Reversing : The Hacker's Guide to Reverse Engineering
UnknownStruct->Member7 = Param2; UnknownStruct->Member8 = Param3; Let’s proceed to the next section of RtlInitializeGeneri ...
and just count them while doing that. The following is the OllyDbg output for RtlNumberGenericTableElements. RtlNumberGenericTab ...
As hoped, RtlIsGenericTableEmpty seems to be quite simple. The function loads ECX with the value of the first parameter (which sho ...
RtlGetElementGenericTable:
7C9624E0 PUSH EBP
7C9624E1 MOV EBP,ESP
7C9624E3 MOV ECX,DWORD PTR [EBP+8]
7C9624E6 MOV EDX,DWORD PTR ...
7C96253D JNZ SHORT ntdll.7C96253A
7C96253F JMP SHORT ntdll.7C96254E
7C962541 TEST EDX,EDX
7C962543 LEA EAX,DWORD PTR [ECX+4]
7C9 ...
7C9624EC PUSH EBX
7C9624ED PUSH ESI
7C9624EE MOV ESI,DWORD PTR [ECX+10]
7C9624F1 PUSH EDI
7C9624F2 MOV EDI,DWORD PTR [EBP+C]
7C9 ...
The last two instructions in the current chunk perform another check on that same parameter, except that this time the code is u ...
optimized the code by automatically declaring a temporary variable to store the value instead of computing it each time it is ne ...
You know that RtlGetElementGenericTable is returning the value of one of these pointers to the caller, but not before it is in ...
tested in the source code. That’s because the processor needs to know whether to skip code, and high-level languages have a diffe ...
realize that the code that follows these two jumps is only executed if ESI > EBX, because we’ve already tested and conditiona ...
(which is the beginning of the loop) for as long as ESI != 0. What does this loop do? Remember that EAX is the third pointer from ...
(and possibly to other functions that traverse the list) would require as few iterations as possible. This code then proceeds in ...
pointer to the last element found. This loop starts with offset +4. Which element does offset +4 point to? How can you tell? T ...
and EDI contains the distance between the cached element and the element that you’re looking for. Search Loop 4 There is one othe ...
struct TABLE {
    PVOID Unknown1;
    LIST_ENTRY *LLHead;
    LIST_ENTRY *SomeEntry;
    LIST_ENTRY *LastElementFound;
    ULONG LastElementIndex;
    ...
} else {
    // We start at the beginning of the list and move forward:
    ULONG ElementsToGo = AdjustedElementToGet;
    ElementFound = (L ...
It’s quite amazing to think that with a few clever deductions and a solid understanding of assembly language you can convert tho ...
7C924DC0 PUSH EBP
7C924DC1 MOV EBP,ESP
7C924DC3 PUSH EDI
7C924DC4 MOV EDI,DWORD PTR [EBP+8]
7C924DC7 LEA EAX,DWORD PTR [EBP+8]
7 ...
The next two instructions in the function are somewhat interesting.
7C924DC4 MOV EDI,DWORD PTR [EBP+8]
7C924DC7 LEA EAX,DWORD PT ...