Debug Fundamentals Exercise 1: Reverse engineer a function

re: Debug Fundamentals Exercise 1: Reverse engineer a function

Niels Thrane — Thu, 13 Nov 2008 22:01:53 GMT

I'm betting on the factorial function .

re: Debug Fundamentals Exercise 1: Reverse engineer a function

jean — Fri, 14 Nov 2008 00:03:27 GMT

DoTheWork performs the factorial operation

the stack says we're in DoTheWork(7) so the return value is 7! = 5040

nice puzzlers, keep it up !

re: Debug Fundamentals Exercise 1: Reverse engineer a function

pingpong — Fri, 14 Nov 2008 00:15:31 GMT

DoTheWork is the factorial function; as such it'll return 7!.

re: Debug Fundamentals Exercise 1: Reverse engineer a function

Atul — Fri, 14 Nov 2008 00:48:50 GMT

[ebp] -> Old Ebp == 0012ff88

[ebp+4] -> return address == 004012b2

[ebp+8] -> Param 1 == 2

In this case:

2 * (2 - 1) = 2

int DoTheWork(int n) {

int i = n;

do {

n--;

i = i * n;

} while (n > 2);

return (i);

}

BTW, why not make this a fastcall :)?

re: Debug Fundamentals Exercise 1: Reverse engineer a function

ibganev — Fri, 14 Nov 2008 02:08:00 GMT

(1) At function exit, EAX = 0x13b0

(2) The function computes the factorial of its argument.

re: Debug Fundamentals Exercise 1: Reverse engineer a function

Daniel — Fri, 14 Nov 2008 02:09:29 GMT

Looks like factorial, assuming the input is positive (doesn't handle 0!)... result will be 7! = 5040.

<code>

int DoTheWork(int x)

{

int r = x;

do {

r *= --x;

} while (x > 2);

return r;

}

</code>

re: Debug Fundamentals Exercise 1: Reverse engineer a function

Benoit — Fri, 14 Nov 2008 02:39:38 GMT

1) Return value should be 5040 (in decimal)

2) Looks like the !n function called with n=7

re: Debug Fundamentals Exercise 1: Reverse engineer a function

doug — Fri, 14 Nov 2008 07:11:17 GMT

Doh! didn't look at esp

1.) 7!

2.) Factorial

re: Debug Fundamentals Exercise 1: Reverse engineer a function

Aaron Ballman — Fri, 14 Nov 2008 10:32:38 GMT

I'm going to refrain from posting my answer since I don't want to spoil the challenge for anyone. But this was a really fun post (to me, at least), so thanks for it!

re: Debug Fundamentals Exercise 1: Reverse engineer a function

zproxy — Fri, 14 Nov 2008 10:37:07 GMT

This might be completly wrong but off the bat I would translate it to something like this:

void* DoTheWork(void* e, int p)

{

p = ((--p) * p;

}

while (p != 2);

return e;

}

How close did i got it? :=)

re: Debug Fundamentals Exercise 1: Reverse engineer a function

msuiche — Fri, 14 Nov 2008 13:19:54 GMT

I guess this is this:

http://en.wikipedia.org/wiki/Factorial

int DoTheWork(int p1)

{

int eax;

int ecx;

ecx = p1;

eax = p1;

{

ecx -= 1;

eax *= ecx;

} while (ecx > 2);

return eax;

}

0012feb4 00000002

Here is the argument you used.

The function returns 2.

re: Debug Fundamentals Exercise 1: Reverse engineer a function

George — Fri, 14 Nov 2008 13:58:23 GMT

It calculates the number 7 factorial. The return value will be 7! = 5040.

-George

re: Debug Fundamentals Exercise 1: Reverse engineer a function

Rasmus B — Fri, 14 Nov 2008 14:27:41 GMT

Great idea with an exercise!

The function calculates the factorial of the argument. The result in the example is 7!.

int fact(int arg1) {

int retval = arg1;

do {

retval *= --arg1;

} while (arg1 > 2);

return retval;

}

re: Debug Fundamentals Exercise 1: Reverse engineer a function

didi1605 — Fri, 14 Nov 2008 16:12:31 GMT

I assume the result is 5040. About the function I am not quiet sure.

re: Debug Fundamentals Exercise 1: Reverse engineer a function

didi1605 — Fri, 14 Nov 2008 16:17:35 GMT

I assume the result is 5040. About the math function I am not sure.

re: Debug Fundamentals Exercise 1: Reverse engineer a function

dmitri — Fri, 14 Nov 2008 16:36:29 GMT

<pre>

#define DoTheWork factorial

int DoTheWork(int x)

{

int y=x-1;

for(;y>=2;--y) x*=y;

return x;

}

DoTheWork(7)=5040

</pre>

re: Debug Fundamentals Exercise 1: Reverse engineer a function

tastewar — Fri, 14 Nov 2008 16:52:22 GMT

Looks like you're calculating 7! which would be 5040.

Answer

Moshe Levi — Fri, 14 Nov 2008 20:24:28 GMT

The return value from this current execution is 5040 which is the factorial of 7.

1) 7! = 5040 2) factorial

Fri, 14 Nov 2008 21:12:55 GMT

1. When the function “DoTheWork” returns, what is the return value from that function?

5040

2. Bonus: what is the mathematical operation that “DoTheWork” performs?

factorial

re: Debug Fundamentals Exercise 1: Reverse engineer a function

nch — Fri, 14 Nov 2008 23:48:13 GMT

Here the answer.

int DoWork(int x)

{

int y = x;

{

y *= --x;

}

while(x > 2);

return y;

}

"DoWork" calculates factorial.

re: Debug Fundamentals Exercise 1: Reverse engineer a function

nch — Fri, 14 Nov 2008 23:50:54 GMT

Hello, here is the answer:

int DoWork(int x)

{

int y = x;

{

y *= --x;

}

while(x > 2);

return y;

}

Function calculates factorial for its argument.

re: Debug Fundamentals Exercise 1: Reverse engineer a function

Alex Ionescu — Sat, 15 Nov 2008 00:12:55 GMT

1) It returns 7!, ie 5040

2) It computes the factorial of the input number

re: Debug Fundamentals Exercise 1: Reverse engineer a function

zmx — Sat, 15 Nov 2008 01:01:34 GMT

I am new to assembly debugging, but let me try this.

It seem this code is calculating the factorial of a number and then store the result in EAX.

The code decrements ECX for each loop until it becomes 2. and each time the value in ECX will be multiplied into EAX.

Here is the part that confuses me.

The initial value of EAX is from ECX and ECX got its value from the memory location pointed by ebp+8.

and ebp got its inital value from esp which is probably "0012fe9c". So 0012fe9c+8 = 0012fea4.

so [0012fea4] is "82059a87". but this seems a very large number already.

so the result in EAX will be the factorial of "82059a87"?

I could be completely wrong here. Just a wild guess.

re: Debug Fundamentals Exercise 1: Reverse engineer a function

David Moisan — Sat, 15 Nov 2008 03:34:38 GMT

It's a factorial function. The original value is 7 and the result (7!) is 0x13B0 or 5040 decimal.

re: Debug Fundamentals Exercise 1: Reverse engineer a function

zmx — Sat, 15 Nov 2008 04:03:57 GMT

this seems to be computing the factorial of a number, though I am still confused what the end result is, because I have a hard time finding the initial value of ECX...

re: Debug Fundamentals Exercise 1: Reverse engineer a function

Nate Jhaveri — Sat, 15 Nov 2008 04:04:32 GMT

Looks like a factorial function, in this case it should return 7!, or 5040.

The original code probably looks something like this:

DoTheWork(int x)

{

int y = x;

{

x--;

y = y * x;

}

while (x > 2)

return y;

}

re: Debug Fundamentals Exercise 1: Reverse engineer a function

calin_iaru — Sat, 15 Nov 2008 04:07:28 GMT

This is factorial(7) - it will return 5040.

re: Debug Fundamentals Exercise 1: Reverse engineer a function

sundr — Sat, 15 Nov 2008 06:40:31 GMT

/// Calculates factorial

int DoTheWork(int n) {

int result = n;

do {

result *= --n;

}

while(n>2);

return result;

}

// Just curious - was the code from puzzle compiled from C++ or hand-written in assembly?

Could not get exactly the same assembly from my msvc 2008 - Release build omits frame creation, while Debug build saves too much regs and 0xCC-fills frame.

re: Debug Fundamentals Exercise 1: Reverse engineer a function

Pharaon — Sat, 15 Nov 2008 14:38:56 GMT

1) Looks like it is calculating factorial of the number passed as parameter

2) Return value is 2

re: Debug Fundamentals Exercise 1: Reverse engineer a function

daniel j aguiar — Sat, 15 Nov 2008 18:51:40 GMT

I recently started my studies on debugging. So I can be completely wrong.

This function seems to be a factorial:

Mainly when looking at 00401024 until 00401028 where the function, decrement ecx until it becomes 2, and at each DEC, it multiply EAX * ECX

But I am really unable to find the final value because the ECX receive [ebp+8] at 40101f and [ebp+8] seems to be 82059a87.

EBP = 12fe9c

EBP+8 = 12FEA4

12fea4 = 82059a87 (????)

So... I was unable to find factorial for 82059a87...

Maybe I get something wrong...

Thanks for the opportunity

re: Debug Fundamentals Exercise 1: Reverse engineer a function

edgar — Sun, 16 Nov 2008 00:04:45 GMT

1. 5040

2. factorial

Please, next time a bit more complicated. ;)

My attempt...

Michael Becker — Sun, 16 Nov 2008 02:17:55 GMT

<i>Here's hoping that this looks like it did in plain text...</i>

<pre>

My Answers:

1. 5040 (7!)

2. Factorial N (N!)

/////////////////////////////////////////////////////////////////////////////

// Detailed explanation(s)

/////////////////////////////////////////////////////////////////////////////

// Function: demo2!DoTheWork: (In assembly)

/////////////////////////////////////////////////////////////////////////////

// Save the Prior Frame Pointer to the stack

0040101c 55 push ebp

// Set the Frame pointer to the current Stack pointer

0040101d 8bec mov ebp,esp

// Right at this point, the stack looks like:

// EBP = ESP

// EPB - N -- Local variables, if any (here there aren't)

// EBP -- Old EBP

// EBP + 4 -- Return Address back to calling function

// EBP + 8 -- First function Arg

// Put Arg1 into ECX

0040101f 8b4d08 mov ecx,dword ptr [ebp+8]

// Copy ECX into EAX

00401022 8bc1 mov eax,ecx

// LOOP: ECX--

00401024 49 dec ecx

// EAX = EAX * ECX

00401025 0fafc1 imul eax,ecx

// If EXC is greater than 2, goto LOOP:

00401028 83f902 cmp ecx,2

0040102b 7ff7 jg demo2!DoTheWork+0x8 (00401024)

// Else it wasn't, so replace the Old Frame Pointer

0040102d 5d pop ebp

// Return back to the calling function.

// Whatever is in EAX is effectively returned.

0040102e c3 ret

/////////////////////////////////////////////////////////////////////////////

// Function: demo2!DoTheWork: (In C)

/////////////////////////////////////////////////////////////////////////////

int DoTheWork(int Number)

{

int WorkingValue = Number;

int Factorial = WorkingValue;

do {

WorkingValue--;

Factorial *= WorkingValue;

}while (WorkingValue > 2);

return(Factorial);

}

// Since we know what the function does, all we need to do is find the

// argument to it. We can just look at the stack...

0012fe9c 00406717 demo2!main+0x27 // Return address for DoTheWork

0012fea0 00000007 // Arg1 "7"

0012fea4 82059a87

</pre>

re: Debug Fundamentals Exercise 1: Reverse engineer a function

strik — Sun, 16 Nov 2008 14:37:53 GMT

Hello,

a source code which produces almost directly the same code is as follows:

int DoThework(int value)

{

int c = value;

do {

value = value * --c;

} while (c > 2);

return value;

}

Thus, this function multiplies value * value - 1 * value - 2 * ... * 2, and then ends.

Thus, for positive values (value > 0), this is the faculty (value!) function.

For value <= 0, the function calculates value * (value-1), as the loop will be executed exactly once.

re: Debug Fundamentals Exercise 1: Reverse engineer a function

Lucian Bargaoanu — Mon, 17 Nov 2008 14:15:18 GMT

I think the result is Factorial(2).

re: Debug Fundamentals Exercise 1: Reverse engineer a function

Madhur — Mon, 17 Nov 2008 19:10:54 GMT

Well it seems to be calculating factorial of

82059a87 .. Am I right :) ?

re: Debug Fundamentals Exercise 1: Reverse engineer a function

Puneet Saraswat — Mon, 17 Nov 2008 22:14:52 GMT

Very good exercise.

The return value will be 0x2. And the function is for calculating factorial of a number.

re: Debug Fundamentals Exercise 1: Reverse engineer a function

kirchner — Wed, 19 Nov 2008 21:38:16 GMT

I believe returned value will be 5040, and the code implements a factorial function.

I recognized the function as factorial, but when I was about to calculate the return value I first thought that dword ptr [ebp+8] means

0012fea4 82059a87

Then I realized that

0040101c 55 push ebp

has not yet been executed, and it will but another 4bytes on stack.

Anyway, I'm not a low-level debugging expert, but I enjoy these a lot.

Thanks for the exercise. Hope there will be a post with the full explanation later on.

re: Debug Fundamentals Exercise 1: Reverse engineer a function

André Werlang — Wed, 19 Nov 2008 23:56:45 GMT

1. eax holds 5040.

2. Factorial!