📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.









 Forums >>  IDA Pro  >>  IDA Function Question

Topic created on: May 8, 2006 14:36 CDT by Apu.

Below is an excerpt from an ELF binary's function:

.text:080497C4
.text:080497C4 var_424         = dword ptr -424h
.text:080497C4 var_420         = dword ptr -420h
.text:080497C4 var_41C         = dword ptr -41Ch
.text:080497C4 var_418         = byte ptr -418h
.text:080497C4 var_C           = dword ptr -0Ch
.text:080497C4 arg_0           = dword ptr 8

I know that this function has only one argument that is passed to it. How would I determine what type (char, int) of variable is being passed to it? Also, what does the 'var_4XX' mean at the beginning of the function? I know that this is something specific to IDA, but I can't decipher it. Thanks.

Apu

  aeppert     May 8, 2006 15:38.27 CDT
Well, the short answer is read through the code to determine the type of variable being passed to it. Perhaps look at a cross-reference to the function to determine what kind of data is being pushed on to the stack. Further, look for any kind of assembly string handling instructions, such as "movsw" etc., with reference to the data being pushed on to the stack.

What you are calling "specific to IDA" is in fact not really the case.  What you are seeing are local variable definitions.

I question where and how you received a copy of IDA Pro as the questions you are asking are rather fundamental.

  Apu   May 8, 2006 20:46.44 CDT

  BillyBoBob   May 9, 2006 08:30.26 CDT
I question where and how you received a copy of IDA Pro as the questions you are asking are rather fundamental.

Do we really have to go down that path? Not that this is a democracy, but my vote is to leave such issues to other boards. I really would like to see it left to being about the RE, not where the tools came from or, for that matter, the purpose of the RE. Just my $0.02


  warl0ck     May 9, 2006 12:06.55 CDT
For var_4XX, do you see some similarities?


var_[424]  = dword ptr -[424]h

  AlexIonescu     May 16, 2006 00:22.47 CDT
Hi Apu,

To determine the properly cast type, you need to actually analyze the code. If a variable is being sent to a function which uses a string, then that variable is a char *.
To determine merely the variable-length type, look at the word before "ptr". dword means 32-bit integer, like an unsigned/signed long or an int. Notice one of them is byte ptr. This means it's probably a char (probably a flag of some sort). (NOTE: See below)

As for the number after var, it's IDA's automatic naming based on the stack position. var_424 is [esp-424h], meaning this variable is 0x424 bytes up in the stack. Let's go back to that byte ptr, var_418. Notice how the next variable is actually var_C, meaning that 0x40C bytes on the stack are "unaccounted" for. This is a hint that the size of the variable is actually probably 0x40C, meaning that you're probably looking at a stack buffer for a string. IDA says it's "byte" because the code probably only touches that byte. Again, these are just assumptions as I've seen no actual code, but I hope this helps.

Best regards,
Alex Ionescu
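
An added example, not part of the original thread: the gap reasoning from the reply above, applied to the stack-variable header quoted in the first post. The parser, the function names and the "extent larger than declared width" heuristic are this example's own assumptions; the last local is skipped because the bytes between it and the saved frame pointer may be padding or saved registers.

```python
import re

# Constructed input: the declarations quoted in the first post.
LISTING = """\
.text:080497C4 var_424         = dword ptr -424h
.text:080497C4 var_420         = dword ptr -420h
.text:080497C4 var_41C         = dword ptr -41Ch
.text:080497C4 var_418         = byte ptr -418h
.text:080497C4 var_C           = dword ptr -0Ch
.text:080497C4 arg_0           = dword ptr 8
"""

WIDTHS = {"byte": 1, "word": 2, "dword": 4, "qword": 8}
DECL = re.compile(
    r"(\w+)\s*=\s*(byte|word|dword|qword) ptr\s+(-?)([0-9A-Fa-f]+)h?\s*$")


def parse_frame(listing):
    """Return (name, offset, declared_width) tuples, lowest offset first."""
    slots = []
    for line in listing.splitlines():
        m = DECL.search(line)
        if m:
            name, kind, sign, digits = m.groups()
            offset = int(digits, 16) * (-1 if sign else 1)
            slots.append((name, offset, WIDTHS[kind]))
    return sorted(slots, key=lambda s: s[1])


def likely_buffers(listing):
    """Locals whose distance to the next named local exceeds their
    declared width: candidates for arrays or string buffers."""
    local_vars = [s for s in parse_frame(listing) if s[1] < 0]
    hits = []
    # zip() stops before the last local, whose extent is not known.
    for (name, off, width), (_, next_off, _) in zip(local_vars, local_vars[1:]):
        extent = next_off - off
        if extent > width:
            hits.append((name, off, extent))
    return hits


if __name__ == "__main__":
    for name, off, extent in likely_buffers(LISTING):
        print(f"{name} at {off:#x}: {extent:#x} bytes before the next local")
```
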

  MohammadHosein     May 16, 2006 03:00.58 CDT
In addition to Alex's comment I would add one thing: you should know about the compiler and its rules. E.g. not every dword ptr is a 32-bit integer; Delphi (and Kylix in Linux) use a 32-bit integer as a pointer to its "String" type, which is always based on heap, so the actual type you look for is a String, not an integer, etc. So your compiler and its class library are very important.
