2009-07-06

WinDBG Extension to Read BigLib Numbers

In filedump, the file "WinDBG_Ext_Roy_BigLib.zip" is a WinDBG extension for reading arbitrary precision number structures from the BigLib library by Roy | Fleur. It comes with source. To use it, copy it to the "winext" subdirectory of your WinDBG installation directory. An example:

.text:004016B0 push dword_4047A1 <-- arg3
.text:004016B6 push dword_404789 <-- arg2
.text:004016BC push dword_404799 <-- arg1
.text:004016C2 push dword_40478D <-- arg0
.text:004016C8 mov eax, 1
.text:004016CD call sub_4017F3

Even without knowing what sub_4017F3 is, its inputs and outputs can be monitored. Load up the extension so that we can view the numbers:

0:000> !load bn
extension: initializing...
0:000> !bn poi(esp)
bignum @00AC0000
00003652B36A37B0C7ECE042
0:000> !bn poi(esp+4)
bignum @00AF0000
00000002
0:000> !bn poi(esp+8)
bignum @009B0000
0000CBEC5F1F97FB14C803CB
0:000> !bn poi(esp+c)
bignum @00B10000
0

Proceed over the call, and check the numbers again:

0:000> p
0:000> !bn 00AC0000
bignum @00AC0000
00003652B36A37B0C7ECE042
0:000> !bn 00AF0000
bignum @00AF0000
00000002
0:000> !bn 009B0000
bignum @009B0000
0000CBEC5F1F97FB14C803CB
0:000> !bn 00B10000
bignum @00B10000
00006F18441B1396928838B5

All the arguments except arg3 remained the same. With some intuition and a verifying test in BigCalto, we see that arg3 = arg0 ^ arg1 (mod arg2) and identify this function as _BigPowMod().
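The same before/after comparison can be automated: read each argument with !bn, snapshot the values around the call, and check which common bignum operation reproduces the one argument that changed. This is an added example, not code from the post or from the extension; the candidate table and the parser for the !bn output format are assumptions based on the session shown above.

```python
import re

# Matches one '!bn' dump as printed above: 'bignum @ADDR' followed by hex digits.
BN_RE = re.compile(r"bignum @([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)")

def parse_bn_output(text):
    """Parse a '!bn' dump into (address, value) as Python ints."""
    m = BN_RE.search(text)
    if not m:
        raise ValueError("not a !bn dump: %r" % text)
    return int(m.group(1), 16), int(m.group(2), 16)

# Candidate operations a three-input, one-output BigLib-style routine might
# compute (assumed list). Each maps (arg0, arg1, arg2) to the expected arg3.
CANDIDATES = {
    "add":    lambda a, b, n: a + b,
    "sub":    lambda a, b, n: a - b,
    "mul":    lambda a, b, n: a * b,
    "mod":    lambda a, b, n: a % b,
    "mulmod": lambda a, b, n: (a * b) % n,
    "powmod": lambda a, b, n: pow(a, b, n),
}

def identify(before, after, out_index=3):
    """before/after are [arg0, arg1, arg2, arg3] read with !bn around the call.
    Returns the sorted names of candidates whose result equals the new arg3.
    Raises ValueError if any input argument was modified by the call."""
    for i, (x, y) in enumerate(zip(before, after)):
        if i != out_index and x != y:
            raise ValueError("arg%d changed across the call" % i)
    inputs = [v for i, v in enumerate(before) if i != out_index]
    matches = []
    for name, fn in CANDIDATES.items():
        try:
            if fn(*inputs) == after[out_index]:
                matches.append(name)
        except (ZeroDivisionError, ValueError):
            pass  # candidate undefined for these inputs (e.g. modulus 0)
    return sorted(matches)

if __name__ == "__main__":
    # Values from the debugging session above: arg0..arg3 before and after the call.
    before = [0x3652B36A37B0C7ECE042, 2, 0xCBEC5F1F97FB14C803CB, 0]
    after = before[:3] + [0x6F18441B1396928838B5]
    print(identify(before, after))  # the post identifies this routine as _BigPowMod()
```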

I purposely did some things to encourage rapid repurposing of the source code: all the code is in one file, there is minimal bloat (just some placeholders with prints where extended functionality can go), and it compiles with a simple batch file which invokes the Visual Studio command line tools. No project or solution bullshit.
