Reversing : The Hacker's Guide to Reverse Engineering
example of how information is irretrievably lost during the compilation process. A decompiler would have to employ some kind of ...
Type Analysis Depending on the specific platform for which the executable was created, accurate type information is often not av ...
Once information regarding primitive data types is gathered, it makes a lot of sense to propagate it globally, as discussed earl ...
Take the following code snippet as an example: mov eax, DWORD PTR [esp-4] mov DWORD PTR [eax], 0 mov DWORD PTR [eax+4], 1 mov DW ...
Control Flow Analysis Control flow analysis is the process of converting the unstructured control flow graphs constructed by the ...
Once you have properly identified library calls you can benefit from the fact that you have accurate type information for the ...
the code-analysis stage. All that’s needed here is to determine the suitable language construct and produce the code using the ...
As for the question of what to expect from binary decompilation, I’d summarize by saying binary decompilation is possible—it a ...
This appendix discusses the most common logical and control flow constructs used in high-level languages and demonst ...
reversing, and explain their exact meanings. I begin by going over the process of comparing two operands in assembly language, w ...
Table A.1 (continued) RELATION LEFT RIGHT BETWEEN FLAGS OPERAND OPERAND OPERANDS AFFECTED COMMENTS X< 0 Y< 0 X> Y OF = ...
In looking at Table A.1, the ground rules for identifying the results of signed integer comparisons become clear. Here’s a quick ...
In looking at Table A.2, the ground rules for identifying the results of unsigned integer comparisons become clear, and it’s obv ...
overflow flag (OF). This is because the arithmetic instructions use OF for indicating signed overflows. Table A.3 Signed Condi ...
Table A.3 (continued) SATISFIED MNEMONICS FLAGS WHEN COMMENTS If Less or ZF = 1 OR X<= Y This code is the same Equal (LE) ((O ...
Table A.4 (continued) SATISFIED MNEMONICS FLAGS WHEN COMMENTS If Below or CF = 1 OR ZF = 1 X<= Y This code is the same Equal ...
generate for nearly every function. The particulars of these sequences depend on the specific compiler used and on other issues ...
imported. Locating the IAT is quite easy and can be done with a variety of different tools that dump the module’s PE header an ...
Figure A.1 High-level/low-level view of a single branch conditional sequence. Two-Way Conditionals Another fundamental functiona ...
Figure A.2 High-level/low-level view of a two-way conditional. Notice the unconditional JMP right after the function call. That i ...