# Brief RE Puzzles

March 13th, 2005 by Multimedia Mike

These are a few of my favorite little reverse engineering puzzles to show people when they express interest in the craft. They are also 2 sample functions I thought I would use when prototyping the BFRE program.

Puzzle #1: this function can be boiled down to a simple statement about its overall purpose. For the sake of domain knowledge, I will state that it comes from a production video codec. The first 4 hex digits of each instruction's address are omitted since they are all the same anyway. A typical invocation follows the function.

```
DEF0 55                      push ebp
DEF1 8BEC                    mov ebp, esp
DEF3 53                      push ebx
DEF4 56                      push esi
DEF5 57                      push edi
DEF6 8B7D08                  mov edi, dword[ebp+08]
DEF9 8B750C                  mov esi, dword[ebp+0C]
DEFC 8B4F04                  mov ecx, dword[edi+04]
DEFF 8B5F10                  mov ebx, dword[edi+10]
DF02 8BD1                    mov edx, ecx
DF04 83E107                  and ecx, 00000007
DF07 C1EA03                  shr edx, 03
DF0A 8B0413                  mov eax, dword[ebx+edx]
DF0D 0FC8                    bswap eax
DF0F D3E0                    shl eax, cl
DF11 B920000000              mov ecx, 00000020
DF16 2BCE                    sub ecx, esi
DF18 D3E8                    shr eax, cl
DF1D 5F                      pop edi
DF1E 5E                      pop esi
DF1F 5B                      pop ebx
DF20 5D                      pop ebp
DF21 C3                      ret
```

The following fragment shows an example of how the function is called:

```
mov eax, dword[ebx+06]
mov ecx, 6
push ecx
push eax
call DEF0
```

Puzzle #2: this function also serves an incredibly simple purpose. Again, all of the addresses have been shortened to 4 digits:

```
1000 8B442404                mov eax, dword[esp+04]
1004 85C0                    test eax, eax
1006 740D                    je 1015
1008 8B08                    mov ecx, dword[eax]
100A 83F93C                  cmp ecx, 0000003C
100D 7506                    jne 1015
100F B801000000              mov eax, 00000001
1014 C3                      ret
1015 C7050090009004000000    mov dword[nnnn9000], 00000004
101F 33C0                    xor eax, eax
1021 C3                      ret
```

And a typical invocation looks like this:

```
1031 8B742408                mov esi, dword[esp+08]
1035 56                      push esi
1036 E8C5FFFFFF              call 1000
```

Solutions to the puzzles are here.
