
I'm currently reversing the smallest PE file. Here is what I analysed:

The program prints `* 268b universal tiny PE\n` and returns exit code 26 (which is the string length).

(1): Magic DOS Signature header
(2): e_lfanew address of PE header
(3): PE Signature Magic
(4): Machine code 386
(5): Optional Header magic Signature
(6): Address Of EntryPoint : 0x00000107
(7): jump to 0x0000001e
(8): push 0x004000e4 (which is address of the string)
(9): the string at 0x000000e4
(10): call 0x00400044 (which calls (a) 0x00000062, which refers to (b) the `printf` string)
(11): jump to (12) 0x00000034
(12): add esp,0x4 (to restore the stack after the call)
(13): ret (which should exit the program because we are not in a call?)

Questions:

  1. Why is (a) 0x00000062 (and not 0x00000064, since `printf` starts at 0x00000064)?
  2. Why does the program return 26 (i.e. the length of the string)?
  3. How would we add instructions to return a specific exit code?


8HoLoN

  • 1) because that points to the [hint/name table entry](https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#hintname-table) which starts with the hint and the name is at (you guessed it) offset 2. 2) because `printf` returns the number of characters printed 3) you set `eax` to something before the `ret` – Jester Apr 22 '21 at 11:22
  • @Jester `2) because printf returns the number of characters printed` so you mean `printf` sets eax to the length of the string internally? – 8HoLoN Apr 22 '21 at 11:25
  • Yes that is correct. – Jester Apr 22 '21 at 11:26
  • The standard calling convention returns `int` return values in EAX, and `printf` is defined by ISO C to return the number of characters transmitted to the output stream. https://en.cppreference.com/w/c/io/fprintf. So it's not an implementation detail, this is a guaranteed external output that printf is required to produce. And in all x86 calling conventions, to produce in EAX. – Peter Cordes Apr 23 '21 at 07:38
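Worked example (added here; it is not code from the question or from the comments): a small Python parser that follows the header chain the question labels (1) to (6) and then reads an import lookup thunk the way the loader does, which is the point of Jester's first answer: a thunk holds the RVA of an IMAGE_IMPORT_BY_NAME entry, whose first two bytes are the Hint, so the function name text starts two bytes after the address the thunk points to. The byte buffer is constructed for the example and is not the real 268-byte file; its layout (e_lfanew 0x40, hint/name entry at 0x100) is an assumption chosen so the offsets are easy to check by hand.

```python
import struct

# Constants from the PE format specification
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_ORDINAL_FLAG32 = 0x80000000       # bit 31 set => import by ordinal
OFFSET_E_LFANEW = 0x3C
SIZEOF_FILE_HEADER = 20
OFFSET_ADDRESS_OF_ENTRY_POINT = 16      # inside IMAGE_OPTIONAL_HEADER32


def parse_headers(image: bytes) -> dict:
    """Follow MZ -> e_lfanew -> PE\\0\\0 -> file header -> optional header,
    i.e. the fields the question labels (1) to (6), and return them."""
    if struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature")                          # (1)
    e_lfanew = struct.unpack_from("<I", image, OFFSET_E_LFANEW)[0]   # (2)
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")              # (3)
    file_header = e_lfanew + 4
    machine = struct.unpack_from("<H", image, file_header)[0]        # (4)
    if machine != IMAGE_FILE_MACHINE_I386:
        raise ValueError("example only handles 32-bit i386 images")
    optional_header = file_header + SIZEOF_FILE_HEADER
    magic = struct.unpack_from("<H", image, optional_header)[0]      # (5)
    if magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("not a PE32 optional header")
    entry = struct.unpack_from(
        "<I", image, optional_header + OFFSET_ADDRESS_OF_ENTRY_POINT)[0]  # (6)
    return {"e_lfanew": e_lfanew, "machine": machine,
            "optional_magic": magic, "entry_point": entry}


def resolve_thunk(image: bytes, thunk: int):
    """Interpret one IMAGE_THUNK_DATA32 value of the import lookup table.
    With bit 31 clear it is the RVA of an IMAGE_IMPORT_BY_NAME entry:
    a 2-byte Hint followed by the NUL-terminated function name. That is
    why a thunk of 0x62 names a function whose text begins at 0x64."""
    if thunk & IMAGE_ORDINAL_FLAG32:
        return ("ordinal", thunk & 0xFFFF, None)
    hint = struct.unpack_from("<H", image, thunk)[0]
    name_start = thunk + 2                       # skip the Hint field
    name_end = image.index(b"\0", name_start)    # name is NUL-terminated
    return ("name", hint, image[name_start:name_end].decode("ascii"))


def build_sample_image() -> bytes:
    """Constructed stand-in for a tiny PE; the offsets are chosen for the
    example (an assumption) and are not those of the real 268-byte file."""
    img = bytearray(0x120)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, OFFSET_E_LFANEW, 0x40)            # e_lfanew
    struct.pack_into("<I", img, 0x40, IMAGE_NT_SIGNATURE)
    struct.pack_into("<H", img, 0x44, IMAGE_FILE_MACHINE_I386)    # Machine
    struct.pack_into("<H", img, 0x58, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", img, 0x68, 0x107)                      # entry point
    # IMAGE_IMPORT_BY_NAME for printf at 0x100: Hint = 0, Name text at 0x102
    struct.pack_into("<H", img, 0x100, 0)
    img[0x102:0x109] = b"printf\0"
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print(parse_headers(sample))
    print(resolve_thunk(sample, 0x100))          # ('name', 0, 'printf')
```

The parser validates against the specification (signatures, machine, optional-header magic) rather than against what compilers usually emit, which matters for hand-built images like this one: they lean on the loader tolerating unusual layouts, so a triage script that assumes a conventional header arrangement tends to reject or misread them. `resolve_thunk` also handles the ordinal case (bit 31 set), which the tiny PE does not use but which any import-table walker has to expect.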
