Reversing: The Hacker's Guide to Reverse Engineering
00401D59 ADD ESP,14
00401D5C TEST EDI,EDI
00401D5E JE cryptex.00401E39
00401D64 MOV ESI,DS:[<&KERNEL32.GetConsoleScreenBu ...
00401DF8 CALL cryptex.00401030
00401DFD ADD ESP,0C
00401E00 MOV EAX,DS:[40504C]
00401E05 LEA EDX,SS:[ESP+44]
00401E09 PUSH EDX
0 ...
00401E9B CALL EBP
00401E9D ADD ESP,4
00401EA0 MOV ECX,4
00401EA5 LEA EDI,SS:[ESP+6C]
00401EA9 LEA ESI,SS:[ESP+5C]
00401EAD XOR E ...
Scanning the File List
The scanning of the file list is performed by calling a function at 004017B0, which goes through a famili ...
index, but not before it multiplies it by 8. This line essentially takes ESI, which was an index to the current file entry, and ...
takes longer for 32-bit processors. By placing this instruction before the loop starts the compiler ensured that the loop won’t ...
00401D3E XORPS XMM0,XMM0
00401D41 MOV EBP,DS:[<&MSVCR71.printf>]
00401D47 PUSH EAX
00401D48 PUSH cryptex.00403308 ; AS ...
The next instruction loads the file name address from [ESP+24] to EAX and proceeds to another unusual instruction called XORPS, wh ...
00401DBC CMP EDI,1
00401DBF MOV EAX,0FFC
00401DC4 JA SHORT cryptex.00401DCB
00401DC6 MOV EAX,DS:[405050]
00401DCB ...
At any giv ...
algorithm and treating the resulting 160-bit hash as the key. The same 160-bit key is hashed again using the MD5 algorithm and t ...
Figure 6.3 The format of a Cryptex file entry.
A Cryptex file list table supports holes, which are unused entries. The file size ...
only be accessed in one or two places. To completely and fully understand the entire file format, you might actually have to rev ...
A software program is only as weak as its weakest link. This is true both from a security standpoint and, to a lesser extent ...
can be defined as having control of the flow of information on a system. This control means that your files stay inside your com ...
Vulnerabilities
A vulnerability is essentially a bug or flaw in a program that compromises the security of the program and usual ...
information it is passed—it must preallocate enough room in the stack for the largest chunk of data it expects to receive. Of co ...
Figure 7.1 A function’s stack, before and after a stack overwrite.
For instance, you know that each time you run a program the s ...
0040107c call Chapter7!strcat (00401190)
00401081 lea eax,[esp+0x10]
00401085 push eax
00401086 call Chapter7!system (004010e7) ...
Now that you understand the dynamics of the stack in this function, it becomes easy to see that only two unique stack addresses ...
compilers treat these functions as intrinsic, meaning that the compiler automatically inserts their implementation into the ca ...