Quick introduction to reverse engineering for beginners
push ecx
movzx edx, WORD PTR _t$[ebp+2] ; wMonth
push edx
movzx eax, WORD PTR _t$[ebp] ; wYear
push eax
push OFFSET $SG78811 ; '%04d-%02d-%02d %02d:%02d:%02d', 0aH, 00H
call _printf
add esp, 28 ; 0000001cH
xor eax, eax
mov esp, ebp
pop ebp
ret 0
_main ENDP
16 bytes are allocated for this structure on the local stack: that's exactly sizeof(WORD)*8 (there are 8 WORD variables in the structure).
Take note: the structure begins with the wYear field. It can be said that a pointer to the SYSTEMTIME structure is passed to GetSystemTime()[53], but it can also be said that a pointer to the wYear field is passed, and that's the same thing! GetSystemTime() writes the current year to the WORD the pointer points to, then shifts 2 bytes ahead, then writes the current month, and so on.
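The point above (a pointer to the structure and a pointer to its first field are the same address, and the callee just writes consecutive WORDs) can be checked without Windows. This is an added example, not the book's code: SYSTEMTIME_LIKE and fill_like_getsystemtime are hypothetical stand-ins for SYSTEMTIME and GetSystemTime(), and the struct is allocated with malloc() the way the next listing does it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for Win32's SYSTEMTIME: eight WORD (16-bit) fields
   with the same names and order as the real one, so the layout argument
   carries over unchanged. */
typedef uint16_t WORD;
typedef struct {
    WORD wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds;
} SYSTEMTIME_LIKE;

/* Stand-in for GetSystemTime(): it only receives a pointer to the first WORD
   and writes eight values one after the other, stepping 2 bytes each time. */
static void fill_like_getsystemtime(WORD *first, const WORD *values)
{
    for (int i = 0; i < 8; i++)
        first[i] = values[i];   /* &first[i] == (char *)first + 2*i */
}

/* Returns 1 when the layout matches what the listing relies on:
   16 bytes total, wYear at offset 0, wMonth at +2, wSecond at +12. */
int layout_matches_listing(void)
{
    return sizeof(SYSTEMTIME_LIKE) == sizeof(WORD) * 8
        && offsetof(SYSTEMTIME_LIKE, wYear) == 0
        && offsetof(SYSTEMTIME_LIKE, wMonth) == 2
        && offsetof(SYSTEMTIME_LIKE, wSecond) == 12;
}

/* Allocate the struct on the heap, fill it through a pointer to its FIRST
   FIELD (not the struct), and read it back through the named fields.
   Returns wYear*100 + wMonth, or 0 if anything disagrees. */
int heap_roundtrip(void)
{
    static const WORD sample[8] = {2013, 5, 3, 22, 11, 45, 30, 500}; /* constructed values */
    SYSTEMTIME_LIKE *t = malloc(sizeof *t);
    if (!t) return 0;
    fill_like_getsystemtime(&t->wYear, sample);       /* same address as (WORD *)t */
    int ok = (void *)&t->wYear == (void *)t
          && t->wYear == 2013 && t->wMonth == 5 && t->wSecond == 30;
    int result = ok ? t->wYear * 100 + t->wMonth : 0;
    free(t);
    return result;
}

int main(void)
{
    printf("layout ok: %d, roundtrip: %d\n", layout_matches_listing(), heap_roundtrip());
    return 0;
}
```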
1.15.2 Let's allocate space for the structure using malloc()
However, sometimes it's simpler to place structures not on the local stack but in the heap:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h> /* malloc(), free() */

void main()
{
    SYSTEMTIME *t;

    /* the structure now lives in the heap; t holds its address */
    t=(SYSTEMTIME *)malloc (sizeof (SYSTEMTIME));
    GetSystemTime (t);
    printf ("%04d-%02d-%02d %02d:%02d:%02d\n",
        t->wYear, t->wMonth, t->wDay,
        t->wHour, t->wMinute, t->wSecond);
    free (t);

    return;
};
Let's compile it now with optimization (/Ox) so that we can easily see what we need.
_main PROC
push esi
push 16 ; 00000010H
call _malloc
add esp, 4
mov esi, eax
push esi
[53] MSDN: SYSTEMTIME structure