binary-auditing RCE (reverse code engineering) exercise
As part of learning reverse engineering and enhancing my RCE skills, I was going through the binary-auditing tutorials. This is manual decompilation exercise 7.

Problem: this is the code to be analysed (IDA listing of sub_408100; the leading numbers are IDA's stack-pointer deltas):

sub_408100 proc near
000 push ebx
004 push esi
008 xor ebx, ebx
008 mov [eax], ebx
008 mov ebx, ecx
008 dec ebx
008 test ebx, ebx
008 jl short loc_408135
008 inc ebx
loc_40810E:
008 mov ecx, [eax]
008 shl ecx, 4
008 movzx esi, byte ptr [edx]
008 add ecx, esi
008 mov [eax], ecx
008 mov ecx, [eax]
008 and ecx, 0F0000000h
008 test ecx, ecx
008 jz short loc_40812D
008 mov esi, ecx
008 shr esi, 18h
008 xor [eax], esi
loc_40812D:
008 not ecx
008 and [eax], ecx
008 inc edx
008 dec ebx
008 jnz short loc_40810E
loc_408135:
008 pop esi
004 pop ebx
000 retn
sub_408100 endp
And here is the solution, written as C with the register each variable came from noted in the comments (eax is a pointer to the output value, edx points at the input bytes, ecx is the byte count):

void sub_408100(unsigned int *hash /* eax */, const unsigned char *data /* edx */, int count /* ecx */)
{
    unsigned int h, g;            /* ecx inside the loop */
    *hash = 0;                    /* xor ebx, ebx ; mov [eax], ebx */
    if (count - 1 < 0)            /* dec ebx ; test ebx, ebx ; jl loc_408135 */
        return;
    do {                          /* loc_40810E: runs count times (inc ebx restores ebx = ecx) */
        h = *hash;                /* mov ecx, [eax] */
        h = h << 4;               /* shl ecx, 4 : multiply by 16 */
        h = h + *data;            /* movzx esi, byte ptr [edx] ; add ecx, esi */
        *hash = h;                /* mov [eax], ecx */
        g = *hash & 0xF0000000;   /* mov ecx, [eax] ; and ecx, 0F0000000h */
        if (g != 0)               /* test ecx, ecx ; jz loc_40812D */
            *hash ^= g >> 24;     /* shr esi, 18h shifts right by 0x18 = 24 bits (not a division by 24) */
        *hash &= ~g;              /* not ecx is a bitwise NOT, not logical negation ; and [eax], ecx */
        data++;                   /* inc edx */
    } while (--count != 0);       /* dec ebx ; jnz loc_40810E */
}
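The routine this listing recovers is the System V ELF symbol hash (the PJW hash), which is worth recognising during an audit because it tells you the loop is a table-lookup aid and not anything cryptographic. As an added example, not part of the original post or of the binary-auditing course material, the C below renders the listing faithfully, checks it against a reference elf_hash over every prefix of a constructed sample string, confirms the top nibble is always cleared, and for contrast includes a misreading that treats shr esi, 18h as a division by 24 and not ecx as logical negation, so the divergence is visible on real input. The function names, the register-to-argument mapping in the comments (eax output pointer, edx data pointer, ecx count, as read from the listing) and the sample inputs are mine.

```c
/* Added example (not part of the original post): C rendering of the
 * sub_408100 listing, checked against the SysV ELF hash it matches and
 * against a misreading of two instructions. Function names are mine. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Faithful translation of sub_408100.
 * In the listing: eax -> output hash, edx -> input bytes, ecx = byte count. */
uint32_t sub_408100_c(const unsigned char *data, int32_t len)
{
    uint32_t h = 0;                 /* xor ebx,ebx ; mov [eax],ebx */
    if (len - 1 < 0)                /* dec ebx ; test ebx,ebx ; jl */
        return h;
    do {
        h = (h << 4) + *data++;     /* shl ecx,4 ; movzx esi,[edx] ; add ; inc edx */
        uint32_t g = h & 0xF0000000u;
        if (g != 0)
            h ^= g >> 24;           /* shr esi,18h : shift by 0x18 = 24 bits */
        h &= ~g;                    /* not ecx ; and [eax],ecx : bitwise NOT */
    } while (--len != 0);           /* dec ebx ; jnz */
    return h;
}

/* Reference: the SysV ELF symbol hash (a PJW hash), NUL-terminated form. */
uint32_t elf_hash(const char *name)
{
    uint32_t h = 0, g;
    while (*name) {
        h = (h << 4) + (unsigned char)*name++;
        if ((g = h & 0xF0000000u) != 0)
            h ^= g >> 24;
        h &= ~g;
    }
    return h;
}

/* Misreading: `shr esi,18h` taken as division by 24 and `not ecx` taken as
 * logical negation. Kept only to show how far the result diverges. */
uint32_t misread_c(const unsigned char *data, int32_t len)
{
    uint32_t h = 0;
    if (len - 1 < 0)
        return h;
    do {
        h = (h << 4) + *data++;
        uint32_t g = h & 0xF0000000u;
        if (g != 0)
            h ^= g / 24;
        h &= !g;
    } while (--len != 0);
    return h;
}

/* Does the faithful translation agree with the reference on every prefix
 * of s (including the empty prefix, which exercises the jl early return)? */
int agrees_with_elf_hash(const char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i <= n; i++) {
        char buf[64];
        if (i >= sizeof buf) return 0;
        memcpy(buf, s, i);
        buf[i] = '\0';
        if (sub_408100_c((const unsigned char *)s, (int32_t)i) != elf_hash(buf))
            return 0;
    }
    return 1;
}

/* Constructed worst case for carries into the top nibble: n bytes of 0xFF.
 * `and [eax], ecx` with ecx = ~g must leave bits 28..31 clear every round. */
int top_nibble_clear_on_ff(int32_t n)
{
    unsigned char buf[256];
    if (n < 0 || (size_t)n > sizeof buf) return 0;
    memset(buf, 0xFF, (size_t)n);
    return (sub_408100_c(buf, n) & 0xF0000000u) == 0;
}

int main(void)
{
    const char *s = "_ZN3foo3barEv";   /* constructed sample input */
    int32_t n = (int32_t)strlen(s);
    printf("sub_408100: %08x  elf_hash: %08x  misread: %08x\n",
           sub_408100_c((const unsigned char *)s, n), elf_hash(s),
           misread_c((const unsigned char *)s, n));
    return 0;
}
```

Compile with any C99 compiler and run; main prints the faithful, reference and misread values for the sample string. The prefix walk in agrees_with_elf_hash is the check I would actually run on a hand decompile: a single matching value can be luck, agreement on every prefix is not.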
Categories: MalwareAnalysis
You have a really interesting blog, keep up posting such informative posts!