Saturday, April 12, 2014

Practical Reverse Engineering Page 22 Chapter 1 Exercise 1

1. This function uses a combination of SCAS and STOS to do its work. First, explain what the types of [EBP+8] and [EBP+C] are in lines 1 and 8, respectively. Next, explain what this snippet does.
01: 8B 7D 08         mov   edi, [ebp+8]
02: 8B D7            mov   edx, edi
03: 33 C0            xor   eax, eax
04: 83 C9 FF         or    ecx, 0FFFFFFFFh
05: F2 AE            repne scasb
06: 83 C1 02         add   ecx, 2
07: F7 D9            neg   ecx
08: 8A 45 0C         mov   al, [ebp+0Ch]
09: 8B FA            mov   edi, edx
10: F3 AA            rep stosb
11: 8B C2            mov   eax, edx

[EBP+8] is a pointer to a NUL-terminated string (a char *): line 1 loads it into EDI and line 5 scans it byte by byte.
[ebp+0Ch] holds a single character (a char): line 8 loads that byte directly into AL.
Both values are most likely arguments passed into the function.

Lines 1-5 scan the string for its NUL terminator: AL is zeroed, ECX is set to 0FFFFFFFFh (-1), and REPNE SCASB compares each byte at EDI against AL, decrementing ECX once per byte examined (including the terminating NUL). The scan count ends up in ECX.
Lines 6-7 turn that count into the length for the 2nd part of the function: after the scan ECX holds -(length + 2), so ADD ECX, 2 gives -length and NEG ECX gives the length of the string, not counting the NUL.
Lines 8-10 overwrite the string pointed to by [ebp+8] with the character in [ebp+0Ch]: AL is the character, EDI is reset to the start of the string, and REP STOSB stores AL ECX times, so only the bytes before the NUL are replaced and the terminator is left in place.
Line 11 returns the pointer to the overwritten string in EAX.
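
As an added illustration (my own C, not code from the book or from the exercise), here is a model of the register arithmetic in lines 3-7 and of the snippet as a whole. The function names ecx_after_scan, recover_length, fill_string and check_fill are mine; the 32-bit register is modelled with uint32_t so the wrap-around behaves like ECX.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Lines 3-5 modelled on a 32-bit register: ECX starts at 0FFFFFFFFh and
 * REPNE SCASB decrements it once per byte examined, including the NUL
 * that stops the scan. Returns the raw ECX value after line 5. */
uint32_t ecx_after_scan(const char *s)
{
    uint32_t ecx = 0xFFFFFFFFu;                 /* or  ecx, 0FFFFFFFFh */
    const unsigned char *edi = (const unsigned char *)s;
    unsigned char al = 0;                       /* xor eax, eax */
    /* repne scasb: repeat while ECX != 0 and the compared byte != AL */
    while (ecx != 0) {
        ecx--;
        if (*edi++ == al)
            break;
    }
    return ecx;
}

/* Lines 6-7: add ecx, 2 ; neg ecx -> string length without the NUL. */
uint32_t recover_length(uint32_t ecx)
{
    ecx += 2;
    return 0u - ecx;                            /* two's-complement negate */
}

/* Lines 1-11 as a whole: equivalent to memset(s, c, strlen(s)); return s; */
char *fill_string(char *s, char c)
{
    uint32_t n = recover_length(ecx_after_scan(s));
    for (uint32_t i = 0; i < n; i++)            /* rep stosb: AL stored ECX times */
        s[i] = c;
    return s;                                   /* mov eax, edx */
}

/* Helper for checking: copies a constructed input into a local buffer,
 * runs fill_string on it and returns 1 if the pointer is returned unchanged
 * and the buffer now equals expected (NUL terminator still present). */
int check_fill(const char *input, char c, const char *expected)
{
    char buf[64];
    if (strlen(input) >= sizeof(buf))
        return 0;
    strcpy(buf, input);
    char *ret = fill_string(buf, c);
    return ret == buf && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* "hello" is 5 chars + NUL: 6 bytes scanned, so ECX = 0FFFFFFFFh - 6 */
    printf("ecx after scan: %08X\n", ecx_after_scan("hello"));
    printf("recovered length: %u\n", recover_length(ecx_after_scan("hello")));
    printf("fill ok: %d\n", check_fill("hello", 'x', "xxxxx"));
    return 0;
}
```

Running it shows why the comment thread below trips over ECX: the value left by REPNE SCASB is a negative scan count, and it is only after ADD/NEG that the register holds the length (5 for "hello", 0 for an empty string).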

Feel free to leave comments on my answers. :)

2 comments:

  1. Got to this blog through an Amazon review. I am also working through the exercises.

    "Line 1-5 is check length of the string before it is NULL terminated. Count will be in ECX"

    Length of the string is not stored in ECX, right? This just means scan forward up to the number of times in ECX.

    Replies
    1. Yes, ECX stores the scan-forward count value. ECX is not the actual string length as it does not include the NULL byte.
