Topic created on: February 24, 2007 11:27 CST by SpacedOut  .
On the reversing project I'm working on (trying to get a file format) I keep seeing calls to _exit, for example:
push 204h ; NumberOfBytesToRead
call _exit
add esp, 4
mov [esp+10], eax
I'm not sure why IDA identified 204h as number of bytes to read or why the return value from a void function is being used. IDA seems to confirm that this is the C library exit() function too, not another one with the same name.
Any help would be appreciated.
Seems it's just a bug in IDA or a conflict between FLIRT bases; it occurs quite often. However, in my version (4.7 console), everything is OK:
.text:004010B4 call _main
.text:004010B9 add esp, 0Ch
.text:004010BC mov [ebp+var_1C], eax
.text:004010BF push eax ; int
.text:004010C0 call _exit
Also, try to use the functions long GetSpd(long ea) and long GetSpDiff(long ea) to determine whether IDA determines the ESP value correctly or not, and if it's wrong use success SetSpDiff(long ea, long delta) to correct ESP (maybe IDA thinks that the PUSH argument belongs to another function).
P.S. I wrote a book about the IDA script language, but it's not translated into English yet and is available in Russian only.
Looks like a FLIRT miss to me, i.e. that _exit is not _exit at all, but some kind of fread() function. The comment "NumberOfBytesToRead" was probably added by propagating up parameters of the ReadFile function called somewhere in that "_exit" function.
No, it can't be fread(): the add esp, 4 command means the so-called _exit() takes only _one_ parameter, whereas fread() takes four!
Meanwhile, it can't be _exit(), since the real _exit() returns void, not _int_ (see the command mov [esp+10], eax).
SpacedOut, I can't help you having only a piece of code. If it's possible, please send your project (not the IDA database!) to [email protected]
I didn't say it's fread, I said "some kind of fread()". Of course I noticed it takes only one argument :)
"some kind of fread()" would surely take at least two arguments, including a file handle / some structure containing a file handle, so that's unlikely to be true (unless this is a fastcall function and we aren't seeing all of the arguments).
Solution: disassemble the so-called _exit and/or observe the return value at runtime.
Thanks a lot for the help everyone, I admit I'm a newb so I really appreciate it. AbelianGrape, I took your advice and disassembled the so-called exit and I think I figured it out.
I was looking through a tree of what functions were called from this so-called exit and I noticed MessageBox() was one. I went to that section of code and found it displayed "SmartHeap Library." A Google search brought me to this page: http://www.microquill.com/index.html. Apparently they sell a library that makes managing memory allocation with threads easier. I believe this is a memory allocation function.
SmartHeap by default overrides malloc(), and now that I think about it I haven't seen a single call to malloc() but I've seen several to this function. Further, on the three calls I was observing there was a call to the 'eh vector iterator constructor'(). The best part is the sizes match up:
push 204h
call _exit
...
push offset null_sub
push offset sub_6A0760
push 20h
push 10h ; 20h * 10h + 4 = 204h
push esi
call ??_L@YGXPAXIHP6EX0@Z1@Z
...
push 1F2h
call _exit
...
push offset null_sub
push offset sub_6A0780
push 0Dh
push 26h ; 0Dh * 26h + 4 = 1F2h
push esi
call ??_L@YGXPAXIHP6EX0@Z1@Z
What should I do now? Is there a way to correct the disassembly, is it worth it in your opinion? How should I handle these kinds of situations?
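The two pieces of reasoning in this thread (the `add esp, 4` after the call means one cdecl stack argument and the `mov [esp+10], eax` means the caller consumes a return value, so it is neither fread() nor the real _exit(); and the allocation size equals count * element size + 4 for the vector constructor that follows) can be checked mechanically. The script below is an added example, not code from the thread or from IDA: it takes the listing fragments quoted above, reassembled into one constructed text, and recomputes both checks. The callee name `??_L@YGXPAXIHP6EX0@Z1@Z` is the one on the page; the assumption that the two numeric pushes before it are the count and element size, in that order, is taken from the poster's own arithmetic.

```python
import re

# Constructed input: the listing fragments quoted in this thread, joined
# into one text. '...' marks the gaps the poster left between fragments.
LISTING = """\
push 204h ; NumberOfBytesToRead
call _exit
add esp, 4
mov [esp+10], eax
...
push offset null_sub
push offset sub_6A0760
push 20h
push 10h ; 20h * 10h + 4 = 204h
push esi
call ??_L@YGXPAXIHP6EX0@Z1@Z
...
push 1F2h
call _exit
...
push offset null_sub
push offset sub_6A0780
push 0Dh
push 26h ; 0Dh * 26h + 4 = 1F2h
push esi
call ??_L@YGXPAXIHP6EX0@Z1@Z
"""

# Name IDA gave the 'eh vector constructor iterator' in the poster's listing.
VEC_CTOR = '??_L@YGXPAXIHP6EX0@Z1@Z'
GAP = '...'


def parse_imm(tok):
    """Parse an IDA-style immediate: '204h' / '0Dh' (hex, trailing h) or '4' (decimal)."""
    tok = tok.strip()
    if re.fullmatch(r'[0-9A-Fa-f]+h', tok):
        return int(tok[:-1], 16)
    if tok.isdigit():
        return int(tok)
    return None


def parse_listing(text):
    """Split a text listing into (mnemonic, [operands]) tuples.
    Comments after ';' are dropped; '...' gaps are kept as ('...', []) so
    that no check pairs instructions across a gap."""
    insns = []
    for line in text.splitlines():
        line = line.split(';', 1)[0].strip()
        if not line:
            continue
        mnem, _, rest = line.partition(' ')
        operands = [o.strip() for o in rest.split(',')] if rest else []
        insns.append((mnem.lower(), operands))
    return insns


def pushes_before(insns, i):
    """Operands of the contiguous run of PUSH instructions feeding insns[i]."""
    pushed = []
    j = i - 1
    while j >= 0 and insns[j][0] == 'push':
        pushed.insert(0, insns[j][1][0])
        j -= 1
    return pushed


def call_profiles(insns, callee):
    """For every 'call callee': what was pushed, how many stack arguments the
    cdecl cleanup (add esp, N) implies, and whether the next instruction reads
    EAX, i.e. the caller uses a return value. None means the listing has a gap
    there and the fact cannot be determined from the fragment."""
    profiles = []
    for i, (mnem, ops) in enumerate(insns):
        if mnem != 'call' or ops != [callee]:
            continue
        cleanup = None
        k = i + 1
        if k < len(insns) and insns[k][0] == 'add' and insns[k][1][0].lower() == 'esp':
            cleanup = parse_imm(insns[k][1][1])
            k += 1
        uses_return = None
        if k < len(insns) and insns[k][0] != GAP:
            uses_return = any('eax' in o.lower() for o in insns[k][1])
        profiles.append({
            'pushed': pushes_before(insns, i),
            'stack_args': None if cleanup is None else cleanup // 4,  # 4-byte slots on x86
            'uses_return': uses_return,
        })
    return profiles


def allocation_checks(insns, alloc_callee='_exit'):
    """Pair the immediate pushed before each alloc_callee call with the next
    VEC_CTOR call and recompute the poster's arithmetic: count * size + 4.
    Returns (allocated, expected, matches) per pair."""
    results, pending = [], None
    for i, (mnem, ops) in enumerate(insns):
        if mnem != 'call':
            continue
        if ops == [alloc_callee]:
            pushed = pushes_before(insns, i)
            pending = parse_imm(pushed[-1]) if pushed else None
        elif ops == [VEC_CTOR] and pending is not None:
            nums = [parse_imm(p) for p in pushes_before(insns, i)]
            count, size = [n for n in nums if n is not None][:2]
            expected = count * size + 4
            results.append((pending, expected, pending == expected))
            pending = None
    return results


if __name__ == '__main__':
    insns = parse_listing(LISTING)
    for p in call_profiles(insns, '_exit'):
        print(p)
    for alloc, expected, ok in allocation_checks(insns):
        print(f'alloc {alloc:#x} vs count*size+4 {expected:#x}: {"match" if ok else "MISMATCH"}')
```

For the first `_exit` call the profile reports one stack argument and a used return value, which is exactly the argument made above against both fread() and the real _exit(); for the second call the fragment ends in a gap, so both facts come back as None rather than as a guess. Both size pairs match.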
First of all:
Check the list of signatures (view -> open subview -> signatures) and tell us what you see.
If you have two or more modules, delete the C-runtime module (if IDA says it can't do that, well, damage the start-up code in a hex editor and re-create the project; be ready to load signatures manually: view -> open subview -> signatures -> Insert key).
However, if IDA leaves the "NumberOfBytesToRead" comment it means that IDA doesn't know about Smart Heap Lib, otherwise it should say "NumberOfBytesToAllocate" or something like that.
It's very possible you are dealing with "malloc()" or something like that, but you can never be absolutely sure until you have investigated the "_exit()" code.
To answer your question: "What should I do now?"
1) just nothing;
2) rename _exit to _smart_malloc;
3) create your own FLIRT signature and share it with the world :-)
Signatures:
vc32rtf Applied 1008 Microsoft VisualC 2-8/net runtime
vc32mfc Applied 1664 MFC 3.1/4.0/4.2/8.0 32bit
Just looking at the xrefs from it, this _smart_malloc is a pretty large function; most of it probably has to deal with multi-processors, threads, and stuff since that's what the makers of Smart Heap Lib say it will do. It makes calls to Win32 memory allocation functions, exception functions, other error handling functions, and the actual _exit(). Since I don't know how to make a FLIRT signature, I'm inclined to just do nothing and move on, unless you really think that's a bad idea.
Just rename _exit to _smart_heap_malloc and forget about it. Just in case, set a breakpoint on _exit and check if it returns a pointer to a valid memory area.
I've already done that, it does return a valid memory pointer. Thanks for your help.
...and if you still have the NumberOfBytesRead argument propagated in all the calls to _smart_heap_malloc(), use "y" to fix the function signature.