lca

True unfreedom is building a cage inside your own heart.

"Learning Notes on IDA Reverse Engineering from Scratch - 9 (Function Reverse Analysis)"

9.2 Symbol File

Target file: HOLA_REVERSER.exe

View target file architecture:

The target file is a 32-bit program compiled with VC++ 2015.

Double-click to run the program; it prompts for a number.

The program then checks whether the input is correct.

9.3 Locating the main function

First, let's look at the strings.

Some of the strings the target program prints at runtime can be found here; they are highlighted by the red line in the image above.

Arrived at the following location:

In the image above, 0x402108 is the address of this string. The hexadecimal to the right of the address is the raw bytes, and "aPoneUnNumerito" is the identifier (name) IDA assigned to the string. The "a" prefix in the name indicates an ASCII string, and "db" indicates that the data is defined as a sequence of bytes.

Press the D key to view the value of each byte:

Press the A key to display it as a string again.

Place the mouse pointer on the arrow pointing to the right to view the specific reference location, and press the X key to enter the specific reference location.

From this reference, we can find the main function.

9.4 Function Stack

The image above shows a local variable var_4 with a size of dword.

32-bit function call stack view

First, all function arguments are pushed onto the stack, followed by the return address. Above the return address is the saved EBP of the calling function, pushed by the function's first instruction, PUSH EBP. At the top are the local variables.

9.5 Main Function Parameters

Arrived at the main function

Press the X key to see where the main function is referenced.

Main function call

In the image above, three push instructions pass the arguments. The comments on these three instructions show that three parameters are passed, namely argc, argv, and envp, the standard parameters of the main function.

9.6 Local Variables

var_c is a local variable. Press the X key to see where it is referenced. From the image below, it can be seen that this local variable is referenced in two places.

9.7 Atoi Function

The atoi function converts a string to an integer. If the number is too large to convert, an error occurs and 0 is returned; likewise, if it is smaller than the smallest negative int, an error occurs and 0 is returned. All input content is converted to an integer. If the input is 41424344, it is converted to an integer and saved in EAX, which IDA displays in hexadecimal.

#include <stdlib.h>
int atoi(const char *string);

From the image above, it can be known that the target program will convert all input strings into integers. If atoi or _wtoi cannot convert the input content to the desired type, it will return 0.

The return value of atoi

The value of eax is moved into esi. After the original string entered by the user is printed, the value of esi is compared with 0x124578.

The decimal string entered by the user is parsed into an integer (which IDA shows in hexadecimal) and then compared with that hardcoded value. If the input is the decimal form of the hardcoded value, the check should succeed.

In the image above, a jnz instruction (jump if not equal / not zero) follows the comparison: if the values differ, execution jumps to the branch that outputs "bad reverser"; if they are equal, it falls through and outputs "good reverser".

0x124578, converted from hexadecimal to decimal, is 1197432.

In the target program, if you enter this decimal number 1197432, you can see that it is successfully verified and outputs "good reverser".
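As an added example that is not part of the original notes, the C below reconstructs the check described above in source form (the function name check_input and the helper expected_input are assumed names, not from the target) and exercises atoi's behaviour on edge inputs. It also shows a caveat the disassembly alone does not make obvious: atoi skips leading whitespace, accepts a sign, and stops at the first non-digit, so any string that merely begins with 1197432 passes the comparison.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hardcoded comparison value taken from the disassembly (cmp esi, 124578h). */
#define MAGIC 0x124578

/*
 * Reconstruction of the target's check, written from the instruction
 * sequence in the notes: the input buffer is passed to atoi, EAX is moved
 * into ESI, ESI is compared with 0x124578, and jnz selects the
 * "bad reverser" path. Returns 1 for "good reverser", 0 otherwise.
 */
int check_input(const char *input)
{
    int value = atoi(input);      /* call atoi -> EAX */
    int esi = value;              /* mov esi, eax */
    if (esi != MAGIC)             /* cmp esi, 124578h ; jnz bad */
        return 0;                 /* "bad reverser" */
    return 1;                     /* "good reverser" */
}

/* The accepted decimal input is simply the constant printed in base 10. */
int expected_input(char *buf, size_t len)
{
    return snprintf(buf, len, "%d", MAGIC);   /* writes "1197432" */
}

int main(void)
{
    /* Constructed sample inputs: exact match, whitespace/sign, trailing junk,
       hex notation (atoi stops at 'x'), non-numeric, and empty. */
    const char *samples[] = { "1197432", "  +1197432", "1197432abc",
                              "0x124578", "abc", "" };
    char buf[16];
    expected_input(buf, sizeof buf);
    printf("expected input: %s\n", buf);
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s reverser\n", samples[i],
               check_input(samples[i]) ? "good" : "bad");
    return 0;
}
```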

The analysis of the target program ends here. In this chapter, we learned about reverse analysis of function stacks, including how functions pass parameters, local variables, and the atoi function.
