These are a few of my favorite little reverse engineering puzzles to show people when they express interest in the craft. They are also the two sample functions I thought I would use when prototyping the BFRE program.
Puzzle #1: this function can be boiled down to a simple statement about its overall function. For the sake of domain knowledge, I will state that it comes from a production video codec. The first 4 hex digits of each instruction's address are omitted since they are all the same anyway. A typical invocation follows the function.
DEF0 55            push ebp
DEF1 8BEC          mov ebp, esp
DEF3 53            push ebx
DEF4 56            push esi
DEF5 57            push edi
DEF6 8B7D08        mov edi, dword[ebp+08]
DEF9 8B750C        mov esi, dword[ebp+0C]
DEFC 8B4F04        mov ecx, dword[edi+04]
DEFF 8B5F10        mov ebx, dword[edi+10]
DF02 8BD1          mov edx, ecx
DF04 83E107        and ecx, 00000007
DF07 C1EA03        shr edx, 03
DF0A 8B0413        mov eax, dword[ebx+edx]
DF0D 0FC8          bswap eax
DF0F D3E0          shl eax, cl
DF11 B920000000    mov ecx, 00000020
DF16 2BCE          sub ecx, esi
DF18 D3E8          shr eax, cl
DF1A 017704        add dword[edi+04], esi
DF1D 5F            pop edi
DF1E 5E            pop esi
DF1F 5B            pop ebx
DF20 5D            pop ebp
DF21 C3            ret
The following fragment shows an example of how the function is called:
mov eax, dword[ebx+06]
mov ecx, 6
push ecx
push eax
call DEF0
add esp, 8
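One way to check a reading of the listing is to render it instruction for instruction in C and run it on a constructed buffer. The following is an added example, not code from the post or from the codec: the struct layout is assumed from the two offsets the function touches (+04 and +10), the field names are placeholders, and the sample bytes are made up. The one x86 detail worth carrying over exactly is that `shr eax, cl` masks the count to 5 bits, so a second argument of 0 shifts by 0 rather than clearing eax.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Layout assumed from the listing: only +0x04 and +0x10 are referenced, the
 * other fields are placeholders whose meaning the listing does not reveal. */
struct ctx_def0 {
    uint32_t       field_00;   /* +0x00: not referenced */
    uint32_t       field_04;   /* +0x04: read into ecx, then incremented by the second argument */
    uint32_t       field_08;   /* +0x08: not referenced */
    uint32_t       field_0c;   /* +0x0C: not referenced */
    const uint8_t *field_10;   /* +0x10: read into ebx, base pointer of the dword load */
};

/* mov eax, dword[ebx+edx]: x86 loads the dword little-endian. */
static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* bswap eax */
static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0xFF00u) | ((v << 8) & 0xFF0000u) | (v << 24);
}

/* Instruction-for-instruction rendering of DEF0.  The call site pushes ecx
 * (6) first and eax second, so [ebp+08] is the struct pointer (edi) and
 * [ebp+0C] is the count (esi). */
static uint32_t func_def0(struct ctx_def0 *edi, uint32_t esi)
{
    uint32_t ecx = edi->field_04;            /* mov ecx, dword[edi+04] */
    const uint8_t *ebx = edi->field_10;      /* mov ebx, dword[edi+10] */
    uint32_t edx = ecx;                      /* mov edx, ecx */
    ecx &= 7;                                /* and ecx, 00000007 */
    edx >>= 3;                               /* shr edx, 03 */
    uint32_t eax = load_le32(ebx + edx);     /* mov eax, dword[ebx+edx] */
    eax = bswap32(eax);                      /* bswap eax */
    eax <<= ecx;                             /* shl eax, cl   (cl is 0..7 here) */
    ecx = 32 - esi;                          /* mov ecx, 00000020 ; sub ecx, esi */
    eax >>= (ecx & 31);                      /* shr eax, cl   (x86 masks the count to 5 bits) */
    edi->field_04 += esi;                    /* add dword[edi+04], esi */
    return eax;
}

/* Constructed sample bytes, not data from the codec. */
static const uint8_t sample_bytes[8] = { 0xA5, 0x3C, 0xF0, 0x0F, 0x00, 0x00, 0x00, 0x00 };

/* Run DEF0 once from a given starting value of field_04 and return eax. */
static uint32_t def0_result(uint32_t start_04, uint32_t esi)
{
    struct ctx_def0 c = { 0, start_04, 0, 0, sample_bytes };
    return func_def0(&c, esi);
}

/* Same call, but return the value of field_04 afterwards. */
static uint32_t def0_field_04_after(uint32_t start_04, uint32_t esi)
{
    struct ctx_def0 c = { 0, start_04, 0, 0, sample_bytes };
    (void)func_def0(&c, esi);
    return c.field_04;
}

int main(void)
{
    struct ctx_def0 c = { 0, 0, 0, 0, sample_bytes };
    /* The call site passes 6 as the second argument; call it a few times in a row. */
    for (int i = 0; i < 4; i++) {
        uint32_t eax = func_def0(&c, 6);
        printf("call %d: eax = %u, field_04 is now %u\n", i, eax, c.field_04);
    }
    /* The masked shift count: a second argument of 0 returns the whole shifted dword. */
    printf("esi = 0 from field_04 = 12: eax = 0x%08X\n", def0_result(12, 0));
    return 0;
}
```

Running the call-site sequence on the sample bytes and watching eax and field_04 change together is usually enough to settle what the function does; the esi = 0 case is the one a reader tends to get wrong when reasoning about the shifts on paper.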
Puzzle #2: this function also serves an incredibly simple purpose. Again, all of the addresses have been shortened to 4 digits:
1000 8B442404                mov eax, dword[esp+04]
1004 85C0                    test eax, eax
1006 740D                    je 1015
1008 8B08                    mov ecx, dword[eax]
100A 83F93C                  cmp ecx, 0000003C
100D 7506                    jne 1015
100F B801000000              mov eax, 00000001
1014 C3                      ret
1015 C7050090009004000000    mov dword[nnnn9000], 00000004
101F 33C0                    xor eax, eax
1021 C3                      ret
And a typical invocation looks like this:
1031 8B742408    mov esi, dword[esp+08]
1035 56          push esi
1036 E8C5FFFFFF  call 1000
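The same trick works for the second puzzle: write the three-way branch out in C and exercise it with a null pointer, a block whose first dword is 3C, and one whose first dword is not. This is an added example rather than code from the post; the global at nnnn9000 is a stand-in variable because the listing shortens its address, and the two sample blocks are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the dword at nnnn9000; the address is shortened in the
 * listing, so this is a constructed variable, not a recovered symbol. */
static uint32_t dword_nnnn9000 = 0;

/* Instruction-for-instruction rendering of 1000.  The single argument at
 * [esp+04] is only ever dereferenced as a dword, so it is a uint32_t
 * pointer here. */
static uint32_t func_1000(const uint32_t *eax)
{
    if (eax != NULL) {                   /* test eax, eax ; je 1015 */
        uint32_t ecx = *eax;             /* mov ecx, dword[eax] */
        if (ecx == 0x3C)                 /* cmp ecx, 0000003C ; jne 1015 */
            return 1;                    /* mov eax, 00000001 ; ret */
    }
    dword_nnnn9000 = 4;                  /* 1015: mov dword[nnnn9000], 00000004 */
    return 0;                            /* xor eax, eax ; ret */
}

/* Accessors so the global's value can be inspected and reset between calls. */
static uint32_t read_dword_nnnn9000(void) { return dword_nnnn9000; }
static void reset_dword_nnnn9000(void) { dword_nnnn9000 = 0; }

/* Mirrors the call site at 1031: the caller forwards its own second
 * argument ([esp+08]) as the only argument to 1000. */
static uint32_t call_site_1031(const uint32_t *esi)
{
    return func_1000(esi);
}

/* Constructed inputs: a block whose first dword is 3C and one whose is not. */
static const uint32_t block_ok[4]  = { 0x3C, 0, 0, 0 };
static const uint32_t block_bad[4] = { 0x40, 0, 0, 0 };

int main(void)
{
    printf("first dword 3C: eax = %u, nnnn9000 = %u\n",
           call_site_1031(block_ok), read_dword_nnnn9000());
    reset_dword_nnnn9000();
    printf("first dword 40: eax = %u", call_site_1031(block_bad));
    printf(", nnnn9000 = %u\n", read_dword_nnnn9000());
    reset_dword_nnnn9000();
    printf("null pointer:   eax = %u", call_site_1031(NULL));
    printf(", nnnn9000 = %u\n", read_dword_nnnn9000());
    return 0;
}
```

Note that the two failing paths are indistinguishable from the outside: both leave the same value in the global and return 0, which is why the null test and the compare share the target at 1015.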