Thread: Types Of Loops In Reverse Engineering

Well, I'll explain how to do a loop if they want to repeat any statement more than once, I'll post some examples and I'll comment on them to facilitate understanding, but let's first understand how a loop in reverse engineering.

A loop in r (reverse engineering) is similar to the way it is done in any other language, will always have a control variable and a controller, and in our case the control variable can be a register or a memory location, and controller will always be a CMP. The difference is that the control register is not changed instantly, which you will control it.

Well, I better explain, let's make a loop in C + +, pay attention.

01: for (i = 1, i <= 10, i + +) {
[...] / / Block codes
03:}

As you can see, our controller is the FOR statement and this loop control variable is the variable i, it starts containing the value 1. The condition is that when the variable reaches 10 the loop will stop, and to get there, the variavei i will be incremented +1.

In reverse engineering, this same process would be compiled in the following way

0001: MOV AL, 1 / / Starts the AL register (our control register) to 1
0002: CMP AL, 0A / / Compares the value of AL (our control register) with 0A (10 decimal)
0003: JE SHORT 0006 / / If the value of AL is equal to 0A (10 decimal) it jumps to offset 0006
[...] / / If not, will execute the block of routines that should be located just below
0004: AL INC / / Increment +1 in control register AL
0005: JMP SHORT 0002 / / Jumpa to offset 0002 where is the controller loop
[...] / / Continuation of routine

I'll give you another example using the control, a place of memory.

0001: MOV BYTE PTR DS: [00445566], 1 / / Guard at offset 00445566 (memory control) the value 1
0002: CMP BYTE PTR DS: [00445566], 0A / / Compares the value of offset 00445566 (memory control) with 0A (10 decimal)
0003: JE SHORT 0006 / / If the value of the offset is equal to 0A (10 decimal) it jumps to offset 0004
[...] / / If not, will execute the block of routines that should be located just below
0004: INC BYTE PTR DS: [00445566] / / Increment +1 memory control
0005: JMP SHORT 0002 / / Jumpa to offset 0002 where is the controller loop
[...] / / Continuation of routine

So come on, we are forced ourselves to control our control variable, because if not routinely enter into an infinite loop. If you wanted to do an infinite loop (of course, that to make an infinite loop you will have to create a new thread, otherwise you will catch your main thread) you should just remove the drivers. In this case, you do not need to control anything, it just take a jump to the beginning of the routine, I'll show you an example.

Infinite Loop.

0001: MOV DWORD PTR DS: [EAX * 4 +00445566], 1 / / The calculation done in square brackets ([]) result in an offset, and this offset is inserted the number 1
0002: INC EAX / / EAX Incremeta +1
0003: JMP 0001 / / always Jumpa to offset 0001

line 0001 we conducted a calculation to find out the memory location where the value will be inserted first. Suppose the EAX register is accumulated hexadecimal number 1, and the next line is responsible for performing the following function: EAX * 4 +00445566. In this scenario, let's turn it into something that we humans are accustomed to dealing, thus 1 * 4 +00445566.

From this, just put the math into action and solve the equation, simple no?

Soon after the calculation, the routine moves one to offset that is calculated, and after moving it increments +1 in register EAX and jumps to the beginning again.