Page 1 of 3 123 LastLast
Results 1 to 15 of 31

Thread: Opaque arguments

Hybrid View

  1. #1
    Registered User
    Join Date
    Mar 2008
    Location
    india
    Posts
    84

    Opaque arguments

    This request is related to the Stack frame.
    It is in continuation to my endeavor to acquire at least a basic level of that elusive reverenced skill aka reversing.

    #include<stdio.h>
    int test (int h)
    {
    if (h==3)
    {
    return 1;
    }}

    void main (int argc, char *argv [] )
    {
    int j, i=3;

    j=test (i); //-------> Line 12

    }

    Code:
    “When a function is called, its arguments are pushed on the stack.”
    A function is called from line-12 and the argument (int h) is pushed on the stack frame (please correct me !). Then EBP value is saved on the stack (Seen in asm as PUSH EBP)...Return address is saved on the stack. So,EBP+4 is the return address.

    Now, EBP is given a new value . Then, ESP makes room to accommodate local variable (i and j).
    In the Assembly below, it can be seen that an 8-byte space is allotted for the two local variables present,

    00401220 > $ 55 PUSH EBP
    00401221 . 89E5 MOV EBP, ESP
    00401223 . 83EC 08 SUB ESP, 8

    00401226 . C70424 010000> MOV DWORD PTR SS: [ESP], 1
    0040122D . FF15 D0504000 CALL DWORD PTR DS:[<&msvcrt.__set_app_type>] ; msvcrt.__set_app_type
    00401233 . E8 C8FEFFFF CALL Return.00401100

    What i fail to see in asm is the:
    (1) Code that pushed the arguments to the stack Frame and the
    (2) Instruction that saved the return address on the stack frame.

    It may be right there gawping at my blindness, but right now iam opaque.
    The executable is attached for your helpful glance if ever needed.

    Regards…
    Attached Files Attached Files
    Last edited by jackall; June 22nd, 2008 at 04:10.

  2. #2
    You have been fooled by the compiler .
    The function you are looking at isn't main(), but a compiler-generated entry-point that is supposed to act transparently to your program. If you step into that call at 0x401233 (and most probably through a fair amount of further auto-generated initialisation code) you'll eventually find your way to main().

    This is one of the 'problems' of C++, from a reverser's perspective. Behind the scenes, quite a lot goes on that we aren't told about. The more of these optional compiler features we use, the more abstracted our code becomes, often to the point where you'd need to trace through thousands of program-prolog instructions before encountering anything familiar. Assuming you're using something like Visual C++, there is a very delicate balance of compiler and linker settings you can enforce that will produce a clean, naked program, but this is increasingly difficult to pull off, especially when using anything more than a minimal set of libraries and language extensions.

    What I find to be the best approach when trying to analyse compiler-generated code is to prepend your function with something unique, such as a call to IsDebuggerPresent(), which you can set a breakpoint on in Olly and hit run, ensuring that you know where you'll land when it breaks.

  3. #3
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Another suggestion to find your own code inside the code woods: Instead of using such a plain constant such as h=3; or (h==3 for testing), make h something much more interesting and distinctive, like h = 1122332211 or h = 0xDEAD. Then search for the numeric constant inside the decompilation. Your code should be around it. . .

  4. #4
    ant
    Guest
    Code:
    What i fail to see in asm is the:
    (1) Code that pushed the arguments to the stack Frame and the 
    (2) Instruction that saved the return address on the stack frame.
    question is understandable but not the answers .
    a little simplification can help and may be of some use to the newbies to whome it is meant for !
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Quote Originally Posted by ant View Post
    question is understandable but not the answers .
    a little simplification can help and may be of some use to the newbies to whom it is meant for !
    A simpler answer for our arthropod friend: Jackall is looking for the code he wrote, and he is not finding it because he is looking in the wrong place.

    From IDA disassembly,

    Code:
    .text:00401290 ; =============== S U B R O U T I N E =======================================
    .text:00401290
    .text:00401290 ; Attributes: bp-based frame
    .text:00401290
    .text:00401290 sub_401290      proc near               ; CODE XREF: _main+37p
    .text:00401290
    .text:00401290 var_4           = dword ptr -4            ; This is an internal bool variable, lets call it answer
    .text:00401290 arg_0           = dword ptr  8            ; This is the parameter (argument) h
    .text:00401290
    .text:00401290                 push    ebp
    .text:00401291                 mov     ebp, esp
    .text:00401293                 sub     esp, 4
    .text:00401296                 cmp     [ebp+arg_0], 3     ; if h==3
    .text:0040129A                 jnz     short loc_4012A5
    .text:0040129C                 mov     [ebp+var_4], 1     ; answer = true
    .text:004012A3                 jmp     short loc_4012AC
    .text:004012A5 ; ---------------------------------------------------------------------------
    .text:004012A5
    .text:004012A5 loc_4012A5:                             ; CODE XREF: sub_401290+Aj
    .text:004012A5                 mov     [ebp+var_4], 0     ;else answer = false
    .text:004012AC
    .text:004012AC loc_4012AC:                             ; CODE XREF: sub_401290+13j
    .text:004012AC                 mov     eax, [ebp+var_4]   ; store answer in eax
    .text:004012AF                 leave
    .text:004012B0                 retn         ; Return the bool answer stored in eax
    .text:004012B0 sub_401290      endp
    .text:004012B0
    .text:004012B1
    .text:004012B1 ; =============== S U B R O U T I N E =======================================
    .text:004012B1
    This is the place where the function:
    Code:
    int test (int h);
    code resides.

    Looking at the place where this function gets called:
    Code:
    .text:004012B1 ; =============== S U B R O U T I N E =======================================
    .text:004012B1
    .text:004012B1 ; Attributes: bp-based frame
    .text:004012B1
    .text:004012B1 ; int __cdecl main(int argc, const char **argv, const char *envp)
    .text:004012B1 _main           proc near               ; CODE XREF: ___mingw_CRTStartup+E2p
    .text:004012B1
    .text:004012B1 var_18          = dword ptr -18h
    .text:004012B1 var_14          = dword ptr -14h
    .text:004012B1 var_C           = dword ptr -0Ch
    .text:004012B1 var_8           = dword ptr -8
    .text:004012B1 var_4           = dword ptr -4
    .text:004012B1 argc            = dword ptr  8
    .text:004012B1 argv            = dword ptr  0Ch
    .text:004012B1 envp            = dword ptr  10h
    .text:004012B1
    .text:004012B1                 push    ebp
    .text:004012B2                 mov     ebp, esp
    .text:004012B4                 sub     esp, 18h
    .text:004012B7                 and     esp, 0FFFFFFF0h
    .text:004012BA                 mov     eax, 0
    .text:004012BF                 add     eax, 0Fh
    .text:004012C2                 add     eax, 0Fh
    .text:004012C5                 shr     eax, 4
    .text:004012C8                 shl     eax, 4
    .text:004012CB                 mov     [ebp+var_C], eax
    .text:004012CE                 mov     eax, [ebp+var_C]
    .text:004012D1                 call    ___chkstk
    .text:004012D6                 call    ___main
    .text:004012DB                 mov     [ebp+var_8], 3          i = 3
    .text:004012E2                 mov     eax, [ebp+var_8]     ; now i gets moved to eax
    .text:004012E5                 mov     [esp+18h+var_18], eax  ;now eax gets loaded into the stack, there is no push of a parameter
    .text:004012E8                 call    sub_401290     ; call test(i) 
    .text:004012ED                 mov     [ebp+var_4], eax ; the answer returned in eax is stored in j
    .text:004012F0                 cmp     [ebp+var_4], 1 ; is j== true ?
    .text:004012F4                 jnz     short loc_401309
    .text:004012F6                 mov     eax, [ebp+var_4]  ;weird stuff
    .text:004012F9                 mov     [esp+18h+var_14], eax ;weird stuff
    .text:004012FD                 mov     [esp+18h+var_18], offset aValueOfJD ; "value of j=%d"
    .text:00401304                 call    printf
    .text:00401309
    .text:00401309 loc_401309:                             ; CODE XREF: _main+43j
    .text:00401309                 call    getchar
    .text:0040130E                 leave
    .text:0040130F                 retn
    .text:0040130F _main           endp

    The calling convention is not typical, quite convoluted. Indeed there is no push into the stack.
    What compiler are you using?

  6. #6
    ant
    Guest
    You guys are really talented ~~ envy u

    There are 10 entries at 00401290 as given by u.
    =============== S U B R O U T I N E ====================
    .text:00401290
    .text:00401290 ; Attributes: bp-based frame
    .text:00401290
    .text:00401290 sub_401290 proc near ; CODE XREF: _main+37p
    .text:00401290
    .text:00401290 var_4 = dword ptr -4 ; This is an internal bool variable, lets call it answer
    .text:00401290 arg_0 = dword ptr 8 ; This is the parameter (argument) h
    .text:00401290

    I use Ollydebugger. there I don’t see the info u have given. And ther’s just one at

    00401290 /$ 55 PUSH EBP
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,128
    Blog Entries
    5
    ant, that's IDA output convention. Many lines, even comments and spacing, may appear to have an "address" associated with them in IDA disassembly, but they all refer to only 1 instruction.

  8. #8
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Jackall: For the kind of learning you are currently doing, I suggest:
    Get yourself an old, "classical" compiler like borland's C++ 5.0 and/or an old version of visualstudio.

    Find a copy of Hacker Disassembling Uncovered 2nd edition by Kris Kaspersky. He explains this stuff in excruciating detail.

  9. #9
    Registered User
    Join Date
    Mar 2008
    Location
    india
    Posts
    84
    Admiral, the info you have provided is an eye opener.
    Code:
    You have been fooled by the compiler.The function you are looking at isn't 
    main(), but a compiler-generated entry-point that is supposed to act 
    transparently to your program. If you step into that call at 0x401233 (and most
    probably through a fair amount of further auto-generated initialisation code)
    you'll eventually find your way to main ().
    Yes ! I stepped into that call: 00401233 which brought me here:

    00401100 $ 55 PUSH EBP
    00401101 . 89E5 MOV EBP, ESP
    00401103 . 53 PUSH EBX
    00401104 . 83EC 24 SUB ESP, 24
    00401107 . 8D5D F8 LEA EBX, DWORD PTR SS: [EBP-8]
    0040110A . C70424 001040> MOV DWORD PTR SS: [ESP], Return.00401000

    Here i face another paradox.
    i need to ask you if this is place iam looking for i.e. the main () function.

    If this is The main (), i need just 2-more points for clarification. i will not bother you again in this context.
    It is a promise. In the same breadth, let me remind you….that...
    “Promises are made to be broken and lies are meant to be kept “

    Well...
    (1). SUB ESP, 24
    Here, a 24 byte of space is allotted for local variables. Why? i have declared just 2-variables (i and j) which need only 8-bytes.

    (2). LEA EBX, DWORD PTR SS: [EBP-8]
    [EBP-8] represent the argument on the stack related to the line :
    int test (int h) {

    (3). [EBP-4] could be return address similarly ……

    i said just 2-points , so 'am not beyond that...

  10. #10
    Registered User
    Join Date
    Mar 2008
    Location
    india
    Posts
    84
    Code:
    that's IDA output convention. Many lines, even comments and spacing, may appear 
    to have an "address" associated with them in IDA disassembly, but they all refer 
    to only 1 instruction.
    Thank you ..Kayaker

  11. #11
    ant
    Guest
    naides,

    answer was difficult to understand but the explanation that followed was head spinning.

    I give up struggling...dead and out.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  12. #12
    Master Of Nebulah Frost Polaris's Avatar
    Join Date
    Jun 2002
    Location
    Invincible Cyclones Of FrostWinds
    Posts
    221
    @@Naides:

    That code is rather typical output for MinGW:

    .text:004012B1
    .text:004012B1 ; int __cdecl main(int argc, const char **argv, const char *envp)
    .text:004012B1 _main proc near ; CODE XREF: ___mingw_CRTStartup+E2p
    .text:004012B1
    MinGW has calculated the overall stack needs for the procedure, and moves arguments in the right place instead than pushing them. If I am not mistaken, this behaviour should be a speed optimization.

    @@Jackall: [edit ] as naides already pointed out [/edit ] I would say that the code generated by this compiler is definetely not the best for a beginner to start with. I suggest that for your next tests you use VC instead: you can get the VC++ Express for free, which is also pretty good for non-commercial coding.

    Get it here:

    http://www.microsoft.com/express/vc/
    Keep up the study
    Stand In The Fog With So Cold A Heart... Watching The Death Of The Sun...

  13. #13
    ant
    Guest
    Is it advisable to use IDA Pro disassembler by a beginner ?????
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  14. #14
    You gotta start somewhere.

    Why not IDA.

    Woodmann

  15. #15
    Quote Originally Posted by ant View Post
    Is it advisable to use IDA Pro disassembler by a beginner ?????
    if with hexray plugin

Similar Threads

  1. Dumping function arguments
    By xml in forum OllyDbg Support Forums
    Replies: 6
    Last Post: December 22nd, 2005, 08:57
  2. Log function arguments on __vbaStrCmp
    By Teerayoot in forum OllyDbg Support Forums
    Replies: 9
    Last Post: July 23rd, 2003, 14:04
  3. arguments
    By Anonymous in forum Bugs
    Replies: 7
    Last Post: May 13th, 2003, 00:16
  4. [Tip] Log all API calls and arguments
    By Wayne in forum OllyDbg Support Forums
    Replies: 1
    Last Post: November 15th, 2002, 04:20
  5. ida function arguments
    By noone in forum Tools of Our Trade (TOT) Messageboard
    Replies: 0
    Last Post: May 5th, 2001, 18:15

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •