Thread: Analyzing Different Loops Constructs with IDA

  #1
    Security Researcher, Bangalore (Join Date: Oct 2010, Posts: 14)

    Analyzing Different Loops Constructs with IDA

    This post continues from my 1st post here: Bloodshed Dev-C++ 4.9.9.2 Compiler Analysis [Reversing Engineering Tips]

    As the title of the post suggests, we shall discuss analyzing 3 different kinds of loops in binaries. By no means is this post a complete or, in fact, the best guide to reverse-engineering or analyzing binaries. It is just my effort to share and explain the knowledge that I have learnt from the community back to the community. Just for your note, I have 3 binaries which have been coded in Dev-C++ 4.9.9.2, which essentially uses the MinGW port of the gcc compiler.

    Okay, let us first start with analyzing the first IDA disassembly and try to figure out what kind of loop this is, if it is one at all.

    Infinite Loop

    [Image: infinite-6.png (IDA disassembly of 6.exe)]
    What you see in the above picture is the IDA disassembly of the binary #6 (6.exe). We shall start from here as it's simple to understand and will hopefully keep your interest preserved to continue reading this post. Okay, so as you can see I have numbered the different blocks so it gets easy for me to refer to each block while explaining.

    Explanation

    Block 1
    1. In the statement, mov [ebp+var_4], 1 the variable var_4 is assigned to value "1" i.e. var_4 = 1;

    Next the control continues to Block #2.

    Block 2
    1. The code starts with the block label "loc_4012C1" (think of it as a label that is used with the GOTO statement i.e. GOTO loc_4012C1)
    2. In the next line, cmp [ebp+var_4], 0 the value of var_4 is compared to 0 (think of it as if(var_4==0){set Zero Flag to true i.e. 1}). By the way Zero Flag (denoted by Z in most debuggers) is a status register in the processor that indicates whether the result of an arithmetic or logical operation was zero or not. Based upon the value of Zero flag, we can use various conditional jump statements as desired.
    3. In the third line, jz short loc_4012DC is a conditional jump statement jz (stands for Jump if Zero) which simply means jump the program control to the code block named loc_4012DC if the value of the Zero flag is "0". Now as you can guess, var_4 is != 0 since 1 != 0, so the Zero flag will not be set to 1 and the statement jz short loc_4012DC will be false, so the program control naturally moves to Block 3. What the loc_4012DC code block does we shall discuss later. Let's for now move to Block 3.


    Block 3
    1. The first line mov eax, [ebp+var_4] simply copies the value of var_4 to eax i.e. eax=1;
    2. In the 2nd line mov [esp+18h+var_14], eax, it just copies the value of eax register to a local variable var_14.
    3. In the 3rd line mov [esp+18h+var_18], offset unk_403000 copies the offset address of "%d" (sorry, the IDA analysis portion has been cropped from the right in the picture above) as the value of [esp+18h+var_14], which shall be the argument of the next function call i.e. printf in the next statement.
    4. call printf, as you may have guessed, calls the printf function and takes the value of esp+18h+var_18 as its argument.
    5. jmp short loc_4012C1 is simply an unconditional jump to the code block loc_4012C1.

    One thing to understand is that we have reached the end of the program and so far there is no reference to the code block loc_4012DC and, if you notice, at the end of block 3 we are again taken back to loc_4012C1 which we know will again lead us to the end of block 3, and the process will keep on repeating. Sounds like an infinite loop. Well, yes it is. But before we write pseudo code for this, let us analyze what block 4 would do if it was ever executed.

    Block 4
    1. The code starts with the label block "loc_4012DC"
    2. mov eax, 0 copies the value "0" to the eax register; that is what the function shall return upon exit.
    3. leave removes the stack frame.
    4. retn returns from a near procedure (still unclear to me what a near procedure is, but that is the definition, :P)

    Pseudo Code

    #include <stdio.h>

    int main(void)
    {
        int var_4;
        var_4 = 1;
        while (var_4)
        {
            printf("%d", var_4);
        }
        return 0;
    }


    I shall keep posting other analyses in different threads. Hope you will like it. By the way, this post is absolutely based upon my understanding and it is not authoritative; I may be wrong and you have been warned.
    Last edited by nishant; 03-05-2012 at 03:22 PM.

  #2
    Security Researcher, Bangalore (Join Date: Oct 2010, Posts: 14)

    Analyzing Different Loops Constructs with IDA [Part - 2]

    Hi,

    This post is in continuation to my 1st post Analyzing Different Loops Constructs with IDA. In this post we shall try to analyse a different kind of loop construct in a compiled binary. All the assumptions, warnings, things to remember & analysis environment are still applicable to this post as it was for the first part of the post in the link above.

    For Loop

    Okay the IDA analysis of the program binary goes like this:

    [Image: simple-4.png (IDA disassembly of 4.exe)]

    What you see in the above picture is the IDA disassembly of the binary #4 (4.exe). As you can see I have numbered the different blocks so it gets easy for me to refer to each block while explaining.

    Explanation

    Block 1
    1. In the statement, mov [ebp+var_4], 0 the variable var_4 is assigned to value "0" i.e. var_4 = 0;

    Next the control continues to Block #2.

    Block 2
    1. The code starts with the block label "loc_4012C1" (think of it as a label that is used with the GOTO statement i.e. GOTO loc_4012C1)
    2. In the next line, cmp [ebp+var_4], 5 the value of var_4 is compared to 0 (think of it as if(var_4>5){set Zero Flag to false i.e. 0 & Sign Flag = Overflow Flag}).
    3. In the third line, jg short loc_4012ED is a conditional jump statement jg (stands for Jump if Greater) which simply means jump the program control to the code block named loc_4012ED if the value of the first operand of the previous CMP instruction is greater than the second. Now as you can guess, var_4 is < 5 since 0 < 5, so the Zero flag will be set to 0 and the statement jg short loc_4012ED will be false, so the program control naturally moves to Block 3. What the loc_4012ED code block does we shall discuss later. Let's for now move to Block 3.

    Block 3
    1. The first line mov eax, [ebp+var_4] simply copies the value of var_4 to eax i.e. eax=0;
    2. In the 2nd line mov [esp+18h+var_14], eax, it just copies the value of eax register to a local variable var_14.
    3. In the 3rd line mov [esp+18h+var_18], offset unk_403000 copies the offset address of "%d" (sorry, the IDA analysis portion has been cropped from the right in the picture above) as the value of [esp+18h+var_14], which shall be the argument of the next function call i.e. printf in the next statement.
    4. call printf, as you may have guessed, calls the printf function and takes the value of esp+18h+var_18 as its argument.
    5. mov [esp+18h+var_18], offset unk_403003 copies the offset of the "\n" (newline character), which shall be the argument of the next function call i.e. printf in the next statement.
    6. call printf, as you may have guessed, calls the printf function and takes the current value of esp+18h+var_18 as its argument.
    7. lea eax, [ebp+var_4] (lea stands for Load Effective Address; you can think of it as a special mov instruction which essentially copies the address of var_4 to eax i.e. eax = &var_4)
    8. inc dword ptr [eax] increments the value stored at the address held in the eax register i.e. *eax = *eax + 1; which essentially means var_4++;
    9. jmp short loc_4012C1 is simply an unconditional jump to the code block loc_4012C1.

    One thing to understand is that we have reached the end of the program and so far there is no reference to the code block loc_4012ED and, if you notice, at the end of block 3 we are again taken back to loc_4012C1 which we know will again lead us to the end of block 3, and the process will keep on repeating and var_4 keeps on incrementing by 1, but only until var_4 is less than 5. Sounds like a for loop to me. But before we write pseudo code for this, let us analyze what block 4 would do when it's executed i.e. var_4 >= 5;


    Block 4
    1. The code starts with the label block "loc_4012DC"
    2. mov eax, 0 copies the value "0" to the eax register; that is what the function shall return upon exit.
    3. leave removes the stack frame.
    4. retn returns from a near procedure (still unclear to me what a near procedure is, but that is the definition, :P)


    Pseudo Code

    #include <stdio.h>

    int main(void)
    {
        int var_4;
        for (var_4 = 0; var_4 < 5; var_4++)
        {
            printf("%d", var_4);
            printf("\n");
        }
        return 0;
    }


    I shall keep posting other analyses in different threads. Hope you will like it. By the way, this post is absolutely based upon my understanding and it is not authoritative; I may be wrong and you have been warned.
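Added example, not from either post above: a small Python model of the cmp/jz/jg flag semantics that both parts rely on. It computes ZF/SF/OF exactly as the CPU does for `cmp`, then walks the block graphs of 6.exe (Part 1) and 4.exe (Part 2) as the instructions are quoted and counts the printf calls, so the loop bound in the pseudo code can be checked against the quoted cmp/jg pair. Function names are my own and it assumes 32-bit signed arithmetic.

```python
# Constructed model of the x86 flag logic behind jz/jg (not IDA output).

MASK = 0xFFFFFFFF

def cmp_flags(a: int, b: int) -> dict:
    """Flags produced by `cmp a, b`: computes a - b and discards the result."""
    res = (a - b) & MASK
    sa, sb, sr = a >> 31 & 1, b >> 31 & 1, res >> 31 & 1
    return {
        "ZF": res == 0,               # result was zero
        "SF": sr == 1,                # result was negative (top bit set)
        "OF": sa != sb and sr != sa,  # signed overflow: signs differed, result sign flipped
    }

def jz_taken(f: dict) -> bool:
    return f["ZF"]                            # jz jumps when ZF == 1

def jg_taken(f: dict) -> bool:
    return not f["ZF"] and f["SF"] == f["OF"] # signed "greater": ZF == 0 and SF == OF

def run_infinite_loop(max_steps: int = 100) -> tuple:
    """6.exe: var_4 = 1; loc_4012C1: cmp var_4, 0; jz loc_4012DC; printf; jmp loc_4012C1.
    Returns (printf calls made, whether Block 4 was ever reached)."""
    var_4, calls = 1, 0
    for _ in range(max_steps):
        if jz_taken(cmp_flags(var_4, 0)):     # Block 2 -> Block 4 only when var_4 == 0
            return calls, True
        calls += 1                            # Block 3: printf("%d", var_4)
    return calls, False                       # step bound hit: the exit block is unreachable

def run_for_loop(limit: int = 5, max_steps: int = 1000) -> list:
    """4.exe: var_4 = 0; loc_4012C1: cmp var_4, limit; jg loc_4012ED; body; inc [eax]; jmp.
    Returns the values passed to printf, i.e. one entry per iteration."""
    var_4, printed = 0, []
    for _ in range(max_steps):
        if jg_taken(cmp_flags(var_4, limit)): # Block 2 -> Block 4 once var_4 > limit
            return printed
        printed.append(var_4)                 # Block 3: printf("%d", var_4); printf("\n")
        var_4 = (var_4 + 1) & MASK            # inc dword ptr [eax] on &var_4
    raise RuntimeError("loop did not terminate within max_steps")

if __name__ == "__main__":
    print(run_infinite_loop())                # (100, False): never exits
    print(run_for_loop(5))                    # [0, 1, 2, 3, 4, 5]: jg exits only once var_4 > 5
```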
