather than copied to registers on entry.

Quote:
> d) Restore frame ptr

  Right.

Quote:
> e) Return, dumping n bytes of passed parameters

  Right.

Quote:
> 2. I have seen a couple of oddities in some of the exported functions,
> 000107C4 MpegPortGetPhysicalAddress proc near
> 000107C4                 xor     eax, eax
> 000107C6                 xor     edx, edx
> 000107C8                 retn    10h
> 000107C8 MpegPortGetPhysicalAddress endp

> No I may be missing something here but does this not do nothing and
> lose you stack space. Should I be assuming some sort of Self Modifying
> Code at work?

  No, do not assume Self Modifying Code.  It wouldn't hurt to check my
theory by finding out what that routine is really for;  But the code
seems pretty obvious.  They defined an entry point for a more general
(possibly future) system, in which this routine takes some input (0x10
bytes of it) and returns an answer based on that input.  In this version
of the code, all the callers will follow the defined prototype and pass
the 0x10 bytes of input;  But the routine itself ignores the input and
returns a fixed answer (a 64-bit zero).

  It is fairly common to put things like that in growing code.

Quote:
> 3. Tools

> I think that IDA is quite neat. Have I found the best tool for the job

  I think so.
--
http://www.erols.com/johnfine/
http://www.geocities.com/SiliconValley/Peaks/8600/


Mon, 02 Sep 2002 03:00:00 GMT  

Quote:


> > push ebp
> > mov ebp, esp
> > mov eax, [ebp+8]
> > mov ecx, [ebp+0Ch]

<snip>

I've also seen code that goes:

push    ebp
mov     ebp, esp
sub     esp, 380h

Am I correct in thinking esp->ebp contains local variables (i.e. non-
static C locals)?

Again, these seem to be referenced with ebp-xxh vs the parameters with
ebp+xxh. This fits the way it's done on the 68k.

Cheers for the confirmation of the last mail. Although returning 0
still seems a little strange, I will confirm once I can reassemble the
file and add my trace code to it.

--
Alex.

Sent via Deja.com http://www.deja.com/
Before you buy.



Mon, 02 Sep 2002 03:00:00 GMT  
Hi!
I'm no expert, but here goes...

Quote:

> 2. I have seen a couple of oddities in some of the exported functions,
> for example:

> 000107C4 MpegPortGetPhysicalAddress proc near
> 000107C4                 xor     eax, eax
> 000107C6                 xor     edx, edx
> 000107C8                 retn    10h
> 000107C8 MpegPortGetPhysicalAddress endp

> No I may be missing something here but does this not do nothing and
> lose you stack space. Should I be assuming some sort of Self Modifying
> Code at work?

I guess you're aware that xor z,z = 0 for any z?
One thing you do need to know is that ret x drops x words of stack
before returning.

Quote:

> 3. Tools

> I think that IDA is quite neat. Have I found the best tool for the job
> or does anyone have any other ones to recommend?

SoftIce has a good reputation also.
Quote:

> Cheers,

> --
> Alex.

> Sent via Deja.com http://www.deja.com/
> Before you buy.



Tue, 03 Sep 2002 03:00:00 GMT  
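As an added example (not code from the thread or from any of the posters), here is a small Python model of the 32-bit stdcall frame that the four posts above are discussing. It runs the quoted prologue/epilogue and the MpegPortGetPhysicalAddress stub on a simulated stack and shows the points the replies make: [ebp+8] and [ebp+0Ch] are the first two stack arguments (argument i sits at [ebp+8+4*i]), locals sit at negative displacements from ebp below the `sub esp, 380h`, `retn 18h` pops the return address and then adds 0x18 bytes (six dwords, not words) to esp, and the stub's `retn 10h` is exactly the callee-side cleanup for a four-argument prototype, so the stack is balanced as long as callers honour that prototype and drifts by 4 bytes per call when they do not. The body that adds the two arguments, the `sub esp`/`mov esp, ebp` pair, the initial esp value, the return address and the memory contents are all constructed for the illustration; `Cpu32`, `call_stdcall` and `describe_frame` are names invented here, not IDA or driver APIs.

```python
import re

# Added illustration only: a model of the x86-32 stack discipline discussed in the
# thread, just enough to run the listings below (not a general x86 emulator).
MASK = 0xFFFFFFFF
RET_ADDR = 0x00401234                         # constructed return address of the caller
MEM_RE = re.compile(r"\[(\w+)([+-])(\w+)\]")  # operands like [ebp+8], [ebp+0Ch], [ebp-4]

def ida_int(tok):
    """IDA prints immediates as 8, 0Ch, 18h, 380h: a trailing 'h' means hex."""
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok, 0)

def split_ops(line):
    mnem, _, rest = line.strip().partition(" ")
    return mnem.lower(), [o.strip() for o in rest.split(",")] if rest.strip() else []

class Cpu32:
    def __init__(self, esp=0x0012FF00):       # constructed initial stack pointer
        self.r = {"eax": 0, "ecx": 0, "edx": 0, "esp": esp, "ebp": 0}
        self.mem = {}                          # dword address -> dword value (sparse)
    def push(self, v):
        self.r["esp"] = (self.r["esp"] - 4) & MASK
        self.mem[self.r["esp"]] = v & MASK
    def pop(self):
        v = self.mem.get(self.r["esp"], 0)
        self.r["esp"] = (self.r["esp"] + 4) & MASK
        return v
    def ref(self, op):                         # (container, key) for a register or [base+/-disp]
        m = MEM_RE.fullmatch(op)
        if not m:
            return self.r, op
        disp = ida_int(m.group(3)) * (1 if m.group(2) == "+" else -1)
        return self.mem, (self.r[m.group(1)] + disp) & MASK
    def read(self, op):
        c, k = self.ref(op)
        return c[k] if k in c else (0 if c is self.mem else ida_int(op))
    def write(self, op, v):
        c, k = self.ref(op)
        c[k] = v & MASK
    def step(self, line):
        """Execute one IDA-style line; returns the return address on retn, else None."""
        mnem, ops = split_ops(line)
        if mnem == "push":
            self.push(self.read(ops[0]))
        elif mnem == "pop":
            self.write(ops[0], self.pop())
        elif mnem == "mov":
            self.write(ops[0], self.read(ops[1]))
        elif mnem in ("add", "sub", "xor"):
            a, b = self.read(ops[0]), self.read(ops[1])
            self.write(ops[0], {"add": a + b, "sub": a - b, "xor": a ^ b}[mnem])
        elif mnem == "retn":                   # pop return address, then drop N bytes of args
            target = self.pop()
            self.r["esp"] = (self.r["esp"] + (ida_int(ops[0]) if ops else 0)) & MASK
            return target
        else:
            raise ValueError("unsupported instruction: " + line)

def call_stdcall(cpu, listing, args):
    """Caller side: push args right to left, push the return address, run the callee.
    Returns (eax, edx, leftover); leftover is 0 when retn N matches what was pushed."""
    esp_before = cpu.r["esp"]
    for a in reversed(args):
        cpu.push(a)
    cpu.push(RET_ADDR)
    target = next((t for t in map(cpu.step, listing) if t is not None), None)
    if target != RET_ADDR:
        raise RuntimeError("callee did not return to the caller")
    return cpu.r["eax"], cpu.r["edx"], esp_before - cpu.r["esp"]

def describe_frame(listing):
    """Static read: retn N = bytes of stack args, sub esp = locals, [ebp+8+4i] = arg i."""
    info = {"arg_bytes": 0, "local_bytes": 0, "args": set(), "locals": set()}
    for line in listing:
        mnem, ops = split_ops(line)
        if mnem == "retn" and ops:
            info["arg_bytes"] = ida_int(ops[0])
        elif mnem == "sub" and ops[0] == "esp":
            info["local_bytes"] = ida_int(ops[1])
        for m in filter(None, map(MEM_RE.fullmatch, ops)):
            if m.group(1) == "ebp" and m.group(2) == "+":
                info["args"].add((ida_int(m.group(3)) - 8) // 4)
            elif m.group(1) == "ebp":
                info["locals"].add(ida_int(m.group(3)))
    info["arg_count"] = info["arg_bytes"] // 4
    return info

# (a) The prologue/epilogue quoted in the thread plus a constructed body (the sub/mov esp
# pair, the add and the store to a local) so that the function computes something.
ADD_FIRST_TWO = [
    "push    ebp",             # a) save the caller's frame pointer
    "mov     ebp, esp",        # b) ebp now anchors this frame
    "sub     esp, 380h",       #    locals live below ebp (follow-up post)
    "mov     eax, [ebp+8]",    # c) first stack argument
    "mov     ecx, [ebp+0Ch]",  #    second stack argument
    "add     eax, ecx",
    "mov     [ebp-4], eax",    #    a local: negative displacement from ebp
    "mov     esp, ebp",        #    discard the locals
    "pop     ebp",             # d) restore the caller's frame pointer
    "retn    18h",             # e) return, dropping 0x18 bytes = six dword arguments
]
# (b) The exported stub exactly as quoted in the thread: edx:eax = 0, four args dropped.
MPEG_STUB = ["xor     eax, eax", "xor     edx, edx", "retn    10h"]
```

`describe_frame(ADD_FIRST_TWO)` reads six stack arguments (0x18 / 4), a 0x380-byte local area, arguments 0 and 1 touched and one local at ebp-4. `call_stdcall(Cpu32(), ADD_FIRST_TWO, [5, 7, 0, 0, 0, 0])` returns eax = 12 with esp back where the caller left it, and `call_stdcall(Cpu32(), MPEG_STUB, [1, 2, 3, 4])` returns (0, 0, 0): the stub is balanced for its four-dword prototype. Calling the same stub with five arguments leaves 4 bytes on the stack per call, which is the only way a `retn 10h` stub can "lose you stack space": the leak is in a caller that does not match the exported prototype, not in the stub itself.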
 