6

While reversing an executable with olly, theres compiler code and user code. So how do i recognise the compiler codes ? Lets say if the executable is visual basic, it has a jmp and a call in the first 2 instructions and the winmain comes later.

Lian
  • 61
  • 1

1 Answers1

1

You just need to identify the main function. Everything called from main is user code. If you want to check if a function is part of user code, recursively check the xref starting from that function and see if it ends up in main. As for how to identify main, it depends on the OS that the executable is compiled for and possibly the specific compiler too. But for ELF files compiled by gcc for Linux, main is the last value pushed before calling __libc_start_main in start.

yellowbyte
  • 186
  • 6
  • yea, i think tat would apply in ida, tracing back with xref. any idea of how to do it manually?? – user18767 Jan 13 '17 at 10:48
  • Sure. Find all functions called from main. Each time you find a function, add it to a list and then find all functions called from that function. So if a function exists in that list, that means that it's part of user code. – yellowbyte Jan 14 '17 at 05:09
  • "Everything called from main is user code"? That is a bold statement. Not only can you put user calls into main (even if only a lowly printf ("Please supply an argument to this command\n");), but there may also be template calls inside main to initialize global data, call system maintenance routines, or prologues and epilogues, etc. – Jongware Jan 15 '17 at 13:41
  • Sorry, I'm confused as to what you are saying. When you say template calls, you mean function template? Function template can be declared and defined by users. Global data are part of user code. They are placed in .data or .bss section but referenced in user code. System maintenance routines are called before main right? In the start function? And when you say prologues/epilogues, you mean function prologues and function epilogues? That just defines how function set and clean up itself. User don't explicitly write the prologues and epilogues, but it's just what functions are compiled down to. – yellowbyte Jan 17 '17 at 05:52
  • I apologize if I misunderstood your reply @Rad_Lexus. – yellowbyte Jan 17 '17 at 06:24