[ale] C code help
Greg Freemyer
greg.freemyer at gmail.com
Tue May 24 12:12:24 EDT 2005
On 5/24/05, Mark Wright <mpwright at speedfactory.net> wrote:
>
> On May 23, 2005, at 11:14 AM, Greg Freemyer wrote:
>
> > Good Luck, that is quite a project.
> >
> > 2 things:
> >
> > 1) If this were Linux code, you could run strace on the code and see
> > all the kernel API calls, that would pretty much give you the info
> > you are interested in. Unfortunately, you don't seem to be talking
> > about Linux code here, so I have no ideas.
>
> I think it is Unix like or DOS.
>
If it is Linux, you should experiment with strace and get a feel for
how it works.
strace is a very standard Linux tool, and is likely part of whatever
distro you use.
Maybe type the below and look at the strace output, then try various
strace options. Try to figure out what is ignorable, and what is
important.
strace wc /etc/fstab 2> /tmp/strace.out
The strace output will be in /tmp/strace.out
When I did this, I got 85 lines of output, but only a few lines
related to /etc/fstab (the file being analysed by wc.)
Once you have a bit of a feel for how strace works, you can try running
your program of interest from a command line: "strace my_program".
> >
> > 2) You said you decompiled 2 files. Decompiled is going to have a
> > specific meaning to a programmer and to the best of my knowledge,
> > there are no tools for decompiling C code. I have to a assume you
> > meant you reverse engineered a couple of config files.
>
> I downloaded a command line utility that ran on OS X called the reverse
> engineering compiler.
> I cd to the directory and took a file called AR.exe that was hex data
> viewed in BBEDIT and converted it into the following (just the first
> bit of the file):
>
>
> /* This file was automatically created by
> * Reverse Engineering Compiler 1.6 (C) Giampiero Caprino (Mar 31 2002)
> * Input file: 'ar.exe'
> */
>
> /* DEST BLOCK NOT FOUND: 00000121 -> 000001ab */
> /* Procedure: 0x00000104 - 0x00000123
> * Argument size: 0
> * Local size: 0
> * Save regs size: 0
> */
>
> L00000104()
> {
>
>
>
> ds = *%cs:0x1ba];
> L00000167();
> (save)cs;
> *L00000928();
> bp = sp;
> ah = 0x4c;
> al = *(bp + 2);
> asm("int 0x21");
> cx = 0xe;
> dx = 0x2f;
> goto L000001ab;
> }
>
> /* Procedure: 0x00000124 - 0x00000166
> * Argument size: 0
> * Local size: 0
> * Save regs size: 4
> */
>
> L00000124()
> {
> /* unknown */ void ds;
>
>
>
> ax = 0x3500;
> asm("int 0x21");
> *L0000005B = bx;
> *L0000005D = es;
> ax = 0x3504;
> asm("int 0x21");
> *L0000005F = bx;
> *L00000061 = es;
> ax = 0x3505;
> asm("int 0x21");
> *L00000063 = bx;
> *L00000065 = es;
> ax = 0x3506;
> asm("int 0x21");
> *L00000067 = bx;
> *L00000069 = es;
> ax = 0x2500;
> ds = cs;
> dx = 0x11a;
> asm("int 0x21");
> }
>
> The truth is I don't know what I have done. Any ideas or comments?
>
I'm not sure what the above is myself. Looks like a weird cross
between C code and assembly to me.
Parts of it may be legal C code, but it is definitely not something a
beginner would want to wade through.
I think you will be better off focusing on the strace approach if you
can get it to work.
Greg
--
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
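Added example (not part of the thread above): a small POSIX shell/awk filter that does the sorting Greg describes, separating the few strace lines that concern the file you care about from the dozens of loader and library calls around them. The strace output embedded below is a constructed sample shaped like what `strace wc /etc/fstab 2> /tmp/strace.out` produces, not real captured output; the function names and the fd-tracking heuristic are this example's own.

```shell
#!/bin/sh
# Constructed sample of strace output for `wc /etc/fstab` (not a real capture).
# On a real system replace the printf in strace_lines with: cat /tmp/strace.out
SAMPLE_STRACE='execve("/usr/bin/wc", ["wc", "/etc/fstab"], 0x7ffd3c2a1e40 /* 20 vars */) = 0
brk(NULL)                               = 0x55c8f1a2b000
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=27568, ...}) = 0
mmap(NULL, 27568, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f2c1b2a0000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0"..., 832) = 832
close(3)                                = 0
openat(AT_FDCWD, "/etc/fstab", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=512, ...}) = 0
read(3, "# /etc/fstab: static file system information.\n"..., 16384) = 512
read(3, "", 16384)                      = 0
close(3)                                = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x1), ...}) = 0
write(1, " 12  60 512 /etc/fstab\n", 23)   = 23
close(1)                                = 0
exit_group(0)                           = ?
+++ exited with 0 +++'

# Source of trace lines; kept in one place so it is easy to swap for a real file.
strace_lines() {
    printf '%s\n' "$SAMPLE_STRACE"
}

# filter_file_syscalls PATH
# Prints every syscall line that mentions PATH, and also the follow-on calls
# (fstat/read/close ...) made on the descriptor returned by opening PATH,
# which is how the "few lines related to /etc/fstab" are found in the noise.
filter_file_syscalls() {
    strace_lines | awk -v p="$1" '
    {
        # Split "name(arg1, ...) = ret" into the syscall name and first argument.
        name = ""; fd = ""
        if (match($0, /^[a-z_0-9]+\(/)) {
            name = substr($0, 1, RLENGTH - 1)
            rest = substr($0, RLENGTH + 1)
            split(rest, a, /[,)]/)
            fd = a[1]
        }
        if (index($0, p)) {
            print
            # Remember the fd that a successful open/openat of PATH returned.
            if ((name == "open" || name == "openat") && match($0, /= [0-9]+$/))
                track[substr($0, RSTART + 2)] = 1
        } else if (fd in track) {
            # Call on a descriptor we are following; stop following at close().
            print
            if (name == "close") delete track[fd]
        }
    }'
}

# Line counts, so the signal-to-noise ratio can be reported.
count_total() {
    strace_lines | awk 'END { print NR }'
}

count_related() {
    filter_file_syscalls "$1" | awk 'END { print NR }'
}

# Stand-alone demonstration.
echo "lines related to /etc/fstab: $(count_related /etc/fstab) of $(count_total)"
filter_file_syscalls /etc/fstab
```

Run against a real capture (`strace -o /tmp/strace.out wc /etc/fstab`, then `cat /tmp/strace.out` in `strace_lines`), the same filter shows which of the 80-odd lines actually touch the file: the `execve` argv, the `openat`, the `read`/`close` on its descriptor, and the final `write` of the result. Everything else is the dynamic loader and libc setting up, which is the part Greg calls ignorable.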