Incorrectly disassembled code examples

dani0l · Feb 3, 2014 · 9ea72f3 · 9ea72f3
1 parent 247a5b4
commit 9ea72f3
Show file tree

Hide file tree

Showing 11 changed files with 1,142 additions and 4 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -22,4 +22,5 @@ Published at 13-Aug-2013: pointers, C++ references.
 25-Jan-2014: CRT (win32)
 28-Jan-2014: SEH3/4
 31-Jan-2014: 64-bit in 32-bit environment
-02-Feb-2014: Changing title to shorter "Reverse Engineering for Beginners".
+02-Feb-2014: Changing title to shorter "Reverse Engineering for Beginners".
+03-Feb-2014: Incorrectly disassembled code examples
diff --git a/OS-specific/PE/PE.tex b/OS-specific/PE/PE.tex
@@ -195,11 +195,12 @@ \subsubsection{\IFRU{Секции}{Sections}}
 \IT{(readable data)}.
 \IFRU{Еще популярные имена секций}{Other popular section names are}: 
 
+\index{MIPS}
 \begin{itemize}
 \item \TT{.idata}\EMDASH{}\IFRU{секция импортов}{imports section}
 \item \TT{.edata}\EMDASH{}\IFRU{секция экспортов}{exports section}
-\item \TT{.pdata}\EMDASH{}\IFRU{секция содержащая информацию об исключениях в x64}
-{section containing all information about exceptions in x64}: \ref{SEH_win64}
+\item \TT{.pdata}\EMDASH{}\IFRU{секция содержащая информацию об исключениях в Windows NT для MIPS и x64}
+{section containing all information about exceptions in Windows NT for MIPS and x64}: \ref{SEH_win64}
 \item \TT{.reloc}\EMDASH{}\IFRU{секция релоков}{relocs section}
 \item \TT{.bss}\EMDASH{}\IFRU{неинициализированные данные}{uninitialized data (\ac{BSS})}
 \item \TT{.tls}\EMDASH{}thread local storage (\ac{TLS})

diff --git a/common_phrases.tex b/common_phrases.tex
@@ -63,4 +63,5 @@
 % other
 \newcommand{\IntelSyntax}{\IFRU{Синтаксис Intel}{Intel syntax}}
 \newcommand{\ATTSyntax}{\IFRU{Синтаксис AT\&T}{AT\&T syntax}}
+\newcommand{\randomNoise}{\IFRU{случайный шум}{random noise}}
 
diff --git a/patterns/23_incorrect_disassembly/ARM.asm b/patterns/23_incorrect_disassembly/ARM.asm
@@ -0,0 +1,52 @@
+BLNE    0xFE16A9D8
+BGE     0x1634D0C
+SVCCS   0x450685
+STRNVT  R5, [PC],#-0x964
+LDCGE   p6, c14, [R0],#0x168
+STCCSL  p9, c9, [LR],#0x14C
+CMNHIP  PC, R10,LSL#22
+FLDMIADNV LR!, {D4}
+MCR     p5, 2, R2,c15,c6, 4
+BLGE    0x1139558
+BLGT    0xFF9146E4
+STRNEB  R5, [R4],#0xCA2
+STMNEIB R5, {R0,R4,R6,R7,R9-SP,PC}
+STMIA   R8, {R0,R2-R4,R7,R8,R10,SP,LR}^
+STRB    SP, [R8],PC,ROR#18
+LDCCS   p9, c13, [R6,#0x1BC]
+LDRGE   R8, [R9,#0x66E]
+STRNEB  R5, [R8],#-0x8C3
+STCCSL  p15, c9, [R7,#-0x84]
+RSBLS   LR, R2, R11,ASR LR
+SVCGT   0x9B0362
+SVCGT   0xA73173
+STMNEDB R11!, {R0,R1,R4-R6,R8,R10,R11,SP}
+STR     R0, [R3],#-0xCE4
+LDCGT   p15, c8, [R1,#0x2CC]
+LDRCCB  R1, [R11],-R7,ROR#30
+BLLT    0xFED9D58C
+BL      0x13E60F4
+LDMVSIB R3!, {R1,R4-R7}^
+USATNE  R10, #7, SP,LSL#11
+LDRGEB  LR, [R1],#0xE56
+STRPLT  R9, [LR],#0x567
+LDRLT   R11, [R1],#-0x29B
+SVCNV   0x12DB29
+MVNNVS  R5, SP,LSL#25
+LDCL    p8, c14, [R12,#-0x288]
+STCNEL  p2, c6, [R6,#-0xBC]!
+SVCNV   0x2E5A2F
+BLX     0x1A8C97E
+TEQGE   R3, #0x1100000
+STMLSIA R6, {R3,R6,R10,R11,SP}
+BICPLS  R12, R2, #0x5800
+BNE     0x7CC408
+TEQGE   R2, R4,LSL#20
+SUBS    R1, R11, #0x28C
+BICVS   R3, R12, R7,ASR R0
+LDRMI   R7, [LR],R3,LSL#21
+BLMI    0x1A79234
+STMVCDB R6, {R0-R3,R6,R7,R10,R11}
+EORMI   R12, R6, #0xC5
+MCRRCS  p1, 0xF, R1,R3,c2
+
diff --git a/patterns/23_incorrect_disassembly/ARM_thumb.asm b/patterns/23_incorrect_disassembly/ARM_thumb.asm
@@ -0,0 +1,89 @@
+                LSRS    R3, R6, #0x12
+                LDRH    R1, [R7,#0x2C]
+                SUBS    R0, #0x55 ; 'U'
+                ADR     R1, loc_3C
+                LDR     R2, [SP,#0x218]
+                CMP     R4, #0x86
+                SXTB    R7, R4
+                LDR     R4, [R1,#0x4C]
+                STR     R4, [R4,R2]
+                STR     R0, [R6,#0x20]
+                BGT     0xFFFFFF72
+                LDRH    R7, [R2,#0x34]
+                LDRSH   R0, [R2,R4]
+                LDRB    R2, [R7,R2]
+; ---------------------------------------------------------------------------
+                DCB 0x17
+                DCB 0xED
+; ---------------------------------------------------------------------------
+                STRB    R3, [R1,R1]
+                STR     R5, [R0,#0x6C]
+                LDMIA   R3, {R0-R5,R7}
+                ASRS    R3, R2, #3
+                LDR     R4, [SP,#0x2C4]
+                SVC     0xB5
+                LDR     R6, [R1,#0x40]
+                LDR     R5, =0xB2C5CA32
+                STMIA   R6, {R1-R4,R6}
+                LDR     R1, [R3,#0x3C]
+                STR     R1, [R5,#0x60]
+                BCC     0xFFFFFF70
+                LDR     R4, [SP,#0x1D4]
+                STR     R5, [R5,#0x40]
+                ORRS    R5, R7
+
+loc_3C                                  ; DATA XREF: ROM:00000006
+                B       0xFFFFFF98
+; ---------------------------------------------------------------------------
+                ASRS    R4, R1, #0x1E
+                ADDS    R1, R3, R0
+                STRH    R7, [R7,#0x30]
+                LDR     R3, [SP,#0x230]
+                CBZ     R6, loc_90
+                MOVS    R4, R2
+                LSRS    R3, R4, #0x17
+                STMIA   R6!, {R2,R4,R5}
+                ADDS    R6, #0x42 ; 'B'
+                ADD     R2, SP, #0x180
+                SUBS    R5, R0, R6
+                BCC     loc_B0
+                ADD     R2, SP, #0x160
+                LSLS    R5, R0, #0x1A
+                CMP     R7, #0x45
+                LDR     R4, [R4,R5]
+; ---------------------------------------------------------------------------
+                DCB 0x2F ; /
+                DCB 0xF4
+; ---------------------------------------------------------------------------
+                B       0xFFFFFD18
+; ---------------------------------------------------------------------------
+                ADD     R4, SP, #0x2C0
+                LDR     R1, [SP,#0x14C]
+                CMP     R4, #0xEE
+; ---------------------------------------------------------------------------
+                DCB  0xA
+                DCB 0xFB
+; ---------------------------------------------------------------------------
+                STRH    R7, [R5,#0xA]
+                LDR     R3, loc_78
+; ---------------------------------------------------------------------------
+                DCB 0xBE ; -
+                DCB 0xFC
+; ---------------------------------------------------------------------------
+                MOVS    R5, #0x96
+; ---------------------------------------------------------------------------
+                DCB 0x4F ; O
+                DCB 0xEE
+; ---------------------------------------------------------------------------
+                B       0xFFFFFAE6
+; ---------------------------------------------------------------------------
+                ADD     R3, SP, #0x110
+
+loc_78                                  ; DATA XREF: ROM:0000006C
+                STR     R1, [R3,R6]
+                LDMIA   R3!, {R2,R5-R7}
+                LDRB    R2, [R4,R2]
+                ASRS    R4, R0, #0x13
+                BKPT    0xD1
+                ADDS    R5, R0, R6
+                STR     R5, [R3,#0x58]
diff --git a/patterns/23_incorrect_disassembly/MIPS.asm b/patterns/23_incorrect_disassembly/MIPS.asm
@@ -0,0 +1,83 @@
+               lw      $t9, 0xCB3($t5)
+               sb      $t5, 0x3855($t0)
+               sltiu   $a2, $a0, -0x657A
+               ldr     $t4, -0x4D99($a2)
+               daddi   $s0, $s1, 0x50A4
+               lw      $s7, -0x2353($s4)
+               bgtzl   $a1, 0x17C5C
+# ---------------------------------------------------------------------------
+               .byte 0x17
+               .byte 0xED
+               .byte 0x4B  # K
+               .byte 0x54  # T
+# ---------------------------------------------------------------------------
+               lwc2    $31, 0x66C5($sp)
+               lwu     $s1, 0x10D3($a1)
+               ldr     $t6, -0x204B($zero)
+               lwc1    $f30, 0x4DBE($s2)
+               daddiu  $t1, $s1, 0x6BD9
+               lwu     $s5, -0x2C64($v1)
+               cop0    0x13D642D
+               bne     $gp, $t4, 0xFFFF9EF0
+               lh      $ra, 0x1819($s1)
+               sdl     $fp, -0x6474($t8)
+               jal     0x78C0050
+               ori     $v0, $s2, 0xC634
+               blez    $gp, 0xFFFEA9D4
+               swl     $t8, -0x2CD4($s2)
+               sltiu   $a1, $k0, 0x685
+               sdc1    $f15, 0x5964($at)
+               sw      $s0, -0x19A6($a1)
+               sltiu   $t6, $a3, -0x66AD
+               lb      $t7, -0x4F6($t3)
+               sd      $fp, 0x4B02($a1)
+# ---------------------------------------------------------------------------
+               .byte 0x96
+               .byte 0x25  # %
+               .byte 0x4F  # O
+               .byte 0xEE
+# ---------------------------------------------------------------------------
+               swl     $a0, -0x1AC9($k0)
+               lwc2    $4, 0x5199($ra)
+               bne     $a2, $a0, 0x17308
+# ---------------------------------------------------------------------------
+               .byte 0xD1
+               .byte 0xBE
+               .byte 0x85
+               .byte 0x19
+# ---------------------------------------------------------------------------
+               swc2    $8, 0x659D($a2)
+               swc1    $f8, -0x2691($s6)
+               sltiu   $s6, $t4, -0x2691
+               sh      $t9, -0x7992($t4)
+               bne     $v0, $t0, 0x163A4
+               sltiu   $a3, $t2, -0x60DF
+               lbu     $v0, -0x11A5($v1)
+               pref    0x1B, 0x362($gp)
+               pref    7, 0x3173($sp)
+               blez    $t1, 0xB678
+               swc1    $f3, flt_CE4($zero)
+               pref    0x11, -0x704D($t4)
+               ori     $k1, $s2, 0x1F67
+               swr     $s6, 0x7533($sp)
+               swc2    $15, -0x67F4($k0)
+               ldl     $s3, 0xF2($t7)
+               bne     $s7, $a3, 0xFFFE973C
+               sh      $s1, -0x11AA($a2)
+               bnel    $a1, $t6, 0xFFFE566C
+               sdr     $s1, -0x4D65($zero)
+               sd      $s2, -0x24D7($t8)
+               scd     $s4, 0x5C8D($t7)
+# ---------------------------------------------------------------------------
+               .byte 0xA2
+               .byte 0xE8
+               .byte 0x5C  # \
+               .byte 0xED
+# ---------------------------------------------------------------------------
+               bgtz    $t3, 0x189A0
+               sd      $t6, 0x5A2F($t9)
+               sdc2    $10, 0x3223($k1)
+               sb      $s3, 0x5744($t9)
+               lwr     $a2, 0x2C48($a0)
+               beql    $fp, $s2, 0xFFFF3258
+
diff --git a/patterns/23_incorrect_disassembly/main.tex b/patterns/23_incorrect_disassembly/main.tex
@@ -0,0 +1,127 @@
+\section{\IFRU{Неверно дизассемблированный код}{Incorrectly disassembled code}}
+
+\IFRU{Практикующие reverse engineer-ы часто сталкиваются с неверно дизассемблированным кодом}
+{Practicing reverse engineers often dealing with incorrectly disassembled code}.
+
+\subsection{\IFRU{Дизассемблирование началось в неверном месте}{Disassembling started incorrectly} (x86)}
+
+\IFRU{В отличие от ARM и MIPS (где у каждой инструкции длина или 2 или 4 байта), x86-инструкции имеют переменную длину,
+так что, любой дизассемблер, начиная работу с середины x86-инструкции, может выдать неверные результаты.}
+{Unlike ARM and MIPS (where any instruction has length of 2 or 4 bytes), x86 instructions has variable size,
+so, any disassembler, starting at the middle of x86 instruction, may produce incorrect results.}
+
+\IFRU{Как пример}{As an example}:
+
+\lstinputlisting{patterns/23_incorrect_disassembly/x86_wrong_start.asm}
+
+\IFRU{В начале мы видим неверно дизассемблированные инструкции, но потом, так или иначе, дизассемблер находит верный след}
+{There are incorrectly disassembled instructions at the beginning, but eventually, disassembler finds right 
+track}.
+
+\subsection{\IFRU{Как выглядят случайные данные в дизассемблированном виде}{How random noise looks disassembled}?}
+
+\IFRU{Общее, что можно сразу заметить, это}{Common properties which can be easily spotted are}:
+
+\begin{itemize}
+\item \IFRU{Необычно большой разброс инструкций}{Unusually big instruction dispersion}.
+\IFRU{Самые частые x86-инструкции это}{Most frequent x86 instructions are} \PUSH{}, \MOV{}, \CALL{}, \IFRU{но здесь мы видим
+инструкции из любых групп: \ac{FPU}-инструкции, инструкции \TT{IN}/\TT{OUT}, редкие и системные инструкции, всё друг с другом смешано 
+в одном месте}{but here we will see
+instructions from any instruction group: \ac{FPU} instructions, \TT{IN}/\TT{OUT} instructions, rare and system instructions,
+everything messed up in one single place}.
+
+\item \IFRU{Большие и случайные значения, смещения,}{Big and random values, offsets and} immediates.
+
+\item \IFRU{Переходы с неверными смещениями часто имеют адрес перехода в середину другой инструкции}
+{Jumps having incorrect offsets often jumping into the middle of another instructions}.
+\end{itemize}
+
+\lstinputlisting[caption=\randomNoise{} (x86)]{patterns/23_incorrect_disassembly/x86.asm}
+
+\lstinputlisting[caption=\randomNoise{} (x86-64)]{patterns/23_incorrect_disassembly/x64.asm}
+
+\index{ARM}
+\lstinputlisting[caption=\randomNoise{} (ARM \IFRU{в режиме ARM}{in ARM mode})]{patterns/23_incorrect_disassembly/ARM.asm}
+
+\lstinputlisting[caption=\randomNoise{} (ARM \IFRU{в режиме Thumb}{in Thumb mode})]{patterns/23_incorrect_disassembly/ARM_thumb.asm}
+
+\index{MIPS}
+\lstinputlisting[caption=\randomNoise (MIPS little endian)]{patterns/23_incorrect_disassembly/MIPS.asm}
+
+\IFRU{Также важно помнить, что хитрым образом написанный код для распаковки и дешифровки (включая самомодифицирующийся),
+также может выглядеть как случайный шум, тем не менее, он исполняется корректно}{It is also important to keep in mind that 
+cleverly constructed unpacking and decrypting code 
+(including self-modifying) may looks like noise as well, nevertheless, it executes correctly}.
+
+\subsection{\IFRU{Информационная энтропия среднестатистического кода}{Information entropy of average code}}
+
+\index{\IFRU{Информационная энтропия}{Information entropy}}
+\IFRU{Результаты работы утилиты \IT{ent}}{\IT{ent} utility results}\footnote{\url{http://www.fourmilab.ch/random/}}.
+
+(\IFRU{Энтропия идеально сжатого (или зашифрованного) файла\EMDASH{}8 бит на байт; файла с нулями любой длины\EMDASH{}0 бит на байт.}
+{Entropy of ideally compressed (or encrypted) file is 8 bits per byte; of zero file of arbitrary size if 0 bits per byte.})
+
+\IFRU{Здесь видно что код для CPU с 4-байтными инструкциями (ARM в режиме ARM и MIPS) наименее экономичны в этом смысле.}
+{Here we can see that a code for CPU with 4-byte instructions (ARM in ARM mode and MIPS) is least effective in this sense.}
+
+\subsubsection{x86}
+
+\IFRU{Секция \TT{.text} файла \TT{ntoskrnl.exe} из}
+{\TT{.text} section of \TT{ntoskrnl.exe} file from} Windows 2003:
+
+\begin{lstlisting}
+Entropy = 6.662739 bits per byte.
+
+Optimum compression would reduce the size
+of this 593920 byte file by 16 percent.
+...
+\end{lstlisting}
+
+\IFRU{Секция \TT{.text} файла}{\TT{.text} section of} \TT{ntoskrnl.exe} \IFRU{из}{from} Windows 7 x64:
+
+\begin{lstlisting}
+Entropy = 6.549586 bits per byte.
+
+Optimum compression would reduce the size
+of this 1685504 byte file by 18 percent.
+...
+\end{lstlisting}
+
+\subsubsection{ARM (Thumb)}
+\index{ARM}
+
+AngryBirds Classic:
+
+\begin{lstlisting}
+Entropy = 7.058766 bits per byte.
+
+Optimum compression would reduce the size
+of this 3336888 byte file by 11 percent.
+...
+\end{lstlisting}
+
+\subsubsection{ARM (\IFRU{режим ARM}{ARM mode})}
+
+Linux Kernel 3.8.0:
+
+\begin{lstlisting}
+Entropy = 6.036160 bits per byte.
+
+Optimum compression would reduce the size
+of this 6946037 byte file by 24 percent.
+...
+\end{lstlisting}
+
+\subsubsection{MIPS (little endian)}
+\index{MIPS}
+
+\IFRU{Секция \TT{.text} файла}{\TT{.text} section of} \TT{user32.dll} \IFRU{из}{from} Windows NT 4:
+
+\begin{lstlisting}
+Entropy = 6.098227 bits per byte.
+
+Optimum compression would reduce the size
+of this 433152 byte file by 23 percent.
+....
+\end{lstlisting}
+