Sometimes such strings are encoded in base64, so it is a good idea to decode them all and scan them visually; even a glance is usually enough.
More precisely, this method of hiding backdoors is called “security through obscurity”.
5.5 Calls to assert()
Sometimes the presence of the assert() macro is useful too: commonly this macro leaves the source file
name, line number and condition in the code.
The most useful information is contained in the assert’s condition: we can deduce variable names or
structure field names from it. Another useful piece of information is the file names, from which we can try to
deduce what type of code is there. It is also possible to recognize well-known open-source libraries by their
file names.
Listing 5.2: Example of informative assert() calls

.text:107D4B29 mov dx, [ecx+42h]
.text:107D4B2D cmp edx, 1
.text:107D4B30 jz short loc_107D4B4A
.text:107D4B32 push 1ECh
.text:107D4B37 push offset aWrite_c ; "write.c"
.text:107D4B3C push offset aTdTd_planarcon ; "td->td_planarconfig == PLANARCONFIG_CON"...
.text:107D4B41 call ds:_assert

.text:107D52CA mov edx, [ebp-4]
.text:107D52CD and edx, 3
.text:107D52D0 test edx, edx
.text:107D52D2 jz short loc_107D52E9
.text:107D52D4 push 58h
.text:107D52D6 push offset aDumpmode_c ; "dumpmode.c"
.text:107D52DB push offset aN30 ; "(n & 3) == 0"
.text:107D52E0 call ds:_assert

.text:107D6759 mov cx, [eax+6]
.text:107D675D cmp ecx, 0Ch
.text:107D6760 jle short loc_107D677A
.text:107D6762 push 2D8h
.text:107D6767 push offset aLzw_c ; "lzw.c"
.text:107D676C push offset aSpLzw_nbitsBit ; "sp->lzw_nbits <= BITS_MAX"
.text:107D6771 call ds:_assert
It is advisable to “google” both the conditions and file names, which can lead us to an open-source library.
For example, if we “google” “sp->lzw_nbits <= BITS_MAX”, this predictably gives us some open-source
code that’s related to the LZW compression.
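The string triage described above (and the base64 decoding mentioned at the end of the previous section) can be automated. The following script is an added example, not code from the book: it pulls printable strings out of a blob, pairs source file names with the assert condition stored next to them, and decodes any base64-looking strings. The sample bytes are constructed to imitate a read-only data section; the first condition string is invented, the other two are the ones from Listing 5.2. The assumption that the condition sits immediately after the file name holds for the constructed sample only; real layouts depend on the compiler.

```python
"""Triage strings from a binary blob: recover assert() file/condition pairs
and decode base64-encoded strings. Added example, not from the book."""
import base64
import re

# Constructed sample data imitating a .rdata section. The first condition is
# made up; the other two are the conditions shown in Listing 5.2. The base64
# string encodes "hello world" and stands in for an obfuscated string.
SAMPLE = (
    b"\x00write.c\x00td->td_nstrips > 0\x00"
    b"dumpmode.c\x00(n & 3) == 0\x00"
    b"lzw.c\x00sp->lzw_nbits <= BITS_MAX\x00"
    b"aGVsbG8gd29ybGQ=\x00"
    b"\x01\x02garbage\xff\x00"
)

STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")          # printable ASCII runs, 4+ chars
SOURCE_FILE_RE = re.compile(r"^[\w./-]+\.(c|cpp|cc|h|hpp)$")
CONDITION_RE = re.compile(r"(==|!=|<=|>=|<|>|&&|\|\|)")  # assert conditions compare things
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def extract_strings(blob: bytes) -> list[str]:
    """Equivalent of running `strings` over the blob."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]


def find_assert_pairs(strings: list[str]) -> list[tuple[str, str]]:
    """Pair each source file name with a condition-looking string beside it.
    Assumption: the condition directly follows the file name (checked first),
    with the preceding string as a fallback."""
    pairs = []
    for i, s in enumerate(strings):
        if not SOURCE_FILE_RE.match(s):
            continue
        neighbours = strings[i + 1:i + 2] + strings[max(0, i - 1):i]
        for candidate in neighbours:
            if CONDITION_RE.search(candidate):
                pairs.append((s, candidate))
                break
    return pairs


def decode_base64_strings(strings: list[str]) -> list[tuple[str, str]]:
    """Return (encoded, decoded) for strings that decode to printable ASCII."""
    decoded = []
    for s in strings:
        if not BASE64_RE.match(s) or len(s) % 4:
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if raw.isascii() and raw.decode("ascii").isprintable():
            decoded.append((s, raw.decode("ascii")))
    return decoded


def triage(blob: bytes) -> dict:
    strings = extract_strings(blob)
    return {
        "asserts": find_assert_pairs(strings),
        "base64": decode_base64_strings(strings),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE).items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

Each recovered (file, condition) pair is a ready-made search query of the kind the text recommends; the decoded base64 list is what you would skim by eye.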
5.6 Constants
Humans, including programmers, often use round numbers like 10, 100, 1000, in real life as well as in the
code.
The practicing reverse engineer usually knows them well in hexadecimal representation: 10=0xA, 100=0x64,
1000=0x3E8, 10000=0x2710.
The constants 0xAAAAAAAA (0b10101010101010101010101010101010) and
0x55555555 (0b01010101010101010101010101010101) are also popular—those are composed of alternating bits.
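The two families of constants mentioned here, round decimal numbers and alternating-bit patterns, can be recognised mechanically when an immediate is seen in disassembly. The following classifier is an added example, not from the book; the alternating-bit test generalises the two 32-bit constants above to any bit width by checking that every adjacent pair of bits differs.

```python
"""Classify an immediate operand seen in disassembly. Added example, not from the book."""


def is_power_of_ten(x: int) -> bool:
    """True for 10, 100, 1000, ... (the round numbers humans like)."""
    if x < 10:
        return False
    while x % 10 == 0:
        x //= 10
    return x == 1


def is_alternating_bits(x: int, width: int = 32) -> bool:
    """True when every adjacent pair of bits differs across the full width,
    i.e. 0x5555...5 or 0xAAAA...A for that width."""
    mask = (1 << width) - 1
    x &= mask
    pair_mask = mask >> 1                      # one bit per adjacent pair
    return (x ^ (x >> 1)) & pair_mask == pair_mask


def describe_constant(x: int, width: int = 32) -> list[str]:
    """Return human-readable tags for a constant; empty list if nothing stands out."""
    tags = []
    mask = (1 << width) - 1
    x &= mask
    if is_power_of_ten(x):
        tags.append(f"power of ten: 10**{len(str(x)) - 1}")
    if is_alternating_bits(x, width):
        tags.append("alternating bits")
    if x == mask:
        tags.append("all ones (-1 or full mask)")
    if x and x & (x - 1) == 0:
        tags.append(f"power of two: 1<<{x.bit_length() - 1}")
    return tags


if __name__ == "__main__":
    for imm in (0xA, 0x64, 0x3E8, 0x2710, 0xAAAAAAAA, 0x55555555, 0xFFFFFFFF, 0x1000, 0x1234):
        print(f"0x{imm:08X} -> {describe_constant(imm)}")
```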