• Bloodshed Dev-C++ 4.9.9.2 Compiler Analysis [Reversing Engineering Tips] Part-II

    Okay, now if we closely analyse all the C source codes and their corresponding ASM files, we seem to see a pattern in the generated ASM source code which is pretty much the same all the time.

    What we see is that
    Code:
    var_18=    dword ptr -18h
    var_14=    dword ptr -14h
    var_10=    dword ptr -10h
    var_C= dword ptr -0Ch
    var_8= dword ptr -8
    var_4= dword ptr -4
    argc= dword ptr     8
    argv= dword ptr     0Ch
    envp= dword ptr     10h
    the bold ASM instructions repeat. And the first variable assignment in a program, i.e.

    Code:
    a=4;
    in 1.c,
    Code:
    a = "hello there";
    in 2.c and
    Code:
    b = 10;
    in 3.c

    is translated by IDA as

    Code:
    mov    [ebp+var_4], <value>
    The value is in hex if it is an integer, or it is the offset address in the case of a string.

    Next thing to note is that

    Code:
    push    ebp
    mov    ebp, esp
    sub    esp, 18h    ; char *
    and    esp, 0FFFFFFF0h
    mov    eax, 0
    add    eax, 0Fh
    add    eax, 0Fh
    shr    eax, 4
    shl    eax, 4
    mov    [ebp+var_8], eax
    mov    eax, [ebp+var_8]
    call    sub_40****
    call    sub_40****
    are common to all three ASM source codes, and the actual program logic begins right after these instructions. I do understand that the first three lines, i.e.

    Code:
    push    ebp
    mov    ebp, esp
    sub    esp, 18h
    are for preparing the stack as main() starts to execute, and it is the standard function prologue of main() in C.

    And the

    Code:
    leave
    retn
    _main endp
    is the standard function epilogue, which is there at the end of all the source codes; main() has completed execution and control is logically returned to the kernel.

    I did this on Windows 7 x64, and I will try it on different Windows versions to confirm whether the pattern remains the same. In the meantime, please correct me if something I assumed is wrong or mistaken, and I would request you to share any more information that you may have on this topic.

    Thanks
    Nishant
    This article was originally published in forum thread: Bloodshed Dev-C++ 4.9.9.2 Compiler Analysis [Reversing Engineering Tips] started by nishant
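The prologue quoted in the post, emulated in Python as an added example that is not part of nishant's post or of Dev-C++: it runs the push/mov/sub/and sequence and the add/add/shr/shl rounding on 32-bit registers, uses the frame offsets from the IDA listing, and checks that the aligned ESP still lies at or below every var_ slot. The starting ESP value is constructed, and nothing is assumed about what the masked sub_40**** routines do.

```python
# Added example (not from the original post): emulate the register arithmetic
# of the Dev-C++ main() prologue shown above.
MASK32 = 0xFFFFFFFF

# Frame offsets copied from the IDA listing in the post (name -> offset from EBP).
FRAME = {
    "var_18": -0x18, "var_14": -0x14, "var_10": -0x10,
    "var_C": -0x0C, "var_8": -0x08, "var_4": -0x04,
    "argc": 0x08, "argv": 0x0C, "envp": 0x10,
}

def prologue(esp, frame_size=0x18, eax_in=0):
    """Emulate push ebp / mov ebp,esp / sub esp,18h / and esp,0FFFFFFF0h and
    the add/add/shr/shl sequence on EAX.  Returns (EBP, ESP, EAX)."""
    esp = (esp - 4) & MASK32           # push ebp
    ebp = esp                          # mov ebp, esp
    esp = (esp - frame_size) & MASK32  # sub esp, 18h
    esp &= 0xFFFFFFF0                  # and esp, 0FFFFFFF0h (round ESP down to 16)
    eax = eax_in & MASK32              # mov eax, 0 in the listing
    eax = (eax + 0x0F) & MASK32        # add eax, 0Fh
    eax = (eax + 0x0F) & MASK32        # add eax, 0Fh
    eax = eax >> 4                     # shr eax, 4
    eax = (eax << 4) & MASK32          # shl eax, 4 -> multiple of 16, never 0
    return ebp, esp, eax

def frame_addresses(ebp):
    """Absolute address of each IDA frame symbol for a given EBP."""
    return {name: (ebp + off) & MASK32 for name, off in FRAME.items()}

def locals_above_esp(esp_start):
    """True if the aligned ESP still lies at or below every var_ slot."""
    ebp, esp, _ = prologue(esp_start)
    addrs = frame_addresses(ebp)
    return all(addrs[n] >= esp for n in FRAME if n.startswith("var_"))

if __name__ == "__main__":
    ebp, esp, eax = prologue(0x0028FF34)   # constructed starting ESP
    print(f"ebp={ebp:#010x} esp={esp:#010x} eax={eax:#x}")
    for name, addr in frame_addresses(ebp).items():
        print(f"{name:>6} -> {addr:#010x}")
```

With eax = 0 as in the listing the rounding leaves 16 in eax, and for any count n it yields (n + 15) rounded up to the next multiple of 16.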