Reverse Engineering Mentoring Lesson 004


Now we will modify example rem002.c to work with a global variable:

int a;                 /* global variable: lives in the program's data area, not on the stack */
int main(int argc, char **argv)
{
	a = 1;             /* compiles to a store to one fixed memory address */
	return 0;
}

Try to understand this program with the tools I've pointed out, and include the disassembly below. Maybe you remember that auto variables are not initialized in C and that global variables are initialized. Can you explain why, now that you've looked at the disassembled code for both examples?

--Didier Stevens 21:24, 20 February 2007 (UTC)

Here is the disassembled code:

.text:00401150 argc            = dword ptr  8 
.text:00401150 argv            = dword ptr  0Ch 
.text:00401150 envp            = dword ptr  10h 
.text:00401150                 push    ebp 
.text:00401151                 mov     ebp, esp 
.text:00401153                 mov     dword_40B3DC, 1 
.text:0040115D                 pop     ebp 
.text:0040115E                 retn 
.text:0040115E _main           endp 

Auto variables are stored on the stack. Since a global must be available to all functions within a program, the data must be reserved in the memory space of the program. When stepping through the program you can see the value changing at the memory address. It appears that the address is determined at runtime.

Yes, global variables are stored in "memory space", not on the stack. But where exactly? The address is not determined at runtime, but at compile time. Look for the definition of dword_40B3DC in your disassembly.

--Didier Stevens 21:15, 6 August 2007 (UTC)

As this is "reversed" (bottom being top and top being bottom, right?) the mov is at the top of the stack (not the right term?). --Pand0ra 15:16, October 13, 2009 (UTC)

No, the move (mov dword_40B3DC, 1) stores value 1 in memory location 40B3DC. It's not on the stack, because variable a (memory location 40B3DC) is a global variable. --Didier Stevens 16:58, October 13, 2009 (UTC)

Different sections are created in the exe during compilation. The global variables are stored in the .data section.
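An added example (not code from the lesson) that ties the points above together in one program: a global has fixed storage in the image (zero-filled .bss when uninitialised, .data when initialised), a static local gets the same kind of storage despite its local scope, and an auto variable only exists in a stack frame. Names such as g_uninit and inner are my own.

```c
#include <stdio.h>

int g_uninit;        /* global, no initialiser: placed in .bss, loader zero-fills it */
int g_init = 1;      /* global with initialiser: placed in .data, value is in the image */

/* Same store as the lesson's main(): compiles to a mov to a fixed address. */
void set_global(void) { g_init = 1; }

/* A static local has local scope but the same fixed storage as a global. */
int *static_local_address(void) {
    static int s;    /* zero-initialised, address fixed when the image is linked */
    return &s;
}

/* Both calls must return the same address: the storage is not per-call. */
int static_storage_is_fixed(void) {
    return static_local_address() == static_local_address();
}

static int inner(volatile int *outer_local) {
    volatile int mine = 0;          /* auto: lives in inner()'s own stack frame */
    return &mine != outer_local;    /* caller's and callee's slots are distinct */
}

/* The auto variables of caller and callee are both live here and sit in
   different stack slots; neither has an address known before the call. */
int auto_storage_is_per_frame(void) {
    volatile int local = 0;
    return inner(&local);
}

int main(void) {
    volatile int local = 0;
    set_global();
    printf("g_uninit = %d at %p\n", g_uninit, (void *)&g_uninit);
    printf("g_init   = %d at %p\n", g_init, (void *)&g_init);
    printf("static local at %p, auto local at %p\n",
           (void *)static_local_address(), (void *)&local);
    return 0;
}
```

Running it shows the two globals and the static local close together in the data area and the auto variable far away in the stack region.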

Are there any other lessons coming up??? ~Saurabh Harit

Well, that depends mainly on you. As this is more mentoring than tutorial, most of the work has to be done by you ;-) I wrote the first pages to get things started, but now I expect that "mentees" write the pages and that mentors correct and guide.

If you want to start, I suggest you make a new page where we discuss code to call a function. This will illustrate your second question on the first page. Start with this:

int f1(int a1) { return a1 + 1; }
int main(int argc, char **argv)
{
	return f1(argc);   /* body added so that main actually calls f1 */
}

~Didier Stevens
