PMA 304: C Constructs in Assembly (15 pts)

What You Need

Purpose

To compile several C programs and disassemble them with IDA Pro.

Installing Visual C++ Build Tools

These are already included in the "Windows 10 w Tools" VM. If you are using some other machine, see these instructions to install them:

https://www.bowneconsultingcontent.com/pub/EH/proj/cloud/ED301c_tkp/ED301c_tkp.htm

Downloading and Installing IDA Pro Free

These are already included in the "Windows 10 w Tools" VM. If you are using some other machine, open this page:

https://www.hex-rays.com/products/ida/support/download_freeware.shtml

Click the "IDA Freeware for Windows" link, as shown below.

Install the software with the default options.

Compiling "Print"

Click Start. Scroll to the V section and expand "Visual Studio 2019". Click "Developer Command Prompt for VS 2019".

In the Developer Command Prompt window, execute these commands:

mkdir c:\decomp
cd c:\decomp
notepad print.cpp
Enter this code:

#include <iostream>
#include <cstdio>   // declares printf (MSVC's <iostream> pulls it in, but include it explicitly)
using namespace std;
int main()
{
    printf("%d %s\n", 2, "HELLO");
    return 0;
}

In Notepad, click File, Save.

In the Developer Command Prompt window, execute these commands:

cl print.cpp
print
The program runs, and prints out

2 HELLO

as shown below.

Disassembling the printf Function Call

Open IDA Pro Free.

In the "IDA Quick start" box, click the New button, as shown below.

In the "Select file" box, navigate to C:\decomp and double-click print.

In the "Load a new file" box, click OK.

IDA opens, showing some of the code that launches print, as shown below.

From the IDA menu bar, click View, "Open subviews", Strings. In the Strings pane, double-click HELLO, as shown below.

The address in the rdata section where that string is stored appears, as shown below. On the right side, point to the address labelled "DATA XREF". The code that uses this string appears in a pop-up box, as shown below.

Double-click the address labelled "DATA XREF". The assembly code appears, as shown below.

The assembly code in the green box performs this C command:

    printf("%d %s\n", 2, "HELLO");

The three arguments are pushed onto the stack in reverse order (last argument first), and then the function is called.
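Added example, not the page's own IDA output: the shape this call takes in a 32-bit (x86) build, which is what the default Developer Command Prompt produces. The label names (aHello, aDS) follow IDA's naming style but are assumed here; the addresses and the exact name IDA gives the printf routine will differ in your database.

```asm
; cdecl call: arguments pushed right-to-left, caller cleans the stack afterwards
push    offset aHello       ; "HELLO"    - third argument, pushed first
push    2                   ; 2          - second argument
push    offset aDS          ; "%d %s\n"  - first argument (the format string), pushed last
call    printf              ; callee reads them at [esp+4], [esp+8], [esp+0Ch]
add     esp, 0Ch            ; remove 3 dword arguments (12 bytes) from the stack
```

The `add esp, 0Ch` after the call is the tell-tale of a cdecl call with three 4-byte arguments; counting the pushes between one cleanup and the previous call is a quick way to recover argument counts when you have no symbols. You can cross-check IDA's view against the compiler's own listing by building with `cl /FAs print.cpp`, which writes print.asm with the C source interleaved as comments.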

Global and Local Variables

In the Developer Command Prompt window, execute these commands:
cd c:\decomp
notepad glob.cpp
Enter this code:

#include <iostream>
#include <cstdio>   // declares printf
using namespace std;

int g=2; // GLOBAL VARIABLE

int main()
{
    int l = 3; // LOCAL VARIABLE
    printf("%d %d\n", g, l);
    return 0;
}

In Notepad, click File, Save.

In the Developer Command Prompt window, execute these commands:

cl glob.cpp
glob
The program runs, and prints out

2 3

as shown below.

Disassembling glob

In IDA Pro, from the menu bar, click File, Open.

In the "Save database" box, check "DON'T SAVE the database" and click OK.

In the "Select file" box, navigate to C:\decomp and double-click glob.

In the "Load a new file" box, click OK.

IDA opens, showing the launcher.

From the IDA menu bar, click View, "Open subviews", Strings.

In the Strings pane, double-click "%d %d\n", as shown below.

On the right side, point to the address labelled "DATA XREF". The code that uses this string appears in a pop-up box, as shown below.

Double-click the address labelled "DATA XREF". The assembly code appears, as shown below. Notice these features:
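Added example, not the page's own IDA output: the shape of main in an unoptimized 32-bit build of glob.cpp, annotated to show how the global and the local variable are addressed differently. The data address (dword_403000), the stack offset and the label aDD are assumed; without a PDB, IDA names the global by its address rather than as g.

```asm
push    ebp
mov     ebp, esp
push    ecx                     ; reserve 4 bytes of frame for the local l
mov     dword ptr [ebp-4], 3    ; LOCAL: l lives in the stack frame, addressed relative to ebp
mov     eax, [ebp-4]            ; load l ...
push    eax                     ; ... and push it (last argument, pushed first)
mov     ecx, ds:dword_403000    ; GLOBAL: g lives at a fixed address in .data (initialized to 2)
push    ecx                     ; push g
push    offset aDD              ; "%d %d\n" - format string, pushed last
call    printf
add     esp, 0Ch                ; cdecl: caller removes the 3 dword arguments
xor     eax, eax                ; return 0 (present only when main returns int)
mov     esp, ebp
pop     ebp
retn
```

The two access patterns are what to look for when reading an unknown binary: an operand like `[ebp-4]` (or `[esp+...]`) is a local in the current stack frame, while a fixed `ds:` address into .data or .bss is a global that persists across calls and can be modified from any function. A global holding something like a flag or a key is therefore easy to spot from its data cross-references, which is exactly the "DATA XREF" list used in this lab.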

PMA 304.1: Analyzing an Unknown Binary (15 pts)

Download this file:

arith.exe

Disassemble it in IDA Pro. Find the code shown below.

Find the value covered by a green box in the image below. That's the flag.


Posted: 10-2-18
Link to Visual C++ Build Tools instructions added 4-6-21
Windows 10 w Tools info added 9-28-2021
cl switch removed, format updated 11-16-21
Video added 4-22-24