{"id":42,"date":"2005-03-13T09:39:09","date_gmt":"2005-03-13T16:39:09","guid":{"rendered":"\/?p=42"},"modified":"2006-05-04T12:15:38","modified_gmt":"2006-05-04T19:15:38","slug":"brief-re-puzzles","status":"publish","type":"post","link":"https:\/\/multimedia.cx\/eggs\/brief-re-puzzles\/","title":{"rendered":"Brief RE Puzzles"},"content":{"rendered":"<p>These are a few of my favorite little reverse engineering puzzles to show people when they express interest in the craft. They are also 2 sample functions I thought I would use when prototyping the <a href=\"http:\/\/multimedia.cx\/eggs\/index.php?cat=15\">BFRE program<\/a>.<\/p>\n<p><!--more--><\/p>\n<p>Puzzle #1: this function can be boiled down to a simple statement about its overall function. For the sake of domain knowledge, I will state that it comes from a production video codec. The first 4 hex digits of each instruction's address are omitted since they are all the same anyway. A typical invocation follows the function.<\/p>\n<pre>\r\n\r\n  DEF0 55                      push ebp\r\n  DEF1 8BEC                    mov ebp, esp\r\n  DEF3 53                      push ebx\r\n  DEF4 56                      push esi\r\n  DEF5 57                      push edi\r\n  DEF6 8B7D08                  mov edi, dword[ebp+08]\r\n  DEF9 8B750C                  mov esi, dword[ebp+0C]\r\n  DEFC 8B4F04                  mov ecx, dword[edi+04]\r\n  DEFF 8B5F10                  mov ebx, dword[edi+10]\r\n  DF02 8BD1                    mov edx, ecx\r\n  DF04 83E107                  and ecx, 00000007\r\n  DF07 C1EA03                  shr edx, 03\r\n  DF0A 8B0413                  mov eax, dword[ebx+edx]\r\n  DF0D 0FC8                    bswap eax\r\n  DF0F D3E0                    shl eax, cl\r\n  DF11 B920000000              mov ecx, 00000020\r\n  DF16 2BCE                    sub ecx, esi\r\n  DF18 D3E8                    shr eax, cl\r\n  DF1A 017704                  add dword[edi+04], esi\r\n  DF1D 5F                      pop edi\r\n  DF1E 5E 
                     pop esi\r\n  DF1F 5B                      pop ebx\r\n  DF20 5D                      pop ebp\r\n  DF21 C3                      ret\r\n\r\n<\/pre>\n<p>The following fragment shows an example of how the function is called:<\/p>\n<pre>\r\n\r\n  mov eax, dword[ebx+06]\r\n  mov ecx, 6\r\n  push ecx\r\n  push eax\r\n  call DEF0\r\n  add esp, 8\r\n\r\n<\/pre>\n<p>Puzzle #2: this function also serves an incredibly simple purpose. Again, all of the addresses have been shortened to 4 digits:<\/p>\n<pre>\r\n\r\n1000 8B442404                mov eax, dword[esp+04]\r\n1004 85C0                    test eax, eax\r\n1006 740D                    je 1015\r\n1008 8B08                    mov ecx, dword[eax]\r\n100A 83F93C                  cmp ecx, 0000003C\r\n100D 7506                    jne 1015\r\n100F B801000000              mov eax, 00000001\r\n1014 C3                      ret\r\n1015 C7050090009004000000    mov dword[nnnn9000], 00000004\r\n101F 33C0                    xor eax, eax\r\n1021 C3                      ret\r\n<\/pre>\n<p>And a typical invocation looks like this:<\/p>\n<pre>\r\n\r\n1031 8B742408                mov esi, dword[esp+08]\r\n1035 56                      push esi\r\n1036 E8C5FFFFFF              call 1000\r\n<\/pre>\n<p><a href=\"http:\/\/multimedia.cx\/eggs\/index.php?p=43\">Solutions to the puzzles are here.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Try your hand at 
RE&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-42","post","type-post","status-publish","format-standard","hentry","category-reverse-engineering"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/posts\/42","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/comments?post=42"}],"version-history":[{"count":0,"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/posts\/42\/revisions"}],"wp:attachment":[{"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/media?parent=42"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/categories?post=42"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/multimedia.cx\/eggs\/wp-json\/wp\/v2\/tags?post=42"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}