• Bloodshed Dev-C++ 4.9.9.2 Compiler Analysis [Reversing Engineering Tips] Part-I

    Okay folks,

    This is one idea that came to my mind. It is pretty simple: I write some small sample programs with a particular compiler — this time Bloodshed Dev-C++ 4.9.9.2 (Dev-C++ is only the IDE; the code generation comes from the MinGW GCC it bundles, so the patterns below are really MinGW/GCC patterns) — and then analyse the compiled binaries in IDA to identify the code the compiler adds on its own, and, over several samples, turn that into a recognisable pattern if possible. This should save time when reversing binaries built with that compiler, because the reverse engineer can recognise the boilerplate and concentrate on the program's own logic. Treat such a pattern as a hint rather than a rule, though: a packed or hand-patched binary can hide code inside what looks like startup boilerplate, so confirm that the helper calls actually resolve to the runtime's functions (IDA's FLIRT signatures and the PEiD signatures shown below help with exactly that) before skipping over them. I don't know whether this has been done before or whether tools already do it; this is just my attempt, and I hope it is useful to some of you.

    So let's get started. I have three C programs, each followed by its PEiD signature and the IDA disassembly of main().

    File: 1.c

    Code:
    #include <stdio.h>
    #include <conio.h>
    
    int main()
    {
         int a,b,c;          /* in 1.asm: a -> [ebp+var_4], b -> [ebp+var_8], c -> [ebp+var_C] */
         a=4;
         b=5;
         c=a+b;              /* not folded to 9 at compile time: 1.asm keeps the add (apparently unoptimised build) */
         printf("c=%d",c);   /* both arguments are stored straight into the reserved esp slots, not pushed */
         return 0;           /* becomes "mov eax, 0" before leave/retn */
    }
    PEiD signature for 1.exe (screenshot not preserved in this copy)



    And the assembly listing IDA generated for 1.exe (NOTE: this is not the entire ASM file, only the extracted IDA View of main(), which after all is all we are interested in here; the runtime startup code that runs before main is not shown)

    File: 1.asm

    Code:
    ; Attributes: bp-based frame
    
    ; int __cdecl main(int argc,const char **argv,const char *envp)
    ; Compiler-emitted main() from Dev-C++ 4.9.9.2 (bundled MinGW GCC).
    ; Everything from "push ebp" down to and including the two "call sub_..."
    ; lines is boilerplate that does not come from the C source; the program's
    ; own statements start at "mov [ebp+var_4], 4". The callee addresses differ
    ; per binary (compare 2.asm and 3.asm), so a recogniser should match on the
    ; instruction sequence, not on the addresses.
    _main proc near
    
    var_18=    dword ptr -18h        ; 1st outgoing printf argument slot (format string)
    var_14=    dword ptr -14h        ; 2nd outgoing printf argument slot (c)
    var_10=    dword ptr -10h        ; compiler temp: rounded-up size passed to sub_401730
    var_C= dword ptr -0Ch            ; c
    var_8= dword ptr -8              ; b
    var_4= dword ptr -4              ; a
    argc= dword ptr     8
    argv= dword ptr     0Ch
    envp= dword ptr     10h
    
    push    ebp
    mov    ebp, esp
    sub    esp, 18h    ; char *     ; 24 bytes = 6 dwords: three locals, one temp, two outgoing-argument slots
    and    esp, 0FFFFFFF0h          ; round esp down to a 16-byte boundary (may lower esp by up to 15 bytes,
                                    ; so the esp-relative slots below need not coincide with ebp-18h/ebp-14h)
    mov    eax, 0                   ; size request 0, rounded up to a multiple of 16:
    add    eax, 0Fh                 ;   (0 + 0Fh + 0Fh) = 1Eh, shr 4 -> 1, shl 4 -> 10h
    add    eax, 0Fh
    shr    eax, 4
    shl    eax, 4
    mov    [ebp+var_10], eax        ; store, then immediately reload the same value: typical unoptimised codegen
    mov    eax, [ebp+var_10]
    call    sub_401730              ; NOTE(review): in MinGW GCC 3.x main() this pair is typically __alloca
    call    sub_4013D0              ;   followed by __main (runs global constructors) - confirm by following the calls in IDA
    mov    [ebp+var_4], 4           ; a = 4
    mov    [ebp+var_8], 5           ; b = 5
    mov    eax, [ebp+var_8]
    add    eax, [ebp+var_4]
    mov    [ebp+var_C], eax         ; c = a + b (computed at run time, not folded)
    mov    eax, [ebp+var_C]
    mov    [esp+18h+var_14], eax    ; = [esp+4]: second argument to printf
    mov    [esp+18h+var_18], offset aCD ; "c=%d"   ; = [esp]: first argument; arguments are stored, not pushed
    call    printf
    mov    eax, 0                   ; return 0
    leave
    retn
    _main endp
    File: 2.c

    Code:
    #include <stdio.h>
    #include <conio.h>
    
    void main()                 /* non-standard return type (should be int); IDA still labels it int __cdecl main */
    {
              char *a;          /* points at a string literal - should be const char *, writing through it is undefined behaviour */
              a = "hello there";
              printf("%s",a);  
    }                           /* no "return": 2.asm goes straight from call printf to leave, so eax holds printf's return value at exit */
    PEiD signature for 2.exe (screenshot not preserved in this copy)



    And the assembly listing IDA generated for 2.exe (NOTE: this is not the entire ASM file, only the extracted IDA View of main(), which after all is all we are interested in here)

    File: 2.asm

    Code:
    ; Attributes: bp-based frame
    
    ; int __cdecl main(int argc,const char **argv,const char *envp)
    ; Same compiler prologue as 1.asm (frame setup, 16-byte alignment, size
    ; rounding, two helper calls); only the addresses of the two callees differ.
    ; Note that the slot used for the compiler temp is not fixed: here it is
    ; var_8, in 1.asm it was var_10. The temp is always the slot written just
    ; before the first "call sub_...".
    _main proc near
    
    var_18=    dword ptr -18h        ; 1st outgoing printf argument slot (format string)
    var_14=    dword ptr -14h        ; 2nd outgoing printf argument slot (a)
    var_8= dword ptr -8              ; compiler temp: rounded-up size passed to sub_401720
    var_4= dword ptr -4              ; a
    argc= dword ptr     8
    argv= dword ptr     0Ch
    envp= dword ptr     10h
    
    push    ebp
    mov    ebp, esp
    sub    esp, 18h    ; char *     ; still 24 bytes although only four slots are named; the rest is unused
    and    esp, 0FFFFFFF0h          ; align esp to 16 bytes
    mov    eax, 0                   ; (0 + 0Fh + 0Fh) shr 4 shl 4 = 10h, same as in 1.asm
    add    eax, 0Fh
    add    eax, 0Fh
    shr    eax, 4
    shl    eax, 4
    mov    [ebp+var_8], eax
    mov    eax, [ebp+var_8]
    call    sub_401720              ; NOTE(review): presumably the same runtime helpers as sub_401730/sub_4013D0 in 1.exe
    call    sub_4013C0              ;   (typically __alloca / __main for MinGW GCC 3.x) - confirm in IDA
    mov    [ebp+var_4], offset aHelloThere    ; "hello there"   ; a = "hello there"
    mov    eax, [ebp+var_4]
    mov    [esp+18h+var_14], eax    ; = [esp+4]: second printf argument
    mov    [esp+18h+var_18], offset aS ; "%s"   ; = [esp]: first printf argument
    call    printf
    leave                           ; no "mov eax, 0": void main() leaves printf's return value in eax
    retn
    _main endp
    File: 3.c

    Code:
    #include <stdio.h>
    #include <conio.h>
    void main()              /* non-standard return type (should be int); no value is returned, see 3.asm */
    {
         int b;              /* 3.asm: b -> [ebp+var_4] */
         b = 10;             /* stored, then compared from memory: the branch is not resolved at compile time */
         if (b>4)            /* compiled as a signed compare and a jump on the negated condition (jle) to the else block */
         {
              char *a;       /* 3.asm: a -> [ebp+var_8]; points at a string literal, should be const char * */
              a = "hello there";
              printf("%s",a);   
         }
         else
         {
             printf("false"); /* single-argument call: only the first esp slot is written */
         }
    }
    PEiD signature for 3.exe (screenshot not preserved in this copy)



    And the assembly listing IDA generated for 3.exe (NOTE: this is not the entire ASM file, only the extracted IDA View of main(), which after all is all we are interested in here)

    File: 3.asm

    Code:
    ; Attributes: bp-based frame
    
    ; int __cdecl main(int argc,const char **argv,const char *envp)
    ; Same compiler prologue as 1.asm and 2.asm; the program's own code starts
    ; at "mov [ebp+var_4], 0Ah". The if/else becomes a compare against memory,
    ; a conditional jump on the inverted condition, and a jmp over the else
    ; block to the shared epilogue.
    _main proc near
    
    var_18=    dword ptr -18h        ; 1st outgoing printf argument slot (format string)
    var_14=    dword ptr -14h        ; 2nd outgoing printf argument slot (a)
    var_C= dword ptr -0Ch            ; compiler temp: rounded-up size passed to sub_401740
    var_8= dword ptr -8              ; a (only used inside the if block)
    var_4= dword ptr -4              ; b
    argc= dword ptr     8
    argv= dword ptr     0Ch
    envp= dword ptr     10h
    
    push    ebp
    mov    ebp, esp
    sub    esp, 18h    ; char *     ; 24-byte frame, as in the other two samples
    and    esp, 0FFFFFFF0h          ; align esp to 16 bytes
    mov    eax, 0                   ; (0 + 0Fh + 0Fh) shr 4 shl 4 = 10h
    add    eax, 0Fh
    add    eax, 0Fh
    shr    eax, 4
    shl    eax, 4
    mov    [ebp+var_C], eax
    mov    eax, [ebp+var_C]
    call    sub_401740              ; NOTE(review): presumably the same runtime helpers as in 1.exe/2.exe
    call    sub_4013E0              ;   (typically __alloca / __main for MinGW GCC 3.x) - confirm in IDA
    mov    [ebp+var_4], 0Ah         ; b = 10
    cmp    [ebp+var_4], 4           ; if (b > 4): compared from memory, no constant folding
    jle    short loc_4012E3         ; signed compare; jump to the else block when b <= 4
    mov    [ebp+var_8], offset aHelloThere    ; "hello there"   ; a = "hello there"
    mov    eax, [ebp+var_8]
    mov    [esp+18h+var_14], eax    ; = [esp+4]: second printf argument
    mov    [esp+18h+var_18], offset aS ; "%s"   ; = [esp]: first printf argument
    call    printf
    jmp    short locret_4012EF      ; skip the else block
    
    loc_4012E3:        ; "false"
    mov    [esp+18h+var_18], offset aFalse    ; single-argument call: only [esp] is written
    call    printf
    
    locret_4012EF:                  ; both branches join here; eax is whatever printf returned (void main)
    leave
    retn
    _main endp
    For readability, the explanation of these three listings continues in a separate post (Part II) here: http://www.garage4hackers.com/conten...ring-tips.html

    Part II :http://www.garage4hackers.com/conten...ring-tips.html
    This article was originally published in forum thread: Bloodshed Dev-C++ 4.9.9.2 Compiler Analysis [Reversing Engineering Tips] started by nishant View original post