Assembly Language for Beginners

(Jeff_L) #1

5.9 Using magic numbers while tracing.


5.9 Using magic numbers while tracing


Often, our main goal is to understand how the program uses a value that has been either read from file
or received via network. The manual tracing of a value is often a very labor-intensive task. One of the
simplest techniques for this (although not 100% reliable) is to use your ownmagic number.


This resembles X-ray computed tomography is some sense: a radiocontrast agent is injected into the
patient’s blood, which is then used to improve the visibility of the patient’s internal structure in to the
X-rays. It is well known how the blood of healthy humans percolates in the kidneys and if the agent is
in the blood, it can be easily seen on tomography, how blood is percolating, and are there any stones or
tumors.


We can take a 32-bit number like0x0badf00d, or someone’s birth date like0x11101979and write this
4-byte number to some point in a file used by the program we investigate.


Then, while tracing this program withtracerincode coveragemode, with the help ofgrepor just by
searching in the text file (of tracing results), we can easily see where the value has been used and how.


Example ofgrepabletracerresults inccmode:


0x150bf66 (_kziaia+0x14), e= 1 [MOV EBX, [EBP+8]] [EBP+8]=0xf59c934
0x150bf69 (_kziaia+0x17), e= 1 [MOV EDX, [69AEB08h]] [69AEB08h]=0
0x150bf6f (_kziaia+0x1d), e= 1 [FS: MOV EAX, [2Ch]]
0x150bf75 (_kziaia+0x23), e= 1 [MOV ECX, [EAX+EDX4]] [EAX+EDX4]=0xf1ac360
0x150bf78 (_kziaia+0x26), e= 1 [MOV [EBP-4], ECX] ECX=0xf1ac360


This can be used for network packets as well. It is important for themagic numberto be unique and not
to be present in the program’s code.


Aside of thetracer, DosBox (MS-DOS emulator) in heavydebug mode is able to write information about all
registers’ states for each executed instruction of the program to a plain text file^24 , so this technique may
be useful for DOS programs as well.


5.10 Loops


Whenever your program works with some kind of file, or buffer of some size, it has to be some kind of
decrypting/processing loop inside of the code.


This is a real example oftracertool output. There was a code which loads some kind of encryted file of
258 bytes. I run it with the intention to get each instruction counts (aDBItool will serve much better
these days). And I quickly found a piece of code, which executed 259/258 times:


...


0x45a6b5 e= 1 [FS: MOV [0], EAX] EAX=0x218fb08
0x45a6bb e= 1 [MOV [EBP-254h], ECX] ECX=0x218fbd8
0x45a6c1 e= 1 [MOV EAX, [EBP-254h]] [EBP-254h]=0x218fbd8
0x45a6c7 e= 1 [CMP [EAX+14h], 0] [EAX+14h]=0x102
0x45a6cb e= 1 [JZ 45A9F2h] ZF=false
0x45a6d1 e= 1 [MOV [EBP-0Dh], 1]
0x45a6d5 e= 1 [XOR ECX, ECX] ECX=0x218fbd8
0x45a6d7 e= 1 [MOV [EBP-14h], CX] CX=0
0x45a6db e= 1 [MOV [EBP-18h], 0]
0x45a6e2 e= 1 [JMP 45A6EDh]
0x45a6e4 e= 258 [MOV EDX, [EBP-18h]] [EBP-18h]=0..5 (248 items skipped) 0xfd..0x101
0x45a6e7 e= 258 [ADD EDX, 1] EDX=0..5 (248 items skipped) 0xfd..0x101
0x45a6ea e= 258 [MOV [EBP-18h], EDX] EDX=1..6 (248 items skipped) 0xfe..0x102
0x45a6ed e= 259 [MOV EAX, [EBP-254h]] [EBP-254h]=0x218fbd8
0x45a6f3 e= 259 [MOV ECX, [EBP-18h]] [EBP-18h]=0..5 (249 items skipped) 0xfe..0x102
0x45a6f6 e= 259 [CMP ECX, [EAX+14h]] ECX=0..5 (249 items skipped) 0xfe..0x102 [EAX+14h]=0x102
0x45a6f9 e= 259 [JNB 45A727h] CF=false,true
0x45a6fb e= 258 [MOV EDX, [EBP-254h]] [EBP-254h]=0x218fbd8
0x45a701 e= 258 [MOV EAX, [EDX+10h]] [EDX+10h]=0x21ee4c8
0x45a704 e= 258 [MOV ECX, [EBP-18h]] [EBP-18h]=0..5 (248 items skipped) 0xfd..0x101
0x45a707 e= 258 [ADD ECX, 1] ECX=0..5 (248 items skipped) 0xfd..0x101
0x45a70a e= 258 [IMUL ECX, ECX, 1Fh] ECX=1..6 (248 items skipped) 0xfe..0x102


(^24) See also my blog post about this DosBox feature:blog.yurichev.com

Free download pdf