Reverse Engineering Flashcards
Learn to reverse engineer and understand assembly instructions
It's all about ATnT assembly language 0 push %rbp 1 mov %rsp,%rbp 4 mov %edi,-0x4(%rbp) 7 mov %esi,-0x8(%rbp) 10 jmp 0x4004f8 [dostuff+34] 12 mov -0x4(%rbp),%eax 15 cmp -0x8(%rbp),%eax 18 jle 0x4004f2 [dostuff+28] 20 mov -0x8(%rbp),%eax 23 sub %eax,-0x4(%rbp) 26 jmp 0x4004f8 [dostuff+34] 28 mov -0x4(%rbp),%eax 31 sub %eax,-0x8(%rbp) 34 mov -0x4(%rbp),%eax 37 cmp -0x8(%rbp),%eax 40 jne 0x4004e2 [dostuff+12] 42 mov -0x4(%rbp),%eax 45 pop %rbp 46 retq
Question: How many parameters does the function have?
Answer:
2 parameters
4 mov %edi,-0x4(%rbp)
7 mov %esi,-0x8(%rbp
the first argument (%edi) is stored in the address
-04(%rbp) which means 4 bytes below the base pointer
the 2nd argument (%esi) is stored in the address
-0x8(%rbp) which means 8 bytes below the base pointer
It's all about ATnT assembly language 0 push %rbp 1 mov %rsp,%rbp 4 mov %edi,-0x4(%rbp) 7 mov %esi,-0x8(%rbp) 10 jmp 0x4004f8 [dostuff+34] 12 mov -0x4(%rbp),%eax 15 cmp -0x8(%rbp),%eax 18 jle 0x4004f2 [dostuff+28] 20 mov -0x8(%rbp),%eax 23 sub %eax,-0x4(%rbp) 26 jmp 0x4004f8 [dostuff+34] 28 mov -0x4(%rbp),%eax 31 sub %eax,-0x8(%rbp) 34 mov -0x4(%rbp),%eax 37 cmp -0x8(%rbp),%eax 40 jne 0x4004e2 [dostuff+12] 42 mov -0x4(%rbp),%eax 45 pop %rbp 46 retq
Question: How many local variables does the function have?
Answer: None
It's all about ATnT assembly language 0 push %rbp 1 mov %rsp,%rbp 4 mov %edi,-0x4(%rbp) 7 mov %esi,-0x8(%rbp) 10 jmp 0x4004f8 [dostuff+34] 12 mov -0x4(%rbp),%eax 15 cmp -0x8(%rbp),%eax 18 jle 0x4004f2 [dostuff+28] 20 mov -0x8(%rbp),%eax 23 sub %eax,-0x4(%rbp) 26 jmp 0x4004f8 [dostuff+34] 28 mov -0x4(%rbp),%eax 31 sub %eax,-0x8(%rbp) 34 mov -0x4(%rbp),%eax 37 cmp -0x8(%rbp),%eax 40 jne 0x4004e2 [dostuff+12] 42 mov -0x4(%rbp),%eax 45 pop %rbp 46 retq
Question: The instruction that is 10 bytes from the start of the function is an unconditional jump:
10 jmp 0x4004f8 [dostuff+34]
The instruction that is 40 bytes from the start of the function is a conditional jump to the instruction immediately following that unconditional jump:
40 jne 0x4004e2 [dostuff+12]
What C statement would have generated this?
Answer: A while-statement
10 jmp 0x4004f8 [dostuff+34]
—tells us to jump to line 34
34 mov -0x4(%rbp),%eax
37 cmp -0x8(%rbp),%eax
40 jne 0x4004e2 [dostuff+12]
mov = place x to eax register cmp = S1 - S2 so, S1 = y and S2 = x jne = jump if not equal if y is not equal to x jump to line 12
in C:
while(x != y) {
do stuff...
}
It's all about ATnT assembly language 0 push %rbp 1 mov %rsp,%rbp 4 mov %edi,-0x4(%rbp) 7 mov %esi,-0x8(%rbp) 10 jmp 0x4004f8 [dostuff+34] 12 mov -0x4(%rbp),%eax 15 cmp -0x8(%rbp),%eax 18 jle 0x4004f2 [dostuff+28] 20 mov -0x8(%rbp),%eax 23 sub %eax,-0x4(%rbp) 26 jmp 0x4004f8 [dostuff+34] 28 mov -0x4(%rbp),%eax 31 sub %eax,-0x8(%rbp) 34 mov -0x4(%rbp),%eax 37 cmp -0x8(%rbp),%eax 40 jne 0x4004e2 [dostuff+12] 42 mov -0x4(%rbp),%eax 45 pop %rbp 46 retq
Question: If the variable x represents the value stored in -0x4(%rbp) and the variable y represents the value held in -0x8(%rbp), which C statement would cause the instruction 18 bytes from the start of the function:
18 jle 0x4004f2 [dostuff+28]
Answer: if (x > y)
12 mov -0x4(%rbp),%eax
15 cmp -0x8(%rbp),%eax
18 jle 0x4004f2 [dostuff+28]
mov = place x to %eax register
cmp = S1 - S2
so, S1 = y, and S2 = x
jle = jump if less than or equal (signed)
if y is less than or equal to x then jump
in other words, if x is greater than y then jump
in C: if (x > y)
It's all about ATnT assembly language 0 push %rbp 1 mov %rsp,%rbp 4 mov %edi,-0x4(%rbp) 7 mov %esi,-0x8(%rbp) 10 jmp 0x4004f8 [dostuff+34] 12 mov -0x4(%rbp),%eax 15 cmp -0x8(%rbp),%eax 18 jle 0x4004f2 [dostuff+28] 20 mov -0x8(%rbp),%eax 23 sub %eax,-0x4(%rbp) 26 jmp 0x4004f8 [dostuff+34] 28 mov -0x4(%rbp),%eax 31 sub %eax,-0x8(%rbp) 34 mov -0x4(%rbp),%eax 37 cmp -0x8(%rbp),%eax 40 jne 0x4004e2 [dostuff+12] 42 mov -0x4(%rbp),%eax 45 pop %rbp 46 retq
Question: If the variable x represents the value stored in -0x4(%rbp) and the variable y represents the value held in -0x8(%rbp), which C statement would cause the instruction 23 bytes from the start of the function:
23 sub %eax,-0x4(%rbp)
Answer: x = x - y;
20 mov -0x8(%rbp),%eax
23 sub %eax,-0x4(%rbp)
mov = place y to eax register sub = Destination - Source = Destination x = x - y
in C:
x = x - y;
It's all about ATnT assembly language 0 push %rbp 1 mov %rsp,%rbp 4 mov %edi,-0x4(%rbp) 7 mov %esi,-0x8(%rbp) 10 jmp 0x4004f8 [dostuff+34] 12 mov -0x4(%rbp),%eax 15 cmp -0x8(%rbp),%eax 18 jle 0x4004f2 [dostuff+28] 20 mov -0x8(%rbp),%eax 23 sub %eax,-0x4(%rbp) 26 jmp 0x4004f8 [dostuff+34] 28 mov -0x4(%rbp),%eax 31 sub %eax,-0x8(%rbp) 34 mov -0x4(%rbp),%eax 37 cmp -0x8(%rbp),%eax 40 jne 0x4004e2 [dostuff+12] 42 mov -0x4(%rbp),%eax 45 pop %rbp 46 retq
Question: If the variable x represents the value stored in -0x4(%rbp) and the variable y represents the value held in -0x8(%rbp), which C statement would cause the instruction 31 bytes from the start of the function:
31 sub %eax,-0x8(%rbp)
Answer: y = y - x;
28 mov -0x4(%rbp),%eax
31 sub %eax,-0x8(%rbp)
mov = place x to eax register sub = Destionation - Source = Destionation y = y - x;
in C:
y = y - x;
It's all about ATnT assembly language 0 push %rbp 1 mov %rsp,%rbp 4 mov %edi,-0x4(%rbp) 7 mov %esi,-0x8(%rbp) 10 jmp 0x4004f8 [dostuff+34] 12 mov -0x4(%rbp),%eax 15 cmp -0x8(%rbp),%eax 18 jle 0x4004f2 [dostuff+28] 20 mov -0x8(%rbp),%eax 23 sub %eax,-0x4(%rbp) 26 jmp 0x4004f8 [dostuff+34] 28 mov -0x4(%rbp),%eax 31 sub %eax,-0x8(%rbp) 34 mov -0x4(%rbp),%eax 37 cmp -0x8(%rbp),%eax 40 jne 0x4004e2 [dostuff+12] 42 mov -0x4(%rbp),%eax 45 pop %rbp 46 retq
Question:
The instruction 40 bytes from the start of the function is a conditional jump
40 jne 0x4004e2 [dostuff+12]
If the variable x represents the value stored in -0x4(%rbp) and the variable y represents the value held in -0x8(%rbp), which C expression is evaluated for this conditional jump?
Answer: if (x!=y)
34 mov -0x4(%rbp),%eax
37 cmp -0x8(%rbp),%eax
40 jne 0x4004e2 [dostuff+12]
mov = place x to eax register cmp = S1 - S2 S1 = y and S2 =x jne = jump if not equal
in C: If (x!=y)
It's all about ATnT assembly language 0 push %rbp 1 mov %rsp,%rbp 4 mov %edi,-0x4(%rbp) 7 mov %esi,-0x8(%rbp) 10 jmp 0x4004f8 [dostuff+34] 12 mov -0x4(%rbp),%eax 15 cmp -0x8(%rbp),%eax 18 jle 0x4004f2 [dostuff+28] 20 mov -0x8(%rbp),%eax 23 sub %eax,-0x4(%rbp) 26 jmp 0x4004f8 [dostuff+34] 28 mov -0x4(%rbp),%eax 31 sub %eax,-0x8(%rbp) 34 mov -0x4(%rbp),%eax 37 cmp -0x8(%rbp),%eax 40 jne 0x4004e2 [dostuff+12] 42 mov -0x4(%rbp),%eax 45 pop %rbp 46 retq
Question: If the variable x represents the value stored in -0x4(%rbp) and the variable y represents the value held in -0x8(%rbp), what value is returned by the function?
Answer: x
37 cmp -0x8(%rbp),%eax 40 jne 0x4004e2 [dostuff+12] 42 mov -0x4(%rbp),%eax 45 pop %rbp 46 retq
once x becomes equal to y the program hops out of the loop, goes to line 42, and since x is stored in -0x4(%rb), which is placed to the return argument register %eax, the value returned by the function is x.
Construct a c function that matches this the following assembly code
0 push %rbp 1 mov %rsp,%rbp 4 mov %edi,-0x4(%rbp) 7 mov %esi,-0x8(%rbp) 10 jmp 0x4004f8 [dostuff+34] 12 mov -0x4(%rbp),%eax 15 cmp -0x8(%rbp),%eax 18 jle 0x4004f2 [dostuff+28] 20 mov -0x8(%rbp),%eax 23 sub %eax,-0x4(%rbp) 26 jmp 0x4004f8 [dostuff+34] 28 mov -0x4(%rbp),%eax 31 sub %eax,-0x8(%rbp) 34 mov -0x4(%rbp),%eax 37 cmp -0x8(%rbp),%eax 40 jne 0x4004e2 [dostuff+12] 42 mov -0x4(%rbp),%eax 45 pop %rbp 46 retq
Answer:
int doStuff(int x, int y) {
while(x!=y) {
if(x > y)
x = x - y;
else
y = y -x;
}
return x;
}
int main() {
int a = 0;
int b = 0;
int r = doStuff(a, b);
{
