One of the four
packets is guaranteed to be aligned to properly overwrite the saved return address.
Gray Hat Hacking: The Ethical Hacker's Handbook

Decompilation with Hex-Rays

A recent development in the decompilation field is Ilfak's Hex-Rays plug-in for IDA Pro. In beta testing at the time of this writing, Hex-Rays integrates with IDA Pro to form a very powerful disassembly/decompilation duo. The goal of Hex-Rays is not to generate source code that is ready to compile. Rather, the goal is to produce source code that is sufficiently readable that analysis becomes significantly easier than disassembly analysis. Sample Hex-Rays output is shown in the following listing, which contains the previously discussed portions of the manage_request() function from the find binary.
char v59; // [sp+10290h] [bp-608h]@76
sprintf(&v59, "find %s -name \"%s\" -exec grep -H -n %s \\{\\} \\; > %s",
&v57, v43, buf, &v58);
system(&v59);
While the variable names may not make things obvious, we can see that variable v59 is the
destination array for the sprintf() function. Furthermore, by observing the declaration of
v59, we can see that the array sits 608h (1544) bytes above the saved frame pointer, which
agrees precisely with the analysis presented earlier.
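For comparison with the decompiled call, the following added example (not from the book or the find binary) builds the same command with a bounded snprintf() and rejects input that would not fit. The names find_cmd_len, build_find_cmd and V59_TO_SAVED_BP are hypothetical, and using 0x608 as the buffer size is an assumption: the listing gives the distance to the saved frame pointer, not the declared size of the array.

```c
#include <stdio.h>
#include <string.h>

/* Distance from v59 to the saved frame pointer, taken from the
   [bp-608h] annotation in the listing (assumed here as the buffer size). */
#define V59_TO_SAVED_BP 0x608 /* 1544 bytes */

/* Same format string as the decompiled sprintf() call. */
#define FIND_FMT "find %s -name \"%s\" -exec grep -H -n %s \\{\\} \\; > %s"

/* Bytes, including the NUL, that the unbounded sprintf() would write. */
size_t find_cmd_len(const char *dir, const char *name,
                    const char *pat, const char *out)
{
    int n = snprintf(NULL, 0, FIND_FMT, dir, name, pat, out);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded replacement for the sprintf() call: returns 0 on success,
   -1 if the command does not fit (dst is then left as an empty string). */
int build_find_cmd(char *dst, size_t dstsize, const char *dir,
                   const char *name, const char *pat, const char *out)
{
    int n;
    if (dstsize == 0)
        return -1;
    n = snprintf(dst, dstsize, FIND_FMT, dir, name, pat, out);
    if (n < 0 || (size_t)n >= dstsize) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char cmd[V59_TO_SAVED_BP];
    char big[2001];                     /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short input: %d\n",
           build_find_cmd(cmd, sizeof cmd, "/tmp", "*.txt", "foo", "/tmp/out"));
    printf("oversized input needs %zu bytes\n",
           find_cmd_len("/tmp", "*.txt", big, "/tmp/out"));
    printf("oversized input: %d\n",
           build_find_cmd(cmd, sizeof cmd, "/tmp", "*.txt", big, "/tmp/out"));
    return 0;
}
```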