Monday, April 21, 2008

RE: NTDebugging Puzzler 0x00000003 (Matrix Edition) Some assembly required

So the Microsoft Advanced Windows Debugging and Troubleshooting blog put out a puzzler based on reverse engineering assembler into something meaningful, say C/C++. I took a look at the assembly listing and decided it would be a fun break from work to decompile that into something. About 30 minutes later I wound up with some source that compiles down to nearly the same listing as theirs.

Phew, I've still got it! It took me some time monkeying around with the order of the local variables to get the same space added for the locals as in their example. Other than that it was pretty straight forward.
puzzler3.cpp
#include <stdlib.h>
#include <string.h>

/** Sort an input string's characters in descending order
*
*/
// puzzler3!myfun [c:\source\puzzler\puzzler3\puzzler3\puzzler3.cpp @ 20]:
void myfun(char* arg0)
// 20 00cc1480 55 push ebp
// 20 00cc1481 8bec mov ebp,esp
// 20 00cc1483 81ecf0000000 sub esp,0F0h
// 20 00cc1489 53 push ebx
// 20 00cc148a 56 push esi
// 20 00cc148b 57 push edi
{
//union { // [ebp-0F0h]
//   struct {
    size_t arg0_len;       // [ebp-08h]
//    unsigned int pad0;    // [ebp-0Ch]
//    unsigned int pad1;    // [ebp-10h]
    size_t ii;             // [ebp-14h]
//    unsigned int pad2;    // [ebp-18h]
//    unsigned int pad3;    // [ebp-1Ch]
    size_t len_temp;      // [ebp-20h]
//    unsigned int pad4;    // [ebp-24h]
//    unsigned int pad5;    // [ebp-28h]
    char x;                // [ebp-29h]
//   };
//   unsigned char local_variables[240];
//}; // local variables

// //set local variables to unusual values for buffer checking
//memset(local_variables,
//   0xCCCCCCCCU,
//   sizeof(local0)/sizeof(unsigned int)
//);  // 20 00cc148c 8dbd10ffffff lea edi,[ebp-0F0h]
  // 20 00cc1492 b93c000000 mov ecx,3Ch
  // 20 00cc1497 b8cccccccc mov eax,0CCCCCCCCh
  // 20 00cc149c f3ab rep stos dword ptr es:[edi]

len_temp = strlen(arg0); // 26 00cc149e 8b4508 mov eax,dword ptr [ebp+8]
  // 26 00cc14a1 50 push eax
  // 26 00cc14a2 e803fcffff call puzzler3!ILT+165(_strlen) (00cc10aa)
  // 26 00cc14a7 83c404 add esp,4
  // 26 00cc14aa 8945e0 mov dword ptr [ebp-20h],eax
  // 28 00cc14ad 8b45e0 mov eax,dword ptr [ebp-20h]
  // 28 00cc14b0 8945f8 mov dword ptr [ebp-8],eax

for(arg0_len = len_temp; arg0_len > 0; arg0_len--)
  // 28 00cc14b5 8b45f8 mov eax,dword ptr [ebp-8]
  // 28 00cc14b8 83e801 sub eax,1
  // 28 00cc14bb 8945f8 mov dword ptr [ebp-8],eax
  // 28 00cc14b3 eb09 jmp puzzler3!myfun+0x3e (00cc14be)
  // 28 00cc14be 837df800 cmp dword ptr [ebp-8],0
  // 28 00cc14c2 7e60 jle puzzler3!myfun+0xa4 (00cc1524)
{
  // 30 00cc14c4 c745ec00000000 mov dword ptr [ebp-14h],0
  // 30 00cc14cb eb09 jmp puzzler3!myfun+0x56 (00cc14d6)
  for(ii = 0; ii < (arg0_len - 1); ii++)
    // 30 00cc14cd 8b45ec mov eax,dword ptr [ebp-14h]
    // 30 00cc14d0 83c001 add eax,1
    // 30 00cc14d3 8945ec mov dword ptr [ebp-14h],eax

    // 30 00cc14d6 8b45f8 mov eax,dword ptr [ebp-8]
    // 30 00cc14d9 83e801 sub eax,1
    // 30 00cc14dc 3945ec cmp dword ptr [ebp-14h],eax
    // 30 00cc14df 7d41 jge puzzler3!myfun+0xa2 (00cc1522)
  {
    //char temp0 = arg0[ii]; // 32 00cc14e1 8b4508 mov eax,dword ptr [ebp+8]
                    // 32 00cc14e4 0345ec add eax,dword ptr [ebp-14h]
                    // 32 00cc14e7 0fbe08 movsx ecx,byte ptr [eax]
    //char temp1 = arg0[ii + 1]; // 32 00cc14ea 8b5508 mov edx,dword ptr [ebp+8]
                      // 32 00cc14ed 0355ec add edx,dword ptr [ebp-14h]
                      // 32 00cc14f0 0fbe4201 movsx eax,byte ptr [edx+1]


    // 32 00cc14f4 3bc8 cmp ecx,eax
    // 32 00cc14f6 7e28 jle puzzler3!myfun+0xa0 (00cc1520)
    if(arg0[ii + 1] > arg0[ii])
    {
       x = arg0[ii]; // 34 00cc14f8 8b4508 mov eax,dword ptr [ebp+8]
                // 34 00cc14fb 0345ec add eax,dword ptr [ebp-14h]
                // 34 00cc14fe 8a08 mov cl,byte ptr [eax]
                // 34 00cc1500 884dd7 mov byte ptr [ebp-29h],cl
            
       arg0[ii] = arg0[ii+1]; // 35 00cc1503 8b4508 mov eax,dword ptr [ebp+8]
                      // 35 00cc1506 0345ec add eax,dword ptr [ebp-14h]
                      // 35 00cc1509 8b4d08 mov ecx,dword ptr [ebp+8]
                      // 35 00cc150c 034dec add ecx,dword ptr [ebp-14h]
                      // 35 00cc150f 8a5101 mov dl,byte ptr [ecx+1]
                      // 35 00cc1512 8810 mov byte ptr [eax],dl
       arg0[ii+1] = x; // 36 00cc1514 8b4508 mov eax,dword ptr [ebp+8]
                  // 36 00cc1517 0345ec add eax,dword ptr [ebp-14h]
                  // 36 00cc151a 8a4dd7 mov cl,byte ptr [ebp-29h]
                  // 36 00cc151d 884801 mov byte ptr [eax+1],cl
    }
  } // 38 00cc1520 ebab jmp puzzler3!myfun+0x4d (00cc14cd)
} // 40 00cc1522 eb91 jmp puzzler3!myfun+0x35 (00cc14b5)

// return and ensure our stack is still correct
return; // 41 00cc1524 5f pop edi
    // 41 00cc1525 5e pop esi
    // 41 00cc1526 5b pop ebx
    // 41 00cc1527 81c4f0000000 add esp,0F0h
    // 41 00cc152d 3bec cmp ebp,esp
    // 41 00cc152f e820fcffff call puzzler3!ILT+335(__RTC_CheckEsp) (00cc1154)
    // 41 00cc1534 8be5 mov esp,ebp
    // 41 00cc1536 5d pop ebp
    // 41 00cc1537 c3 ret
}

puzzler3_driver.cpp
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

void myfun(char *arg0);

int main(int argc, char* argv[])
{
char *test = NULL;

test = (char *)calloc(strlen(argv[0]) + 1, sizeof(char));
strcpy(test, argv[0]);

printf("%s\n", test);
myfun(test);
printf("%s\n", test);

return 0;
}

You'll need an MSVC compiler, probably circa VS2k5 or later, with /Od /GS /RTC1 /FA /Fa"bin\\" to get a listing that'll look like their listing.
Posted by Christopher at 4/21/2008 03:08:00 PM
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)