The C++ program XorTesting.exe is built from XorTesting.cpp, whose main function looks like this:
// Entry point. The guarded body runs only for two command-line shapes:
//   - argv[1] is exactly "0" and one further argument follows (argc == 3), or
//   - argv[1] is exactly "1" and nothing follows (argc == 2).
// Each clause tests argc before touching argv[1], so argv[1] is only read
// when it is present.
int main(int argc, char * argv[])
{
if ((argc == 3 && strlen(argv[1]) == 1 && argv[1][0] == '0') ||
(argc == 2 && strlen(argv[1]) == 1 && argv[1][0] == '1'))
{
.... more code ....
}
}
----------
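In IDA Pro, here is how to find the actual main function: begin at the entry point (start) and follow the chain of calls through the startup code, as shown below.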
----------
----------
start proc
jmp start_0
----------
----------
start_0 proc
push ebp
mov ebp, esp
call sub_xxxxx1 (just calls init functions)
pop ebp
ret
-----------
-----------
sub_xxxxx1 proc
push ebp
mov ebp, esp
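call sub_xxxxx2 (security cookie check; note: in MSVC-built binaries the first call at this point is usually __security_init_cookie, which initializes the /GS cookie, while the checks themselves run at the end of each protected function)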
call sub_xxxxx3 (initializes and then calls actual main function)
pop ebp
ret
-----------
-----------
sub_xxxxx3 proc
var_44= dword ptr -44h
var_40= dword ptr -40h
var_3C= dword ptr -3Ch
... many more ...
push ebp
mov ebp, esp
push 0FFFFFFFEh
...
call j__initterm
...
call ds:___guard_check_icall_fptr
...
call j__register_thread_local_exe_atexit_callback
add esp, 4
loc_xxxxxx:
call sub_xxxxx4 (will end up calling the actual main function)
...
call j_exit
... lots more code...
------------
------------
sub_xxxxx4 proc
var_C= dword ptr -0Ch
var_8= dword ptr -8h
var_4= dword ptr -4h
push ebp
mov ebp, esp
...
call j__get_initial_narrow_environment
...
call j__p___argv
...
call j__p___argc
...
call j__sub_xxxxx5 (will end up calling the actual main function)
add esp, 0Ch
mov esp, ebp
pop ebp
ret
-------------
-------------
sub_xxxxx5 proc
jmp sub_xxxxx6 (the ACTUAL main function code)
-------------
-------------
sub_xxxxx6 proc
var_178= dword ptr -178h
var_174= dword ptr -174h
var_168= dword ptr -168h
... many more ...
push ebp
mov ebp, esp
sub esp, 178h
...
rep stosd
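mov eax, __security_cookie (loads the global /GS stack cookie; the prologue normally stores a copy in this function's frame so it can be verified before the function returns)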
...
cmp [ebp+arg_0], 3 (equivalent of C++ "if argc == 3"; arg_0 is the first argument, argc)
...
call j_strlen (equivalent of the C++ 'strlen' call)
... rest of code ...
-------------