
First of all, sorry if my English is bad; it is not my native language.

I have no experience in reverse engineering yet, so I am very confused by my first university task on this topic.

The task is to find a password for a binary. The program asks for user input, transforms it and compares that input to a hardcoded value (I don't know its length). I'm trying to find this value.

I'm sure I have found the memcmp call where the values are compared. I know that memcmp gets these values as input parameters, but I don't know where they come from (stack or explicit registers...).

Here is a section of the code before it gets to memcmp:

0x10a84 movw   r3, #3472       ; 0xd90 -> r3 = 0x00000d90 (low 16 bits of a fixed address)
0x10a88 movt   r3, #2          ; r3 = 0x00020d90 (high 16 bits)
0x10a8c ldr    r1, [r3]        ; r1 = word stored at 0x20d90 -> second argument
0x10a90 ldr    r3, [r11, #-16] ; r3 = local variable at frame pointer - 16
0x10a94 lsl    r3, r3, #2      ; r3 = r3 * 4
0x10a98 mov    r2, r3          ; r2 = length -> third argument
0x10a9c ldr    r0, [r11, #-20] ; 0xffffffec -> r0 = local variable at frame pointer - 20 -> first argument
0x10aa0 bl     0x10540 <memcmp@plt>
0x10aa4 mov    r3, r0          ; r3 = return value of memcmp
0x10aa8 cmp    r3, #0
0x10aac bne    0x10ac0         ; branch if the two buffers differ

I'd be very thankful for any help.

    You should consult the relevant calling convention. Presumably the arguments are passed in `r0`, `r1` and `r2` here with the first two being the pointers and `r2` the length. – Jester Jan 25 '16 at 21:53
    It's admittedly unlikely, but there _could_ be some crazy calling convention or non-standard `memcmp` signature at play - the information presented here alone isn't enough to strictly rule it out. That said, `memcmp` _usually_ takes 3 arguments, and there are 3 things being loaded here (you _do_ have your instruction set reference handy, don't you) - two are at small offsets relative to some register (do you smell a stack frame?), whilst the third is from a hard-coded (i.e. fixed at link time) address. Hmm... ;) – Notlikethat Jan 25 '16 at 22:14
  • http://reverseengineering.stackexchange.com/ – phuclv Jan 26 '16 at 03:31
  • Thanks very much guys. It seems i misread some vals and got some confusing results by examining them. In the end the passing arguments are in r0 and r1 for the source adresses and r2 for the length. – Sannin Jan 26 '16 at 21:08

1 Answer

Seems to be a pretty standard memcmp() call, so the arguments are passed through the r0..r2 registers there.

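To make the register walk concrete, here is a small Python emulator for exactly the listing in the question (an added example, not code from the question or the answer). It assumes constructed values: r11 is the frame pointer, [fp-16] holds a count of 4, [fp-20] and the word at 0x20d90 hold hypothetical pointers; it stops at the `bl` and reports what r0, r1 and r2 contain, which under the standard ARM calling convention are memcmp's s1, s2 and n.

```python
import re

# The question's disassembly, with addresses and disassembler comments stripped.
LISTING = """
movw   r3, #3472
movt   r3, #2
ldr    r1, [r3]
ldr    r3, [r11, #-16]
lsl    r3, r3, #2
mov    r2, r3
ldr    r0, [r11, #-20]
bl     0x10540
"""

# Constructed memory image (address -> 32-bit word). All values are assumptions:
# [fp-16] = element count 4, [fp-20] = pointer to the transformed input buffer,
# word at 0x20d90 = pointer to the hard-coded comparison value.
FP = 0xBEFFF000
MEMORY = {
    FP - 16: 4,
    FP - 20: 0x21000,   # hypothetical input buffer address
    0x20D90: 0x20E00,   # hypothetical address of the hard-coded value
}

MEM_RE = re.compile(r"\[(r\d+)(?:,\s*#(-?\d+))?\]")


def imm(tok):
    """Parse an immediate such as '#3472' or '#-16'."""
    return int(tok.strip().lstrip("#"), 0)


def run_until_call(listing, memory, fp):
    """Execute the listed instructions and return (r0, r1, r2) at the bl."""
    regs = {f"r{i}": 0 for i in range(16)}
    regs["r11"] = fp
    for line in listing.strip().splitlines():
        op, operands = line.split(None, 1)
        if op == "bl":
            return regs["r0"], regs["r1"], regs["r2"]
        parts = [p.strip() for p in operands.split(",")]
        rd = parts[0]
        if op == "movw":                      # write low 16 bits
            regs[rd] = imm(parts[1]) & 0xFFFF
        elif op == "movt":                    # write high 16 bits, keep low
            regs[rd] = (regs[rd] & 0xFFFF) | (imm(parts[1]) << 16)
        elif op == "ldr":                     # load word from [base, #offset]
            m = MEM_RE.search(operands)
            regs[rd] = memory[(regs[m.group(1)] + int(m.group(2) or 0)) & 0xFFFFFFFF]
        elif op == "lsl":                     # logical shift left
            regs[rd] = (regs[parts[1]] << imm(parts[2])) & 0xFFFFFFFF
        elif op == "mov":
            regs[rd] = regs[parts[1]]
    raise ValueError("no bl instruction in listing")


if __name__ == "__main__":
    s1, s2, n = run_until_call(LISTING, MEMORY, FP)
    print(f"memcmp(s1=0x{s1:x}, s2=0x{s2:x}, n={n})")
```

Note that r0 and r1 come from frame-relative and fixed addresses respectively, while r2 is the stack-stored count multiplied by four, matching the three arguments the comments above describe.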