Far jump does not point to an instruction?

Reverse Engineering Asked by neehack on May 14, 2021

My title is kind of ambiguous and I am not sure if it is true, hence the question mark at the end.

Basically, I was trying to trace Windows printf in NASM to identify "what is the last call/function that outputs the string". Long story short, after a bunch of breakpoints etc. I found the below:

[EIP] debug034:77126000 jmp     far ptr 33h:77126009h

[image]

As soon as my EIP steps over this line, the console outputs my string.

My work doesn't end here. So, I tried to trace the jmp and see what it points to:

[image]

As you can see in the image, the jmp above points to this location/unk_77126339 (after pressing d the location changed from unk_ to byte_), which is empty data (not sure, just saying because of the db).

I also tried to jump to f8a7ff41 below the jump, but that still points to emptiness.

Would you know what is going on here? Or how do I jump to the next instruction of printf here?

One Answer

First of all, you have a 32-bit binary and you are debugging it on a 64-bit system (see the wow64 symbol).

It means you are looking at some kind of in-between.

It means the far jump is pointing to a different code segment (see the present code segment 0x43 versus the code segment of 0x33).

Please get yourself familiarised with code segments and privilege levels.

Basically, printf reaches ntdll!NtWriteFile before transitioning into the kernel via a syscall.

The far jump you are seeing is a glue layer between the 32-bit syscall and 64-bit execution.

Google for words like wow64, heavensgate etc. and skim them.

Here is a summary of an x86-compiled binary debugged on an x64 windbg, with the code shown below.

:>ls -lg
total 1
-rw-r--r-- 1 197121 82 Jan 20 09:03 printf.cpp

:>cat printf.cpp
#include <stdio.h>
int main (void) {
        printf ("hello jmp far\n");
        return 0;
}
:>cl /Zi /W4 /analyze /Od /EHsc /nologo printf.cpp /link /release
printf.cpp

:>ls -lg
total 6794
-rw-r--r-- 1 197121      82 Jan 20 09:03 printf.cpp
-rwxr-xr-x 1 197121  301568 Jan 20 09:05 printf.exe
-rw-r--r-- 1 197121      59 Jan 20 09:05 printf.nativecodeanalysis.xml
-rw-r--r-- 1 197121    5283 Jan 20 09:05 printf.obj
-rw-r--r-- 1 197121 6574080 Jan 20 09:05 printf.pdb
-rw-r--r-- 1 197121   69632 Jan 20 09:05 vc140.pdb

:>printf.exe
hello jmp far

Here is a simple trace entering and executing all the calls until the string is printed.

Scroll to the end to see the transition.

:>cdb printf.exe

Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64

(1674.4d4): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffa`ac6f0fcc cc              int     3
0:000> g printf!main
ModLoad: 00000000`77070000 00000000`77079000   C:\WINDOWS\System32\wow64cpu.dll
ModLoad: 00000000`74eb0000 00000000`74f90000   C:\WINDOWS\SysWOW64\KERNEL32.DLL
ModLoad: 00000000`76e50000 00000000`7704f000   C:\WINDOWS\SysWOW64\KERNELBASE.dll
(1674.4d4): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll_77080000!LdrpDoDebuggerBreak+0x2b:
7712ecc2 cc              int     3
0:000:x86> g printf!main
printf!main:
00181000 55              push    ebp
0:000:x86> uf .
printf!main:
00181000 55              push    ebp
00181001 8bec            mov     ebp,esp
00181003 6890011c00      push    offset printf!__xt_z+0x8 (001c0190)
00181008 e853000000      call    printf!printf (00181060)
0018100d 83c404          add     esp,4
00181010 33c0            xor     eax,eax
00181012 5d              pop     ebp
00181013 c3              ret

0:000:x86> pc
printf!main+0x8:
00181008 e853000000      call    printf!printf (00181060)
0:000:x86> t
printf!printf:
00181060 55              push    ebp
0:000:x86> pc
printf!printf+0x18:
00181078 e82ea10000      call    printf!__acrt_iob_func (0018b1ab)
0:000:x86> t
printf!__acrt_iob_func:
0018b1ab 8bff            mov     edi,edi
0:000:x86> pc
printf!printf+0x21:
00181081 e8aaffffff      call    printf!_vfprintf_l (00181030)
0:000:x86> t
printf!_vfprintf_l:
00181030 55              push    ebp
0:000:x86> pc
printf!_vfprintf_l+0x13:
00181043 e8d8ffffff      call    printf!__local_stdio_printf_options (00181020)
0:000:x86> t
printf!__local_stdio_printf_options:
00181020 55              push    ebp
0:000:x86> pc
printf!_vfprintf_l+0x1f:
0018104f e884b70100      call    printf!__stdio_common_vfprintf (0019c7d8)
0:000:x86> t
printf!__stdio_common_vfprintf:
0019c7d8 8bff            mov     edi,edi
0:000:x86> pc
printf!__acrt_lock_stream_and_call+0x30 [inlined in printf!__stdio_common_vfprintf+0x7c]:
0019c854 e83eedfeff      call    printf!__crt_seh_guarded_callxxxlambdaing
0:000:x86> t
printf!__crt_seh_guarded_call<int>::operator()<<lambdaing
0018b597 6a0c            push    0Ch
0:000:x86> pc
printf!__crt_seh_guarded_call<int>::operator()<<lambda_ing
0018b59e e80d65ffff      call    printf!__SEH_prolog4 (00181ab0)
0:000:x86> t
printf!__SEH_prolog4:
00181ab0 6890201800      push    offset printf!_except_handler4 (00182090)
0:000:x86> pc
printf!__acrt_lock_stream_and_call::__l2::<lambda_8ing
0018b5ac e89cfcffff      call    printf!_lock_file (0018b24d)
0:000:x86> t
printf!_lock_file:
0018b24d 8bff            mov     edi,edi
0:000:x86> pc
printf!_lock_file+0xc:
0018b259 ff154c001c00    call    dword ptr [printf!_imp__EnterCriticalSection
0:000:x86> t
ntdll_77080000!RtlEnterCriticalSection:
770cadc0 8bff            mov     edi,edi
0:000:x86> pc
printf!__crt_seh_guarded_call<int>::operator()<<lambda_8
0018b5b9 e880520000      call    printf!<lambda_df
0:000:x86> t
printf!<lambda_df52180bf14694d51fdefd82613e8f07>::operator():
0019083e 8bff            mov     edi,edi
0:000:x86> pc
printf!__acrt_stdio_temporary_buffering_guard::{ctor}+0x1 [inl
0019085c e84e750100      call    printf!__acrt_stdio_begin
0:000:x86> t
printf!__acrt_stdio_begin_temporary_buffering_nolock:
001a7daf 8bff            mov     edi,edi
0:000:x86> pc
printf!__acrt_stdio_begin_temporary_buffering_nolock+0xc:
001a7dbb e80afeffff      call    printf!_fileno (001a7bca)
0:000:x86> t
printf!_fileno:
001a7bca 8bff            mov     edi,edi
0:000:x86> pc
printf!__acrt_stdio_begin_temporary_buffering_nolock+0x12:
001a7dc1 e85ed90000      call    printf!_isatty (001b5724)
0:000:x86> t
printf!_isatty:
001b5724 8bff            mov     edi,edi
0:000:x86> pc
printf!__acrt_stdio_begin_temporary_buffering_nolock+0x23:
001a7dd2 e8d433feff      call    printf!__acrt_iob_func (0018b1ab)
0:000:x86> t
printf!__acrt_iob_func:
0018b1ab 8bff            mov     edi,edi
0:000:x86> pc
printf!__acrt_stdio_begin_temporary_buffering_nolock+0x6d:
001a7e1c e88ed0ffff      call    printf!_malloc_base (001a4eaf)
0:000:x86> t
printf!_malloc_base:
001a4eaf 8bff            mov     edi,edi
0:000:x86> pc
printf!_malloc_base+0x32:
001a4ee1 ff159c001c00    call    dword ptr [printf!_imp__HeapAlloc
0:000:x86> t
ntdll_77080000!RtlAllocateHeap:
770cf910 8bff            mov     edi,edi
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx cut off spew
ntdll_77080000!RtlLeaveCriticalSection:
770ba180 8bff            mov     edi,edi
0:000:x86> pc
printf!__crt_internal_free_policy::operator()+0x4 [inli
001a7e25 e8e5acffff      call    printf!_free_base (001a2b0f)
0:000:x86> t
printf!_free_base:
001a2b0f 8bff            mov     edi,edi
0:000:x86> pc
printf!<lambda_df52180bf14694d51fdefd82613e8f07>::operator()+0x35:
00190873 e8f3f9ffff      call    printf!_LocaleUpdate::_LocaleUpdate (0019026b)
0:000:x86> t
printf!_LocaleUpdate::_LocaleUpdate:
0019026b 8bff            mov     edi,edi
0:000:x86> pc
printf!__crt_stdio_output::standard_base<char,__crt_stdio_output::stream_output_adapter
001908a8 e88af6ffff      call    printf!__crt_stdio_output::output_adapter_data
0:000:x86> t
printf!__crt_stdio_output::output_adapter_data<char,__crt_stdio_output::stream_ou
0018ff37 8bff            mov     edi,edi
0:000:x86> pc
printf!__crt_stdio_output::output_adapter_data<char,__crt_stdio_output::stream_output_ad
0018ff3f e860ffffff      call    printf!__crt_stdio_output::common_data<char>::common_data<char> (0018fea4)
0:000:x86> t
printf!__crt_stdio_output::common_data<char>::common_data<char>:
0018fea4 8bff            mov     edi,edi
0:000:x86> pc
printf!<lambda_df52180bf14694d51fdefd82613e8f07>::operator()+0x79:
001908b7 e88c150000      call    printf!__crt_stdio_output::output_pro
0:000:x86> t
printf!__crt_stdio_output::output_processor<char,__crt_stdio_ou
00191e48 8bff            mov     edi,edi
0:000:x86> pc
printf!__crt_stdio_output::output_processor<char,__crt_stdio_outp
00191e54 e881930000      call    printf!__crt_stdio_output::stre
0:000:x86> t
printf!__crt_stdio_stream::valid [inlined in printf!__crt_stdio_output::stream_o
0019b1da 8b01            mov     eax,dword ptr [ecx]  ds:002b:009ef804=001c9078
0:000:x86> pc
printf!__crt_stdio_output::stream_output_adapter<char>::validate+0x1a:
0019b1f4 e8a5090000      call    printf!__acrt_stdio_char_traits<char>::va
0:000:x86> t
printf!__acrt_stdio_char_traits<char>::validate_stream_is_ansi_if_required:
0019bb9e 8bff            mov     edi,edi
0:000:x86> pc
printf!__acrt_stdio_char_traits<char>::validate_stream_is_ansi_if_required+0x16:
0019bbb4 e811c00000      call    printf!_fileno (001a7bca)
0:000:x86> t
printf!_fileno:
001a7bca 8bff            mov     edi,edi
0:000:x86> pc
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz cut off spew
0:000:x86>
printf!<lambda_df52180bf14694d51fdefd82613e8f07>::operator()+0x86:
001908c4 e892fbffff      call    printf!__crt_stdio_output::format
0:000:x86>
printf!__crt_internal_free_policy::operator()+0x9 [inlined in pr
00190466 e8a4260100      call    printf!_free_base (001a2b0f)
0:000:x86>
printf!__acrt_stdio_temporary_buffering_guard::{dtor}+0x7 
001908e6 e877750100      call    printf!__acrt_stdio_end_tempo
0:000:x86>
printf!__acrt_stdio_end_temporary_buffering_nolock+0x1e:
001a7e80 e827c3ffff      call    printf!__acrt_stdio_flush_nolock (001a41ac)
0:000:x86>
printf!__acrt_stdio_flush_nolock+0x31:
001a41dd e8e8390000      call    printf!_fileno (001a7bca)
0:000:x86>
printf!__acrt_stdio_flush_nolock+0x38:
001a41e4 e849c90000      call    printf!_write (001b0b32)
0:000:x86>
printf!_write+0x7:
001b0b39 e8720ffdff      call    printf!__SEH_prolog4 (00181ab0)
0:000:x86>
printf!_write+0x5f:
001b0b91 e818a9ffff      call    printf!__acrt_lowio_lock_fh (001ab4ae)
0:000:x86>
printf!__acrt_lowio_lock_fh+0x1b:
001ab4c9 ff154c001c00    call    dword ptr [printf!_imp__EnterCrit
0:000:x86>
printf!_write+0x9c:
001b0bce e847000000      call    printf!_write_nolock (001b0c1a)
0:000:x86>
printf!_write_nolock+0x95:
001b0caf e8fefaffff      call    printf!write_requires_double_translation_nolock (001b07b2)
0:000:x86>
printf!write_requires_double_translation_nolock+0xc:
001b07be e8614f0000      call    printf!_isatty (001b5724)
0:000:x86>
printf!write_requires_double_translation_nolock+0x2f:
001b07e1 e80065ffff      call    printf!__acrt_getptd (001a6ce6)
0:000:x86>
printf!__crt_scoped_get_last_error_reset::{ctor} [inlined in printf!__acrt_getptd+0x5]:
001a6ceb ff1544001c00    call    dword ptr [printf!_imp__GetLastError 
0:000:x86>
printf!try_get_ptd_head+0xb [inlined in printf!__acrt_getptd+0x18]:
001a6cfe e8edc7ffff      call    printf!__acrt_FlsGetValue (001a34f0)
0:000:x86> t;pc
printf!try_get_FlsGetValue+0x11 [inlined in printf!__acrt_FlsGetValue+0x17]:
001a3507 e834fcffff      call    printf!try_get_function (001a3140)
0:000:x86>
printf!__acrt_FlsGetValue+0x2a:
001a351a ff1544011c00    call    dword ptr [printf!__guard_check_icall_fptr 
0:000:x86>
printf!__acrt_FlsGetValue+0x30:
001a3520 ffd6            call    esi {KERNELBASE!FlsGetValue (76f3fc60)}
0:000:x86>
KERNELBASE!FlsGetValue+0x15:
76f3fc75 ff1508a90177    call    dword ptr [KERNELBASE!_imp__RtlFlsGetValue 
0:000:x86>
printf!__acrt_getptd+0xa3:
001a6d89 ff1548001c00    call    dword ptr [printf!_imp__SetLastError 
0:000:x86>
ntdll_77080000!RtlSetLastWin32Error+0x34:
770df8b4 e897570100      call    ntdll_77080000!__security_check_cookie (770f5050)
0:000:x86>
printf!_write_nolock+0x130:
001b0d4a e8d6faffff      call    printf!write_text_ansi_nolock (001b0825)
0:000:x86>
printf!write_text_ansi_nolock+0xa:
001b082f e8fcc30000      call    printf!_chkstk (001bcc30)
0:000:x86>
printf!write_text_ansi_nolock+0x9c:
001b08c1 ff1584001c00    call    dword ptr [printf!_imp__WriteFile 
0:000:x86>
KERNELBASE!WriteFile+0x7:
76f41877 e858920400      call    KERNELBASE!_SEH_prolog4 (76f8aad4)
0:000:x86>
KERNELBASE!WriteFile+0x52:
76f418c2 ff15c0a70177    call    dword ptr [KERNELBASE!_imp__NtWriteFile 
0:000:x86>
ntdll_77080000!NtWriteFile+0xa:
770f2f7a ffd2            call    edx {ntdll_77080000!Wow64SystemServiceCall (77109ef0)}
0:000:x86>
wow64cpu!ReadWriteFileFault+0x2c:
00000000`77071995 e816030000      call    wow64cpu!CpupSyscallStub (00000000`77071cb0)
0:000>
wow64cpu!CpupSyscallStub+0xa:
00000000`77071cba 0f05            syscall 
0:000>
hello jmp far        <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< string printed 
printf!write_text_ansi_nolock+0xd4:
001b08f9 e8d713fdff      call    printf!__security_check_cookie (00181cd5)
0:000:x86>

You can see the same jmp far in the concise single execution:

:>cdb -c "bp KERNELBASE!WriteFile;g;g;pc;pc;t;pc;t;r;t;r;t;r;t;g;q" printf.exe  | awk /"Reading/,/quit/"

0:000> cdb: Reading initial command 'bp KERNELBASE!WriteFile;g;g;pc;pc;t;pc;t;r;t;r;t;r;t;g;q'

Bp expression 'KERNELBASE!WriteFile' could not be resolved, adding deferred bp


(1b10.1678): WOW64 breakpoint - code 4000001f (first chance)

Breakpoint 0 hit
eax=001a0008 ebx=00000000 ecx=00000000 edx=77109ef0 esi=0135e2e8 edi=00000054
eip=77109ef0 esp=0135e258 ebp=0135e2bc iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll_77080000!Wow64SystemServiceCall:
77109ef0 ff2528121a77    jmp     dword ptr [ntdll_77080000!Wow64Transition (771a1228)] 
eax=001a0008 ebx=00000000 ecx=00000000 edx=77109ef0 esi=0135e2e8 edi=00000054
eip=77076000 esp=0135e258 ebp=0135e2bc iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
wow64cpu!KiFastSystemCall:
77076000 ea096007773300  jmp     0033:77076009 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
rax=00000000001a0008 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000077109ef0 rsi=000000000135e2e8 rdi=0000000000000054
rip=0000000077076009 rsp=000000000135e258 rbp=000000000135e2bc
 r8=000000000000002b  r9=00000000770f314c r10=0000000000000000
r11=000000000125def0 r12=0000000001052000 r13=000000000125fda0
r14=000000000125e7e0 r15=0000000077073620
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
wow64cpu!KiFastSystemCall+0x9:
00000000`77076009 41ffa7f8000000  jmp     qword ptr [r15+0F8h] ds:00000000`77073718={wow64cpu!CpupRe
hello jmp far

quit:

:>

Answered by blabb on May 14, 2021
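As an added worked example, not part of the original question or answer: the C program below decodes the raw bytes of the two instructions the trace shows at wow64cpu!KiFastSystemCall (ea 09 60 07 77 33 00) and KiFastSystemCall+0x9 (41 ff a7 f8 00 00 00). It splits the far jmp's selector into its GDT index, table indicator and RPL, and then disassembles the target bytes once as 32-bit code and once as 64-bit code. That second step is the practical point for the asker: 0x41 is `inc ecx` in 32-bit mode but a REX prefix in 64-bit mode, so a disassembler still treating the 0x33 segment as 32-bit code cannot produce the `jmp qword ptr [r15+0F8h]` that cdb shows (the dword f8a7ff41 read in the question is the same four bytes 41 ff a7 f8 in little-endian order). Note that the selector alone only carries index and privilege level; whether the segment is 32-bit or 64-bit code is the descriptor's D/L bit. The mapping used in the comments (0x23 = 32-bit compatibility-mode user code, 0x33 = 64-bit user code) is the standard Windows x64 GDT layout, assumed here rather than derived, and the decoder handles only the instruction forms present in the trace.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Raw bytes copied from the two instructions in the cdb trace above
 * (wow64cpu!KiFastSystemCall and KiFastSystemCall+0x9). */
static const uint8_t kifastsystemcall[7]   = { 0xEA, 0x09, 0x60, 0x07, 0x77, 0x33, 0x00 };
static const uint8_t kifastsystemcall_9[7] = { 0x41, 0xFF, 0xA7, 0xF8, 0x00, 0x00, 0x00 };

struct selector   { unsigned index, table_is_ldt, rpl; };
struct far_target { uint16_t selector; uint32_t offset; };

/* Split a segment selector: bits 15..3 index the GDT (TI=0) or LDT (TI=1),
 * bits 1..0 are the requested privilege level. On Windows x64, 0x23 indexes
 * the 32-bit user code descriptor and 0x33 the 64-bit one (assumed, see text). */
struct selector decode_selector(uint16_t sel)
{
    struct selector s = { sel >> 3, (sel >> 2) & 1u, sel & 3u };
    return s;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse the direct far jmp "EA imm32 imm16" (32-bit operand size). Returns 0 on mismatch. */
size_t decode_far_jmp(const uint8_t *code, size_t len, struct far_target *out)
{
    if (len < 7 || code[0] != 0xEA) return 0;
    out->offset   = le32(code + 1);
    out->selector = (uint16_t)(code[5] | code[6] << 8);
    return 7;
}

static const char *reg32[8]  = { "eax","ecx","edx","ebx","esp","ebp","esi","edi" };
static const char *reg64[16] = { "rax","rcx","rdx","rbx","rsp","rbp","rsi","rdi",
                                 "r8","r9","r10","r11","r12","r13","r14","r15" };

/* Decode one instruction from the small subset the trace needs, as 32-bit
 * (compatibility) or 64-bit (long) mode code:
 *   EA imm32 imm16       jmp far sel:off     (32-bit mode only; #UD in 64-bit mode)
 *   40..4F               inc/dec r32 in 32-bit mode, a REX prefix in 64-bit mode
 *   FF /4 [base+disp32]  indirect jmp through memory (no SIB form handled)
 * Writes the text form to buf and returns bytes consumed, or 0 if not decodable. */
size_t decode_one(const uint8_t *code, size_t len, int mode64, char *buf, size_t bufsz)
{
    size_t pos = 0;
    unsigned rex_b = 0;
    if (len == 0) return 0;

    if (code[0] == 0xEA) {
        struct far_target t;
        if (mode64 || !decode_far_jmp(code, len, &t)) return 0;
        snprintf(buf, bufsz, "jmp far %04X:%08X", (unsigned)t.selector, (unsigned)t.offset);
        return 7;
    }
    if ((code[0] & 0xF0) == 0x40) {
        if (!mode64) {                         /* 32-bit mode: one-byte inc/dec r32 */
            snprintf(buf, bufsz, "%s %s", code[0] < 0x48 ? "inc" : "dec", reg32[code[0] & 7]);
            return 1;
        }
        rex_b = code[0] & 1;                   /* 64-bit mode: REX.B extends the base register */
        pos = 1;
    }
    if (pos + 6 > len || code[pos] != 0xFF) return 0;
    uint8_t modrm = code[pos + 1];
    unsigned mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    if (mod != 2 || reg != 4 || rm == 4) return 0;   /* only /4 = jmp, [base+disp32], no SIB */

    snprintf(buf, bufsz, "jmp %s ptr [%s+0x%X]", mode64 ? "qword" : "dword",
             mode64 ? reg64[rm + 8 * rex_b] : reg32[rm], (unsigned)le32(code + pos + 2));
    return pos + 6;
}

int main(void)
{
    char text[64];
    const uint16_t sels[2] = { 0x23, 0x33 };
    for (int i = 0; i < 2; i++) {
        struct selector s = decode_selector(sels[i]);
        printf("selector 0x%02X: index %u in %s, RPL %u\n", (unsigned)sels[i], s.index,
               s.table_is_ldt ? "LDT" : "GDT", s.rpl);
    }
    const uint8_t *seqs[2] = { kifastsystemcall, kifastsystemcall_9 };
    for (int mode64 = 0; mode64 <= 1; mode64++) {
        printf("-- decoding as %s-bit code --\n", mode64 ? "64" : "32");
        for (int k = 0; k < 2; k++) {
            for (size_t off = 0; off < 7; ) {
                size_t n = decode_one(seqs[k] + off, 7 - off, mode64, text, sizeof text);
                if (n == 0) { printf("  +%zu: not decodable in this mode\n", off); break; }
                printf("  +%zu: %s\n", off, text);
                off += n;
            }
        }
    }
    return 0;
}
```

Run it and compare the 64-bit decoding of the second byte sequence with the `jmp qword ptr [r15+0F8h]` line in the trace; the 32-bit decoding of the same bytes yields `inc ecx` followed by a `jmp dword ptr [edi+0xF8]`, which is the "emptiness" IDA was showing because it had not switched the target segment to 64-bit mode.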
