Reverse Engineering Mentoring Lesson 005

Following on from Didier's lessons, I will try to share my experience in reversing.

Didier suggested this exercise in his last comment:

I have complicated it a bit, but I think it will still be easy. If I could do it, everybody can ;) I use Dev-C++ as the IDE, with gcc as the compiler. This detail is important; we will see why later. After compiling our example we open it in IDA Pro 4.9. We press Ctrl+F12 to display the graph of function calls and we get this:



WTF????? We can see calls to functions like malloc, fflush, fprintf, ... that we never used in our program. So what are all those calls? In IDA's Names window, go to start.



Here we have the first function call, __set_app_type. But the really interesting call is sub_401100 (00401233 call sub_401100). If we go back to the graph, we can see that sub_401100 calls other functions, and if we follow the execution path in the graph we reach a final call to sub_401260. Let's see what this function does:

.text:00401260                push    ebp
.text:00401261                mov     ecx, ds:atexit
.text:00401267                mov     ebp, esp
.text:00401269                pop     ebp
.text:0040126A                jmp     ecx
.text:0040126A sub_401260     endp

It seems to be the normal exit. Now that we know the final function, we trace the program statically, walking backwards from the last function to our start function. The previous call comes from sub_4013B0:

.text:004013B0 sub_4013B0     proc near               ; CODE XREF: sub_4012A0+13↑p
.text:004013B0
.text:004013B0 var_8          = dword ptr -8
.text:004013B0
.text:004013B0                push    ebp
.text:004013B1                mov     ebp, esp
.text:004013B3                push    ebx
.text:004013B4                sub     esp, 4
.text:004013B7                mov     eax, ds:dword_404020
.text:004013BC                test    eax, eax
.text:004013BE                jnz     short loc_4013F6
.text:004013C0                mov     eax, ds:dword_4018C0
.text:004013C5                mov     ebx, 1
.text:004013CA                mov     ds:dword_404020, ebx
.text:004013D0                cmp     eax, 0FFFFFFFFh
.text:004013D3                jz      short loc_4013FA
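As an added example (not code from the post), here is a small Python script that does the same backward trace over an IDA-style listing: it collects the CODE XREFs of every call target and walks callers from sub_401260 up to start. The listing is a constructed sample, and the edge from sub_401100 to sub_4012A0 is an assumption that links the fragments shown above.

```python
import re

# Constructed sample in IDA listing style, not the post's own listing; the edge
# sub_401100 -> sub_4012A0 is an assumption that links the page's fragments.
LISTING = """\
.text:00401220 start           proc near
.text:00401233                 call    sub_401100
.text:00401240                 call    ds:__set_app_type
.text:00401100 sub_401100      proc near
.text:00401110                 call    sub_4012A0
.text:004012A0 sub_4012A0      proc near
.text:004012B3                 call    sub_4013B0
.text:004013B0 sub_4013B0      proc near
.text:004013C0                 call    sub_401260
.text:00401260 sub_401260      proc near
.text:0040126A                 jmp     ecx
"""

PROC_RE = re.compile(r"^\.text:[0-9A-F]{8}\s+(\S+)\s+proc\s+near")
CALL_RE = re.compile(r"^\.text:[0-9A-F]{8}\s+call\s+(\S+)")

def build_xrefs(listing):
    """Map each call target to the procs that call it (IDA's CODE XREF view);
    a call is attributed to the most recent 'proc near' header."""
    xrefs, current = {}, None
    for line in listing.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = m.group(1)
        elif current is not None:
            m = CALL_RE.match(line)
            if m:
                xrefs.setdefault(m.group(1), []).append(current)
    return xrefs

def trace_back(xrefs, target, root):
    """Breadth-first walk over callers from target up to root, as the post does
    by hand from the last function to start; returns root -> ... -> target."""
    parent, queue = {target: None}, [target]
    while queue:
        node = queue.pop(0)
        if node == root:
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain
        for caller in xrefs.get(node, []):
            if caller not in parent:
                parent[caller] = node
                queue.append(caller)
    return None
```

Running trace_back(build_xrefs(LISTING), "sub_401260", "start") gives the chain start, sub_401100, sub_4012A0, sub_4013B0, sub_401260, which is the path the post follows in the graph.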