Post on 05-Jul-2018
8/16/2019 C++ Reverse Disassembly
1/33
C++ Reverse Disassembly
Opcodevoid, 25 Aug 2004
4.86 (70 votes)
This article's aim is to provide material for modern day decompiling of an application written in
C++
Technical Detail
This article's aim is to provie material !or moern ay ecompilin" o! applications #ritten in C++.$e ass%me yo% have a soli %nerstan o! C++& 86 ssembly& an #ino#s.
vervie# an contents*. $hy is C++ Decompilin" possible*. ,ntro-. oern Day /ample1. Compiler 2peci!ic-. C++ 3rotocols*. ,ntro-. lobal 5ariables1. /pressions4. Ret%rn 5al%es
. %nction calls an the stac6. 9ocal 5ariables1. C++ :ey#ors*. ,ntro-. ,! statement1. or 9oop4. 2tr%ct%res. Technical l"orithms4. 3ractical Decompilin"*. ,ntro to Decompilin" $ino#s application-. Decompilin" a sample application
2pecial Case; Compiler 2peci!ic
Compiler 2peci!ic;
/ach compiler is i!!erent& s%ch as their CrtlStartUp ro%tines& their statement assemblies(switch & if &while)& an n%mero%s other thin"s mae each compiler "enerate i!!erent coe& even i!
http://www.codeproject.com/script/Membership/View.aspx?mid=412290http://www.codeproject.com/script/Membership/View.aspx?mid=412290
8/16/2019 C++ Reverse Disassembly
2/33
yo% compile the same C++ coe on t#o compilers& the en res%lt #ill be i!!erent& beca%se o! this ,#ill stic #ith one an only one compiler& #hich is the 5is%al C++ Compiler.
5is%al C++ is pro%ce by icroso!t an c%rrently elivers the !astest an most optimi%st sayin"some o! the in!ormation presente in this boo may only #or on 5is%al C++.
,! yo% on?t have 5is%al C++ that is !ine& there are many other compilers available& an most o! thisin!ormation is also acc%rate !or them
Chapter *; $hy is C++ Decompilin" possible
*.* ,ntro;
, been as many times is C++ ecompilin" even possible not only %e to the compleity o! acompiler b%t !or the mass abo%t o! in!ormation loss in compilin"& s%ch as comments & incl%e !iles&
macros >%st to name a !e#. 2o one o!ten #oners is this even #orth p%rsin". $ell , #ante to starto%t #ith the topic o! #hat is totally loss #hen yo% compile a pro"ram an #hat stays there& re!er totable *.*.* to see #hat #e loses an remains.
What is lost What remains
templates %nction calls
classes Dynamic linin" calls
arcos 2#itch statements
,ncl%e !iles 9ocal 5ariables
comments 3arameters
=ot to say everythin" that is in the @$hat remainsA sections is *00B there& it >%st means it is verysimple an practical to reverse en"ineer. eca%se o! this !act , choose to eal #ith the @$hatremainsA section !irst beca%se it?s m%ch easier.
s #e pro"ress tho%"h this boo eep in min reverse en"ineerin" is almost never practical antaes lots o! practice. ,t?s harer to reverse en"ineer somethin" create than to create it in the !irstplace.
8/16/2019 C++ Reverse Disassembly
3/33
"oo #ay to start o%t #ith reverse en"ineerin" is to ecompile yo%r o#n pro"rams an see ho#each C++ !%nction speci!ically #ors& then apply that no#le"e in other areas beca%se looin" attho%sans o! lines o! assembly coe is not really !%n.
*.- oern Day /amples;
=o# #hen yo%r reain" this boo yo% mi"ht start to thin that & @anythin" translate in!o a i!!erentlan"%a"e can be retranslate bac into the same lan"%a"eA ri"ht& #ell this is not the case in reverseen"ineerin" a lot o! thin"s #ill be lost& an a lot o! thin"s yo% m%st mae %p(ass%me) alon" the #ay.
2o , #ante to mae s%re a provie some practical eamples !or reverse en"ineerin" at thebe"innin" o! the boo& to "ive yo% a sense o! hope.
To be"in reverse en"ineerin"& , ecie to start #ith the main C++ statement
ie Copy Coe
Int main(int argc, char * argv[])
=o# #e can easily !in this statement in any eec%table !ile %e to the 3/ !ormat #hich tells %s thestart o! the eec%table& beca%se o! this #e can simply rea the 3/ !ormat in a speci!ic eec%tablean "et its start aress. r can #e
This is #here the Common R%ntime 9ibrary comes in at (CRT9)& yo% see #hen yo% compile a C++pro"ram most compilers (beca%se this is compiler speci!ic st%!!) #ill eec%te in the !ollo#in" orer
*. CrtlStartUp();-. Int main(int argc, char * argv[])1. CrtlCleanUp();
this means #e can?t loo into the 3/ !ile an "et the start o! o%r coe& #e can only "et the start o!the Crtl2tartEp()?s coe. $e have to choices& reverse en"ineer the Crt2tart%p Coe or sip over it& ,lie the latter& an #e #ill eal #ith the Common R%ntime 9ibrary later.
Chapter -; C++ 3rotocols;
-.* ,ntro
ne o! the main reason C++ is so #ell esi"n is beca%se it has a strict protocols %se in itsassemblies. C++ has some very static assemblies s%ch as #hen yo% ret%rn val%es& it is al#ays p%t
in the / re"ister& an !%nction callin" %s%ally al#ays %se the stac beca%se o! this reverseen"ineers can attac this static assemblies an "et a hea start
The !irst thin" #e sho%l eal #ith is lobal 5ariables beca%se i! yo%?re comin" !rom a lot o! hi"hlevel lan"%a"es yo% mi"ht have some miss conceptions.
-.- lobal 5ariables
8/16/2019 C++ Reverse Disassembly
4/33
Fo% no# ho# many boos say emory is store ranom on the comp%ter& #ell this is tr%e !or themost part& b%t yo%r application memory allocation !or "lobal variables is G%ite static. That?s ri"ht eachtime yo% r%n yo%r pro"ram& yo%r static allocate variables #ill al#ays en %p in the same place.
nother interestin" !act is variables on?t hol ata& they pointer to #here the ata is store.
ere is a C++ /ample;
ie Copy Coe
#include stdaf!"h#include windws"h
char * gl$alvar % &hats Up;int 'I+- &in.ain(/IS+'C hInstance,/IS+'C hrevInstance,0S+ lpCmd0ine,int nCmdShw)1 // TODO: Place code here.
gl$alvar % (char *)2!322222;return 2;4
ere is a in epth loo at the isassemblies
ie Copy Coe
223252627 gl$al8var dd 325263h223252637 gl$al8var8value d$ 9&hats Up9,2mv gl$al8var,322222h
:& this proves that variables o not hol ata& as yo% can see& the compiler a%tomatically initiali
8/16/2019 C++ Reverse Disassembly
5/33
#include stdaf!"h#include windws"h
char gl$alvar[] % &hats Up;
int 'I+- &in.ain(/IS+'C hInstance,
IS+'C hrevInstance,0S+ lpCmd0ine,
int nCmdShw)1 gl$alvar[2] % 9'9; gl$alvar[5] % :U; return 2;4
$hich #hen compile becomes
ie Copy Coe
22325262 gl$al8var d$ %st moi!yin" the val%es storeat 22325262 an 22325265.
Fo% sho%l have variables an pointer variables o#n pac& since this in!ormation #ill not be eplaina"ain& i! there is somethin" yo% on?t %nerstan& rea it over.
-.1 /pressions
:& as #e all no# C++ has near /n"lish lie synta an #hich #e can pro"ram in. $ell 86assembly coe oesn?t& !or eample tae a loo at the !ollo#in" statement
ie Copy Coe
Int s % 6 > 3 > ? > 5 > @;
o# can #e calc%late this in assembly simple& loo at the !ollo#in" C++ eample
8/16/2019 C++ Reverse Disassembly
6/33
ie Copy Coe
#include stdaf!"h#include windws"h
int s? % 6;int sA % 3;
int s6 % ?;int s3 % ?6;
int 'I+- &in.ain(/IS+'C hInstance,
/IS+'C hrevInstance,
0S+ lpCmd0ine,
int nCmdShw)1 // TODO: Place code here. s? % sA > s6 Bs3 > 63; return 2;4
$hich #hen compile becomes
ie Copy Coe
22325262 s? dd 6 22325263 sA dd 3 2232526 s6 dd ? 2232526C s3 dd ?
mv ea!, sA2232?22 add ea!, s6
2232?22 su$ ea!, s32232?2?3 add ea!, 632232?2?D mv s?, ea!
: the compiler optimi
8/16/2019 C++ Reverse Disassembly
7/33
C++ Operator X86 Instruction
I (%ltiply) %l & (%se !m%l !or !loatin" point)
J (Division) Div (%se !iv !or !loatin" point)
K (2%btraction) 2%b
+(ition)
s yo% can see& #e can easily ecipher most statements in C++ %sin" the table above.
or a test #e #ill loo at a sample isassembly %mp an ecompile it by han to C++.
ie Copy Coe
2222222 A222222? 6222222A 32222226 22222223 ?2222225 mv al, [22222222] add al, [2222222?] mv ch, [2222222A] mul ch
mv [222222226],a!
: the !irst thin" #e o is try to !i"%re o%t #hat type o! variables they are %sin"
n !rom #hat #e can see they o%r %sin" al an ch& #hich are 8 bit re"isters& so that means#henever they re!erence anythin" #ith 8 bit re"isters& it means the variable is a Char type.
n o#n yo% see that they o a @mv [222222226], a!A& an since a is a *6 bit re"ister thevariable type is short int.
ere is a small table& so yo% can map re"isters to variable types
X86 Registers C++ Type Variables
8 bit re"isters ( 9 & ) Char
*6 bit re"isters () 2hort int
8/16/2019 C++ Reverse Disassembly
8/33
1- bit re"isters (/) ,nt
2o !ar #e see 4 re!erences to memory aresses& beca%se o! this #e no# #e have 4 variables& the!irst one L000000000M is obvio%sly an char type variable since #e see&
ie Copy Coe
mv al, [22222222]=
an since al is an 8 bit re"ister.
2o lets "ive L0000000M the name o! s*& #e also see that [2222222] tho%"h[2222222A] is allre!erence by 8 bit variables meanin" they are also char type& an the last one [22222226] #hich?s%se lie @mv[222222226] , a!A is a short int type since a is *6 bits
: let?s create another table one #hich #ill hol variable names or alias !or the aresses
ltho%"h #e can never "et the ori"inal variable name #e can also create o%r o#n.
Addresses Variable namesalias!s Variable si"e
0000;0000 2* Char
0000;000* 2- Char
0000;000- 21 Char
0000;0001 24 2hort int
Fo% mi"ht be con!%se #hy 22222223 hols * an 22222226 oesn?t& #ell this is beca%se ,ntelis a little eian machine& that stores val%es in reverse #or orer.
=o# the net thin" #e sho%l o is re#rite the coe above #ith o%r alias?s #e create
ie Copy Coe
s? d$ AsA d$ 6s6 d$ 3
8/16/2019 C++ Reverse Disassembly
9/33
s3 dw ?mv al, s?add al, sAmv ch, s6mul chmv s3,a!
=o# the !irst thin" #e o is mv al, s?
: al no# hols a val%e o! -& the net thin" #e o is @add al, sAA
=o# al has a val%e o! & since sA ha a val%e o! 1 in it the net thin" #e #ant to o is mv ch, s6
=o# ch has a val%e o! 4& a!ter that #e m%l ch& no# a has the val%e o! al * ch&
n since al ha a val%e o! in it an ch ha a val%e o! 4 in at& a! has the val%e o! -0.
: #e can start to ecipher the C++ statement #hich is
ie Copy Coe
s? > sA * s6
!ter that #e see that #e see& @mv s3, a!A so the complete C++ statement is
ie Copy Coe
S3 % s? > sA * s6;
s yo% can see #e >%st #ent tho%"h a #hole b%nch o! mess to come %p #ith a simple C++statement& an this only #ors !or "lobal variables. =ot local variables or str%ct%re members. 2othin"s #ill only "et harer& %e to this , s%""est yo% rea care!%lly an i! yo% on?t %nerstansomethin" rea it over an over %ntil yo% o.
-.4. Ret%rn 5al%es
ne o! the ma>or !%namentals o! C++ is ret%rnin" val%es !rom !%nction call. This is act%ally a verysimple proce%re& beca%se it simple involves placin" a val%e into the ea re"ister.
2o #hen yo% have a statement lie this
ie Copy Coe
c % (char *) mallc (2!EE);
The !irst thin" the compiler oes is call mallc an then it assi"ns c to ea lie @mv c, ea!A
or eample i! yo% have a statement that ret%rns N #hat yo% o%r really sayin" is
ie Copy Coe
8/16/2019 C++ Reverse Disassembly
10/33
88asm1 .v ea!, 5 et4
9et?s have a little practice #ith a !%ll isassembly %mp
ie Copy Coe
.v ea!,5'dd ea!,ASu$ ea!,?et
n the C++ eG%ivalent is
ie Copy Coe
return 5 > A B ?;
This altho%"h simple is one o! the most important concepts a C++ reverse en"ineer can learn.
-. %nction Calls an the 2tac
=o# its time to "et to the bloo an "%ts o! C++ #ith !%nction calls.
%nction calls are !airly simple !or the most part beca%se they o%r >%st labels !or assemblypro"rammers eample.
ie Copy Coe
Int func () 1return ? ;4Eunc();
$o%l compile into
ie Copy Coe
Eunc7.v ea!, ?etCall Eunc
rom this #e can concl%e t#o thin"s& the !irst is;
%nction?s name or lie variables& they are >%st re!erences to some aress #hich is the same as alabel
ere is a !%ll isassembly %mp !or practice
ie Copy Coe
8/16/2019 C++ Reverse Disassembly
11/33
222272222 222227222? 222227222A 2222272226 2
222272225 mv ea!,?
22227222@ ret 2222722?2 call 222272225 :cde starts here2222722?5 mv [222272222],ea!
: the !irst thin" #e see is that at aress 2222722?5 & #e o%r assi"n a 1- bit memory aress tothe val%e o! a 1- bit re"ister #hich?s mean that #e have a 1- bit variable at han or a int typevariable to be more eact.
2o let?s create an alias !or the aress?s 222272222 O 222272226& #hich #ill be s?.
=o# let?s create a ne# isassembly #ith this ae in!ormation
ie Copy Coe
S? dw2
222272225 mv ea!,?22227222@ ret
2222722?2 call 222272225 :cde starts here2222722?5 mv S?,ea!
: the secon thin" #e see is that coe start at 2222722?2 an the !irst instr%ction iscall 222272225.
=o# #e?re at 0000;00* #e can see that the coe is movin" a val%e into ea then ret%rnin". =o# #e
o%r at aress 2222722?5 an #e >%st move s* into ea
2o #e can no# reverse en"ineer this #hole pro"ram bac into C++
ie Copy Coe
Int s? % 2; //dw 0Int sme8functin()1
return ?; //mov eax ,1 : ret 4
s? % sme8functin(); //mov s1 , eax
=o# #hat o #e o #hen !%nctions have parameters& #ell thin"s "et pretty complicate beca%se thecompiler %ses the stac to hanle parameters.
,t p%shes in parameters ri"ht to le!t& meanin" the last parameter "oes in !irst& an the !irst parameter"oes in lest.
8/16/2019 C++ Reverse Disassembly
12/33
or eample& C++ %nction;
ie Copy Coe
Eunc (?, A);
$o%l compile into
ie Copy Coe
ush Aush ?Call func
=o# let?s have an ima"inary stac !rame& #hich has a si ]A& since S eG%als -0& an the!irst parameter is store at L-8M.
• The secon thin" the compiler oes is @add ea!, [esp > ?A]A an since S eG%als -0an the secon parameter is store at 1-.
• The last thin" the compiler oes is ret
8/16/2019 C++ Reverse Disassembly
13/33
2o the !%ll compilation #o%l be
ie Copy Coe
Eunc7 .v ea!, [S > ] 'dd ea!, [S > ?A]
et
neat little reverse en"ineerin" tip is to remember that sense the stac has a !i #ith o! 4 bytes&yo% can easily tell #hat parameter they o%r accessin".
ie Copy Coe
[F] % StacG
[F >3] % eturn address
[F > ] % Eirst
[F > ?A] % Secnd
[F > ?H] % +hird
[F > A2] % Eurth
n so onQ.
-.6 9ocal 5ariables
$e >%st learn that parameters are store on the stac& no# it time to learn abo%t local variables
#hich are also store on the stac& b%t local variables are store G%ite i!!erent.
ere is an eample
ie Copy Coe
Int func ()1 int a % 5; return a;4
: to compile this coe& the compiler m%st !irst reserve space on the stac by "oin"
Su$ S, 3. 2ince 4 bytes is the si
8/16/2019 C++ Reverse Disassembly
14/33
.v e$p, S; back up EP !" ebpSu$ S, 3; reverse some space o" the stack
=ote; C++ al#ays compiles coe lie @2ettin" %p the stac !rameA in any !%nction& even i! yo% %se oron?t %se local variables& an the compiler al#ays %ses ebp to re!erence parameters an local
variables.
,n the @%nction Calls an the 2tacA section , %se esp to re!erence parameters an sip 2ettin" %pthe stac !rame coe this o%t !or clarity sae.
=o# the secon thin" the compiler oes is
ie Copy Coe
.v [e$p B 3], 5
.v ea!, [e$p 3]
,! #e ha a secon local variable #e co%l simple "o
.v [e$p B ], 5, or co%rse the compiler #o%l %se su$ S, ,nstea o! su$ S, 3.
The last thin" the compiler oes is restore the stac !rame an ret%rn
ie Copy Coe
; #lea"!"$ up the stack %rame.v S, e$p; restore stack po!"ter p e$p; restore ebpet
=ote; The compiler al#ays eec%te the @Cleanin" %p the stac !rameA coe& in every !%nction& %e tothis #e can etect a !%nction by looin" !or similar coe. , also sip this in @!%nctions call an thestacA section !or clarity sae.
ere is a !%ll isassembly %mp& !or practice
ie 2hrin Copy Coe
222272222 2222272223 push e$p222272226 mv e$p,esp222272225 su$ esp,
2222722?2 mv [e$p 3], 52222722?5 add [e$p B 3] , [e$p > ]2222722?H mv ea!,[e$p B 3]2222722? mv esp, e$p2222722A2 pp e$p2222722A? ret2222722AA push e$p2222722A6 mv e$p,esp2222722A5 add [e$p > ] , [222272222]222272262 add [e$p > ] , [e$p > ?A]
8/16/2019 C++ Reverse Disassembly
15/33
22227226? mv ea!,[e$p >]22227226A mv esp, e$p222272265 pp e$p22227226H ret22227226D push e$p ;code start 22227226 mv esp, e$p222272232 push ?222272233 call 22227222A22227223@ mv [222272222],ea!222272252 push 322227225? push 622227225A call 2222722AA22227225H add [222272222],ea!22227225 mv esp, e$p22227225@ pp e$p
: the !irst thin" #e is that memory aress [22227222] is bein" re!erence by ea a lot& meanin"#e have a 1- bit variable #hich is an int type. The net thin" #e notice is #e set %p the stac !rame1 times an clean it %p 1 times& #hich means #e have 1 !%nctions(an yes int main(J) also sets%p the stac !rame an cleans it %p).
2o #e have
ie Copy Coe
Eunc? ()EuncA ().ain ()
=et #e see Eunc? address is at 222272223 an accept one 1- bit parameter
eca%se #e see at aress 0000;0040 #e p%sh * into the stac an then at
aress 222272233 #e are callin" 0000;0004 so #e can set%p !%nc* eclaration
ie Copy Coe
2222272222A Eunc? (int a)
=o# #henever !%nc*& oes anythin" to Lebp + 8M #e no# that it is oin" somethin" to its !irstparameter. 2o loo into !%nc* coe& an #e see that it has * local variable beca%se it re!erencesLe$p B 3M.
=o# lets tae a lot at aress 0000;004& #hich is mv [22227222], ea! so #e no# that theori"inal C++ coe is somethin" lie
ie Copy Coe
[222272222] % func? (?);
=et #hen see at aress 22227225? that #e are p%shin" 4 onto the stac then a!ter that #e arep%shin" 1 onto the stac then #e all 2222722AA.
=o# #e can set%p EuncA eclarations
8/16/2019 C++ Reverse Disassembly
16/33
ie Copy Coe
2222722AA EuncA(int a, int $)
t aress 22227225H #e see add [222272222],ea! & means the ori"inal C++ coe issomethin" lie
ie Copy Coe
[222272222] >% EuncA(6,3)
Remember #e p%she 4 onto the stac !irst& an 1 onto the stac secon& beca%se parameters orpasse ri"ht to le!t.
=o# that #e have a lot o! in!ormation lets mae a ne# isassembly one #ith alias !or all localvariables an parameters in %nc* an %nc-. 2ince #e no# that #henever they %se coe
lie [e$p >J] it?s a parameter& an #hen they %se coe lie [e$p """] it?s a local variable.
ie Copy Coe
222272222 s? dw 2222272223 func?(int param8?)7 push e$p1 lcal 7 lcal8var8?4
: , no#& , mae %p a little assembly synta s%ch as !%nc*(int paramH*) an
ie Copy Coe
10cal 7 lcal8var8? 4
This is !or clarity sae that?s all.
=o# let?s start #ith !%nc* at aress 2222722?2 #e see that it is movin" lcal8var8? to & #hichin C++ it's sayin"
ie Copy Coe
int lcal8var8? % 5;
net #e see a localHvarH*& paramH* #hich in C++ its sayin"
ie Copy Coe
lcal8var8? >%param8?
The last thin" #e see be!ore #e clean %p the stac is mv ea!,lcal8var8? #hich in C++ itssayin"
ie Copy Coe
return lcal8var8?;
2o the !%ll reverse en"ineere !%nction is
8/16/2019 C++ Reverse Disassembly
17/33
ie Copy Coe
Int func?(int param?)1 int lcal8var8? % 5; lcal8var8? >% param?; return lcal8var8?;
=o# lets "o to !%nc- at aress 2222722A5 #e see a paramH*& s*& #hich in C++ its sayin"
ie Copy Coe
param8? >%s?;
a!ter that #e see a paramH*& paramH-& #hich in C++ its sayin"
ie Copy Coe
param8? >% param8A;
the last thin" #e see be!ore #e clean %p the stac is mv ea!, param8?& #hich in C++ its sayin"
ie Copy Coe
return param8?;
2o the !%ll reverse en"ineere !%nction is
ie Copy Coe
Int funcA(int param8? int param8A)1 param8? >% s?;
param8? >% param8A; return param8?;4
=o# #e o%r able to reverse en"ineer the #hole pro"ram
ie Copy Coe
Int s? % 2;Int func?(int param?)1 int lcal8var8? % 5; lcal8var8? >% param?; return lcal8var8?;
4 Int funcA(int param8? int param8A)1 param8? >% s?; param8? >% param8A; return param8?;4
8/16/2019 C++ Reverse Disassembly
18/33
int main()1 s? % func?(?); s? >% funcA(6,3);4
This Chapter mi"ht be a little har to comprehen at !irst since , presente a lot o! @strai"ht to thepointA in!ormation& a"ain i! yo% on?t %nerstan anythin" rea it over& an i! yo% still on?t%nerstan emailvbme#Shotmail.com #ith yo%r G%estion
Chapter 1; C++ :ey#ors
1.* ,ntro;
$hat #e been oin" so !ar is the easy st%!!& its time to eal #ith C++ ey#ors comple epression&an some practical real #orl eamples.
1.- ,! 2tatement
ne o! the main statements people %se is this i! statement #hich lo"ically compares val%es. Esin"this !%nction #e can choose #hich path o! eec%tion o%r pro"ram sho%l tae.
,! statement can also be very & very comple an very simple
Tae a loo at the !ollo#in" eamples.
ie Copy Coe
If(I %%2) //do %u"ct!o" //co"t!"ue
=o# #hat i! #e ha somethin" lie this
ie Copy Coe
If(I%%2)1 int iA % 2;4iA % 6; //error ca"&t access !' because !t&s "ot !" (our scope // !t&s !" the !% stateme"ts scope
eca%se o! this #e no# that compiler "enerates a stac !rame !or each ,! statement #ith bracetsri"ht $ron".
,- is accessible to main in reality b%t the compiler eeps it hien& the reason , Um tellin" yo% this isbeca%se to reverse en"ineer i! statements yo% m%st completely %nerstan them.
The secon eample is
mailto:vbmew@hotmail.commailto:vbmew@hotmail.commailto:vbmew@hotmail.commailto:vbmew@hotmail.com
8/16/2019 C++ Reverse Disassembly
19/33
ie Copy Coe
If( (I %%2) KK ( ( IA %% ?) LL (i6 %%A) ) )
The lo"ic !or this is i! I % 2 or i! iA % ? ani6 % A
nother /ample #o%l be
ie Copy Coe
If( (c % (char *) mallc(2!EE) ) %% U00)
This is sayin" c % mallc(2!EE) an i! mallc ret%rn U00 this conition is tr%e.
Fet another eample is
ie Copy Coe
If(mallc(2!EE)) //th!s !s sa(!"$ call malloc)0x**+ a"d !% !t retur"s //a"(th!"$ "ot eual to 0 the" Th!s co"d!t!o" !s true
The last b%t not least eample is
ie Copy Coe
If(Mmallc(2!EE)) //th!s !s sa(!"$ call malloc)0x**+ a"d !% !t retur"s // value !s eual to -ero the" th!s co"d!t!o" !s true
Than!%lly all these i! statement can be reverse en"ineer in t%rn bac into >%st the #ay theyare(almost).
=o# the i! statement maps irectly to the 86 instr%ction cmp #ith this in min tae a lot at the!ollo#in" C++ pro"ram
ie Copy Coe
int main()1 int I % 2; if (I %% 63) i>% A6; return ?;4
This compiles into the !ollo#in"
ie Copy Coe
push e$pmv e$p,esp ;setup the stack %ramesu$ esp, 3
mv [e$p B 3],2cmp [e$p B 3], 63 ; NnO cntinue8prgram
8/16/2019 C++ Reverse Disassembly
20/33
add [e$p B 3],A6
cntinue8prgram7
mv ea!,?
mv esp, e$p ;restore the stack %ramepp e$pret
Fes , no# , ecie to "ive yo% a complete binary isassembly to see i! yo% remember abo%t thestac !rame an the Lebp K4M #hich means the !irst local variable create an yes int main has toset%p the stac !rame lie every other !%nction.
=o# let?s learn ho# to t%rn this pro"ram bac into C++
The !irst thin" #e o is loo at the compare mov Lebp O 4M&0 #hich is tellin" %s that the pro"ram isinitili%mp tocontin%eHpro"ram.
'dd [e$p 3], 63 or add lcal8var8?, 63 is sayin" lcal8var8? >% 63; !ter that #e@mvea!,?A& clean %p the stac !rame an then ret%rn.
=o# lets loo !or a m%ltiple lo"ical i! statements
ie Copy Coe
If( (i%%2) KK (iA %% A6) LL (i6 %%A?) )If8$lcG8checG?7 Cmp I,2 Pne if8$lcG8checGA7 Pmp d8if
If8$lcG8checGA7 Cmp iA,A6 Pne sGip8if Cmp i6,A? Pne sGip8if Q8if7
; act!o"s heresGip8if7
: the !irst thin" #e see is that on m%lti lo"ical i! statements #hen one conition !ails it >%mps to thenet lo"ical epression to see i! that #ill eval%ate to tr%e& as sho#n in !i"%re 1.-.*
8/16/2019 C++ Reverse Disassembly
21/33
2o i! #e have a m%lti lo"ical i! statement& an part o! the epression s%ccees #e contin%e toeval%ate the epression %ntil somethin" is !alse.
! co%rse this is only tr%e !or a L;L operator. or a KK operator i! one part o! the epression is tr%e#e G%it that entire epression an the i! statement eval%ates as tr%e.
1.1 or 9oop
The !or 9oop is not only one o! the most interestin" thin"s abo%t C++ it is one o! the most %sestatements.
The interestin" !actor !or the !or loop comes in its ability to eval%ate 1 epressions
ie Copy Coe
Er( Re!pressin ?; Re!pressin A; Re!pressin 6)
The /pression o%r %s%ally
ie Copy Coe
Er( Rassignment; Rcnditinal; RincrementK decrement)
Reverse en"ineerin" the !or statement is not har& beca%se it?s really a i! statement in most cases
ie Copy Coe
If(I R 3)1 i>>; //do act!o"s4
=o# !or the !or loop eG%ivalent
ie Copy Coe
fr(int I %2;iR3;i>>)1 //do act!o"s4
: lets loo at a simple reverse isassembly !or the !or loop
ie Copy Coe
.v [e$p B 3],2 ;!"!t!l!-e the local var!able Pmp cnditin
Increment7 'dd [e$p 3],?
Cnditin7 Cmp [e$p 3],3
8/16/2019 C++ Reverse Disassembly
22/33
Pge dne
0p7 ;do act!o"s Pmp increment
Qne7
s yo% can see the !or loop is nothin" more than a hi"h level i! statement& the !irst thin" #e o isinitili
8/16/2019 C++ Reverse Disassembly
23/33
, am proviin" some al"orithms to prove an help yo% %nerstan some o! the theory , presente inthis boo.
This !ollo#in" eample proves that variables insie a i! bloc o%r tr%ly accessible to the #hole!%nction.
ie Copy Coe
#include stdaf!"h#include istream"h
int main(int argc, char* argv[])1 88asm mv dwrd ptr [e$p 3], A6 if(true) 1 int i; cut RR i RR endl; 4 return ?;4
The o%tp%t sho%l be -1 even tho%"h #e never initiali%st re"%lar variables #ith the "iven ability to be accessin parts instea o! #holes.
ie Copy Coe
#include stdaf!"h#include istream"hstruct test?1 int mem$er?; int mem$erA; int mem$er6;4;
int main(int argc, char* argv[])1 test? lcal8struct; lcal8struct"mem$er? % ?; lcal8struct"mem$erA % ?; lcal8struct"mem$er6 % ?; 88asm 1 add dwrd ptr [ e$p ?A],55 ; structure 1
add dwrd ptr [ e$p ] , ?22 ; structure ' add dwrd ptr [ e$p 3] , A6 ; structure 4 cut RR mem$er ?7 RR lcal8struct"mem$er? RR endl; cut RR mem$er A7 RR lcal8struct"mem$erA RR endl; cut RR mem$er 67 RR lcal8struct"mem$er6 RR endl; return ?;4
8/16/2019 C++ Reverse Disassembly
24/33
%tp%t sho%l be
ie Copy Coe
mem$er ?7 5Hmem$er A7 ?2?mem$er 67 A3
Chapter 4; 3ractical Decompilin"
This Chapter aims to provie no#le"e o! practical ecompilin"& in this chapter #e #ill learn to %sea isassembler& an learn to ecompile real #orl applications.
4.1 Intro to Windows decompiling
$ino#s ecompilin" is not that i!!ic%lt since all #ino#s pro"rammers !ollo# a strict pro"rammin"
metho s%ch as Create&indw!& or CreateQialg& an ll #ino#s have messa"e loops
#hich yo% can easily !in. e!ore #e really start "ettin" into ecompilin" lets "o over the basic. ,nthe vast #orl o! #ino#s there are many types o! application& an many more types o! technolo"y.
There!ore all o! it is too m%ch to cover in one t%torial. n top o! that& this in!ormation only applies to
application that %ses the basic #ino# !%nctions& s%ch as Create&indw!& an CreateQialg. pplications mae in vis%al basic& or Delphi %se there o#n en"ine& an there en"ines #ill not becover. lso there is C& #hich is simply a class #rapper to 3, calls& b%t can "reatly complethin"s. $e #ill be #orin" on an application , mae in p%re #in1- 3,& ll it oes is sho# a #ino#&b%t #e all no# sho#in" a #ino# reG%ires a si"ni!icant amo%nt o! #or.
)* Create the indo class
rom this #e can "et the $ino# 3roce%re etho& in #hich all messa"e are hanle.
lpfn&ndrc o! the &QC0'SST str%ct%re contains the aress to the $ino# proce%remetho.
,* Create the Windo itsel-*
$e can retrieve every sin"le const by name& an most o! the time the eact CJC++ eG%ivalent.
.* The message /oop
ll #e have to o is loo !or a re!erence toet.essage(J).
$e start #ith the basic seletons !irst& then move on to more comple st%!!& its import to learn thebasic !irst beca%se
They "ive yo% an ieal o! ho# the application is esi"n. $e #ill be %sin" the 35asm& #hich yo%can "et !rom my site K
• http;JJ###.cracin"isli!e.comJmo%les.phpnamePDo#nloasVHopP"etitVliP-
http://www.crackingislife.com/modules.php?name=Downloads&d_op=getit&lid=2http://www.crackingislife.com/modules.php?name=Downloads&d_op=getit&lid=2
8/16/2019 C++ Reverse Disassembly
25/33
This is a very nice !ree isassembler #hich #e #ill be %sin".
4.2 Decompiling a sample application
irst loa %p 3vDasm& an yo%r screen sho%l loo similar to i"%re 4.-.*
(i"%re 4.-.*)
rab Create$ino#- (the pro"ram #e are "oin" to ecompile by han) an pen it in theisassembler& yo%r screen sho%l loo similar to !i"%re 4.-.-
(i"%re 4.-.-)
$e see are entry point& b%t this is CRT9 coe (Common R%ntime library)& ho# can #e!in &in.ain %nction y re!erences. $e no# that in $inain !%nctions #e havea Create&indw!& or a egisterClass!& i! #e can !in #here the pro"ram is callin" these!%nctions& #e can than be"in to map o%t the pro"ram. Fo% see #hen yo% compile a pro"ram a linerlins it #ith libraries or D99 (Dynamic linin" libraries). The !%nctions yo% "et !rom these
D99?s are calle imports. The 35asm can list all the imports a pro"ram has& an sho# yo% thearess !rom #here they are calle. To %se this !eat%re press Crtl+= or press the import b%tton. Fo%r screen sho%l loo similar to !i"%re 4.-.1
• 2tep *. Clic the inp%t b%tton or press Crtl+=
• 2tep -. Fo% sho%l see a #ino# #ith a list o! importsN scroll o#n %ntil yo%
see Create&indw!.
=o# #e m%st !in the start o! the !%nction& this is pretty easy& i! #e !ollo# the !ollo#in" r%les.
*. Consist o! aie Copy Coe
push e$p mv esp,e$psu$ esp, RT
-. Ri"ht a!ter a
ie Copy Coe
8/16/2019 C++ Reverse Disassembly
26/33
mv esp,e$ppp e$pret RT
$ell i! #e scroll %p to aress 0040*04C an yo% sho%l see
ie Copy Coe
2232?23C push e$p2232?23Q mv e$p, esp2232?23E su$ esp, 52h
!ter that #e see
ie Copy Coe
mv dwrd ptr ss7[e$p 62],2222262mv dwrd ptr ss7[e$pAc],2222222226
& so #e no# #e have local variables& an it mostly loos lie a str%ct%re& to !inthe &QC0'SST str%ct%re #e nee a re!erence point. "oo re!erence to loo !oris 0adCursr. bo%t every sin"le application %ses the call& so simply press the import b%tton orCrtl+=& an select 0adCursr.
nce yo% have selecte 0adCursr yo% sho%l then see somethin" similar to
2232?2@A call ds70adCursr'
2232?2@ mv [e$p?3], ea!
& no# #e all no# the ret%rn val%e !or !%nctions are store in the ea re"ister& an #e no# thatthe hCursrmember o! &QC0'SST is bein" %se (beca%se #e are loain" a c%rsor). =o##hat position is hCursr in memory& #ell its ebpK*4h(yes that?s *4 / no ecimal)& #ith thisin!ormation #e can !i"%re o%t #here all the other member are to. ,! #e tae a G%ic loo at
the &QC0'SST str%ct%re
ie Copy Coe
tVpedef struct &QC0'SST 1UI+ c$SiOe; //0hUI+ stVle; // 'ch&QWC lpfn&ndrc; //'hint c$Cls!tra; //'hint c$&nd!tra; //'0h
/IS+'C hInstance; //1ch/ /ICW hIcn; //1h/CUSW hCursr; // ebp 21h 322tart calculat!o" here 24/FUS/ h$rFacGgrund; //ebp 210h0CS+ lpsO.enuame; //ebp 5 0ch0CS+ lpsOClassame; //ebp 2 /ICW hIcnSm; //ebp 24;
8/16/2019 C++ Reverse Disassembly
27/33
s yo% can see its easy to calc%late str%ct%re member aresses& simply a the si
8/16/2019 C++ Reverse Disassembly
28/33
mv dwrd ptr ss7[e$p A3],2
$e are simply settin" wc"c$Cls!tra to 0000000
3* cbWnd12tra
mv dwrd ptr ss7[e$pA2],2222222
#e are simply settin" wc"c$&nd!tra to 0
6* hInstance
mv ea!,dwrd ptr ss7[e$p>] XXlcal varia$le hInstance
mv dwrd ptr ss7[e$p?C],ea! XX/instance
Remember the eclaration !or the main !%nction is
&in.ain(/IS+'C hInstance, /IS+'C hrevInstance, 0S+ lpCmd0ine , intnCmdShw)
an the !irst parameter (h,nstance) is store at e$p > & an the secon parameter(h3rev,nstance) is store at e$p > ?A
=o# that ea hols the val%e o! hols hinstance& #e simply trans!er that val%e to LebpK*CM orhinstance. 2o in other #ors #e are sayin" #c.h,nstance P h,nstance
4* hIcon
mv dwrd ptr ss7[e$p?],22222222
#e are simply settin" wc"hIcn to 0
8* hCursor
ie Copy Coe
push 2222DE22mv ec!,Q&WQ ptr SS7[e$p>2]push ec!call US6AM0adCursr'mv dwrd ptr ss7[e$p?3],ea!
& the !irst thin" #e o is loo at the eclaration o! 0adCursr' an !in that it is
ie Copy Coe
0adCursr (/IS+'C hInstance, 0S+ cursrname);
an the last parameter is p%sh !irst& so c%rsorname is the !irst parameter bein" b%sh #hich is theval%e 700.
8/16/2019 C++ Reverse Disassembly
29/33
,! the %ser is not %sin" a c%stom c%rsor (most on?t) #e can retrieve its val%e in $inDasmRe! anyes& yo% can enter he val%es in $inDasmRe!& >%st mae s%re yo% p%t a 0700 not 700
re!er to !i"%re 4.-.6
(i"%re 4.-.6)
=ote; ,! yo%r #onerin" #hy 0adCursr"cursrname #asn?t in the !irst pict%re& it is beca%se ,?m#ritin" this pro"ram as ,?m typin" this boo.
mv ec!,Q&WQ ptr SS7[e$p>2]
push ec!
=et #e move ec& to 22;Lebp+8M #hich is hInstance& an then #e p%sh ec to the stac&
the stac c%rrently contains
• ,DCHRR$
• h,nstance
then #e see call US6AM0adCursr' & #e can t%rn this bac into the complete ori"inal line o!so%rce #hich is
0adCursr(hInstance,IQC8'W&);
no# #e all no# that 0adCursr ret%rns the hanle to the c%rsor in the ea re"ister so
mv dwrd ptr ss7[e$p?3],ea! , e$p?3 is the position o! hC%rsor. =o# lets ecompile theentire statement
wc"hCursr % 0adCursr(hInstance,IQC8'W&);
5* hbrac%ground
push 2?
C'00 QI6AMetStcGW$Nect
mv dwrd ptr ss7[e$p?2],ea!
& !irst #e p%sh 0* into the stac an call etStcGW$Nect & no# i! #e loo at the eclarationo! etStcGW$Nect #hich is etStcGW$Nect(int $rush) & #e no# that the 0* is speci!yin" abr%sh so loa %p $inDasmRe!& an type * in & re!er to !i"%re 4.-.7 !or more in!ormation
8/16/2019 C++ Reverse Disassembly
30/33
2o #e no# the call is lie etStcGW$Nect(0+'-8FUS/)& a!ter that #esee mv dwrd ptr ss7[e$p?2],ea! an ea hols the hanle to the br%sh ret%rnby etStcGW$Nect& an ebpK*0& is the memory location o! h$rFacGgrund& so the !%llecompile statement is
wc"h$rFacGgrund % etStcGW$Nect(0+'-8FUS/);
)7* lps"#enuame
mv dwrd ptr ss7[e$p2C],2222222
#e simply set lpsO.enuame to 0
))* lps"Classame
mv ed!,dwrd ptr ds7[2232H26C]
mv dwrd ptr ss7[e$p2],ed!
at the aress o! 0040601C& is a pointer to are class name& ho# can i tell & easy beca%se it iss%rro%nin" the aress in bracets& so it is "ettin" a val%e !rom 0040601C& #e can easily %se anyhe eitor to loo at the aress 0040601C& as lon" as #e no# the ima"e base.
The ima"e base is the location the pro"ram is loae into memory& to see the ima"e base pressCRT9+3 in 3vDasm #ino# similar to i"%re 4.-.8 sho%l come %p
(i"%re 4.-.8)
$e s%btract the ima"e base #ith is 400000 in he !rom 0040601C& an #e are le!t #ith 601C& no# i!#e "o to o!!set 601C in a !ile #e #ill see 10& #e m%st rea 1 more bytes beca%se ,ntel %ses 1- bitaress& so the !%ll aress is 10604000
=o# 10604000 is in little enian orer& #hich the 86 %ses& #e m%st convert it to bi" enian by
reverse every he byte& lie this 00406010& no# i! #e s%btract the ima"e base !rom that #e "et6010& an #e loo at aress 6010& #e #ill see a UD?& i! #e eep reain" to a n%ll terminator lieeveryone else oes #e #ill see D/C3,9/.
=o# that #e have the name o! are class& #e can !%lly ecompile the statement lie this
static char * sOClass %
8/16/2019 C++ Reverse Disassembly
31/33
wc"lpsOClassame % sOClass; since #e are "oin" mv dwrd ptr ss7[e$p2],ed! anded!
hols the aress o! sOClass& an ebpK8 is the memory location o! lpsOClassame
),* hIcon
mv dwrd ptr ss7[e$p3],2222222
this is simply settin" h,con to 0
=o# that #e are one #ith are #hole #ino# class& lets have a overvie# o! all the val%es
ie Copy Coe
&QC0'SST wc; //we do"&t k"ow the exact "ame but !t has to be someth!"$wc"c$SiOe % siOef (&QC0'SST);wc"stVle % CS8/Q'& K CS8YQ'&;wc"lpfn&ndrc % &ndrc;
wc"c$Cls!tra % 2;wc"c$&nd!tra %2;wc"hInstance % hInstance;wc"hIcn %2;wc"hCursr % 0adCursr(hInstance,IQC8'W&);wc"h$rFacGgrund % (/FUS/) etStcGW$Nect(0+'-8FUS/);wc"lpsO.enuame % U00;wc"lpsOClassame % sOClass;wc"hIcnSm % U00;
s yo% can see #e practically ecompile this bac to eact so%rce coe.
=o# #e see the !ollo#in" coe
ie Copy Coe
lea ea!,dwrd ptr ss7[e$p62]push ea!call US6AMegisterClass!'and ea!,2222EEEEtest ea!,ea! NnO 2232?23push 2push 2232H253 ; 6#778 #rappush 2232H25C ; 6#778 #a"&t re$!ster classpush 2Call US6AM.essageF!'!r ea!,ea!
Nmp 2232??DA
lets !irst be"in #ith
lea ea!,dwrd ptr ss7[e$p62]
push ea!
8/16/2019 C++ Reverse Disassembly
32/33
call US6AMegisterClass!'
no# ss;LebpK10M hols the aress o! the &QC0'SST str%ct%re& beca%se LebpK10M is the !irstmember o! the str%ct%re #hich is cb2i
8/16/2019 C++ Reverse Disassembly
33/33
• p%sh 004060CNis the aress o! the 2C,, strin" @Can?t re"ister classA
• p%sh 0N is the messa"e bo type& to see #hat type 0 is
9ets crac open $inDasmRe!
Re!er to !i"%re 4.-. !or more in!ormation
2o #e can ecompile the #hole line into
.essageF!(U00,=Cant register class=,=crap=,.F8W);
a!ter that #e see
!r ea!,ea!
Nmp 2232??DA
!r ea!,ea! clears 0 an i! #e "o see #hat?s at aress 0040**7-& #e #ill !in
mv esp,e$p
pp e$p
ret ?2
#hich is eit coe& so #e can ecompile this line to ret%rn 0. The !%ll ori"inal coe is
if(MegisterClass!(L;wc))
1
.essageF!(U00,Can9t register class,Crap,.F8W);
return 2;
4
s yo% can see ecompilin" is G%ite simple !or this basic #ino#s st%!!& so , not "oin" to bore yo%#ith the rest. ,! yo% have any G%estions & please chec o%t are !or%msat http;JJ###.eliteproy.comJmo%les.phpnamePor%ms
http://www.eliteproxy.com/modules.php?name=Forumshttp://www.eliteproxy.com/modules.php?name=Forums