
"Learning Notes on IDA Reverse Engineering from Scratch" - Chapter 9 (Function Reverse Analysis)

image

9.2 Symbol File

Target file: HOLA_REVERSER.exe

View the architecture of the target file:

image

The target file is a 32-bit program compiled with VC++ 2015.

Double-click to run the program; it prompts for input.

image

The program will check if the input characters are correct.

image

9.3 Locating the main Function

First, let's look at the strings.

image

Several strings that the target program prints at runtime can be found here; they are highlighted by the red line in the image above.

Go to the following location:

image

In the above image, 0x402108 is the address of this string. The hexadecimal to the right of the address is the raw bytes. "aPoneUnNumerito" to the right of the bytes is the label (name) IDA gave this string. The "a" prefix indicates an ASCII string, and the "db" after it indicates that it is defined as a byte sequence.

Press the D key to view the value of each byte:

image

Press the A key to display it as a string again.

Hover the mouse over the right-pointing arrow to see the location that references this string, and press the X key (cross-references) to jump to it.

image

From this reference, we can find the main function.

image

9.4 Function Stack

image

In the above image, there is a local variable var_4 of size dword (4 bytes).

image

32-bit function call stack view

First, all function arguments are pushed onto the stack, followed by the return address. Above the return address is the saved EBP of the calling function, pushed by the function's first instruction, PUSH EBP, and at the top of the frame are the local variables.

9.5 Main Function Parameters

Go to the main function

image

Press the X key to see where the main function is referenced.

image

Main function call

In the above image, there are three push instructions, which pass the parameters. The comments on these three instructions show that three parameters are passed, namely argc, argv, and envp, which are the default parameters of main.

9.6 Local Variables

var_c is a local variable. Press the X key to see where it is referenced. From the image below, it can be seen that this local variable is referenced in two places.

image

9.7 Atoi Function

image

The atoi function converts a string to an integer. If the number is too large to be converted, an error occurs and 0 is returned; likewise, if the number is smaller than the smallest negative int, an error occurs and 0 is returned. The whole input is converted to an integer. If the input is 41424344, it is converted to an integer (which IDA displays in hexadecimal) and stored in EAX.

#include <stdlib.h>
int atoi(const char *string);

From the above image, it can be seen that the target program converts the entire input string into an integer. If atoi or _wtoi cannot convert the input to the desired type, it returns 0.

image

atoi return value

The return value in eax is moved to esi. After the program echoes the original string the user entered, the value in esi is compared with 0x124578.

image

The decimal number string entered by the user is parsed into an integer (shown as a hexadecimal value in IDA) and then compared with the hard-coded value. If the input is the decimal form of the hard-coded value, the check should succeed.

In the above image, the jnz instruction (jump if not equal / not zero) is used: if the values differ, the program outputs bad reverser; if they are equal, it outputs good reverser.

0x124578, converted from hexadecimal to decimal, is 1197432.

image

If you enter the decimal number 1197432 into the target program, the verification succeeds and it outputs good reverser.

image

The analysis of the target program ends here. In this chapter, we learned about reverse analysis of function stacks, including how functions pass parameters, local variables, and the atoi function.
