C++ Reverse Disassembly

8/16/2019 C++ Reverse Disassembly

1/33

C++ Reverse Disassembly

Opcodevoid, 25 Aug 2004

4.86 (70 votes)

This article's aim is to provide material for modern day decompiling of an application written in

C++

Technical Detail

This article's aim is to provie material !or moern ay ecompilin" o! applications #ritten in C++.$e ass%me yo% have a soli %nerstan o! C++& 86 ssembly& an #ino#s.

vervie# an contents*. $hy is C++ Decompilin" possible*. ,ntro-. oern Day /ample1. Compiler 2peci!ic-. C++ 3rotocols*. ,ntro-. lobal 5ariables1. /pressions4. Ret%rn 5al%es

. %nction calls an the stac6. 9ocal 5ariables1. C++ :ey#ors*. ,ntro-. ,! statement1. or 9oop4. 2tr%ct%res. Technical l"orithms4. 3ractical Decompilin"*. ,ntro to Decompilin" $ino#s application-. Decompilin" a sample application

2pecial Case; Compiler 2peci!ic

Compiler 2peci!ic;

/ach compiler is i!!erent& s%ch as their CrtlStartUp ro%tines& their statement assemblies(switch & if &while)& an n%mero%s other thin"s mae each compiler "enerate i!!erent coe& even i!

http://www.codeproject.com/script/Membership/View.aspx?mid=412290http://www.codeproject.com/script/Membership/View.aspx?mid=412290


2/33

yo% compile the same C++ coe on t#o compilers& the en res%lt #ill be i!!erent& beca%se o! this ,#ill stic #ith one an only one compiler& #hich is the 5is%al C++ Compiler.

5is%al C++ is pro%ce by icroso!t an c%rrently elivers the !astest an most optimi%st sayin"some o! the in!ormation presente in this boo may only #or on 5is%al C++.

,! yo% on?t have 5is%al C++ that is !ine& there are many other compilers available& an most o! thisin!ormation is also acc%rate !or them

Chapter *; $hy is C++ Decompilin" possible

*.* ,ntro;

, been as many times is C++ ecompilin" even possible not only %e to the compleity o! acompiler b%t !or the mass abo%t o! in!ormation loss in compilin"& s%ch as comments & incl%e !iles&

macros >%st to name a !e#. 2o one o!ten #oners is this even #orth p%rsin". $ell , #ante to starto%t #ith the topic o! #hat is totally loss #hen yo% compile a pro"ram an #hat stays there& re!er totable *.*.* to see #hat #e loses an remains.

What is lost What remains

templates %nction calls

classes Dynamic linin" calls

arcos 2#itch statements

,ncl%e !iles 9ocal 5ariables

comments 3arameters

=ot to say everythin" that is in the @$hat remainsA sections is *00B there& it >%st means it is verysimple an practical to reverse en"ineer. eca%se o! this !act , choose to eal #ith the @$hatremainsA section !irst beca%se it?s m%ch easier.

s #e pro"ress tho%"h this boo eep in min reverse en"ineerin" is almost never practical antaes lots o! practice. ,t?s harer to reverse en"ineer somethin" create than to create it in the !irstplace.


3/33

"oo #ay to start o%t #ith reverse en"ineerin" is to ecompile yo%r o#n pro"rams an see ho#each C++ !%nction speci!ically #ors& then apply that no#le"e in other areas beca%se looin" attho%sans o! lines o! assembly coe is not really !%n.

*.- oern Day /amples;

=o# #hen yo%r reain" this boo yo% mi"ht start to thin that & @anythin" translate in!o a i!!erentlan"%a"e can be retranslate bac into the same lan"%a"eA ri"ht& #ell this is not the case in reverseen"ineerin" a lot o! thin"s #ill be lost& an a lot o! thin"s yo% m%st mae %p(ass%me) alon" the #ay.

2o , #ante to mae s%re a provie some practical eamples !or reverse en"ineerin" at thebe"innin" o! the boo& to "ive yo% a sense o! hope.

To be"in reverse en"ineerin"& , ecie to start #ith the main C++ statement

ie Copy Coe

Int main(int argc, char * argv[])

=o# #e can easily !in this statement in any eec%table !ile %e to the 3/ !ormat #hich tells %s thestart o! the eec%table& beca%se o! this #e can simply rea the 3/ !ormat in a speci!ic eec%tablean "et its start aress. r can #e

This is #here the Common R%ntime 9ibrary comes in at (CRT9)& yo% see #hen yo% compile a C++pro"ram most compilers (beca%se this is compiler speci!ic st%!!) #ill eec%te in the !ollo#in" orer

*. CrtlStartUp();-. Int main(int argc, char * argv[])1. CrtlCleanUp();

this means #e can?t loo into the 3/ !ile an "et the start o! o%r coe& #e can only "et the start o!the Crtl2tartEp()?s coe. $e have to choices& reverse en"ineer the Crt2tart%p Coe or sip over it& ,lie the latter& an #e #ill eal #ith the Common R%ntime 9ibrary later.

Chapter -; C++ 3rotocols;

-.* ,ntro

ne o! the main reason C++ is so #ell esi"n is beca%se it has a strict protocols %se in itsassemblies. C++ has some very static assemblies s%ch as #hen yo% ret%rn val%es& it is al#ays p%t

in the / re"ister& an !%nction callin" %s%ally al#ays %se the stac beca%se o! this reverseen"ineers can attac this static assemblies an "et a hea start

The !irst thin" #e sho%l eal #ith is lobal 5ariables beca%se i! yo%?re comin" !rom a lot o! hi"hlevel lan"%a"es yo% mi"ht have some miss conceptions.

-.- lobal 5ariables


4/33

Fo% no# ho# many boos say emory is store ranom on the comp%ter& #ell this is tr%e !or themost part& b%t yo%r application memory allocation !or "lobal variables is G%ite static. That?s ri"ht eachtime yo% r%n yo%r pro"ram& yo%r static allocate variables #ill al#ays en %p in the same place.

nother interestin" !act is variables on?t hol ata& they pointer to #here the ata is store.

ere is a C++ /ample;

ie Copy Coe

#include stdaf!"h#include windws"h

char * gl$alvar % &hats Up;int 'I+- &in.ain(/IS+'C hInstance,/IS+'C hrevInstance,0S+ lpCmd0ine,int nCmdShw)1 // TODO: Place code here.

gl$alvar % (char *)2!322222;return 2;4

ere is a in epth loo at the isassemblies

ie Copy Coe

223252627 gl$al8var dd 325263h223252637 gl$al8var8value d$ 9&hats Up9,2mv gl$al8var,322222h

:& this proves that variables o not hol ata& as yo% can see& the compiler a%tomatically initiali


5/33


char gl$alvar[] % &hats Up;

int 'I+- &in.ain(/IS+'C hInstance,

IS+'C hrevInstance,0S+ lpCmd0ine,

int nCmdShw)1 gl$alvar[2] % 9'9; gl$alvar[5] % :U; return 2;4

$hich #hen compile becomes

ie Copy Coe

22325262 gl$al8var d$ %st moi!yin" the val%es storeat 22325262 an 22325265.

Fo% sho%l have variables an pointer variables o#n pac& since this in!ormation #ill not be eplaina"ain& i! there is somethin" yo% on?t %nerstan& rea it over.

-.1 /pressions

:& as #e all no# C++ has near /n"lish lie synta an #hich #e can pro"ram in. $ell 86assembly coe oesn?t& !or eample tae a loo at the !ollo#in" statement

ie Copy Coe

Int s % 6 > 3 > ? > 5 > @;

o# can #e calc%late this in assembly simple& loo at the !ollo#in" C++ eample


6/33

ie Copy Coe


int s? % 6;int sA % 3;

int s6 % ?;int s3 % ?6;

int 'I+- &in.ain(/IS+'C hInstance,

/IS+'C hrevInstance,

0S+ lpCmd0ine,

int nCmdShw)1 // TODO: Place code here. s? % sA > s6 Bs3 > 63; return 2;4

$hich #hen compile becomes

ie Copy Coe

22325262 s? dd 6 22325263 sA dd 3 2232526 s6 dd ? 2232526C s3 dd ?

mv ea!, sA2232?22 add ea!, s6

2232?22 su$ ea!, s32232?2?3 add ea!, 632232?2?D mv s?, ea!

: the compiler optimi


7/33

C++ Operator X86 Instruction

I (%ltiply) %l & (%se !m%l !or !loatin" point)

J (Division) Div (%se !iv !or !loatin" point)

K (2%btraction) 2%b

+(ition)

s yo% can see& #e can easily ecipher most statements in C++ %sin" the table above.

or a test #e #ill loo at a sample isassembly %mp an ecompile it by han to C++.

ie Copy Coe

2222222 A222222? 6222222A 32222226 22222223 ?2222225 mv al, [22222222] add al, [2222222?] mv ch, [2222222A] mul ch

mv [222222226],a!

: the !irst thin" #e o is try to !i"%re o%t #hat type o! variables they are %sin"

n !rom #hat #e can see they o%r %sin" al an ch& #hich are 8 bit re"isters& so that means#henever they re!erence anythin" #ith 8 bit re"isters& it means the variable is a Char type.

n o#n yo% see that they o a @mv [222222226], a!A& an since a is a *6 bit re"ister thevariable type is short int.

ere is a small table& so yo% can map re"isters to variable types

X86 Registers C++ Type Variables

8 bit re"isters ( 9 & ) Char

*6 bit re"isters () 2hort int


8/33

1- bit re"isters (/) ,nt

2o !ar #e see 4 re!erences to memory aresses& beca%se o! this #e no# #e have 4 variables& the!irst one L000000000M is obvio%sly an char type variable since #e see&

ie Copy Coe

mv al, [22222222]=

an since al is an 8 bit re"ister.

2o lets "ive L0000000M the name o! s*& #e also see that [2222222] tho%"h[2222222A] is allre!erence by 8 bit variables meanin" they are also char type& an the last one [22222226] #hich?s%se lie @mv[222222226] , a!A is a short int type since a is *6 bits

: let?s create another table one #hich #ill hol variable names or alias !or the aresses

ltho%"h #e can never "et the ori"inal variable name #e can also create o%r o#n.

Addresses Variable namesalias!s Variable si"e

0000;0000 2* Char

0000;000* 2- Char

0000;000- 21 Char

0000;0001 24 2hort int

Fo% mi"ht be con!%se #hy 22222223 hols * an 22222226 oesn?t& #ell this is beca%se ,ntelis a little eian machine& that stores val%es in reverse #or orer.

=o# the net thin" #e sho%l o is re#rite the coe above #ith o%r alias?s #e create

ie Copy Coe

s? d$ AsA d$ 6s6 d$ 3


9/33

s3 dw ?mv al, s?add al, sAmv ch, s6mul chmv s3,a!

=o# the !irst thin" #e o is mv al, s?

: al no# hols a val%e o! -& the net thin" #e o is @add al, sAA

=o# al has a val%e o! & since sA ha a val%e o! 1 in it the net thin" #e #ant to o is mv ch, s6

=o# ch has a val%e o! 4& a!ter that #e m%l ch& no# a has the val%e o! al * ch&

n since al ha a val%e o! in it an ch ha a val%e o! 4 in at& a! has the val%e o! -0.

: #e can start to ecipher the C++ statement #hich is

ie Copy Coe

s? > sA * s6

!ter that #e see that #e see& @mv s3, a!A so the complete C++ statement is

ie Copy Coe

S3 % s? > sA * s6;

s yo% can see #e >%st #ent tho%"h a #hole b%nch o! mess to come %p #ith a simple C++statement& an this only #ors !or "lobal variables. =ot local variables or str%ct%re members. 2othin"s #ill only "et harer& %e to this , s%""est yo% rea care!%lly an i! yo% on?t %nerstansomethin" rea it over an over %ntil yo% o.

-.4. Ret%rn 5al%es

ne o! the ma>or !%namentals o! C++ is ret%rnin" val%es !rom !%nction call. This is act%ally a verysimple proce%re& beca%se it simple involves placin" a val%e into the ea re"ister.

2o #hen yo% have a statement lie this

ie Copy Coe

c % (char *) mallc (2!EE);

The !irst thin" the compiler oes is call mallc an then it assi"ns c to ea lie @mv c, ea!A

or eample i! yo% have a statement that ret%rns N #hat yo% o%r really sayin" is

ie Copy Coe


10/33

88asm1 .v ea!, 5 et4

9et?s have a little practice #ith a !%ll isassembly %mp

ie Copy Coe

.v ea!,5'dd ea!,ASu$ ea!,?et

n the C++ eG%ivalent is

ie Copy Coe

return 5 > A B ?;

This altho%"h simple is one o! the most important concepts a C++ reverse en"ineer can learn.

-. %nction Calls an the 2tac

=o# its time to "et to the bloo an "%ts o! C++ #ith !%nction calls.

%nction calls are !airly simple !or the most part beca%se they o%r >%st labels !or assemblypro"rammers eample.

ie Copy Coe

Int func () 1return ? ;4Eunc();

$o%l compile into

ie Copy Coe

Eunc7.v ea!, ?etCall Eunc

rom this #e can concl%e t#o thin"s& the !irst is;

%nction?s name or lie variables& they are >%st re!erences to some aress #hich is the same as alabel

ere is a !%ll isassembly %mp !or practice

ie Copy Coe


11/33

222272222 222227222? 222227222A 2222272226 2

222272225 mv ea!,?

22227222@ ret 2222722?2 call 222272225 :cde starts here2222722?5 mv [222272222],ea!

: the !irst thin" #e see is that at aress 2222722?5 & #e o%r assi"n a 1- bit memory aress tothe val%e o! a 1- bit re"ister #hich?s mean that #e have a 1- bit variable at han or a int typevariable to be more eact.

2o let?s create an alias !or the aress?s 222272222 O 222272226& #hich #ill be s?.

=o# let?s create a ne# isassembly #ith this ae in!ormation

ie Copy Coe

S? dw2

222272225 mv ea!,?22227222@ ret

2222722?2 call 222272225 :cde starts here2222722?5 mv S?,ea!

: the secon thin" #e see is that coe start at 2222722?2 an the !irst instr%ction iscall 222272225.

=o# #e?re at 0000;00* #e can see that the coe is movin" a val%e into ea then ret%rnin". =o# #e

o%r at aress 2222722?5 an #e >%st move s* into ea

2o #e can no# reverse en"ineer this #hole pro"ram bac into C++

ie Copy Coe

Int s? % 2; //dw 0Int sme8functin()1

return ?; //mov eax ,1 : ret 4

s? % sme8functin(); //mov s1 , eax

=o# #hat o #e o #hen !%nctions have parameters& #ell thin"s "et pretty complicate beca%se thecompiler %ses the stac to hanle parameters.

,t p%shes in parameters ri"ht to le!t& meanin" the last parameter "oes in !irst& an the !irst parameter"oes in lest.


12/33

or eample& C++ %nction;

ie Copy Coe

Eunc (?, A);

$o%l compile into

ie Copy Coe

ush Aush ?Call func

=o# let?s have an ima"inary stac !rame& #hich has a si ]A& since S eG%als -0& an the!irst parameter is store at L-8M.

• The secon thin" the compiler oes is @add ea!, [esp > ?A]A an since S eG%als -0an the secon parameter is store at 1-.

• The last thin" the compiler oes is ret


13/33

2o the !%ll compilation #o%l be

ie Copy Coe

Eunc7 .v ea!, [S > ] 'dd ea!, [S > ?A]

et

neat little reverse en"ineerin" tip is to remember that sense the stac has a !i #ith o! 4 bytes&yo% can easily tell #hat parameter they o%r accessin".

ie Copy Coe

[F] % StacG

[F >3] % eturn address

[F > ] % Eirst

[F > ?A] % Secnd

[F > ?H] % +hird

[F > A2] % Eurth

n so onQ.

-.6 9ocal 5ariables

$e >%st learn that parameters are store on the stac& no# it time to learn abo%t local variables

#hich are also store on the stac& b%t local variables are store G%ite i!!erent.

ere is an eample

ie Copy Coe

Int func ()1 int a % 5; return a;4

: to compile this coe& the compiler m%st !irst reserve space on the stac by "oin"

Su$ S, 3. 2ince 4 bytes is the si


14/33

.v e$p, S; back up EP !" ebpSu$ S, 3; reverse some space o" the stack

=ote; C++ al#ays compiles coe lie @2ettin" %p the stac !rameA in any !%nction& even i! yo% %se oron?t %se local variables& an the compiler al#ays %ses ebp to re!erence parameters an local

variables.

,n the @%nction Calls an the 2tacA section , %se esp to re!erence parameters an sip 2ettin" %pthe stac !rame coe this o%t !or clarity sae.

=o# the secon thin" the compiler oes is

ie Copy Coe

.v [e$p B 3], 5

.v ea!, [e$p 3]

,! #e ha a secon local variable #e co%l simple "o

.v [e$p B ], 5, or co%rse the compiler #o%l %se su$ S, ,nstea o! su$ S, 3.

The last thin" the compiler oes is restore the stac !rame an ret%rn

ie Copy Coe

; #lea"!"$ up the stack %rame.v S, e$p; restore stack po!"ter p e$p; restore ebpet

=ote; The compiler al#ays eec%te the @Cleanin" %p the stac !rameA coe& in every !%nction& %e tothis #e can etect a !%nction by looin" !or similar coe. , also sip this in @!%nctions call an thestacA section !or clarity sae.

ere is a !%ll isassembly %mp& !or practice

ie 2hrin Copy Coe

222272222 2222272223 push e$p222272226 mv e$p,esp222272225 su$ esp,

2222722?2 mv [e$p 3], 52222722?5 add [e$p B 3] , [e$p > ]2222722?H mv ea!,[e$p B 3]2222722? mv esp, e$p2222722A2 pp e$p2222722A? ret2222722AA push e$p2222722A6 mv e$p,esp2222722A5 add [e$p > ] , [222272222]222272262 add [e$p > ] , [e$p > ?A]


15/33

22227226? mv ea!,[e$p >]22227226A mv esp, e$p222272265 pp e$p22227226H ret22227226D push e$p ;code start 22227226 mv esp, e$p222272232 push ?222272233 call 22227222A22227223@ mv [222272222],ea!222272252 push 322227225? push 622227225A call 2222722AA22227225H add [222272222],ea!22227225 mv esp, e$p22227225@ pp e$p

: the !irst thin" #e is that memory aress [22227222] is bein" re!erence by ea a lot& meanin"#e have a 1- bit variable #hich is an int type. The net thin" #e notice is #e set %p the stac !rame1 times an clean it %p 1 times& #hich means #e have 1 !%nctions(an yes int main(J) also sets%p the stac !rame an cleans it %p).

2o #e have

ie Copy Coe

Eunc? ()EuncA ().ain ()

=et #e see Eunc? address is at 222272223 an accept one 1- bit parameter

eca%se #e see at aress 0000;0040 #e p%sh * into the stac an then at

aress 222272233 #e are callin" 0000;0004 so #e can set%p !%nc* eclaration

ie Copy Coe

2222272222A Eunc? (int a)

=o# #henever !%nc*& oes anythin" to Lebp + 8M #e no# that it is oin" somethin" to its !irstparameter. 2o loo into !%nc* coe& an #e see that it has * local variable beca%se it re!erencesLe$p B 3M.

=o# lets tae a lot at aress 0000;004& #hich is mv [22227222], ea! so #e no# that theori"inal C++ coe is somethin" lie

ie Copy Coe

[222272222] % func? (?);

=et #hen see at aress 22227225? that #e are p%shin" 4 onto the stac then a!ter that #e arep%shin" 1 onto the stac then #e all 2222722AA.

=o# #e can set%p EuncA eclarations


16/33

ie Copy Coe

2222722AA EuncA(int a, int $)

t aress 22227225H #e see add [222272222],ea! & means the ori"inal C++ coe issomethin" lie

ie Copy Coe

[222272222] >% EuncA(6,3)

Remember #e p%she 4 onto the stac !irst& an 1 onto the stac secon& beca%se parameters orpasse ri"ht to le!t.

=o# that #e have a lot o! in!ormation lets mae a ne# isassembly one #ith alias !or all localvariables an parameters in %nc* an %nc-. 2ince #e no# that #henever they %se coe

lie [e$p >J] it?s a parameter& an #hen they %se coe lie [e$p """] it?s a local variable.

ie Copy Coe

222272222 s? dw 2222272223 func?(int param8?)7 push e$p1 lcal 7 lcal8var8?4

: , no#& , mae %p a little assembly synta s%ch as !%nc*(int paramH*) an

ie Copy Coe

10cal 7 lcal8var8? 4

This is !or clarity sae that?s all.

=o# let?s start #ith !%nc* at aress 2222722?2 #e see that it is movin" lcal8var8? to & #hichin C++ it's sayin"

ie Copy Coe

int lcal8var8? % 5;

net #e see a localHvarH*& paramH* #hich in C++ its sayin"

ie Copy Coe

lcal8var8? >%param8?

The last thin" #e see be!ore #e clean %p the stac is mv ea!,lcal8var8? #hich in C++ itssayin"

ie Copy Coe

return lcal8var8?;

2o the !%ll reverse en"ineere !%nction is


17/33

ie Copy Coe

Int func?(int param?)1 int lcal8var8? % 5; lcal8var8? >% param?; return lcal8var8?;

=o# lets "o to !%nc- at aress 2222722A5 #e see a paramH*& s*& #hich in C++ its sayin"

ie Copy Coe

param8? >%s?;

a!ter that #e see a paramH*& paramH-& #hich in C++ its sayin"

ie Copy Coe

param8? >% param8A;

the last thin" #e see be!ore #e clean %p the stac is mv ea!, param8?& #hich in C++ its sayin"

ie Copy Coe

return param8?;

2o the !%ll reverse en"ineere !%nction is

ie Copy Coe

Int funcA(int param8? int param8A)1 param8? >% s?;

param8? >% param8A; return param8?;4

=o# #e o%r able to reverse en"ineer the #hole pro"ram

ie Copy Coe

Int s? % 2;Int func?(int param?)1 int lcal8var8? % 5; lcal8var8? >% param?; return lcal8var8?;

4 Int funcA(int param8? int param8A)1 param8? >% s?; param8? >% param8A; return param8?;4


18/33

int main()1 s? % func?(?); s? >% funcA(6,3);4

This Chapter mi"ht be a little har to comprehen at !irst since , presente a lot o! @strai"ht to thepointA in!ormation& a"ain i! yo% on?t %nerstan anythin" rea it over& an i! yo% still on?t%nerstan emailvbme#Shotmail.com #ith yo%r G%estion

Chapter 1; C++ :ey#ors

1.* ,ntro;

$hat #e been oin" so !ar is the easy st%!!& its time to eal #ith C++ ey#ors comple epression&an some practical real #orl eamples.

1.- ,! 2tatement

ne o! the main statements people %se is this i! statement #hich lo"ically compares val%es. Esin"this !%nction #e can choose #hich path o! eec%tion o%r pro"ram sho%l tae.

,! statement can also be very & very comple an very simple

Tae a loo at the !ollo#in" eamples.

ie Copy Coe

If(I %%2) //do %u"ct!o" //co"t!"ue

=o# #hat i! #e ha somethin" lie this

ie Copy Coe

If(I%%2)1 int iA % 2;4iA % 6; //error ca"&t access !' because !t&s "ot !" (our scope // !t&s !" the !% stateme"ts scope

eca%se o! this #e no# that compiler "enerates a stac !rame !or each ,! statement #ith bracetsri"ht $ron".

,- is accessible to main in reality b%t the compiler eeps it hien& the reason , Um tellin" yo% this isbeca%se to reverse en"ineer i! statements yo% m%st completely %nerstan them.

The secon eample is

mailto:[email protected]:[email protected]:[email protected]:[email protected]


19/33

ie Copy Coe

If( (I %%2) KK ( ( IA %% ?) LL (i6 %%A) ) )

The lo"ic !or this is i! I % 2 or i! iA % ? ani6 % A

nother /ample #o%l be

ie Copy Coe

If( (c % (char *) mallc(2!EE) ) %% U00)

This is sayin" c % mallc(2!EE) an i! mallc ret%rn U00 this conition is tr%e.

Fet another eample is

ie Copy Coe

If(mallc(2!EE)) //th!s !s sa(!"$ call malloc)0x**+ a"d !% !t retur"s //a"(th!"$ "ot eual to 0 the" Th!s co"d!t!o" !s true

The last b%t not least eample is

ie Copy Coe

If(Mmallc(2!EE)) //th!s !s sa(!"$ call malloc)0x**+ a"d !% !t retur"s // value !s eual to -ero the" th!s co"d!t!o" !s true

Than!%lly all these i! statement can be reverse en"ineer in t%rn bac into >%st the #ay theyare(almost).

=o# the i! statement maps irectly to the 86 instr%ction cmp #ith this in min tae a lot at the!ollo#in" C++ pro"ram

ie Copy Coe

int main()1 int I % 2; if (I %% 63) i>% A6; return ?;4

This compiles into the !ollo#in"

ie Copy Coe

push e$pmv e$p,esp ;setup the stack %ramesu$ esp, 3

mv [e$p B 3],2cmp [e$p B 3], 63 ; NnO cntinue8prgram


20/33

add [e$p B 3],A6

cntinue8prgram7

mv ea!,?

mv esp, e$p ;restore the stack %ramepp e$pret

Fes , no# , ecie to "ive yo% a complete binary isassembly to see i! yo% remember abo%t thestac !rame an the Lebp K4M #hich means the !irst local variable create an yes int main has toset%p the stac !rame lie every other !%nction.

=o# let?s learn ho# to t%rn this pro"ram bac into C++

The !irst thin" #e o is loo at the compare mov Lebp O 4M&0 #hich is tellin" %s that the pro"ram isinitili%mp tocontin%eHpro"ram.

'dd [e$p 3], 63 or add lcal8var8?, 63 is sayin" lcal8var8? >% 63; !ter that #e@mvea!,?A& clean %p the stac !rame an then ret%rn.

=o# lets loo !or a m%ltiple lo"ical i! statements

ie Copy Coe

If( (i%%2) KK (iA %% A6) LL (i6 %%A?) )If8$lcG8checG?7 Cmp I,2 Pne if8$lcG8checGA7 Pmp d8if

If8$lcG8checGA7 Cmp iA,A6 Pne sGip8if Cmp i6,A? Pne sGip8if Q8if7

; act!o"s heresGip8if7

: the !irst thin" #e see is that on m%lti lo"ical i! statements #hen one conition !ails it >%mps to thenet lo"ical epression to see i! that #ill eval%ate to tr%e& as sho#n in !i"%re 1.-.*


21/33

2o i! #e have a m%lti lo"ical i! statement& an part o! the epression s%ccees #e contin%e toeval%ate the epression %ntil somethin" is !alse.

! co%rse this is only tr%e !or a L;L operator. or a KK operator i! one part o! the epression is tr%e#e G%it that entire epression an the i! statement eval%ates as tr%e.

1.1 or 9oop

The !or 9oop is not only one o! the most interestin" thin"s abo%t C++ it is one o! the most %sestatements.

The interestin" !actor !or the !or loop comes in its ability to eval%ate 1 epressions

ie Copy Coe

Er( Re!pressin ?; Re!pressin A; Re!pressin 6)

The /pression o%r %s%ally

ie Copy Coe

Er( Rassignment; Rcnditinal; RincrementK decrement)

Reverse en"ineerin" the !or statement is not har& beca%se it?s really a i! statement in most cases

ie Copy Coe

If(I R 3)1 i>>; //do act!o"s4

=o# !or the !or loop eG%ivalent

ie Copy Coe

fr(int I %2;iR3;i>>)1 //do act!o"s4

: lets loo at a simple reverse isassembly !or the !or loop

ie Copy Coe

.v [e$p B 3],2 ;!"!t!l!-e the local var!able Pmp cnditin

Increment7 'dd [e$p 3],?

Cnditin7 Cmp [e$p 3],3


22/33

Pge dne

0p7 ;do act!o"s Pmp increment

Qne7

s yo% can see the !or loop is nothin" more than a hi"h level i! statement& the !irst thin" #e o isinitili


23/33

, am proviin" some al"orithms to prove an help yo% %nerstan some o! the theory , presente inthis boo.

This !ollo#in" eample proves that variables insie a i! bloc o%r tr%ly accessible to the #hole!%nction.

ie Copy Coe

#include stdaf!"h#include istream"h

int main(int argc, char* argv[])1 88asm mv dwrd ptr [e$p 3], A6 if(true) 1 int i; cut RR i RR endl; 4 return ?;4

The o%tp%t sho%l be -1 even tho%"h #e never initiali%st re"%lar variables #ith the "iven ability to be accessin parts instea o! #holes.

ie Copy Coe

#include stdaf!"h#include istream"hstruct test?1 int mem$er?; int mem$erA; int mem$er6;4;

int main(int argc, char* argv[])1 test? lcal8struct; lcal8struct"mem$er? % ?; lcal8struct"mem$erA % ?; lcal8struct"mem$er6 % ?; 88asm 1 add dwrd ptr [ e$p ?A],55 ; structure 1

add dwrd ptr [ e$p ] , ?22 ; structure ' add dwrd ptr [ e$p 3] , A6 ; structure 4 cut RR mem$er ?7 RR lcal8struct"mem$er? RR endl; cut RR mem$er A7 RR lcal8struct"mem$erA RR endl; cut RR mem$er 67 RR lcal8struct"mem$er6 RR endl; return ?;4


24/33

%tp%t sho%l be

ie Copy Coe

mem$er ?7 5Hmem$er A7 ?2?mem$er 67 A3

Chapter 4; 3ractical Decompilin"

This Chapter aims to provie no#le"e o! practical ecompilin"& in this chapter #e #ill learn to %sea isassembler& an learn to ecompile real #orl applications.

4.1 Intro to Windows decompiling

$ino#s ecompilin" is not that i!!ic%lt since all #ino#s pro"rammers !ollo# a strict pro"rammin"

metho s%ch as Create&indw!& or CreateQialg& an ll #ino#s have messa"e loops

#hich yo% can easily !in. e!ore #e really start "ettin" into ecompilin" lets "o over the basic. ,nthe vast #orl o! #ino#s there are many types o! application& an many more types o! technolo"y.

There!ore all o! it is too m%ch to cover in one t%torial. n top o! that& this in!ormation only applies to

application that %ses the basic #ino# !%nctions& s%ch as Create&indw!& an CreateQialg. pplications mae in vis%al basic& or Delphi %se there o#n en"ine& an there en"ines #ill not becover. lso there is C& #hich is simply a class #rapper to 3, calls& b%t can "reatly complethin"s. $e #ill be #orin" on an application , mae in p%re #in1- 3,& ll it oes is sho# a #ino#&b%t #e all no# sho#in" a #ino# reG%ires a si"ni!icant amo%nt o! #or.

)* Create the indo class

rom this #e can "et the $ino# 3roce%re etho& in #hich all messa"e are hanle.

lpfn&ndrc o! the &QC0'SST str%ct%re contains the aress to the $ino# proce%remetho.

,* Create the Windo itsel-*

$e can retrieve every sin"le const by name& an most o! the time the eact CJC++ eG%ivalent.

.* The message /oop

ll #e have to o is loo !or a re!erence toet.essage(J).

$e start #ith the basic seletons !irst& then move on to more comple st%!!& its import to learn thebasic !irst beca%se

They "ive yo% an ieal o! ho# the application is esi"n. $e #ill be %sin" the 35asm& #hich yo%can "et !rom my site K

• http;JJ###.cracin"isli!e.comJmo%les.phpnamePDo#nloasVHopP"etitVliP-

http://www.crackingislife.com/modules.php?name=Downloads&d_op=getit&lid=2http://www.crackingislife.com/modules.php?name=Downloads&d_op=getit&lid=2


25/33

This is a very nice !ree isassembler #hich #e #ill be %sin".

4.2 Decompiling a sample application

irst loa %p 3vDasm& an yo%r screen sho%l loo similar to i"%re 4.-.*

(i"%re 4.-.*)

rab Create$ino#- (the pro"ram #e are "oin" to ecompile by han) an pen it in theisassembler& yo%r screen sho%l loo similar to !i"%re 4.-.-

(i"%re 4.-.-)

$e see are entry point& b%t this is CRT9 coe (Common R%ntime library)& ho# can #e!in &in.ain %nction y re!erences. $e no# that in $inain !%nctions #e havea Create&indw!& or a egisterClass!& i! #e can !in #here the pro"ram is callin" these!%nctions& #e can than be"in to map o%t the pro"ram. Fo% see #hen yo% compile a pro"ram a linerlins it #ith libraries or D99 (Dynamic linin" libraries). The !%nctions yo% "et !rom these

D99?s are calle imports. The 35asm can list all the imports a pro"ram has& an sho# yo% thearess !rom #here they are calle. To %se this !eat%re press Crtl+= or press the import b%tton. Fo%r screen sho%l loo similar to !i"%re 4.-.1

• 2tep *. Clic the inp%t b%tton or press Crtl+=

• 2tep -. Fo% sho%l see a #ino# #ith a list o! importsN scroll o#n %ntil yo%

see Create&indw!.

=o# #e m%st !in the start o! the !%nction& this is pretty easy& i! #e !ollo# the !ollo#in" r%les.

*. Consist o! aie Copy Coe

push e$p mv esp,e$psu$ esp, RT

-. Ri"ht a!ter a

ie Copy Coe


26/33

mv esp,e$ppp e$pret RT

$ell i! #e scroll %p to aress 0040*04C an yo% sho%l see

ie Copy Coe

2232?23C push e$p2232?23Q mv e$p, esp2232?23E su$ esp, 52h

!ter that #e see

ie Copy Coe

mv dwrd ptr ss7[e$p 62],2222262mv dwrd ptr ss7[e$pAc],2222222226

& so #e no# #e have local variables& an it mostly loos lie a str%ct%re& to !inthe &QC0'SST str%ct%re #e nee a re!erence point. "oo re!erence to loo !oris 0adCursr. bo%t every sin"le application %ses the call& so simply press the import b%tton orCrtl+=& an select 0adCursr.

nce yo% have selecte 0adCursr yo% sho%l then see somethin" similar to

2232?2@A call ds70adCursr'

2232?2@ mv [e$p?3], ea!

& no# #e all no# the ret%rn val%e !or !%nctions are store in the ea re"ister& an #e no# thatthe hCursrmember o! &QC0'SST is bein" %se (beca%se #e are loain" a c%rsor). =o##hat position is hCursr in memory& #ell its ebpK*4h(yes that?s *4 / no ecimal)& #ith thisin!ormation #e can !i"%re o%t #here all the other member are to. ,! #e tae a G%ic loo at

the &QC0'SST str%ct%re

ie Copy Coe

tVpedef struct &QC0'SST 1UI+ c$SiOe; //0hUI+ stVle; // 'ch&QWC lpfn&ndrc; //'hint c$Cls!tra; //'hint c$&nd!tra; //'0h

/IS+'C hInstance; //1ch/ /ICW hIcn; //1h/CUSW hCursr; // ebp 21h 322tart calculat!o" here 24/FUS/ h$rFacGgrund; //ebp 210h0CS+ lpsO.enuame; //ebp 5 0ch0CS+ lpsOClassame; //ebp 2 /ICW hIcnSm; //ebp 24;


27/33

s yo% can see its easy to calc%late str%ct%re member aresses& simply a the si


28/33

mv dwrd ptr ss7[e$p A3],2

$e are simply settin" wc"c$Cls!tra to 0000000

3* cbWnd12tra

mv dwrd ptr ss7[e$pA2],2222222

#e are simply settin" wc"c$&nd!tra to 0

6* hInstance

mv ea!,dwrd ptr ss7[e$p>] XXlcal varia$le hInstance

mv dwrd ptr ss7[e$p?C],ea! XX/instance

Remember the eclaration !or the main !%nction is

&in.ain(/IS+'C hInstance, /IS+'C hrevInstance, 0S+ lpCmd0ine , intnCmdShw)

an the !irst parameter (h,nstance) is store at e$p > & an the secon parameter(h3rev,nstance) is store at e$p > ?A

=o# that ea hols the val%e o! hols hinstance& #e simply trans!er that val%e to LebpK*CM orhinstance. 2o in other #ors #e are sayin" #c.h,nstance P h,nstance

4* hIcon

mv dwrd ptr ss7[e$p?],22222222

#e are simply settin" wc"hIcn to 0

8* hCursor

ie Copy Coe

push 2222DE22mv ec!,Q&WQ ptr SS7[e$p>2]push ec!call US6AM0adCursr'mv dwrd ptr ss7[e$p?3],ea!

& the !irst thin" #e o is loo at the eclaration o! 0adCursr' an !in that it is

ie Copy Coe

0adCursr (/IS+'C hInstance, 0S+ cursrname);

an the last parameter is p%sh !irst& so c%rsorname is the !irst parameter bein" b%sh #hich is theval%e 700.


29/33

,! the %ser is not %sin" a c%stom c%rsor (most on?t) #e can retrieve its val%e in $inDasmRe! anyes& yo% can enter he val%es in $inDasmRe!& >%st mae s%re yo% p%t a 0700 not 700

re!er to !i"%re 4.-.6

(i"%re 4.-.6)

=ote; ,! yo%r #onerin" #hy 0adCursr"cursrname #asn?t in the !irst pict%re& it is beca%se ,?m#ritin" this pro"ram as ,?m typin" this boo.

mv ec!,Q&WQ ptr SS7[e$p>2]

push ec!

=et #e move ec& to 22;Lebp+8M #hich is hInstance& an then #e p%sh ec to the stac&

the stac c%rrently contains

• ,DCHRR$

• h,nstance

then #e see call US6AM0adCursr' & #e can t%rn this bac into the complete ori"inal line o!so%rce #hich is

0adCursr(hInstance,IQC8'W&);

no# #e all no# that 0adCursr ret%rns the hanle to the c%rsor in the ea re"ister so

mv dwrd ptr ss7[e$p?3],ea! , e$p?3 is the position o! hC%rsor. =o# lets ecompile theentire statement

wc"hCursr % 0adCursr(hInstance,IQC8'W&);

5* hbrac%ground

push 2?

C'00 QI6AMetStcGW$Nect

mv dwrd ptr ss7[e$p?2],ea!

& !irst #e p%sh 0* into the stac an call etStcGW$Nect & no# i! #e loo at the eclarationo! etStcGW$Nect #hich is etStcGW$Nect(int $rush) & #e no# that the 0* is speci!yin" abr%sh so loa %p $inDasmRe!& an type * in & re!er to !i"%re 4.-.7 !or more in!ormation


30/33

2o #e no# the call is lie etStcGW$Nect(0+'-8FUS/)& a!ter that #esee mv dwrd ptr ss7[e$p?2],ea! an ea hols the hanle to the br%sh ret%rnby etStcGW$Nect& an ebpK*0& is the memory location o! h$rFacGgrund& so the !%llecompile statement is

wc"h$rFacGgrund % etStcGW$Nect(0+'-8FUS/);

)7* lps"#enuame

mv dwrd ptr ss7[e$p2C],2222222

#e simply set lpsO.enuame to 0

))* lps"Classame

mv ed!,dwrd ptr ds7[2232H26C]

mv dwrd ptr ss7[e$p2],ed!

at the aress o! 0040601C& is a pointer to are class name& ho# can i tell & easy beca%se it iss%rro%nin" the aress in bracets& so it is "ettin" a val%e !rom 0040601C& #e can easily %se anyhe eitor to loo at the aress 0040601C& as lon" as #e no# the ima"e base.

The ima"e base is the location the pro"ram is loae into memory& to see the ima"e base pressCRT9+3 in 3vDasm #ino# similar to i"%re 4.-.8 sho%l come %p

(i"%re 4.-.8)

$e s%btract the ima"e base #ith is 400000 in he !rom 0040601C& an #e are le!t #ith 601C& no# i!#e "o to o!!set 601C in a !ile #e #ill see 10& #e m%st rea 1 more bytes beca%se ,ntel %ses 1- bitaress& so the !%ll aress is 10604000

=o# 10604000 is in little enian orer& #hich the 86 %ses& #e m%st convert it to bi" enian by

reverse every he byte& lie this 00406010& no# i! #e s%btract the ima"e base !rom that #e "et6010& an #e loo at aress 6010& #e #ill see a UD?& i! #e eep reain" to a n%ll terminator lieeveryone else oes #e #ill see D/C3,9/.

=o# that #e have the name o! are class& #e can !%lly ecompile the statement lie this

static char * sOClass %


31/33

wc"lpsOClassame % sOClass; since #e are "oin" mv dwrd ptr ss7[e$p2],ed! anded!

hols the aress o! sOClass& an ebpK8 is the memory location o! lpsOClassame

),* hIcon

mv dwrd ptr ss7[e$p3],2222222

this is simply settin" h,con to 0

=o# that #e are one #ith are #hole #ino# class& lets have a overvie# o! all the val%es

ie Copy Coe

&QC0'SST wc; //we do"&t k"ow the exact "ame but !t has to be someth!"$wc"c$SiOe % siOef (&QC0'SST);wc"stVle % CS8/Q'& K CS8YQ'&;wc"lpfn&ndrc % &ndrc;

wc"c$Cls!tra % 2;wc"c$&nd!tra %2;wc"hInstance % hInstance;wc"hIcn %2;wc"hCursr % 0adCursr(hInstance,IQC8'W&);wc"h$rFacGgrund % (/FUS/) etStcGW$Nect(0+'-8FUS/);wc"lpsO.enuame % U00;wc"lpsOClassame % sOClass;wc"hIcnSm % U00;

s yo% can see #e practically ecompile this bac to eact so%rce coe.

=o# #e see the !ollo#in" coe

ie Copy Coe

lea ea!,dwrd ptr ss7[e$p62]push ea!call US6AMegisterClass!'and ea!,2222EEEEtest ea!,ea! NnO 2232?23push 2push 2232H253 ; 6#778 #rappush 2232H25C ; 6#778 #a"&t re$!ster classpush 2Call US6AM.essageF!'!r ea!,ea!

Nmp 2232??DA

lets !irst be"in #ith

lea ea!,dwrd ptr ss7[e$p62]

push ea!


32/33

call US6AMegisterClass!'

no# ss;LebpK10M hols the aress o! the &QC0'SST str%ct%re& beca%se LebpK10M is the !irstmember o! the str%ct%re #hich is cb2i


33/33

• p%sh 004060CNis the aress o! the 2C,, strin" @Can?t re"ister classA

• p%sh 0N is the messa"e bo type& to see #hat type 0 is

9ets crac open $inDasmRe!

Re!er to !i"%re 4.-. !or more in!ormation

2o #e can ecompile the #hole line into

.essageF!(U00,=Cant register class=,=crap=,.F8W);

a!ter that #e see

!r ea!,ea!

Nmp 2232??DA

!r ea!,ea! clears 0 an i! #e "o see #hat?s at aress 0040**7-& #e #ill !in

mv esp,e$p

pp e$p

ret ?2

#hich is eit coe& so #e can ecompile this line to ret%rn 0. The !%ll ori"inal coe is

if(MegisterClass!(L;wc))

1

.essageF!(U00,Can9t register class,Crap,.F8W);

return 2;

4

s yo% can see ecompilin" is G%ite simple !or this basic #ino#s st%!!& so , not "oin" to bore yo%#ith the rest. ,! yo% have any G%estions & please chec o%t are !or%msat http;JJ###.eliteproy.comJmo%les.phpnamePor%ms
http://www.eliteproxy.com/modules.php?name=Forumshttp://www.eliteproxy.com/modules.php?name=Forums

Date post:	05-Jul-2018
Category:	Documents
Upload:	telephonica
View:	221 times
Download:	0 times

C++ Reverse Disassembly

Documents