If Statements

Introduction

“If” statements in C programming execute a block of statements only when a given condition is true. They let programmers control the flow of execution and let user input direct the program's actions, which adds flexibility to programs. A familiar security example is a login check: if the supplied credentials match the stored record for that user, the user is granted access; if they don’t match, the user is rejected.

When it comes to reverse-engineering, “if” statements are very commonly seen when analyzing binaries. The majority of malware programs make use of “if” statements to make decisions based on a condition. For instance, a malware author may use an “if” statement to stop executing the binary if a debugger is attached to it.

Being able to spot “if” statements in assembly is a must-have skill for a reverse engineer. In this article, we will discuss how “if” statements can be spotted when reversing a binary.

Identifying “if” statements

“If” statements are written in syntax that is either simple or nested. 

Simple “if” statements

The code snippet in Figure 1 shows the use of an “if” statement in C programming.

#include <stdio.h>

int main(void)
{
    int a = 30;
    int b = 20;

    if (a > b) {
        printf("a is greater than b\n");
    }
    else {
        printf("b is greater than a\n");
    }
    return 0;
}

Figure 1


When the code in Figure 1 is compiled and the resulting binary is opened in a debugger (OllyDbg in this case), the disassembly in Figure 2 is produced.

PUSH EBP
MOV EBP,ESP
AND ESP,FFFFFFF0
SUB ESP,20
CALL if.004015F0
MOV DWORD PTR SS:[ESP+1C],1E
MOV DWORD PTR SS:[ESP+18],14         ; |
MOV EAX,DWORD PTR SS:[ESP+1C]        ; |
CMP EAX,DWORD PTR SS:[ESP+18]        ; |
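The CMP in Figure 2 is only half of the pattern. The conditional jump that follows it decides which block runs, and because the compiler jumps around the if-body, the jump is taken when the C condition is false: “if (a > b)” becomes “CMP a,b” followed by JLE. As an added example (not the article's code), the C program below pairs each CMP in an OllyDbg-style listing with the next conditional jump and prints the C condition it most likely came from, covering the signed and unsigned jump families rather than only the case in Figure 1. The listing it scans is constructed, modelled on Figure 2; the JLE/JMP lines, the printf calls and every 0040xxxx address are assumed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_LINE 128
#define MAX_HITS 16

/* Added example (not from the article): recover C if-conditions from CMP + Jcc pairs. */

/* Return the C relational operator of the if-condition guarded by jump mnemonic mn.
 * The compiler jumps *around* the if-body, so the jump is taken when the source
 * condition is FALSE: "if (a > b)" becomes "CMP a,b / JLE". NULL if mn is not a Jcc. */
static const char *if_operator_for_jump(const char *mn)
{
    /* signed comparisons */
    if (!strcmp(mn, "JE")  || !strcmp(mn, "JZ"))   return "!=";
    if (!strcmp(mn, "JNE") || !strcmp(mn, "JNZ"))  return "==";
    if (!strcmp(mn, "JL")  || !strcmp(mn, "JNGE")) return ">=";
    if (!strcmp(mn, "JLE") || !strcmp(mn, "JNG"))  return ">";
    if (!strcmp(mn, "JG")  || !strcmp(mn, "JNLE")) return "<=";
    if (!strcmp(mn, "JGE") || !strcmp(mn, "JNL"))  return "<";
    /* unsigned comparisons: the operands were unsigned in the source */
    if (!strcmp(mn, "JB")  || !strcmp(mn, "JNAE") || !strcmp(mn, "JC"))  return ">= (unsigned)";
    if (!strcmp(mn, "JBE") || !strcmp(mn, "JNA"))                        return "> (unsigned)";
    if (!strcmp(mn, "JA")  || !strcmp(mn, "JNBE"))                       return "<= (unsigned)";
    if (!strcmp(mn, "JAE") || !strcmp(mn, "JNB")  || !strcmp(mn, "JNC")) return "< (unsigned)";
    return NULL;
}

/* Scan an OllyDbg-style listing (one instruction per line, optional "; comment").
 * Each CMP is remembered until the next conditional jump, and the pair is written
 * to out[] as a reconstructed C condition. Returns the number of conditions found. */
int find_if_conditions(const char *listing, char out[][MAX_LINE], int max_hits)
{
    char left[MAX_LINE] = "", right[MAX_LINE] = "";
    int have_cmp = 0, hits = 0;
    const char *p = listing;

    while (*p && hits < max_hits) {
        char line[MAX_LINE];
        size_t n = 0;
        while (*p && *p != '\n' && n < MAX_LINE - 1) line[n++] = *p++;
        while (*p && *p != '\n') p++;          /* discard any overlong tail */
        if (*p == '\n') p++;
        line[n] = '\0';

        char *semi = strchr(line, ';');        /* drop OllyDbg's "; |" comment */
        if (semi) *semi = '\0';

        char *s = line;
        while (isspace((unsigned char)*s)) s++;
        if (!*s) continue;                     /* blank line */
        char *mn = s;                          /* mnemonic token */
        while (*s && !isspace((unsigned char)*s)) s++;
        if (*s) *s++ = '\0';
        for (char *c = mn; *c; c++) *c = (char)toupper((unsigned char)*c);
        while (isspace((unsigned char)*s)) s++;
        char *ops = s;                         /* operand string */
        size_t len = strlen(ops);
        while (len && isspace((unsigned char)ops[len - 1])) ops[--len] = '\0';

        if (!strcmp(mn, "CMP")) {
            char *comma = strchr(ops, ',');
            if (!comma) continue;
            *comma = '\0';
            snprintf(left, sizeof left, "%s", ops);
            snprintf(right, sizeof right, "%s", comma + 1);
            have_cmp = 1;
            continue;
        }
        const char *op = if_operator_for_jump(mn);
        if (op && have_cmp) {
            snprintf(out[hits++], MAX_LINE, "if (%s %s %s)", left, op, right);
            have_cmp = 0;
        } else if (!strcmp(mn, "TEST") || !strcmp(mn, "SUB") || !strcmp(mn, "ADD") ||
                   !strcmp(mn, "AND")  || !strcmp(mn, "OR")  || !strcmp(mn, "XOR")) {
            have_cmp = 0;  /* these rewrite EFLAGS, so the old CMP no longer feeds a Jcc */
        }
    }
    return hits;
}

/* Constructed listing modelled on Figure 2. The JLE/JMP lines, the printf calls and
 * every 0040xxxx address are assumed for illustration, not taken from the article. */
static const char *SAMPLE_LISTING =
    "MOV DWORD PTR SS:[ESP+1C],1E\n"             /* a = 30 */
    "MOV DWORD PTR SS:[ESP+18],14         ; |\n" /* b = 20 */
    "MOV EAX,DWORD PTR SS:[ESP+1C]        ; |\n"
    "CMP EAX,DWORD PTR SS:[ESP+18]        ; |\n"
    "JLE SHORT if.00401420\n"                    /* taken when a <= b: skips the if-body */
    "MOV DWORD PTR SS:[ESP],if.00403024\n"
    "CALL <JMP.&msvcrt.printf>\n"
    "JMP SHORT if.0040142C\n"                    /* end of if-body: hop over the else */
    "MOV DWORD PTR SS:[ESP],if.0040303A\n"
    "CALL <JMP.&msvcrt.printf>\n";

int main(void)
{
    char found[MAX_HITS][MAX_LINE];
    int n = find_if_conditions(SAMPLE_LISTING, found, MAX_HITS);
    for (int i = 0; i < n; i++)
        printf("%s\n", found[i]);   /* if (EAX > DWORD PTR SS:[ESP+18]) */
    return 0;
}
```

The recogniser deliberately forgets a CMP once another flag-writing instruction (TEST, SUB, ADD, AND, OR, XOR) appears, because a Jcc reads whatever last wrote EFLAGS; plain MOVs in between, as in Figure 2, leave the flags alone and are ignored. Optimised builds often fold the comparison into a TEST or SUB, so on real binaries the CMP-only rule is a starting point, not a complete decompiler.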


*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Srinivas. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/tD1GxD6hns8/