DEV Community

Gealber Morales
Gealber Morales

Posted on • Updated on • Originally published at gealber.com

Challenge RE #26

This challenge comes in the form of Microsoft Intermediate Language which is extremely readable compared to previous assembly code used in these challenges. If you are interested in more about the specifics of reversing .NET read Chapter 12, of Reversing. Secrets of Reverse Engineering there's a quite detailed explanation there. Also for a quick search of the available opcodes for each instruction recommend you to use Official doc. This challenge will be quite short, I included comments on each line of the code, so the analysis won't be a big deal.

Analysis

Here is the code to understand

  .method public hidebysig static uint8  f(uint8 a) cil managed
  {
    // Code size       36 (0x24)
    .maxstack  2
    .locals init (uint8 V_0)
    IL_0000:  nop
    IL_0001:  ldarg.0 ;; first argument
    IL_0002:  conv.u8 ;; converts value on top of stack and extends it to int64
    IL_0003:  ldc.i8     0x202020202 ;; push this value on the stack as an int64
    ;; multiply two first values on stack, and push result on the stack. In this case
    ;; this is int64(arg_0) * int64(0x202020202)
    IL_000c:  mul     
    IL_000d:  ldc.i8     0x10884422010 ;; again push this value into the stack
    IL_0016:  and ;; perform AND between the result of multiplication and this recent value pushed on the stack
    IL_0017:  ldc.i4     0x3ff ;; push value into stack
    IL_001c:  conv.i8  ;; convert it to int64
    IL_001d:  rem      ;; push into the stack  val1 % 0x3ff, where val1 is the result of our previous operation
    IL_001e:  conv.u1  ;; convert value to int8 but push int32, so it extends the converted value
    IL_001f:  stloc.0  ;; pop value on top of stack and store it in local variable 0
    IL_0020:  br.s       IL_0022 ;; this jumps to IL_0022

    IL_0022:  ldloc.0  ;; loads variable on top of stack
    IL_0023:  ret ;; return
  } // end of method e25::f
Enter fullscreen mode Exit fullscreen mode

There's not too much to add here, take a look that even the signature it's given. Following these comments the equivalent code in C, I don't know C# guys, would be like this

uint8_t f(uint8_t a)
{
    return uint8_t(((int64_t(a) * 0x202020202) & 0x10884422010) % 0x3ff);
}
Enter fullscreen mode Exit fullscreen mode

This would be the code, now what this does? Well for that task I have Google. Making a search for this constant I found a book called Hacker's Delight which has this exact formula. You can find it in Chapter 7, about Rearranging bits and bytes.

According to the description given in the book this

Reverse an 8-bit integer

I don't find too much utility for this kind of hacks, are obscure as fuck. At least you are writing malware, that for some reason needs to perform this operation, and you want to write obscure code, yes is useful otherwise...not so much.

Conclusion

Google is your friend, use it!

Top comments (0)