Reversing : The Hacker's Guide to Reverse Engineering

One interesting thing about the data structure is the way it is accessed—
using two different registers. Essentially, the function keeps two pointers into
the data structure, EAX and ECX. EAX holds the original value passed through
the first parameter, and ECX holds the address of EAX + 4. Some members are
accessed using EAX and others via ECX.
Here’s what the preceding code does, step by step.


  1. Sets the first member of the structure to zero (using EDX). The structure
    is accessed via EAX.

  2. Sets the third member of the structure to the address of the second
    member of the structure (this is the value stored in ECX: EAX + 4). This
    time the structure is accessed through ECX instead of EAX.

  3. Sets the second member to the same address (the one stored in ECX).

  4. Sets the fourth member to the same address (the one stored in ECX).


If you were to translate the snippet into C, it would look something like the
following code:

UnknownStruct->Member1 = 0;
UnknownStruct->Member3 = &UnknownStruct->Member2;
UnknownStruct->Member2 = &UnknownStruct->Member2;
UnknownStruct->Member4 = &UnknownStruct->Member2;

At first glance this doesn’t really tell us much about our structure, except that
members 2, 3, and 4 (at offsets +4, +8, and +c) are all pointers. The last three
members are initialized in a somewhat unusual fashion: they are all being
initialized to point to the address of the second member. What could that possibly
mean? Essentially it tells you that each of these members is a pointer to a group
of three pointers (because that’s what is pointed to by UnknownStruct->
Member2—a group of three pointers). The slightly confusing element here is the
fact that this structure is pointing to itself, but this is most likely just a
placeholder. If I had to guess I’d say these members will later be modified to point to
other places.
Let’s proceed to the next four lines in the disassembled function.

7C921A50 MOV ECX,DWORD PTR SS:[EBP+C]
7C921A53 MOV DWORD PTR DS:[EAX+18],ECX
7C921A56 MOV ECX,DWORD PTR SS:[EBP+10]
7C921A59 MOV DWORD PTR DS:[EAX+1C],ECX

The first two lines copy the value from the second parameter passed into the
function into offset +18 in the present structure (offset +18 is the 7th member).
The second two lines copy the third parameter into offset +1c in the structure
(offset +1c is the 8th member). Converted to C, the preceding code would look
like the following.
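As an added illustration (not code from the book), here is one way to turn the offsets recovered so far into a hypothetical C structure and check that the layout actually reproduces the displacements in the listing. The member names, the pointer-sized fields, and the untouched members 5 and 6 are assumptions; on a 32-bit target the offsets come out as +4, +8, +c, +18 and +1c.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical reconstruction from the displacements in the disassembly.
 * Members 5 and 6 (+10, +14) are not touched by the code shown, so their
 * purpose is unknown. All fields are pointer-sized so the layout scales. */
typedef struct UnknownStruct {
    uintptr_t Member1;   /* +0  set to zero (EDX)            */
    uintptr_t Member2;   /* +4  points to itself (via ECX)   */
    uintptr_t Member3;   /* +8  points to Member2            */
    uintptr_t Member4;   /* +c  points to Member2            */
    uintptr_t Member5;   /* +10 not touched in this listing  */
    uintptr_t Member6;   /* +14 not touched in this listing  */
    uintptr_t Member7;   /* +18 copy of the second parameter */
    uintptr_t Member8;   /* +1c copy of the third parameter  */
} UnknownStruct;

/* C rendering of the eight instructions discussed: EAX is the first
 * parameter (the structure), ECX starts as EAX + 4, then is reused to
 * shuttle the second and third parameters into members 7 and 8. */
void init_unknown_struct(UnknownStruct *s, uintptr_t param2, uintptr_t param3)
{
    uintptr_t *member2 = &s->Member2;   /* the ECX value: EAX + 4 */
    s->Member1 = 0;
    s->Member3 = (uintptr_t)member2;
    s->Member2 = (uintptr_t)member2;
    s->Member4 = (uintptr_t)member2;
    s->Member7 = param2;
    s->Member8 = param3;
}

/* 1 when the field offsets match the listing's displacements, scaled by
 * the word size (so +18 and +1c are indeed the 7th and 8th members). */
int layout_matches_listing(void)
{
    size_t w = sizeof(uintptr_t);
    return offsetof(UnknownStruct, Member2) == 1 * w
        && offsetof(UnknownStruct, Member3) == 2 * w
        && offsetof(UnknownStruct, Member4) == 3 * w
        && offsetof(UnknownStruct, Member7) == 6 * w
        && offsetof(UnknownStruct, Member8) == 7 * w;
}

/* 1 when members 2-4 all hold the address of Member2 after initialization
 * and the two parameters landed in members 7 and 8 (constructed values). */
int init_matches_listing(void)
{
    UnknownStruct s;
    init_unknown_struct(&s, 0x1111, 0x2222);
    uintptr_t self = (uintptr_t)&s.Member2;
    return s.Member1 == 0 && s.Member2 == self && s.Member3 == self
        && s.Member4 == self && s.Member7 == 0x1111 && s.Member8 == 0x2222;
}
```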

150 Chapter 5
