Reverse engineer a function

I recently came across a reverse-engineering exercise on a blog about debugging techniques. I think it is a very worthwhile starting point for beginners, so I am reposting it here for everyone to study and discuss, with the corresponding answer attached at the end:

Examine the following code, registers, and stack values to determine the following:

1. When the function “DoTheWork” returns, what is the return value from that function?

2. Bonus: what is the mathematical operation that “DoTheWork” performs?

Hints:

1. The bracket notation [] in the assembly means to treat the value in brackets as a memory address, and access the value at that address.

2. 32-bit integer return values are stored in eax.

// Code

0:000> uf eip
demo2!DoTheWork:
0040101c 55              push    ebp
0040101d 8bec            mov     ebp,esp
0040101f 8b4d08          mov     ecx,dword ptr [ebp+8]
00401022 8bc1            mov     eax,ecx
00401024 49              dec     ecx
00401025 0fafc1          imul    eax,ecx
00401028 83f902          cmp     ecx,2
0040102b 7ff7            jg      demo2!DoTheWork+0x8 (00401024)
0040102d 5d              pop     ebp
0040102e c3              ret


// Current register state

0:000> r
eax=00000007 ebx=7ffd9000 ecx=ffffffff edx=00000007 esi=00001771 edi=00000000
eip=0040101c esp=0012fe9c ebp=0012feac iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
demo2!DoTheWork:
0040101c 55              push    ebp


// Current stack values for this thread

0:000> dps esp
0012fe9c  00406717 demo2!main+0x27
0012fea0  00000007
0012fea4  82059a87
0012fea8  00000007
0012feac  0012ff88
0012feb0  004012b2 demo2!mainCRTStartup+0x170
0012feb4  00000002
0012feb8  00980e48
0012febc  00980e80
0012fec0  00000094
0012fec4  00000006
0012fec8  00000000
0012fecc  00001771
0012fed0  00000002
0012fed4  76726553
0012fed8  20656369
0012fedc  6b636150
0012fee0  00003120
0012fee4  00000000
0012fee8  00000000
0012feec  00000000
0012fef0  00000000
0012fef4  00000000
0012fef8  00000000
0012fefc  00000000
0012ff00  00000000
0012ff04  00000000
0012ff08  00000000
0012ff0c  00000000
0012ff10  00000000
0012ff14  00000000
0012ff18  00000000


Answer:

1. 5040 (7!)

2. Factorial of N (N!)

//
//  Detailed explanation(s)
//

//  Function:   demo2!DoTheWork:    (In assembly)

//
//  Save the Prior Frame Pointer to the stack
//
0040101c 55              push    ebp
//
//  Set the Frame pointer to the current Stack pointer
//
0040101d 8bec            mov     ebp,esp
//
//  Right at this point, the stack looks like:
//  EBP = ESP
//
//  EBP - N -- Local variables, if any (here there aren't)
//  EBP     -- Old EBP
//  EBP + 4 -- Return Address back to calling function
//  EBP + 8 -- First function Arg
//
//
//  Put Arg1 into ECX
//
0040101f 8b4d08          mov     ecx,dword ptr [ebp+8]
//
//  Copy ECX into EAX
//
00401022 8bc1            mov     eax,ecx
//
//  LOOP:   ECX--
//
00401024 49              dec     ecx
//
//  EAX = EAX * ECX
//
00401025 0fafc1          imul    eax,ecx
//
//  If ECX is greater than 2, goto LOOP:
//
00401028 83f902          cmp     ecx,2
0040102b 7ff7            jg      demo2!DoTheWork+0x8 (00401024)
//
//  Else it wasn't, so restore the Old Frame Pointer
//
0040102d 5d              pop     ebp
//
//  Return back to the calling function.
//  Whatever is in EAX is effectively returned.
//
0040102e c3              ret

//  Function:   demo2!DoTheWork: (In C)

int DoTheWork(int Number)
{
    int WorkingValue = Number;
    int Factorial    = WorkingValue;

    /* do/while mirrors the assembly: the body runs at least once,
       and the loop repeats while WorkingValue > 2 (cmp ecx,2 / jg) */
    do {
        WorkingValue--;
        Factorial *= WorkingValue;
    } while (WorkingValue > 2);

    return Factorial;
}


0012fe9c  00406717 demo2!main+0x27              // Return address for DoTheWork
0012fea0  00000007                              // Arg1 "7"
0012fea4  82059a87


Note: one point deserves a reminder here. Because the current esp already points at the return address, the input argument is at the current esp+4, i.e. at 0012fea0, whose value is 7, rather than at esp+8 as a direct reading of ebp+8 might suggest. At this point the function has just been entered (eip is at its first instruction and push ebp / mov ebp,esp have not executed yet), so esp already points at the function's return address; ebp+8 only becomes the argument's address after those two instructions run.
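The following Python script is an added example, not part of the original exercise or its answer. It reads the argument the way the note above describes (esp+4 at function entry, straight from a `dps esp` listing), then emulates DoTheWork instruction by instruction with 32-bit registers and a signed `jg` compare. The register and stack dumps are constructed copies of the lines shown on this page; the function names (`parse_registers`, `parse_stack`, `do_the_work`, `solve`) are this example's own. It also goes beyond the single N=7 case: the loop's structure means N of 0 or 1 returns 0 rather than 1, and from 13! onward only the low 32 bits survive, which is what the hardware does and what the C answer above would also do.

```python
import re

# Constructed copies of the WinDbg output shown on the page (the `r` dump and
# the first lines of `dps esp`), embedded so the example runs offline.
REGISTER_DUMP = """\
eax=00000007 ebx=7ffd9000 ecx=ffffffff edx=00000007 esi=00001771 edi=00000000
eip=0040101c esp=0012fe9c ebp=0012feac iopl=0         nv up ei pl nz na po nc
"""

STACK_DUMP = """\
0012fe9c  00406717 demo2!main+0x27
0012fea0  00000007
0012fea4  82059a87
0012fea8  00000007
0012feac  0012ff88
0012feb0  004012b2 demo2!mainCRTStartup+0x170
"""

MASK32 = 0xFFFFFFFF


def parse_registers(dump):
    """Return {name: value} for every name=8-hex-digit pair in a WinDbg `r` dump."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b([a-z]{2,3})=([0-9a-fA-F]{8})\b", dump)}


def parse_stack(dump):
    """Return {address: dword} from a `dps` listing; trailing symbol names are ignored."""
    stack = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            stack[int(parts[0], 16)] = int(parts[1], 16)
    return stack


def to_signed32(value):
    """Reinterpret a 32-bit register value as a signed int (jg is a signed branch)."""
    value &= MASK32
    return value - (1 << 32) if value & 0x80000000 else value


def do_the_work(number):
    """Emulate demo2!DoTheWork one instruction at a time with 32-bit registers."""
    ecx = number & MASK32              # mov ecx, dword ptr [ebp+8]
    eax = ecx                          # mov eax, ecx
    while True:
        ecx = (ecx - 1) & MASK32       # dec ecx
        eax = (eax * ecx) & MASK32     # imul eax, ecx: only the low 32 bits are kept
        if not to_signed32(ecx) > 2:   # cmp ecx, 2 / jg LOOP (signed compare)
            break
    return eax                         # ret: whatever is in eax is the return value


def first_argument_at_entry(regs, stack):
    """At the first instruction esp points to the return address, so Arg1 is at
    esp+4; it is only reachable as ebp+8 after push ebp / mov ebp,esp."""
    esp = regs["esp"]
    return stack[esp], stack[esp + 4]


def solve(register_dump=REGISTER_DUMP, stack_dump=STACK_DUMP):
    """Answer question 1 from the dumps: locate Arg1, then run the emulated loop."""
    regs = parse_registers(register_dump)
    stack = parse_stack(stack_dump)
    return_address, arg1 = first_argument_at_entry(regs, stack)
    return {"return_address": return_address,
            "arg1": arg1,
            "result": do_the_work(arg1)}


if __name__ == "__main__":
    answer = solve()
    print(f"return address 0x{answer['return_address']:08x}, "
          f"Arg1 = {answer['arg1']}, DoTheWork returns {answer['result']}")
    # Edge cases the do/while structure produces: 0 and 1 give 0, 2 gives 2.
    print([do_the_work(n) for n in range(0, 8)])
    # 13! = 6227020800 does not fit in 32 bits; the low dword is what eax holds.
    print(do_the_work(13))
```

Running it reproduces the answer (Arg1 = 7, return value 5040) and shows why checking the small inputs matters when you turn a disassembly back into C: the assembly never special-cases N < 3, so the recovered function is only "N!" for N >= 2.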
