OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Wednesday, February 13 2008 18:02.38 CST

Printer Friendly ...

Array Indexing Qurik

Author: RolfRolles

# Views: 2379

.text:10002D49 mov     eax, [esp+arg_0]

.text:10002D4D lea     ecx, [eax-9C40h]

.text:10002D53 cmp     ecx, 50h

.text:10002D56 ja      short loc_10002D60

.text:10002D58 mov     eax, dword ptr ds:(loc_1000EF5B+1)[eax*8]

.text:10002D5F retn

.text:10002D60

.text:10002D60 loc_10002D60:

.text:10002D60 lea     edx, [eax-0A029h]

.text:10002D66 cmp     edx, 9

.text:10002D69 ja      short loc_10002D73

.text:10002D6B mov     eax, dword ptr ds:loc_1000D344[eax*8]

.text:10002D72 retn

We don't find any arrays at the locations referenced on lines -D58 and -D6B (in fact we find code) which is unusual:

.text:1000EF57 movzx   eax, word ptr [esi+18h]

.text:1000EF5B

.text:1000EF5B loc_1000EF5B:                           ; DATA XREF: 10002D58

.text:1000EF5B add     dword_10065280, eax

.text:1000EF61 xor     eax, eax

.text:1000EF63 pop     esi

.text:1000EF64 mov     esp, ebp

.text:1000EF66 pop     ebp



.text:1000D342 mov     esp, ebp

.text:1000D344

.text:1000D344 loc_1000D344:                           ; DATA XREF: 10002D6B

.text:1000D344 pop     ebp

Looking closer at the code, the trick lies in the fact that the arrays are not being indexed starting at zero.

.text:10002D58 mov     eax, dword ptr ds:(loc_1000EF5B+1)[eax*8] ; <- 0x9C40 <= eax < 0x9C90

.text:10002D6B mov     eax, dword ptr ds:loc_1000D344[eax*8] ; <- 0xA029 <= eax < 0xA032

So the first array actually begins at 0x1000EF5B+1+0x9C40*8 == 0x1005D15C, and the second array begins at 0x1000D344+0x0A029*8 == 0x1005D48C. What happened here is that the pointer expression has been simplified to conform to x86's instruction encoding:

[1005D15Ch + (eax - 0x9C40) * 8] => [1005D15Ch - 4E200h + eax*8] => [1000EF5Ch + eax*8]

This is pretty uncommon; I've only seen it a handful of times in my reversing endeavors over the years.

Active in Last 5 Minutes
	Lizzard

There are 28,229 total registered users.

Recently Created Topics
Reverse Engineering ...	Jan/23
Career: DoD Agency I...	Jan/22
"Disappearing&q...	Jan/17
Career: Software Sec...	Jan/11
Where is the call st...	Jan/07
IDA Pro 6.1 Breakpoi...	Jan/01
How to create data s...	Dec/30
can i search all mod...	Dec/23
IDA symbol table exp...	Dec/20
An anti-attach trick	Dec/17

Recent Forum Posts
Reverse Engineering ...	NirIzr
"Disappearing&q...	NirIzr
Reverse Engineering ...	charlie
"Disappearing&q...	charlie
An anti-attach trick	Bass
An anti-attach trick	waleeda...
An anti-attach trick	Bass
An anti-attach trick	waleeda...
An anti-attach trick	Bass
Looking for value in...	NirIzr

Recent Blog Entries
	cmathieu	Feb/07
Hacker Carnival
	waleedassar	Feb/06
OllyDbg v1.10 And Hardware ...
	waleedassar	Jan/31
Yet Another Anti-Debug Trick
	RolfRolles	Jan/22
Finding Bugs in VMs with a ...
	waleedassar	Jan/13
An OllyDbg Bug Disables Sof...
More ...

Recent Blog Comments
	waleedassar on:	Feb/07
OllyDbg v1.10 And Hardware ...
	NirIzr on:	Feb/07
OllyDbg v1.10 And Hardware ...
	NirIzr on:	Feb/05
Yet Another Anti-Debug Trick
	trolotou on:	Feb/05
Doudoune Moncler -Pennies F...
	waleedassar on:	Feb/01
Yet Another Anti-Debug Trick
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit