Reverse Engineering Asked by neehack on May 14, 2021
My title is kind of ambiguous and not sure if it is true, Hence the question mark at the end.
Basically, I was trying to trace windows printf
in NASM to identify "what is the last call/function that outputs the sting". Long story short after a bunch of break points and etc. I found below:
[EIP] debug034:77126000 jmp far ptr 33h:77126009h
As soon as my EIP step over this line, the console outputs my string.
My work doesn’t work end here. So, I tried to trace the jmp and see what it points to:
As you can see in the image, the jmp above to point to this location/unk_77126339
(after pressing d
the location changed from unk_ to byte_) which is empty data (not sure, just saying because of the db
)
I also tried to jump to f8a7ff41
below the jump, but that still points to emptiness.
Would you know what is going on here? or how do I jump to the next instruction of printf here?
first of all you have a 32bit binary and you are debugging it on a 64 bit system see the wow64 symbol
it means you are looking at some kind of in-between
it means the far jump is pointing to a different code segment (see the present code segment 0x43 versus the codes segment of 0x33
please get yourself familiarised with code segments and privilege levels
basically printf reaches Ntdll!NtWriteFile before transitioning into kernel via a syscall
the far jump you are seeing is layer a glue between 32bit syscall and 64bit execution
google for words like wow64 ,heavensgate etc and skim them
here is a summary of x86 compiled binary debugged on a x64 windbg with code as shown below
:>ls -lg
total 1
-rw-r--r-- 1 197121 82 Jan 20 09:03 printf.cpp
:>cat printf.cpp
#include <stdio.h>
int main (void) {
printf ("hello jmp farn");
return 0;
}
:>cl /Zi /W4 /analyze /Od /EHsc /nologo printf.cpp /link /release
printf.cpp
:>ls -lg
total 6794
-rw-r--r-- 1 197121 82 Jan 20 09:03 printf.cpp
-rwxr-xr-x 1 197121 301568 Jan 20 09:05 printf.exe
-rw-r--r-- 1 197121 59 Jan 20 09:05 printf.nativecodeanalysis.xml
-rw-r--r-- 1 197121 5283 Jan 20 09:05 printf.obj
-rw-r--r-- 1 197121 6574080 Jan 20 09:05 printf.pdb
-rw-r--r-- 1 197121 69632 Jan 20 09:05 vc140.pdb
:>printf.exe
hello jmp far
here is a simple trace entering and executing all the calls until the string is printed
scroll to the end to see the transition
:>cdb printf.exe
Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
(1674.4d4): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00007ffa`ac6f0fcc cc int 3
0:000> g printf!main
ModLoad: 00000000`77070000 00000000`77079000 C:WINDOWSSystem32wow64cpu.dll
ModLoad: 00000000`74eb0000 00000000`74f90000 C:WINDOWSSysWOW64KERNEL32.DLL
ModLoad: 00000000`76e50000 00000000`7704f000 C:WINDOWSSysWOW64KERNELBASE.dll
(1674.4d4): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll_77080000!LdrpDoDebuggerBreak+0x2b:
7712ecc2 cc int 3
0:000:x86> g printf!main
printf!main:
00181000 55 push ebp
0:000:x86> uf .
printf!main:
00181000 55 push ebp
00181001 8bec mov ebp,esp
00181003 6890011c00 push offset printf!__xt_z+0x8 (001c0190)
00181008 e853000000 call printf!printf (00181060)
0018100d 83c404 add esp,4
00181010 33c0 xor eax,eax
00181012 5d pop ebp
00181013 c3 ret
0:000:x86> pc
printf!main+0x8:
00181008 e853000000 call printf!printf (00181060)
0:000:x86> t
printf!printf:
00181060 55 push ebp
0:000:x86> pc
printf!printf+0x18:
00181078 e82ea10000 call printf!__acrt_iob_func (0018b1ab)
0:000:x86> t
printf!__acrt_iob_func:
0018b1ab 8bff mov edi,edi
0:000:x86> pc
printf!printf+0x21:
00181081 e8aaffffff call printf!_vfprintf_l (00181030)
0:000:x86> t
printf!_vfprintf_l:
00181030 55 push ebp
0:000:x86> pc
printf!_vfprintf_l+0x13:
00181043 e8d8ffffff call printf!__local_stdio_printf_options (00181020)
0:000:x86> t
printf!__local_stdio_printf_options:
00181020 55 push ebp
0:000:x86> pc
printf!_vfprintf_l+0x1f:
0018104f e884b70100 call printf!__stdio_common_vfprintf (0019c7d8)
0:000:x86> t
printf!__stdio_common_vfprintf:
0019c7d8 8bff mov edi,edi
0:000:x86> pc
printf!__acrt_lock_stream_and_call+0x30 [inlined in printf!__stdio_common_vfprintf+0x7c]:
0019c854 e83eedfeff call printf!__crt_seh_guarded_callxxxlambdaing
0:000:x86> t
printf!__crt_seh_guarded_call<int>::operator()<<lambdaing
0018b597 6a0c push 0Ch
0:000:x86> pc
printf!__crt_seh_guarded_call<int>::operator()<<lambda_ing
0018b59e e80d65ffff call printf!__SEH_prolog4 (00181ab0)
0:000:x86> t
printf!__SEH_prolog4:
00181ab0 6890201800 push offset printf!_except_handler4 (00182090)
0:000:x86> pc
printf!__acrt_lock_stream_and_call::__l2::<lambda_8ing
0018b5ac e89cfcffff call printf!_lock_file (0018b24d)
0:000:x86> t
printf!_lock_file:
0018b24d 8bff mov edi,edi
0:000:x86> pc
printf!_lock_file+0xc:
0018b259 ff154c001c00 call dword ptr [printf!_imp__EnterCriticalSection
0:000:x86> t
ntdll_77080000!RtlEnterCriticalSection:
770cadc0 8bff mov edi,edi
0:000:x86> pc
printf!__crt_seh_guarded_call<int>::operator()<<lambda_8
0018b5b9 e880520000 call printf!<lambda_df
0:000:x86> t
printf!<lambda_df52180bf14694d51fdefd82613e8f07>::operator():
0019083e 8bff mov edi,edi
0:000:x86> pc
printf!__acrt_stdio_temporary_buffering_guard::{ctor}+0x1 [inl
0019085c e84e750100 call printf!__acrt_stdio_begin
0:000:x86> t
printf!__acrt_stdio_begin_temporary_buffering_nolock:
001a7daf 8bff mov edi,edi
0:000:x86> pc
printf!__acrt_stdio_begin_temporary_buffering_nolock+0xc:
001a7dbb e80afeffff call printf!_fileno (001a7bca)
0:000:x86> t
printf!_fileno:
001a7bca 8bff mov edi,edi
0:000:x86> pc
printf!__acrt_stdio_begin_temporary_buffering_nolock+0x12:
001a7dc1 e85ed90000 call printf!_isatty (001b5724)
0:000:x86> t
printf!_isatty:
001b5724 8bff mov edi,edi
0:000:x86> pc
printf!__acrt_stdio_begin_temporary_buffering_nolock+0x23:
001a7dd2 e8d433feff call printf!__acrt_iob_func (0018b1ab)
0:000:x86> t
printf!__acrt_iob_func:
0018b1ab 8bff mov edi,edi
0:000:x86> pc
printf!__acrt_stdio_begin_temporary_buffering_nolock+0x6d:
001a7e1c e88ed0ffff call printf!_malloc_base (001a4eaf)
0:000:x86> t
printf!_malloc_base:
001a4eaf 8bff mov edi,edi
0:000:x86> pc
printf!_malloc_base+0x32:
001a4ee1 ff159c001c00 call dword ptr [printf!_imp__HeapAlloc
0:000:x86> t
ntdll_77080000!RtlAllocateHeap:
770cf910 8bff mov edi,edi
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx cut off spew
ntdll_77080000!RtlLeaveCriticalSection:
770ba180 8bff mov edi,edi
0:000:x86> pc
printf!__crt_internal_free_policy::operator()+0x4 [inli
001a7e25 e8e5acffff call printf!_free_base (001a2b0f)
0:000:x86> t
printf!_free_base:
001a2b0f 8bff mov edi,edi
0:000:x86> pc
printf!<lambda_df52180bf14694d51fdefd82613e8f07>::operator()+0x35:
00190873 e8f3f9ffff call printf!_LocaleUpdate::_LocaleUpdate (0019026b)
0:000:x86> t
printf!_LocaleUpdate::_LocaleUpdate:
0019026b 8bff mov edi,edi
0:000:x86> pc
printf!__crt_stdio_output::standard_base<char,__crt_stdio_output::stream_output_adapter
001908a8 e88af6ffff call printf!__crt_stdio_output::output_adapter_data
0:000:x86> t
printf!__crt_stdio_output::output_adapter_data<char,__crt_stdio_output::stream_ou
0018ff37 8bff mov edi,edi
0:000:x86> pc
printf!__crt_stdio_output::output_adapter_data<char,__crt_stdio_output::stream_output_ad
0018ff3f e860ffffff call printf!__crt_stdio_output::common_data<char>::common_data<char> (0018fea4)
0:000:x86> t
printf!__crt_stdio_output::common_data<char>::common_data<char>:
0018fea4 8bff mov edi,edi
0:000:x86> pc
printf!<lambda_df52180bf14694d51fdefd82613e8f07>::operator()+0x79:
001908b7 e88c150000 call printf!__crt_stdio_output::output_pro
0:000:x86> t
printf!__crt_stdio_output::output_processor<char,__crt_stdio_ou
00191e48 8bff mov edi,edi
0:000:x86> pc
printf!__crt_stdio_output::output_processor<char,__crt_stdio_outp
00191e54 e881930000 call printf!__crt_stdio_output::stre
0:000:x86> t
printf!__crt_stdio_stream::valid [inlined in printf!__crt_stdio_output::stream_o
0019b1da 8b01 mov eax,dword ptr [ecx] ds:002b:009ef804=001c9078
0:000:x86> pc
printf!__crt_stdio_output::stream_output_adapter<char>::validate+0x1a:
0019b1f4 e8a5090000 call printf!__acrt_stdio_char_traits<char>::va
0:000:x86> t
printf!__acrt_stdio_char_traits<char>::validate_stream_is_ansi_if_required:
0019bb9e 8bff mov edi,edi
0:000:x86> pc
printf!__acrt_stdio_char_traits<char>::validate_stream_is_ansi_if_required+0x16:
0019bbb4 e811c00000 call printf!_fileno (001a7bca)
0:000:x86> t
printf!_fileno:
001a7bca 8bff mov edi,edi
0:000:x86> pc
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz cut off spew
0:000:x86>
printf!<lambda_df52180bf14694d51fdefd82613e8f07>::operator()+0x86:
001908c4 e892fbffff call printf!__crt_stdio_output::format
0:000:x86>
printf!__crt_internal_free_policy::operator()+0x9 [inlined in pr
00190466 e8a4260100 call printf!_free_base (001a2b0f)
0:000:x86>
printf!__acrt_stdio_temporary_buffering_guard::{dtor}+0x7
001908e6 e877750100 call printf!__acrt_stdio_end_tempo
0:000:x86>
printf!__acrt_stdio_end_temporary_buffering_nolock+0x1e:
001a7e80 e827c3ffff call printf!__acrt_stdio_flush_nolock (001a41ac)
0:000:x86>
printf!__acrt_stdio_flush_nolock+0x31:
001a41dd e8e8390000 call printf!_fileno (001a7bca)
0:000:x86>
printf!__acrt_stdio_flush_nolock+0x38:
001a41e4 e849c90000 call printf!_write (001b0b32)
0:000:x86>
printf!_write+0x7:
001b0b39 e8720ffdff call printf!__SEH_prolog4 (00181ab0)
0:000:x86>
printf!_write+0x5f:
001b0b91 e818a9ffff call printf!__acrt_lowio_lock_fh (001ab4ae)
0:000:x86>
printf!__acrt_lowio_lock_fh+0x1b:
001ab4c9 ff154c001c00 call dword ptr [printf!_imp__EnterCrit
0:000:x86>
printf!_write+0x9c:
001b0bce e847000000 call printf!_write_nolock (001b0c1a)
0:000:x86>
printf!_write_nolock+0x95:
001b0caf e8fefaffff call printf!write_requires_double_translation_nolock (001b07b2)
0:000:x86>
printf!write_requires_double_translation_nolock+0xc:
001b07be e8614f0000 call printf!_isatty (001b5724)
0:000:x86>
printf!write_requires_double_translation_nolock+0x2f:
001b07e1 e80065ffff call printf!__acrt_getptd (001a6ce6)
0:000:x86>
printf!__crt_scoped_get_last_error_reset::{ctor} [inlined in printf!__acrt_getptd+0x5]:
001a6ceb ff1544001c00 call dword ptr [printf!_imp__GetLastError
0:000:x86>
printf!try_get_ptd_head+0xb [inlined in printf!__acrt_getptd+0x18]:
001a6cfe e8edc7ffff call printf!__acrt_FlsGetValue (001a34f0)
0:000:x86> t;pc
printf!try_get_FlsGetValue+0x11 [inlined in printf!__acrt_FlsGetValue+0x17]:
001a3507 e834fcffff call printf!try_get_function (001a3140)
0:000:x86>
printf!__acrt_FlsGetValue+0x2a:
001a351a ff1544011c00 call dword ptr [printf!__guard_check_icall_fptr
0:000:x86>
printf!__acrt_FlsGetValue+0x30:
001a3520 ffd6 call esi {KERNELBASE!FlsGetValue (76f3fc60)}
0:000:x86>
KERNELBASE!FlsGetValue+0x15:
76f3fc75 ff1508a90177 call dword ptr [KERNELBASE!_imp__RtlFlsGetValue
0:000:x86>
printf!__acrt_getptd+0xa3:
001a6d89 ff1548001c00 call dword ptr [printf!_imp__SetLastError
0:000:x86>
ntdll_77080000!RtlSetLastWin32Error+0x34:
770df8b4 e897570100 call ntdll_77080000!__security_check_cookie (770f5050)
0:000:x86>
printf!_write_nolock+0x130:
001b0d4a e8d6faffff call printf!write_text_ansi_nolock (001b0825)
0:000:x86>
printf!write_text_ansi_nolock+0xa:
001b082f e8fcc30000 call printf!_chkstk (001bcc30)
0:000:x86>
printf!write_text_ansi_nolock+0x9c:
001b08c1 ff1584001c00 call dword ptr [printf!_imp__WriteFile
0:000:x86>
KERNELBASE!WriteFile+0x7:
76f41877 e858920400 call KERNELBASE!_SEH_prolog4 (76f8aad4)
0:000:x86>
KERNELBASE!WriteFile+0x52:
76f418c2 ff15c0a70177 call dword ptr [KERNELBASE!_imp__NtWriteFile
0:000:x86>
ntdll_77080000!NtWriteFile+0xa:
770f2f7a ffd2 call edx {ntdll_77080000!Wow64SystemServiceCall (77109ef0)}
0:000:x86>
wow64cpu!ReadWriteFileFault+0x2c:
00000000`77071995 e816030000 call wow64cpu!CpupSyscallStub (00000000`77071cb0)
0:000>
wow64cpu!CpupSyscallStub+0xa:
00000000`77071cba 0f05 syscall
0:000>
hello jmp far <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< string printed
printf!write_text_ansi_nolock+0xd4:
001b08f9 e8d713fdff call printf!__security_check_cookie (00181cd5)
0:000:x86>
you can see the same jmp far in the concise single execution
:>cdb -c "bp KERNELBASE!WriteFile;g;g;pc;pc;t;pc;t;r;t;r;t;r;t;g;q" printf.exe | awk /"Reading/,/quit/"
0:000> cdb: Reading initial command 'bp KERNELBASE!WriteFile;g;g;pc;pc;t;pc;t;r;t;r;t;r;t;g;q'
Bp expression 'KERNELBASE!WriteFile' could not be resolved, adding deferred bp
(1b10.1678): WOW64 breakpoint - code 4000001f (first chance)
Breakpoint 0 hit
eax=001a0008 ebx=00000000 ecx=00000000 edx=77109ef0 esi=0135e2e8 edi=00000054
eip=77109ef0 esp=0135e258 ebp=0135e2bc iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll_77080000!Wow64SystemServiceCall:
77109ef0 ff2528121a77 jmp dword ptr [ntdll_77080000!Wow64Transition (771a1228)]
eax=001a0008 ebx=00000000 ecx=00000000 edx=77109ef0 esi=0135e2e8 edi=00000054
eip=77076000 esp=0135e258 ebp=0135e2bc iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
wow64cpu!KiFastSystemCall:
77076000 ea096007773300 jmp 0033:77076009 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
rax=00000000001a0008 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000077109ef0 rsi=000000000135e2e8 rdi=0000000000000054
rip=0000000077076009 rsp=000000000135e258 rbp=000000000135e2bc
r8=000000000000002b r9=00000000770f314c r10=0000000000000000
r11=000000000125def0 r12=0000000001052000 r13=000000000125fda0
r14=000000000125e7e0 r15=0000000077073620
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
wow64cpu!KiFastSystemCall+0x9:
00000000`77076009 41ffa7f8000000 jmp qword ptr [r15+0F8h] ds:00000000`77073718={wow64cpu!CpupRe
hello jmp far
quit:
:>
Answered by blabb on May 14, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP