Arrays
Files used -> 7-array.c, 7-array.exe, 7-1-array-loop.c, 7-1-array-loop.exe
Starting with the first file (7-array.c), loaded into IDA.
In the disassembly of the main function we first see the prologue setting up the stack frame. After it there is a new term, ‘__security_cookie’. This is a value placed on the stack as a security mechanism: it lets the program check whether the stack frame was tampered with, or something went wrong, during execution. The idea is that the value is saved on the stack right after the prologue, and at the end, when the frame is being torn down, the same value (the stack cookie) should come out again. If it does, execution happened without issue; if the value has changed, that indicates the program was tampered with or some error occurred.
Now we have the stack cookie saved on the stack as var_4.
Next, some values are stored on the stack.
Values → 25, 50, 75, 100 are saved as var_14, var_10, var_c, var_8 respectively.
Then comes an imul instruction with three operands. imul ecx, eax, 0 means ecx → eax * 0.
So imul sets the value in ecx to 0.
Then var_14, i.e. the value 25, is moved and pushed onto the stack.
The print function is called.
add esp, 8 restores the stack after the call.
Now var_4 is loaded back and the same operation is performed on it, i.e. the XOR, to check whether it yields the original value or not.
__security_check_cookie is called to verify the value (the stack cookie).
And then the function returns.
Let's see the source code now.
Another Program
Here, before doing any detailed lookup, an overview already shows three things.
Usage of arrays
A loop (the tail of the last block jumps back to the top/starting block)
A for loop (the increment is done separately, unlike a while loop where the counter increment does not happen as a separate step)
That means we are going to look at arrays and the for loop together.
We see the prologue with the stack cookie.
Values 25, 50, 75, 100 are saved on the stack as var_14, var_10, var_c, var_8 respectively.
var_18 holds the value 0 and acts as the counter, since we already know a for loop is involved.
Two instructions to look at: mov ecx, [ebp+var_18] ; mov edx, [ebp+ecx*4+var_14]
The first instruction moves the value of the counter into ecx. The second one uses ebp, ecx and var_14 to address the other variables.
With ecx=0, the second instruction becomes mov edx, [ebp+0+var_14], which points directly at var_14 (0x14=20).
With ecx=1, the second instruction becomes mov edx, [ebp+4+var_14]. Since the stack grows downwards, var_14 is a negative offset from ebp (ebp-0x14); adding 4 to it moves the address up towards ebp and reduces the offset by that amount, the same way the epilogue restores the stack by adding to esp. With this, the second instruction now points to var_10 (0x10 = 16).
With ecx=2, the second instruction becomes [ebp+8+var_14], and we are now pointing at the variable var_c (0xc = 12).
And when ecx=3, it points at the last variable, var_8 (0x8=8).
So we know that each time the for loop iterates, the value of ecx changes, up to 3, and the variables are printed one after the other. Later, when the counter (var_18) is 4, execution moves to the other block for the epilogue and the stack cookie check.
Lastly, when the stack cookie is verified successfully, the program exits.
Let's see the source code →
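As an added example (not the page's own 7-1-array-loop.c, whose source is not shown here), this C program reproduces the array-plus-for-loop layout just reversed and maps each array index back to the IDA frame variable it lands in, assuming the array base sits at var_14 (ebp-0x14) with 4-byte ints, as in the disassembly above.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed initialiser matching the values the disassembly stores on the
 * stack: 25, 50, 75, 100 (assumption: this mirrors 7-1-array-loop.c). */
static const int VALUES[4] = {25, 50, 75, 100};

/* IDA names a local by its distance below ebp: var_14 is [ebp-0x14].
 * The array base is var_14 and each int is 4 bytes, so element i lives at
 * ebp - 0x14 + i*4, which is exactly the [ebp+ecx*4+var_14] operand. */
#define ARRAY_BASE_OFFSET 0x14
#define ELEMENT_SIZE 4

/* Distance below ebp of element idx, i.e. the number in its var_ name. */
int frame_offset(int idx)
{
    return ARRAY_BASE_OFFSET - idx * ELEMENT_SIZE;
}

/* IDA-style name of the frame slot holding element idx, e.g. "var_10".
 * Uses a static buffer, so the result is valid until the next call. */
const char *frame_var_name(int idx)
{
    static char name[16];
    snprintf(name, sizeof name, "var_%x", frame_offset(idx));
    return name;
}

/* On a real stack array, element idx sits idx*4 bytes above the base: the
 * scaling that the ecx*4 addressing mode performs in the loop body. */
ptrdiff_t element_distance(int idx)
{
    int arr[4];
    memcpy(arr, VALUES, sizeof arr);
    return (char *)&arr[idx] - (char *)&arr[0];
}

/* Mirror of the reversed loop: the counter (var_18) runs 0..3 and the loop
 * block is left once it reaches 4. Returns how many elements were printed. */
int print_array(void)
{
    int arr[4];
    int i;
    memcpy(arr, VALUES, sizeof arr);
    for (i = 0; i < 4; i++)             /* counter compared against 4 */
        printf("%s = %d\n", frame_var_name(i), arr[i]);
    return i;
}

int main(void)
{
    return print_array() == 4 ? 0 : 1;
}
```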