What kind of code would produce this assemby with loads of jump statements?
00EE16CC . E9 DFBB0000 JMP BinFile.00EED2B0
00EE16D1 . E9 64AF0000 JMP <JMP.&MSVCP140D.?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE16D6 . E9 15DB0000 JMP BinFile.00EEF1F0
00EE16DB . E9 D0D40000 JMP BinFile.00EEEBB0
00EE16E0 . E9 C9E60000 JMP <JMP.&KERNEL32.IsDebuggerPresent>
00EE16E5 . E9 D6AD0000 JMP BinFile.00EEC4C0
00EE16EA . E9 C1510000 JMP BinFile.00EE68B0
00EE16EF . E9 5CE70000 JMP BinFile.00EEFE50
00EE16F4 . E9 C7A50000 JMP BinFile.00EEBCC0
00EE16F9 . E9 A4E60000 JMP <JMP.&ucrtbased._wsplitpath_s>
00EE16FE . E9 AD950000 JMP BinFile.00EEACB0
00EE1703 . E9 083B0000 JMP BinFile.00EE5210
00EE1708 . E9 BBAE0000 JMP <JMP.&MSVCP140D.?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ>
00EE170D . E9 7EBA0000 JMP BinFile.00EED190
00EE1712 . E9 B9BA0000 JMP BinFile.00EED1D0
00EE1717 . E9 44870000 JMP BinFile.00EE9E60
00EE171C . E9 AF5C0000 JMP BinFile.00EE73D0
00EE1721 $ E9 7A430000 JMP BinFile.00EE5AA0
00EE1726 . E9 07E70000 JMP <JMP.&KERNEL32.GetProcAddress>
00EE172B . E9 E07C0000 JMP BinFile.00EE9410
00EE1730 . E9 6B520000 JMP BinFile.00EE69A0
00EE1735 . E9 EEAE0000 JMP <JMP.&MSVCP140D.?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std>
00EE173A . E9 EDE60000 JMP <JMP.&KERNEL32.FreeLibrary>
00EE173F . E9 DCCF0000 JMP BinFile.00EEE720
00EE1744 . E9 FDAE0000 JMP <JMP.&MSVCP140D.?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@>
00EE1749 . E9 42E70000 JMP BinFile.00EEFE90
00EE174E . E9 41AF0000 JMP <JMP.&MSVCP140D.?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBED>
00EE1753 . E9 28860000 JMP BinFile.00EE9D80
00EE1758 . E9 03C20000 JMP BinFile.00EED960
00EE175D . E9 FEBF0000 JMP BinFile.00EED760
00EE1762 . E9 29CB0000 JMP BinFile.00EEE290
00EE1767 . E9 C4510000 JMP BinFile.00EE6930
I am reverse engineering an exe for a class assignment and I am trying to wrap my brain around what kind of code would produce this type of assembly code. I have been at it for a couple of days now. I am not looking for an exact answer (that would be helpful), but more along the lines of how to go about reversing an exe like this. Thank you, any help would be greatly appreciated. If anyone is wondering, I am using OllyDbg.
windows assembly dll exe
asked Nov 8 at 6:21
GoldenWest

Also, are you sure this is the .text section and not some other section like GOT/PLT?
– sudhackar
Nov 8 at 8:14
It almost looks like an import thunk table, but that would use indirect jumps.
– Sebastian Redl
Nov 8 at 8:50
Thunk table sounds right! I don't think it's a .text section because it links to functions, or am I thinking about it wrong? So I can look up thunk tables and I should be able to see some C++ code?
– GoldenWest
Nov 8 at 17:05
Have you tried using a debugger to determine what code jumps to this section? There might be an obvious pattern that elucidates its purpose.
– trognanders
Nov 9 at 9:43
I'm using OllyDbg, first time I've ever done any reverse engineering, but I'm getting the hang of it. Just discovered some print statements and am putting breakpoints there and stepping through the assembly now. This is definitely the import address table!
– GoldenWest
Nov 10 at 6:32
2 Answers
This looks like the output of the Visual C++ linker in incremental linking mode. In this mode, the linker adds a section with incremental linking thunks (ILTs) at the start of the code section (.text), each thunk being a relative jump (E9 xx xx xx xx) to a function.
All function calls in the binary are redirected to the corresponding ILT instead of pointing directly to the target function. In case of minor changes in the source code, this approach allows the linker to replace any function that has been updated and only patch the ILT jump to point to the new function body, without having to patch all the references to the function, speeding up the linking process significantly.
Incremental linking is on by default in debug builds.
answered Nov 8 at 9:59, edited Nov 9 at 8:59 (accepted answer)
Igor Skochinsky♦

Thank you! It definitely is C++, that helps a lot, and I'll look up what you said in your comment. Thank you!!
– GoldenWest
Nov 8 at 17:06

If they were all to external targets then it would be the stubs for external functions when dynamically loading DLLs.
This way you can limit the amount of pages that need updating when a new DLL gets loaded, which lets the calling code be position independent with regard to the call target. Calls to external functions are sent to that page and forwarded to the actual function.
When the DLL gets loaded (on startup, on delay load or explicitly) the page is filled in based on the virtual address. When a delay-loaded function is called it is instead forwarded to a loading function which then forwards to the actual function.
answered Nov 8 at 14:19
ratchet freak

I did not know that, thank you!! I'll continue to reverse and see if I can figure this exe out! Thank you for the help.
– GoldenWest
Nov 8 at 17:07
Import thunks use indirect jumps (FF 25 or FF 15 IIRC) so this is not it IMO
– Igor Skochinsky♦
Nov 11 at 11:10
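The two answers and Igor's last comment turn on one distinction: an incremental linking thunk is a direct `E9 rel32` jump whose target is computed from the address of the next instruction, while an import thunk is an indirect `FF 25 [abs32]` jump through an IAT slot the loader fills in. The following decoder is an added example, not code from the question or from either answer. It takes the opcode bytes of the first four lines of the OllyDbg listing above (addresses and bytes copied from the question), appends one constructed `FF 25` thunk with a placeholder IAT slot address of 0x00EF2000 so both shapes appear in one buffer, and reproduces the targets the debugger shows. The function names (`decode_thunk`, `walk_thunks`, `classify_run`) are mine.

```python
"""Added example (not from the question or the answers): decode x86 thunks.

  E9 rel32       direct relative JMP, the incremental linking thunk (ILT);
                 target = address of the next instruction (addr + 5) + rel32
  FF 25 abs32    JMP DWORD PTR [abs32], the indirect import thunk that jumps
                 through an IAT slot filled in by the loader
"""
import struct

ILT_BASE = 0x00EE16CC  # address of the first thunk in the question's listing

# Constructed sample buffer: the first four E9 thunks from the OllyDbg dump,
# then one hand-made FF 25 thunk (in the real dump 00EE16E0 holds another E9
# thunk; 0x00EF2000 is a placeholder IAT slot address, not from the page).
SAMPLE = bytes.fromhex(
    "E9DFBB0000"    # 00EE16CC  JMP 00EED2B0
    "E964AF0000"    # 00EE16D1  JMP <JMP.&MSVCP140D.?pptr@...>  (stub at 00EEC63A)
    "E915DB0000"    # 00EE16D6  JMP 00EEF1F0
    "E9D0D40000"    # 00EE16DB  JMP 00EEEBB0
    "FF250020EF00"  # 00EE16E0  JMP DWORD PTR [00EF2000]      (constructed)
)


def decode_thunk(addr, data, off):
    """Decode one thunk at data[off:], which lives at virtual address addr.
    Returns (kind, target, length) or None if the bytes are not a thunk."""
    op = data[off]
    if op == 0xE9 and off + 5 <= len(data):
        rel = struct.unpack_from("<i", data, off + 1)[0]   # signed rel32
        target = (addr + 5 + rel) & 0xFFFFFFFF              # relative to next IP
        return ("ilt", target, 5)
    if op == 0xFF and off + 6 <= len(data) and data[off + 1] == 0x25:
        slot = struct.unpack_from("<I", data, off + 2)[0]  # absolute IAT slot
        return ("import", slot, 6)                          # real target is *slot
    return None


def walk_thunks(base, data):
    """Walk back-to-back thunks from base, stopping at the first non-thunk byte."""
    out, off = [], 0
    while off < len(data):
        decoded = decode_thunk(base + off, data, off)
        if decoded is None:
            break
        kind, target, size = decoded
        out.append({"addr": base + off, "kind": kind, "target": target})
        off += size
    return out


def format_thunk(t):
    """Render a decoded thunk in the same shape as the OllyDbg listing."""
    if t["kind"] == "ilt":
        return f"{t['addr']:08X}  JMP {t['target']:08X}"
    return f"{t['addr']:08X}  JMP DWORD PTR [{t['target']:08X}]"


def classify_run(thunks):
    """Triage a run of thunks: all-E9 at the start of .text is the ILT signature
    of an incremental MSVC link; all-FF25 is an import thunk table."""
    kinds = {t["kind"] for t in thunks}
    if kinds == {"ilt"}:
        return "incremental-linking thunks (E9 rel32)"
    if kinds == {"import"}:
        return "import thunks (FF 25 [IAT slot])"
    return "mixed"


if __name__ == "__main__":
    decoded = walk_thunks(ILT_BASE, SAMPLE)
    for t in decoded:
        print(format_thunk(t))
    print(classify_run(decoded[:4]))   # the four real entries: ILT
    print(classify_run(decoded))       # with the constructed FF 25 entry: mixed
```

The arithmetic is the same one a disassembler does when it prints `JMP BinFile.00EED2B0` for the bytes `E9 DFBB0000` at 00EE16CC: 0x00EE16CC + 5 + 0xBBDF = 0x00EED2B0. Running it over a stretch of `.text` that begins with dozens of consecutive 5-byte `E9` entries, as in the question, is the quick check that you are looking at the linker's ILT rather than an import table, which would decode as 6-byte `FF 25` entries instead.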