Saturday, April 12, 2014

Practical Reverse Engineering Chapter 1 Page 64 Exercise 3

All the samples used in the book can be downloaded here.

1. Repeat the walk-through by yourself. Draw the stack layout, including parameters and local variables.

An interesting instruction @07: sidt  fword ptr [ebp-8]     save 6-byte IDT register [ebp-8]



2. In the example walk-through, we did a nearly one-to-one translation of the assembly code to C. As an exercise, re-decompile this whole function so that it looks more natural. What can you say about the developer's skill level/experience? Explain your reasons. Can you do a better job?

The codes did not include any anti-debug or anti disassemble features. It only has one anti virtualisation feature. The developer does not have very high skill. I would include obstruction tricks to increase difficulty of disassembling the codes.

3. In some of the assembly listings, the function name has a @ prefix followed by a number. Explain when and why this decoration exists.

The function is making use of FastCall convention. At sign (@) is prefixed to names; an at sign followed by the number of bytes (in decimal) in the parameter list is suffixed to names.

4. Implement the following functions in x86 assembly: strlen, strchr, memcpy, memset, strcmp, strset.

Answer to this question is Work In Process

5. Decompile the following kernel routines in Windows:
KeInitializeDpc
KeInitializeApc
ObFastDereferenceObject (and explain its calling convention)
KeInitializeQueue
KxWaitForLockChainValid
KeReadyThread
KiInitializeTSS
RtlValidateUnicodeString

All of them make use of _stdcall calling convention where the callee clear the stack before exiting the routines.

6. Sample H. The function sub_13846 references several structures whose types are not entirely clear. Your task is to first recover the function prototype and then try to reconstruct the structure fields. After reading Chapter 3, return to this exercise to see if your understanding has changed. (Note: This sample is targeting Windows XP x86.)

Answer to this question is Work In Process

Note: The hash value for sample H in the book has error and the right sample H can be downloaded here. I loaded the sample H in IDA Pro 6 and the function names are -4 bytes from the ones mentioned in the book.


7. Sample H. The function sub_10BB6 has a loop searching for something. First recover the function prototype and then infer the types based on the context. Hint: You should probably have a copy of the PE specification nearby.

sub_10BB6 (int1,int2)

Note: The hash value for sample H in the book has error and the right sample H can be downloaded here. I loaded the sample H in IDA Pro 6 and the function names are -4 bytes from the ones mentioned in the book.

8. Sample H. Decompile sub_11732 and explain the most likely programming construct used in the original code.

Switch Cases.

Note: The hash value for sample H in the book has error and the right sample H can be downloaded here. I loaded the sample H in IDA Pro 6 and the function names are -4 bytes from the ones mentioned in the book.

9. Sample L. Explain what function sub_1000CEA0 does and then decompile it back to C.

Sub_1000CEA0 has 2 parameters ,an address of a string and a character.
Sub_1000CEA0 begin with search the location of the null character at the string with the first "scasb" instruction. Then I look 'backward' to locate a character with the second "scasb" instruction.


10. If the current privilege level is encoded in CS, which is modifiable by user-mode code, why can't user-mode code modify CS to change CPL?

The CS register cannot be modified using load instructions. Only instructions that affect the flow of the routine can change it. To increase CPL one can use the IRET instructions but to decrease the CPL one need to make use of call gates or SYSENTER instructions to enter Ring 0.


11. Read the Virtual Memory chapter in Intel Software Developer Manual, Volume 3 and AMD64 Architecture Programmer's Manual, Volume 2: System Programming. Perform a few virtual address to physical address translations yourself and verify the result with a kernel debugger. Explain how data execution prevention (DEP) works.

DEP is implemented using XD bit in the Extended Feature Enable Register of the Intel CPU.
Instructions cannot be fetch from PAE pages with XD bit set.

Do note Windows kernel debugging using Windbg is needed before embarking on this question.

12. Bruce's favorite x86/x64 disassembly library is BeaEngine by BeatriX (www.beaengine.org). Experiment with it by writing a program to disassemble a binary at its entry point.”

Answer to this question is Work In Process

No comments:

Post a Comment