Reverse Engineering for Beginners


CHAPTER 81. ORACLE RDBMS


It is interesting that this element here is the 0x1f6th (502nd), just like the pointer to the X$VERSION string in the kqftab
table. Probably, the kqftap and kqftab tables complement each other, just like kqfvip and kqfviw. We also see a
pointer to the kqvrow() function. Finally, we got something useful!


So we will add these tables to our oracle tables^3 utility too. For X$VERSION we get:


Listing 81.9: Result of oracle tables

kqftab_element.name: [X$VERSION] ?: [kqvt] 0x4 0x4 0x4 0xc 0xffffc075 0x3
kqftap_param.name=[ADDR] ?: 0x917 0x0 0x0 0x0 0x4 0x0 0x0
kqftap_param.name=[INDX] ?: 0xb02 0x0 0x0 0x0 0x4 0x0 0x0
kqftap_param.name=[INST_ID] ?: 0xb02 0x0 0x0 0x0 0x4 0x0 0x0
kqftap_param.name=[BANNER] ?: 0x601 0x0 0x0 0x0 0x50 0x0 0x0
kqftap_element.fn1=kqvrow
kqftap_element.fn2=NULL


With the help of tracer, it is easy to check that this function is called 6 times in a row (from the qerfxFetch() function)
while querying the X$VERSION table.


Let's run tracer in cc mode (it comments each executed instruction):


tracer -a:oracle.exe bpf=oracle.exe!_kqvrow,trace:cc


kqvrow proc near


var_7C = byte ptr -7Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
Dest = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h


; FUNCTION CHUNK AT .text1:056C11A0 SIZE 00000049 BYTES


push ebp
mov ebp, esp
sub esp, 7Ch
mov eax, [ebp+arg_14] ; [EBP+1Ch]=1
mov ecx, TlsIndex ; [69AEB08h]=0
mov edx, large fs:2Ch
mov edx, [edx+ecx*4] ; [EDX+ECX*4]=0xc98c938
cmp eax, 2 ; EAX=1
mov eax, [ebp+arg_8] ; [EBP+10h]=0xcdfe554
jz loc_2CE1288
mov ecx, [eax] ; [EAX]=0..5
mov [ebp+var_4], edi ; EDI=0xc98c938

loc_2CE10F6: ; CODE XREF: kqvrow+10A
; kqvrow+1A9
cmp ecx, 5 ; ECX=0..5
ja loc_56C11C7
mov edi, [ebp+arg_18] ; [EBP+20h]=0
mov [ebp+var_14], edx ; EDX=0xc98c938
mov [ebp+var_8], ebx ; EBX=0
mov ebx, eax ; EAX=0xcdfe554
mov [ebp+var_C], esi ; ESI=0xcdfe248


loc_2CE110D: ; CODE XREF: kqvrow+29E00E6
mov edx, ds:off_628B09C[ecx4] ; [ECX4+628B09Ch]=0x2ce1116, 0x2ce11ac, 0x2ce11db⤦
Ç, 0x2ce11f6, 0x2ce1236, 0x2ce127a
jmp edx ; EDX=0x2ce1116, 0x2ce11ac, 0x2ce11db, 0x2ce11f6, 0x2ce1236,⤦
Ç0x2ce127a


loc_2CE1116: ; DATA XREF: .rdata:off_628B09C


^3 yurichev.com
