Strings
Files used -> 8-string.c, 8-string.exe, 8-1-string.c, 8-1-string.exe.
We start by loading the file (8-string.exe) in IDA.
As usual, we have our prologue and stack cookie.
Then we see a dword being moved from memory to eax and then to var_c. The data moved is 6C6C6548h, which is ‘lleH’ in char.
Then a word is moved into var_8 via the cx register (cx is the lower 16 bits/2 bytes). Its value is 6Fh, which is ‘o’ in char.
If we view it in stack form (keeping little endian in mind):
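The same layout as a small C program, added here as an example (it is not the tutorial's source for 8-string.c): it writes the dword and the word byte by byte in little-endian order, as x86 does, and shows that memory then holds "Hello" plus a terminating zero. The 8-byte `frame` array, the 0xCC filler and the assumption that var_8 sits 4 bytes above var_c (IDA names locals by their offset from ebp) are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emulate an x86 (little-endian) store of `size` bytes:
   the least significant byte goes to the lowest address. */
static void store_le(uint8_t *dst, uint32_t value, size_t size)
{
    for (size_t i = 0; i < size; i++)
        dst[i] = (uint8_t)(value >> (8 * i));
}

/* Rebuild the local buffer the way the disassembly does:
   dword 6C6C6548h at var_c, then word 6Fh at var_8.
   Assumption: var_8 is var_c + 4 (ebp-8 vs ebp-0Ch). */
const char *build_stack_string(uint8_t frame[8])
{
    memset(frame, 0xCC, 8);               /* constructed filler bytes   */
    store_le(frame + 0, 0x6C6C6548u, 4);  /* dword stored via eax       */
    store_le(frame + 4, 0x006Fu, 2);      /* word stored via cx         */
    return (const char *)frame;           /* address of var_c (the LEA) */
}

/* Render n bytes as "48 65 ..." so the byte order is visible.
   `out` must hold at least 3 * n + 1 characters. */
void hex_dump(const uint8_t *p, size_t n, char *out)
{
    for (size_t i = 0; i < n; i++)
        sprintf(out + 3 * i, "%02X ", p[i]);
    if (n)
        out[3 * n - 1] = '\0';            /* drop the trailing space */
}

int main(void)
{
    uint8_t frame[8];
    char hex[3 * 8 + 1];
    const char *s = build_stack_string(frame);

    hex_dump(frame, 6, hex);
    printf("bytes from var_c upward: %s\n", hex);
    printf("as a C string          : %s (length %zu)\n", s, strlen(s));
    return 0;
}
```

The word 6Fh is stored as the two bytes 6F 00, so the upper byte of cx supplies the string's null terminator.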
Then we can see that the address of var_c is loaded into edx via LEA, which is used to load pointers/addresses.
This address is passed as an argument to the print function right after it. Later, the stack cookie is checked and the epilogue restores the stack.
Let's look at the source code now.
Another Program-
So far we have been able to identify the print function without its actual name (print) being listed, and since the code was not complicated, that was okay. But what happens when the program uses other built-in functions such as strcpy, strlen, math functions, etc.?
Are we going to look into each and every function call to understand what it does?
For this specific part, we are not going to look into each function apart from C library functions such as printf and scanf.
Let's look at a program -
Here, in the disassembly of main in IDA Free, we can see multiple function calls. I have highlighted 3 of them, which are string functions. But we can't tell what they are even by looking at the disassembly of those functions. However, after each function call, an offset (string) is pushed to be printed by the printf function. If we look at these strings, we can get the idea that the second highlighted function is strcat and the third highlighted function is strlen. But we have no idea about the first highlighted function.
Now, if we look at the same file in IDA Pro-
Here we can see that IDA Pro lets us know what those functions are: strcpy, strcat, strlen.
With IDA we have some limitations. Therefore, we won't/can't dive much into this program.