
how to interpret this code


devsec
July 7th, 2005, 15:17
Hi @,

I found this in a target:
Code:

.text:00401100 push ebp
.text:00401101 mov ebp, esp
.text:00401103 push ebx
.text:00401104 sub esp, 24h ;lpTopLevelExceptionFilter
.text:00401107 lea ebx, [ebp+var_8]
.text:0040110A mov [esp+28h+var_28], offset sub_401000
.text:00401111 call SetUnhandledExceptionFilter
.text:00401116 sub esp, 4 ; uExitCode
.text:00401119 call sub_4013C0
.text:0040111E mov [ebp+var_8], 0
.text:00401125 mov eax, offset dword_404000
.text:0040112A lea edx, [ebp+var_C]
.text:0040112D mov [esp+28h+var_18], ebx
.text:00401131 mov ecx, dword_402020
.text:00401137 mov [esp+28h+var_24], eax
.text:0040113B mov [esp+28h+var_20], edx
.text:0040113F mov [esp+28h+var_1C], ecx
.text:00401143 mov [esp+28h+var_28], offset dword_404004
.text:0040114A call __getmainargs



If I interpret it right, uExitCode is pushed on the stack and then
sub_4013C0 is called with uExitCode as a parameter.

But isn't a push (decrease the stack and then MOVE the address onto ESP or EBP)?
Why is there no "MOVE" here? Or how can I interpret this line:
.text:00401116 sub esp, 4 ; uExitCode

But how can IDA know that it is uExitCode when the next procedure (sub_4013C0) is unknown? How can I find out what the next procedure is and
the name of ....


Code:

.text:004013C0 sub_4013C0 proc near ; CODE XREF: sub_401000+C6p
.text:004013C0 ; sub_401100+19p
.text:004013C0 push ebp
.text:004013C1 mov ebp, esp
.text:004013C3 ; This instruction initializes the FPU by resetting all the registers
.text:004013C3 ; and flags to their default values
.text:004013C3 fninit
.text:004013C5 pop ebp
.text:004013C6 retn
.text:004013C6 sub_4013C0 endp


THX

bilbo
July 8th, 2005, 01:37
Hi, devsec,

the code you posted is taken from some standard runtime initialization and it is executed before the main() or WinMain() entry point, so it is not of great interest, but anyway the questions are interesting...

Quote:
uExitCode is pushed on the Stack and then sub_4013C0 is Called with uExitCode as Parameter
this is not correct: if you look at sub_4013C0, it does not accept any parameter; it can be prototyped as void FPU_initialize(void).

sub esp,4 can instead be interpreted as "make space for a 4-byte local variable on the stack"; that variable is not used by the following function FPU_initialize().

Quote:
But how can IDA know that it is uExitCode when the next Procedure (sub_4013C0) is unknown
surely enough, that local variable, after having been set in some place of the program, is passed as argument to a following ExitProcess(). Now, if you look at M$ doc, ExitProcess() is prototyped as VOID ExitProcess(UINT uExitCode). IDA has a database with nearly all Windows API prototypes, and she will show you the variable name at its very first occurrence.

Best regards, bilbo

devsec
July 8th, 2005, 03:00
Hi bilbo,

Thanks for the reply. I am reversing a simple program and I want to understand each instruction. Yes, it is before main is called.

How did you find out that it is "void FPU_initialize(void)"... I have googled around and didn't find that.

Where can I go to find more about "standard runtime initialization"? It is very interesting and is in nearly every program. I found a lot in msvcrt (VC++ source) and in the M$ docs, but which procedure calls what.... I mean, in which order.

THX a lot

bilbo
July 8th, 2005, 04:27
Quote:
I am reversing a simple program and I want to understand each instruction.
My appreciation for your project. It should be a project for beginners and less-beginners, in my opinion...

Quote:
How did you find out that it is "void FPU_initialize(void)"... I have googled around and didn't find that.
This is just the first name I could think of, instead of calling that sub_4013c0.
It does not take any argument from the stack (you don't see any reference to EBP+XXX: that's the way the arguments are accessed by a function which builds a frame - PUSH EBP), so I put "void" between parentheses.
It does not return any value, because it does not touch EAX: so I put void as return value.
The name comes from the fact that FPU instruction "fninit" is used, but as I said it is a pure fiction name!

Quote:
Where can I go to find more about "standard runtime initialization"? It is very interesting and is in nearly every program. I found a lot in msvcrt (VC++ source) and in the M$ docs, but which procedure calls what.... I mean, in which order.
That is a very obscure subject and it depends on the specific runtime library your app is using.
Microsoft gives out sources and some (incomplete) doc, but the snippet you posted is not from Microsoft. IDA pretends to recognize __getmainargs() - from a statically linked M$ MSVCRT - but sometimes she is wrong...
Try to run your app with some PE identifier tool or to search for some interesting string in your .EXE...

Best regards, bilbo
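The two heuristics bilbo describes above (no EBP+XXX reference means no stack arguments, no write to EAX means a void return) and his earlier reading of sub esp,4 as local-variable space rather than a pushed argument, as an added example that is not from the thread or any poster: a small Python checker that applies them to IDA-style listing lines. The listings FPU_INIT and WITH_ARG are constructed sample input, and sub_401200 and arg_0 are made-up names.

```python
import re

# Constructed sample input (not the thread's listing verbatim): sub_4013C0 with IDA's
# auto-comment moved onto the fninit line, plus a made-up routine sub_401200 that
# reserves 24h bytes of locals, reads a caller-pushed argument and sets EAX.
FPU_INIT = """
.text:004013C0 push ebp
.text:004013C1 mov ebp, esp
.text:004013C3 fninit ; initializes the FPU (IDA auto-comment)
.text:004013C5 pop ebp
.text:004013C6 retn
"""
WITH_ARG = """
.text:00401200 push ebp
.text:00401201 mov ebp, esp
.text:00401203 sub esp, 24h
.text:00401206 mov eax, [ebp+arg_0]
.text:00401209 leave
.text:0040120A retn
"""

LINE = re.compile(r"^\.text:[0-9A-Fa-f]{8}\s+([A-Za-z]\w*)\s*([^;]*)")
ARG_REF = re.compile(r"\[ebp\+(?:arg_\w+|[0-9a-f]+h?)\]")  # positive EBP offset: caller-pushed argument
LOCAL_ALLOC = re.compile(r"^esp\s*,\s*([0-9a-f]+)(h?)$")  # 'sub esp, N': N bytes of locals, not an argument

def parse(listing):
    """Yield (mnemonic, operands) for each IDA-style line; the ';' comment is dropped."""
    for raw in listing.strip().splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group(1).lower(), m.group(2).strip().lower()

def guess_prototype(listing, name):
    """Apply the thread's heuristics: an [ebp+arg] reference means stack parameters,
    a write to EAX means a return value, and 'sub esp, N' only reserves local space."""
    has_args, sets_eax, local_bytes = False, False, 0
    for mnem, ops in parse(listing):
        if ARG_REF.search(ops):
            has_args = True
        dest = ops.split(",")[0].strip()
        if mnem != "push" and dest in ("eax", "ax", "al", "ah"):
            sets_eax = True
        if mnem == "sub":
            m = LOCAL_ALLOC.match(ops)
            if m:
                local_bytes += int(m.group(1), 16 if m.group(2) else 10)
    ret = "int" if sets_eax else "void"
    params = "int arg_0" if has_args else "void"
    return {"proto": f"{ret} {name}({params})", "local_bytes": local_bytes}
```

guess_prototype(FPU_INIT, "sub_4013C0") yields "void sub_4013C0(void)" with 0 local bytes, matching bilbo's reading; the made-up sub_401200 yields "int sub_401200(int arg_0)" with 36 (24h) local bytes.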

blabberer
July 8th, 2005, 08:40
well, as bilbo correctly said, it's an obscure thing
it seems there is certain info about crt init codes in crt0dat.c
ida uses flirt to identify most of those lib functions

some of these links may or may not help
http://www.codeguru.com/Cpp/misc/misc/threadsprocesses/article.php/c6945__2/

http://support.microsoft.com/default.aspx?scid=kb;en-us;94248

http://www.alexfedotov.com/articles/launch.asp
<-- this link is put here because it references Matt Pietrek's libctiny.lib and has some
good sources
take a look at it too

if you are using ollydbg you can make it analyse the .libs
and it will help to a certain extent (buggy and incorrect info can be expected ;)
to identify the lib functions

edit

ollydbg with its objscan gets pretty close to ida's flirt
ida definitely labels fnmerge etc; ollydbg logs in saying possible match
if it is not sure, that's the major difference
also ollydbg doesn't identify the nullsubs like call blah and in blah just a retn
Possible locations of object module 'wexparg.c':

Found 142 matching segments
Scanning object file 'D:\borland\bcc\Lib\cw32i.lib'
Found 4 matching segments
Scanning object file 'D:\borland\bcc\Lib\cw32mt.lib'
Possible locations of object module 'defhandl.c':

Aimless
July 8th, 2005, 09:23
Hey Bilbo,

Here's your quote:

"IDA has a database with nearly all Windows API prototypes, and she will show you the variable name at its very first occurrence."

I beg to differ.

It's actually a "HE" and not a "SHE". Waddya say?

Have Phun,


bilbo
July 8th, 2005, 10:04
maybe I've been deceived by her icon... maybe it's just a wish: to be surrounded by girls at least on the desktop...

but I'm afraid you're right... RCE is not for girls... or girls or RCE: we cannot have both...

sob (that was a cry, not a swear)
bilbo

JMI
July 8th, 2005, 11:48
Hum:

The "IDA" in the picture is clearly a female. But in English usage, the "program" would clearly be an "it" and neither "he" nor "she". So, if we are relying on English usage, it would have to be:

"IDA has a database with nearly all Windows API prototypes, and it will show you the variable name at its very first occurrence."

And let's not even start with "die; der; den; dessen; die"

Regards,

sarge
July 9th, 2005, 10:15
Let us remember (or, at least, make a good guess) that such a wonderful program that has, as its icon, a definite female figure, must of course be in tribute to "Ida" Lovelace.

(ouch!)

Sarge

Polaris
July 9th, 2005, 11:47
Quote:
[Originally Posted by bilbo]maybe I've been deceived by her icon... maybe it's just a wish: to be surrounded by girls at least on the desktop...

but I'm afraid you're right... RCE is not for girls... or girls or RCE: we cannot have both...

sob (that was a cry, not a swear)
bilbo


LOL