Thanks for this video Dr Josh, some fantastic techniques which I look forward to understanding by watching a few more times. I'm already getting the gist of the PUSH operations tip. Sometimes the code might just be calling argc and argv, hence the push operations will be 2 as opposed to 3 which was in your case. But seeing this was great!
One thing which I've noticed when it comes to finding main, I'm not sure if it's much of a technique, but I do see that an ADD operation is done to the ESP before the main function is called. I'm talking from the experience of using Ghidra, where main is not outright labelled, so it does take some indicators to find it. And the ADD operation to ESP has definitely served me reliably whilst I've been going through some Windows binaries. I also noticed that it happens in your case too, at the 8:45 timestamp.
I would be quite interested to hear your input on this, and perhaps a further explanation of why an ADD operation to ESP is done when it comes to main and is not done when any other function is called in the entry function.
Once again, thanks for your efforts!
It's always nice to see other approaches to finding main to add to the toolbox, thanks!
Glad it was helpful :) It's served me well over the years, although I'm sure there are other ways to find main!
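The pattern discussed in the comment above (a run of PUSHes feeding a CALL, with an ADD to ESP next to it) is the 32-bit MSVC CRT stub invoking a cdecl main: the caller pushes envp, argv and argc, calls main, and then pops its own arguments with `add esp, 0Ch` (or `add esp, 8` for a two-argument main). The script below is an added Python example, not code from the video or from Dr Josh; it scans a disassembly listing for exactly that shape and reports the call target as a main candidate. The listing is constructed to mimic IDA/Ghidra output and is not from any real binary; the heuristic is 32-bit only, since on x64 the first arguments travel in rcx/rdx/r8 rather than on the stack.

```python
import re
from typing import Dict, List, Tuple

# Constructed x86 (32-bit) listing in the shape IDA/Ghidra print it. It is NOT
# from the video's binary; it only mimics a CRT entry stub that pushes envp,
# argv and argc, calls main (cdecl) and then pops the three 4-byte arguments.
# The surrounding calls are there to show what the heuristic must reject:
# a stdcall import (callee cleans up, no ADD) and a one-argument helper.
LISTING = """\
00401234  push    0
00401236  call    ds:__imp__GetModuleHandleA
0040123c  mov     ecx, eax
0040123e  push    ecx
0040123f  call    sub_401500
00401244  push    dword ptr [_environ]
0040124a  push    dword ptr [_argv]
00401250  push    dword ptr [_argc]
00401256  call    sub_401000
0040125b  add     esp, 0Ch
0040125e  mov     [ebp+var_4], eax
00401261  push    eax
00401262  call    ds:__imp__exit
"""

# "address  mnemonic  operands" rows; anything else is skipped
_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+(\S+)(?:\s+(.*?))?\s*$")


def parse_listing(text: str) -> List[Tuple[str, str, str]]:
    """Turn listing rows into (address, mnemonic, operands) tuples."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            rows.append((m.group(1), m.group(2).lower(), (m.group(3) or "").strip()))
    return rows


def parse_imm(tok: str) -> int:
    """Accept IDA-style '0Ch', C-style '0xC' and plain decimal immediates."""
    tok = tok.strip()
    if tok.lower().startswith("0x"):
        return int(tok, 16)
    if tok[-1] in "hH":
        return int(tok[:-1], 16)
    return int(tok, 10)


def find_main_candidates(text: str, min_args: int = 2, max_args: int = 3) -> List[Dict]:
    """Return CALLs that look like the CRT stub invoking main.

    Shape: min_args..max_args consecutive PUSHes, a CALL, then
    'add esp, 4*nargs' (the cdecl caller popping its own arguments).
    A two-push run covers main(argc, argv); three covers main(argc, argv, envp).
    """
    rows = parse_listing(text)
    hits = []
    for i, (addr, mnem, ops) in enumerate(rows):
        if mnem != "call":
            continue
        # count the run of PUSHes immediately before the CALL
        n = 0
        while i - n - 1 >= 0 and rows[i - n - 1][1] == "push":
            n += 1
        if not (min_args <= n <= max_args):
            continue
        # the instruction right after the CALL must be the caller's cleanup
        if i + 1 >= len(rows):
            continue
        nxt_mnem, nxt_ops = rows[i + 1][1], rows[i + 1][2]
        m = re.fullmatch(r"esp\s*,\s*(\S+)", nxt_ops, re.I)
        if nxt_mnem != "add" or not m or parse_imm(m.group(1)) != 4 * n:
            continue
        hits.append({"call_at": addr, "target": ops, "nargs": n})
    return hits


if __name__ == "__main__":
    for hit in find_main_candidates(LISTING):
        print(f"{hit['call_at']}: call {hit['target']} with {hit['nargs']} "
              f"stack args and caller cleanup -> likely main")
```

On the constructed listing only `sub_401000` survives: the `GetModuleHandleA` import is stdcall (no ADD follows), `sub_401500` takes a single argument, and `exit` never returns. The same scan can be fed a listing exported from Ghidra or IDA; the only change needed is the row regex if the tool prefixes rows differently.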
Sir, can you please clarify my doubt:
The address at 04:15, like for example 0000000140001000, is a Relative Virtual Address which is calculated by (base address + offset). If I am correct, now, when I debug this same binary or any binary using the IDA debugger, it shows a totally random address like 0x000000007f2342a9. So what is this? Is it also a virtual address, or is it a physical address which is translated by the MMU from a virtual address? Please see this!
Hi! When I compiled that program, it was given a default image base of 140000000. You can view this info in the PE file format under IMAGE_OPTIONAL_HEADER. If the binary opts into ASLR, then the operating system will likely give it a different, random address. When debugging, you can view what the base address is for your EXE - in IDA I believe that is the Modules window while debugging. It is still a virtual address, it's just randomized. ASLR is designed to help mitigate exploitation and helps not only EXEs but also DLLs be at unpredictable addresses. Hope this answers your question!
@jstrosch Yes, I thought it would have been ASLR, as I did my fair share of binary exploitation. Thank you sir!
@Victimsingh Great - then you are no doubt familiar :)
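The ImageBase and ASLR point from the reply above, as an added Python example (not code from the video, its author, or the commenters): read ImageBase and the DYNAMIC_BASE flag out of IMAGE_OPTIONAL_HEADER, and translate an address from the static listing (which IDA shows relative to the file's ImageBase, so 0x140001000 is RVA 0x1000 on top of 0x140000000) to where it lives once the loader has relocated the module. The PE header bytes are constructed inline and are not from the video's binary; the runtime base 0x7FF6B2A10000 is an assumed value standing in for whatever the debugger's Modules window reports.

```python
import struct

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR range
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be relocated (ASLR opt-in)


def build_sample_pe() -> bytes:
    """Constructed PE32+ headers (DOS stub, PE signature, COFF, optional header).

    This is a stand-in for a real EXE, not the binary from the video: just enough
    header to be parsed below, with MSVC's default x64 ImageBase and ASLR enabled.
    """
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)  # x64, 1 section, 240-byte opt hdr
    opt = struct.pack(
        "<HBBIIIIIQIIHHHHHHIIIIHH",
        0x20B, 14, 0,           # Magic PE32+, linker version 14.0
        0x200, 0x200, 0,        # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        0x1000, 0x1000,         # AddressOfEntryPoint, BaseOfCode
        0x140000000,            # ImageBase: the default the linker picks for x64 EXEs
        0x1000, 0x200,          # SectionAlignment, FileAlignment
        6, 0, 0, 0, 6, 0,       # OS / image / subsystem versions
        0, 0x3000, 0x400, 0,    # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        3,                      # Subsystem: console
        0x8160,                 # DllCharacteristics: HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|TS_AWARE
    )
    opt += bytes(0xF0 - len(opt))                                 # pad to SizeOfOptionalHeader
    return dos + b"PE\0\0" + coff + opt


def parse_pe_header(pe: bytes) -> dict:
    """Pull ImageBase, SizeOfImage and the ASLR flags out of IMAGE_OPTIONAL_HEADER."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature and 20-byte COFF header
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == 0x20B:                           # PE32+: 8-byte ImageBase at +24
        image_base, = struct.unpack_from("<Q", pe, opt + 24)
    elif magic == 0x10B:                         # PE32: 4-byte ImageBase at +28 (after BaseOfData)
        image_base, = struct.unpack_from("<I", pe, opt + 28)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image, = struct.unpack_from("<I", pe, opt + 56)   # same offset in both layouts
    dll_chars, = struct.unpack_from("<H", pe, opt + 70)       # same offset in both layouts
    return {
        "pe32plus": magic == 0x20B,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def va_to_rva(static_va: int, info: dict) -> int:
    """RVA of an address as shown in the static listing; rejects addresses outside the image."""
    base, size = info["image_base"], info["size_of_image"]
    if not base <= static_va < base + size:
        raise ValueError(f"{static_va:#x} is outside [{base:#x}, {base + size:#x})")
    return static_va - base


def rebase(static_va: int, info: dict, runtime_base: int) -> int:
    """Where a static-listing address lands after the loader relocates the module.

    With ASLR off, runtime_base equals ImageBase and the result is the input itself.
    """
    return runtime_base + va_to_rva(static_va, info)


if __name__ == "__main__":
    info = parse_pe_header(build_sample_pe())
    runtime_base = 0x7FF6B2A10000   # assumed: what the debugger's Modules window would show
    print(f"ImageBase={info['image_base']:#x} ASLR={info['aslr']} HEVA={info['high_entropy']}")
    print(f"static 0x140001000 -> runtime {rebase(0x140001000, info, runtime_base):#x}")
```

The same two lookups explain the two addresses in the question: the static listing uses ImageBase from the file, the debugger uses the base the loader actually chose, and both are virtual addresses; physical addresses never appear in either tool. Setting DYNAMIC_BASE to 0 in the constructed header (or linking a real binary with `/DYNAMICBASE:NO`) is the case where the two coincide.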