OpenRCE_adityaks
December 30th, 2007, 17:51
+++++++++++++++++++++
Abstract Analysis
+++++++++++++++++++++
Traversing through various offsets to find a structure in the code is sometimes a hard process to complete. Offsets are treated as code elements whenever a reverse engineering procedure is carried out. Generically, the offsets provide a way of recognising the various structures used in the code. Looking at the code semantics, it comprises function calls, member functions of classes, inline structures and so on, so offsets are defined for every single element. Disassemblers also work on different paradigms for initialising an offset and making it applicable. Generally, instructions or operands are used dynamically based on the conditions found in the code. Every disassembler follows a top-to-bottom approach for generating offsets for any structure. This follows a hierarchical way, which is very crucial for any reversing process. Basically this process is built into the disassembling algorithms when machine-level code is required to be generated. Let's look at the top-to-bottom approach for a normal, in-depth understanding:
http://www.secniche.org/structure_offsets.gif
Walking along offsets is a very generic technique of the reverse engineering process. It not only provides the reverse engineer with an approach for finding the intended functions but is also helpful in understanding the objects used in them. This encompasses an overview of cross references too. One can find a number of functions linked together and dependent on each other to perform a centralised working behaviour. In determining the real cause of an infection, or how it works, it is necessary to find that structure or function with the help of offsets. Operands are used for performing the relative code simulation in machine-level language. In order to reduce complexity when code is transformed from one layout to another, a certain base is required. That's why the structure is analysed and undertaken from the start, not from the middle or end. This is quite understandable. Let's look into the code:
++++++++++ lea ecx, [ebp-4] ++++++++++++
Just a simple layout to look into: a Load Effective Address is performed. Certain things are to be looked into:
1. First of all, check the real working of ebp individually: where is it pointing? This simple process is termed the Individual Register Check. It is done to understand what the register is actually supposed to do. It is favourable if you already know the specific functioning of the register from benchmarks.
2. Secondly, it is crucial to look into what ebp-4 actually means. The best part is that 4 bytes are subtracted from the ebp register as per the defined layout. After the subtraction of 4 bytes, which address is it pointing to, or what address is actually to be undertaken? This is really crucial. The process is called the Negated Offsets Check. The offsets can be positive or negative. The change of sign from (-) to (+) is crucial to understand.
3. Thirdly, the structure it is pointing to, i.e. [ebp-4]. The index is clearly checked. It is pointing to the overall structure in which the member function is addressed by subtracting 4 bytes. Sometimes you will find an error like this:
http://www.secniche.org/struct_offset1.gif
This type of problem persists when the offsets are negative. I would like you to read a beautiful blog entry by Ilfak Guilfanov in his blog about negative offsets. This will clear up the context of negative offsets and the error generated above.
URL: http://hexblog.com/2007/10/negated_structure_offsets.html#more
So the offsets check, whether negative or positive, is really critical. A very simple piece of low-level code is presented as an example for the offsets check:
push offset aSDisplayname      ; format string (2nd sprintf argument)
push eax                       ; destination buffer (1st argument); a 3rd was pushed before this excerpt
call edi                       ; sprintf
mov ebx, ds:RegDeleteValueA
add esp, 0Ch                   ; cdecl cleanup: 3 arguments x 4 bytes
lea eax, [ebp-404h]            ; local buffer at negative offset -404h, 0x400 bytes below [ebp-4]
push eax                       ; lpValueName
push dword ptr [ebp-4]         ; hKey: the 4-byte local at [ebp-4] is used as an HKEY everywhere below
call ebx                       ; RegDeleteValueA(hKey, lpValueName)
push esi                       ; string argument for the %s in the next format
lea eax, [ebp-404h]            ; same buffer again
push offset aSUninstallstri    ; format string
push eax                       ; destination buffer
call edi                       ; sprintf(buffer, aSUninstallstri, esi)
add esp, 0Ch                   ; cdecl cleanup
lea eax, [ebp-404h]
push eax                       ; lpValueName
push dword ptr [ebp-4]         ; hKey
call ebx                       ; RegDeleteValueA(hKey, lpValueName)
push esi                       ; lpSubKey
push dword ptr [ebp-4]         ; hKey
call ds:RegDeleteKeyA          ; RegDeleteKeyA(hKey, lpSubKey)
push dword ptr [ebp-4]         ; hKey
call ds:RegCloseKey            ; RegCloseKey(hKey)
push 0
push 1
push offset unk_0_10005540
call ds:ATL_57                 ; ATL export (ordinal 57) with three arguments
pop edi                        ; restore callee-saved registers
pop esi
pop ebx
leave                          ; mov esp, ebp / pop ebp: discards the locals at negative offsets
retn
One can find many structures that are pointed to by various registers with the use of operands. The registers can hold an address or contents; again, it depends on the operands and the kind of code undertaken.
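As an added example that is not part of the original post, the following Python mechanises the Negated Offsets Check described above: it parses the ebp-relative operands of an IDA listing (the embedded excerpt is taken from the listing above), normalises IDA's trailing-h hex notation and the sign, rebuilds the local-variable frame those negative offsets imply, and decodes the bytes of lea ecx,[ebp-4] (8D 4D FC) to show that the displacement byte is signed. The function and variable names are my own; the var_4/var_404 naming follows IDA's convention.

```python
import re
# Added example, not from the original post: mechanise the "Negated Offsets Check" on an
# IDA-style listing and decode the lea ecx,[ebp-4] encoding to show why the sign matters.
EBP_OPERAND = re.compile(r"\[ebp\s*([+-])\s*([0-9A-Fa-f]+h|0x[0-9A-Fa-f]+|\d+)\]")
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def parse_ida_number(tok: str) -> int:
    """IDA writes hex with a trailing 'h' (404h); 0x-prefixed and plain decimal also accepted."""
    t = tok.lower()
    if t.endswith("h"):
        return int(t[:-1], 16)
    return int(t, 16) if t.startswith("0x") else int(t, 10)

def ebp_offsets(listing: str) -> list:
    """Distinct signed ebp displacements found in the listing, most negative first."""
    found = set()
    for sign, tok in EBP_OPERAND.findall(listing):
        value = parse_ida_number(tok)
        found.add(-value if sign == "-" else value)
    return sorted(found)

def frame_map(listing: str) -> dict:
    """Name each negative slot IDA-style (var_4, var_404); size = gap to the next-higher slot, top slot ends at [ebp]."""
    negatives = [o for o in ebp_offsets(listing) if o < 0]
    sizes = {}
    for i, off in enumerate(negatives):
        upper = negatives[i + 1] if i + 1 < len(negatives) else 0
        sizes["var_%X" % -off] = upper - off
    return sizes

def disp8_to_int(byte: int) -> int:
    """Sign-extend an 8-bit displacement: the FCh in 8D 4D FC means -4, not +252."""
    return byte - 0x100 if byte & 0x80 else byte

def decode_lea_ebp_disp8(code: bytes) -> tuple:
    """Decode LEA r32, [ebp+disp8] (opcode 8Dh, ModRM mod=01 rm=101) into (reg, disp)."""
    if len(code) != 3 or code[0] != 0x8D:
        raise ValueError("not a 3-byte LEA")
    modrm = code[1]
    if (modrm >> 6) != 0b01 or (modrm & 0b111) != 0b101:
        raise ValueError("not an [ebp+disp8] operand")
    return REGS32[(modrm >> 3) & 0b111], disp8_to_int(code[2])

# Excerpt of the listing quoted in the post (IDA syntax), embedded as sample input.
LISTING = """
lea eax, [ebp-404h]
push dword ptr [ebp-4]
call ebx ; RegDeleteValueA
"""
```

Running frame_map on the full listing above gives the same two slots, a 0x400-byte buffer at var_404 and a 4-byte var_4, which the RegDeleteValueA/RegCloseKey calls identify as the HKEY.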
More views are welcomed.
+++++++++++
0kn0ck
https://www.openrce.org/blog/view/1008/Traversing_Offset__Semantics_:_Walking_Along_the_Curb