
        .stabs  "_Z5doAddii:F(0,18)",36,0,33,__Z5doAddii
        .stabs  "op1:p(0,3)",160,0,33,8
        .stabs  "op2:p(0,3)",160,0,33,12
__Z5doAddii:
        movl    12(%ebp), %eax
        addl    8(%ebp), %eax
        .stabs  "_Z5doSubii:F(0,18)",36,0,34,__Z5doSubii
        .stabs  "op1:p(0,3)",160,0,34,8
        .stabs  "op2:p(0,3)",160,0,34,12
__Z5doSubii:
        .stabn  68,0,34,LM33-__Z5doSubii
        movl    8(%ebp), %eax
        subl    %edx, %eax
        .stabs  "_Z5doMulii:F(0,18)",36,0,35,__Z5doMulii
        .stabs  "op1:p(0,3)",160,0,35,8
        .stabs  "op2:p(0,3)",160,0,35,12
__Z5doMulii:
        .stabn  68,0,35,LM35-__Z5doMulii
        movl    8(%ebp), %eax
        imull   12(%ebp), %eax

The hunt for symbolic information doesn't end with information embedded by debuggers; it continues on to include the most prolific author of such helpful information: the programmer. Recall that in the animated tutorial on reversing Wintel machine code (see Section 4) the key piece of information that led to the solution was the trial limitation message found in the .rdata (read-only) section of the executable. One can imagine that something as simple as having the Password Vault application load the trial limitation message from a file each time it's needed, and immediately clearing it from memory afterwards, would have prevented the placement of a memory breakpoint on the trial message, which was an anchor for the entire tutorial. An alternative to moving the trial limitation message out of the executable would be to encrypt it so that a search of the dump would not turn up any hits; of course, encrypted symbolic information would need to be decrypted before it is used. Encryption of symbolic information, as was discussed
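The two mitigations just described, as an added example that is not part of the original document or of the Password Vault application: the trial-limitation string is held in the executable only in XOR-masked form (the message text and the one-byte mask are constructed for illustration; a real build would use a stronger cipher and key), is decoded into stack memory at the moment it is needed, and is wiped immediately afterwards so that neither a string search of the image nor a memory breakpoint on a static copy has anything to find.

```c
#include <stdio.h>
#include <string.h>

#define TRIAL_MASK 0x5A /* constructed one-byte XOR mask; illustration only */
/* "Trial expired" with each byte XORed against TRIAL_MASK (precomputed
 * offline). Only this masked form is emitted into .rdata, so a string
 * search of the file or of a memory dump does not find the message. */
static const unsigned char kTrialMsgEnc[] = {
    0x0E, 0x28, 0x33, 0x3B, 0x36, 0x7A, 0x3F, 0x22, 0x2A, 0x33, 0x28, 0x3F, 0x3E
};

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
 * wipe as a dead store (a plain memset of never-again-read memory may be). */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Decode the message into caller-owned (stack) storage. Returns the length,
 * or 0 if cap cannot hold the text plus its terminator. */
size_t decode_trial_msg(char *out, size_t cap)
{
    size_t n = sizeof kTrialMsgEnc;
    if (cap < n + 1)
        return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(kTrialMsgEnc[i] ^ TRIAL_MASK);
    out[n] = '\0';
    return n;
}

/* Decode, display and wipe within one scope, so the plaintext exists only
 * while it is on screen and a memory breakpoint on a static copy has nothing
 * to watch. Returns 1 if the buffer was zeroed afterwards, 0 on failure. */
int show_trial_message(void)
{
    char buf[32];
    size_t n = decode_trial_msg(buf, sizeof buf);
    if (n == 0)
        return 0;
    puts(buf);
    secure_wipe(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}
```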

