Saturday, April 12, 2014

Practical Reverse Engineering Chapter 1 Page 69 Exercise 4

1. Explain two methods to get the instruction pointer on x64. At least one of the methods must use RIP addressing.
lea rax,[rip]

call NextLine
NextLine:
    pop eax



2. Perform a virtual-to-physical address translation on x64. Were there any major differences compared to x86?

There are many differences when performing virtual-to-physical address translation between x64 and x86. E.g. x86 has 4 sub sections which x64 have 5.

This blogpost that showed the differences.

Do note that you need to have kernel debugging setup using Windbg. Let me via comments if you have trouble with this step. I have tried kernel debugging via Windows host and VMware and OS X host and VM fusion. There are slight differences in configuring the vmx file.


Feel free to leave me comments for the answers above. :)

Practical Reverse Engineering Chapter 1 Page 64 Exercise 3

All the samples used in the book can be downloaded here.

1. Repeat the walk-through by yourself. Draw the stack layout, including parameters and local variables.

An interesting instruction @07: sidt  fword ptr [ebp-8]     save 6-byte IDT register [ebp-8]



2. In the example walk-through, we did a nearly one-to-one translation of the assembly code to C. As an exercise, re-decompile this whole function so that it looks more natural. What can you say about the developer's skill level/experience? Explain your reasons. Can you do a better job?

The codes did not include any anti-debug or anti disassemble features. It only has one anti virtualisation feature. The developer does not have very high skill. I would include obstruction tricks to increase difficulty of disassembling the codes.

3. In some of the assembly listings, the function name has a @ prefix followed by a number. Explain when and why this decoration exists.

The function is making use of FastCall convention. At sign (@) is prefixed to names; an at sign followed by the number of bytes (in decimal) in the parameter list is suffixed to names.

4. Implement the following functions in x86 assembly: strlen, strchr, memcpy, memset, strcmp, strset.

Answer to this question is Work In Process

5. Decompile the following kernel routines in Windows:
KeInitializeDpc
KeInitializeApc
ObFastDereferenceObject (and explain its calling convention)
KeInitializeQueue
KxWaitForLockChainValid
KeReadyThread
KiInitializeTSS
RtlValidateUnicodeString

All of them make use of _stdcall calling convention where the callee clear the stack before exiting the routines.

6. Sample H. The function sub_13846 references several structures whose types are not entirely clear. Your task is to first recover the function prototype and then try to reconstruct the structure fields. After reading Chapter 3, return to this exercise to see if your understanding has changed. (Note: This sample is targeting Windows XP x86.)

Answer to this question is Work In Process

Note: The hash value for sample H in the book has error and the right sample H can be downloaded here. I loaded the sample H in IDA Pro 6 and the function names are -4 bytes from the ones mentioned in the book.


7. Sample H. The function sub_10BB6 has a loop searching for something. First recover the function prototype and then infer the types based on the context. Hint: You should probably have a copy of the PE specification nearby.

sub_10BB6 (int1,int2)

Note: The hash value for sample H in the book has error and the right sample H can be downloaded here. I loaded the sample H in IDA Pro 6 and the function names are -4 bytes from the ones mentioned in the book.

8. Sample H. Decompile sub_11732 and explain the most likely programming construct used in the original code.

Switch Cases.

Note: The hash value for sample H in the book has error and the right sample H can be downloaded here. I loaded the sample H in IDA Pro 6 and the function names are -4 bytes from the ones mentioned in the book.

9. Sample L. Explain what function sub_1000CEA0 does and then decompile it back to C.

Sub_1000CEA0 has 2 parameters ,an address of a string and a character.
Sub_1000CEA0 begin with search the location of the null character at the string with the first "scasb" instruction. Then I look 'backward' to locate a character with the second "scasb" instruction.


10. If the current privilege level is encoded in CS, which is modifiable by user-mode code, why can't user-mode code modify CS to change CPL?

The CS register cannot be modified using load instructions. Only instructions that affect the flow of the routine can change it. To increase CPL one can use the IRET instructions but to decrease the CPL one need to make use of call gates or SYSENTER instructions to enter Ring 0.


11. Read the Virtual Memory chapter in Intel Software Developer Manual, Volume 3 and AMD64 Architecture Programmer's Manual, Volume 2: System Programming. Perform a few virtual address to physical address translations yourself and verify the result with a kernel debugger. Explain how data execution prevention (DEP) works.

DEP is implemented using XD bit in the Extended Feature Enable Register of the Intel CPU.
Instructions cannot be fetch from PAE pages with XD bit set.

Do note Windows kernel debugging using Windbg is needed before embarking on this question.

12. Bruce's favorite x86/x64 disassembly library is BeaEngine by BeatriX (www.beaengine.org). Experiment with it by writing a program to disassemble a binary at its entry point.”

Answer to this question is Work In Process

Practical Reverse Engineering Page 33 Chapter 1 Exercises 2

1. Given what you learned about CALL and RET, explain how you would read the value of EIP? Why can't you just do MOV EAX, EIP?

call next
next: pop eax

EIP is a special register that can't be accessed directly for x86 CPU. For x64 RIP can be read directly.


2. Come up with at least two code sequences to set EIP to 0xAABBCCDD.

JMP   0xAABBCCDD

PUSH    0xAABBCCDD
RET


3. In the example function, addme, what would happen if the stack pointer were not properly restored before executing RET?

Nothing will happen as ESP is not changed during the function flow.
There is no instructions in the function that cause changes to the stack.

4. In all of the calling conventions explained, the return value is stored in a 32-bit register (EAX). What happens when the return value does not fit in a 32-bit register? Write a program to experiment and evaluate your answer. Does the mechanism change from compiler to compiler?”

“int
__cdecl addme(short a, short b)
{
    return a*b;
}”

Answer to this question is not complete yet.


Feel free to leave me comments for my answers. :)

Practical Reverse Engineering Page 22 Chapter 1 Exercise 1

1. This function uses a combination SCAS and STOS to do its work. First, explain what is the type of the [EBP+8] and [EBP+C] in line 1 and 8, respectively. Next, explain what this snippet does.
01: 8B 7D 08         mov   edi, [ebp+8]
02: 8B D7            mov   edx, edi
03: 33 C0            xor   eax, eax
04: 83 C9 FF         or    ecx, 0FFFFFFFFh
05: F2 AE            repne scasb
06: 83 C1 02         add   ecx, 2
07: F7 D9            neg   ecx
08: 8A 45 0C         mov   al, [ebp+0Ch]
09: 8B FA            mov   edi, edx
10: F3 AA            rep stosb
11: 8B C2            mov   eax, edx”

[EBP+8] is pointing to a string.
[ebp+0Ch] is pointing to a character.
The above pointers are likely to be arguments passed into the function.

Line 1-5 is check length of the string before it is NULL terminated. Count will be in ECX.
Line 6-7 Prepare the count in ECX for use in the 2nd part of the function.
Line 8-10 over write the string pointed by [ebp+8] with character pointed by [ebp+0Ch].
Line 11 the pointer to the overwritten string is returned by Eax.

Feel free to leave comments on my answers. :)

Practical Reverse Engineering

I finally received this long awaited book by some of the best people in the business of reverse engineering codes. I am going to take this book like a intermediate level text book for reverse engineering. I will also post my answers to the exercises from the book.