Brief RE Puzzles

These are a few of my favorite little reverse engineering puzzles to show people when they express interest in the craft. They are also the two sample functions I thought I would use when prototyping the BFRE program.

Puzzle #1: this function can be boiled down to a simple statement about its overall purpose. For the sake of domain knowledge, I will state that it comes from a production video codec. The first 4 hex digits of each instruction's address are omitted since they are all the same anyway. A typical invocation follows the function.


  DEF0 55                      push ebp
  DEF1 8BEC                    mov ebp, esp
  DEF3 53                      push ebx
  DEF4 56                      push esi
  DEF5 57                      push edi
  DEF6 8B7D08                  mov edi, dword[ebp+08]
  DEF9 8B750C                  mov esi, dword[ebp+0C]
  DEFC 8B4F04                  mov ecx, dword[edi+04]
  DEFF 8B5F10                  mov ebx, dword[edi+10]
  DF02 8BD1                    mov edx, ecx
  DF04 83E107                  and ecx, 00000007
  DF07 C1EA03                  shr edx, 03
  DF0A 8B0413                  mov eax, dword[ebx+edx]
  DF0D 0FC8                    bswap eax
  DF0F D3E0                    shl eax, cl
  DF11 B920000000              mov ecx, 00000020
  DF16 2BCE                    sub ecx, esi
  DF18 D3E8                    shr eax, cl
  DF1A 017704                  add dword[edi+04], esi
  DF1D 5F                      pop edi
  DF1E 5E                      pop esi
  DF1F 5B                      pop ebx
  DF20 5D                      pop ebp
  DF21 C3                      ret

The following fragment shows an example of how the function is called:


  mov eax, dword[ebx+06]
  mov ecx, 6
  push ecx
  push eax
  call DEF0
  add esp, 8
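
If you want to check your reading of Puzzle #1 against a reference, here is a C model of the routine, added for this page rather than taken from the codec or the original post. The struct layout is assumed from the offsets the listing touches, and read_bits_checked, sample and demo are additions that have no counterpart in the listing.

```c
#include <stdint.h>

/* Layout assumed from the offsets used: only [edi+04] and [edi+10] are touched. */
typedef struct {
    uint32_t       unk00;   /* [edi+00], not used by the routine */
    uint32_t       bit_pos; /* [edi+04], current position in bits */
    uint32_t       unk08;   /* [edi+08], not used */
    uint32_t       unk0c;   /* [edi+0C], not used */
    const uint8_t *buf;     /* [edi+10], start of the byte stream */
} bitreader_t;

/* Model of DEF0: return the next n bits MSB-first and advance. x86 masks shift
 * counts to 5 bits, so n == 0 shifts by 0 and returns the whole 32-bit window. */
uint32_t read_bits(bitreader_t *r, uint32_t n)
{
    uint32_t pos  = r->bit_pos;
    uint32_t skip = pos & 7;                 /* and ecx, 7 */
    const uint8_t *p = r->buf + (pos >> 3);  /* shr edx, 3 */
    /* mov eax, [ebx+edx]; bswap eax == big-endian dword load; always 4 bytes */
    uint32_t w = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    w <<= skip;                              /* shl eax, cl */
    w >>= (32 - n) & 31;                     /* mov ecx, 32; sub ecx, esi; shr eax, cl */
    r->bit_pos = pos + n;                    /* add [edi+04], esi */
    return w;
}

/* Checks the listing lacks: window inside the buffer, n fits after the skip. */
int read_bits_checked(bitreader_t *r, uint32_t len, uint32_t n, uint32_t *out)
{
    uint32_t pos = r->bit_pos;
    if (n == 0 || n > 32 - (pos & 7)) return 0;             /* bits shifted away */
    if ((pos >> 3) > len || len - (pos >> 3) < 4) return 0; /* dword would overrun */
    *out = read_bits(r, n);
    return 1;
}

/* Constructed sample stream; demo() walks it and returns the final bit_pos. */
static const uint8_t sample[8] = {0xA5, 0x3C, 0xFF, 0x00, 0x12, 0x34, 0x56, 0x78};
uint32_t demo(uint32_t out[5])
{
    bitreader_t r = {0, 0, 0, 0, sample};
    out[0] = read_bits(&r, 6);   /* 101001b = 0x29 */
    out[1] = read_bits(&r, 6);   /* 010011b = 0x13 */
    out[2] = read_bits(&r, 4);   /* 1100b   = 0xC  */
    out[3] = read_bits(&r, 0);   /* quirk: raw window 0xFF001234, pos unchanged */
    out[4] = read_bits(&r, 32);  /* 0xFF001234, pos -> 48 */
    return r.bit_pos;
}
```

Note that the unchecked routine always loads a full dword, so a caller that lets the position reach the last three bytes of a buffer reads past its end; that is the check read_bits_checked adds.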

Puzzle #2: this function also serves an incredibly simple purpose. Again, all of the addresses have been shortened to 4 digits:


  1000 8B442404                mov eax, dword[esp+04]
  1004 85C0                    test eax, eax
  1006 740D                    je 1015
  1008 8B08                    mov ecx, dword[eax]
  100A 83F93C                  cmp ecx, 0000003C
  100D 7506                    jne 1015
  100F B801000000              mov eax, 00000001
  1014 C3                      ret
  1015 C7050090009004000000    mov dword[nnnn9000], 00000004
  101F 33C0                    xor eax, eax
  1021 C3                      ret

And a typical invocation looks like this:


  1031 8B742408                mov esi, dword[esp+08]
  1035 56                      push esi
  1036 E8C5FFFFFF              call 1000

Solutions to the puzzles are here.