Reverse Engineering for Beginners


CHAPTER 18. ARRAYS


.string "November"
.LC13:
.string "December"


The address of the table is loaded into X1 using an ADRP/ADD pair. Then the corresponding element is picked using just one LDR,
which takes W0 (the register holding the input argument month), shifts it 3 bits to the left (which is the same as multiplying by
8), sign-extends it (this is what the “sxtw” suffix implies) and adds it to X1. Then the 64-bit value is loaded from the table into X0.


18.5.4 MIPS


Listing 18.14: Optimizing GCC 4.4.5 (IDA)

get_month1:
; load address of table into $v0:
la $v0, month1
; take input value and multiply it by 4:
sll $a0, 2
; sum up address of table and multiplied value:
addu $a0, $v0
; load table element at this address into $v0:
lw $v0, 0($a0)
; return
jr $ra
or $at, $zero ; branch delay slot, NOP


.data # .data.rel.local
.globl month1
month1: .word aJanuary # "January"
.word aFebruary # "February"
.word aMarch # "March"
.word aApril # "April"
.word aMay # "May"
.word aJune # "June"
.word aJuly # "July"
.word aAugust # "August"
.word aSeptember # "September"
.word aOctober # "October"
.word aNovember # "November"
.word aDecember # "December"


.data # .rodata.str1.4
aJanuary: .ascii "January"<0>
aFebruary: .ascii "February"<0>
aMarch: .ascii "March"<0>
aApril: .ascii "April"<0>
aMay: .ascii "May"<0>
aJune: .ascii "June"<0>
aJuly: .ascii "July"<0>
aAugust: .ascii "August"<0>
aSeptember: .ascii "September"<0>
aOctober: .ascii "October"<0>
aNovember: .ascii "November"<0>
aDecember: .ascii "December"<0>


18.5.5 Array overflow


Our function accepts values in the range 0..11, but what if 12 is passed? There is no element in the table at that position, so
the function will load whatever value happens to be stored there and return it. Soon after, some other function may try to read
a text string from this address and crash.
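The two points made above (the index is scaled by the pointer size and added to the table base, and an index of 12 reads past the table) are easier to see in C. The following is an added example, not code from the book: `month1` is a constructed copy of the table in the listings, `get_month1()` mirrors the book's unchecked lookup, and `get_month_checked()` and `element_offset()` are hypothetical helpers added here to show the bounds check the compiled code lacks and the byte offset the `sll`/`sxtw #3` scaling computes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed month table, mirroring the month1 table in the listings. */
static const char *const month1[12] = {
    "January", "February", "March", "April", "May", "June",
    "July", "August", "September", "October", "November", "December"
};

/* Byte offset the compiled code computes for element idx:
 * idx << 3 on a 64-bit target (8-byte pointers, the ARM64 sxtw #3 case),
 * idx << 2 on 32-bit MIPS (4-byte pointers, the sll $a0, 2 case). */
size_t element_offset(unsigned idx, size_t pointer_size)
{
    return (size_t)idx * pointer_size;
}

/* Unchecked lookup, equivalent to the book's get_month1(): the index is
 * scaled and added to the table base with no range test, so passing 12
 * dereferences whatever the linker placed after the table. */
const char *get_month1(int month)
{
    return month1[month];
}

/* Hardened lookup: one unsigned comparison rejects both month >= 12 and
 * negative values (a negative int converts to a large unsigned number). */
const char *get_month_checked(int month)
{
    const unsigned count = sizeof(month1) / sizeof(month1[0]);
    if ((unsigned)month >= count)
        return NULL;
    return month1[month];
}

int main(void)
{
    /* Walk one past each end of the valid range to show the check firing. */
    for (int m = -1; m <= 12; m++) {
        const char *name = get_month_checked(m);
        printf("%3d -> %s\n", m, name ? name : "(rejected: out of range)");
    }
    printf("offset of element 3: %zu bytes (64-bit), %zu bytes (MIPS32)\n",
           element_offset(3, 8), element_offset(3, 4));
    return 0;
}
```

The unsigned comparison is the idiom compilers emit for a range check on a table index; when reading disassembly, a `cmp`/`bhs`-style test against 12 just before the scaled load is the sign that the source had such a check, and its absence is what makes the out-of-range read possible.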


Let’s compile the example in MSVC for win64 and open it in IDA to see what the linker has placed after the table:


Listing 18.15: Executable file in IDA

off_140011000 dq offset aJanuary_1 ; DATA XREF: .text:0000000140001003
; "January"
dq offset aFebruary_1 ; "February"
