{"componentChunkName":"component---src-templates-post-template-js","path":"/windows-windbg-009-base64-en","result":{"data":{"markdownRemark":{"id":"eae48e41-1f4f-56a2-a299-8ab4d83b4771","html":"
\n

This page has been machine-translated from the original page.

\n
\n

This time I want to decompile a custom Base64 module with Ghidra and then trace through its execution with WinDbg.

\n\n

Table of Contents

\n\n

Building and Compiling the Base64 Program

\n

First, let me build the program that will be used for analysis.

\n

The source code is available in the following repository.

\n

Reference: kash1064/Try2WinDbg

\n

For the Base64 encode and decode program, I borrowed the implementation introduced in the article below, which is distributed under the WTFPL v2 license.

\n

Reference: Functions for BASE64 Encoding and Decoding in C - Qiita

\n

Some parts have been customized, but the base is largely unchanged.

\n

The source code introduced in this article is also published under WTFPL v2 in keeping with the original, so feel free to use it.

\n

Note: the correctness of the Base64 encoding and decoding results is not guaranteed.

\n

Build with the following commands.

\n

The developer command prompt must be configured in advance to enable cl.exe.

\n
git clone https://github.com/kash1064/Try2WinDbg\ncd Try2WinDbg\n\n# cl.exeを利用できるように、事前に開発者用コマンドプロンプトを設定しておく\ncl /c ./build/c/base64.c\nlink /DEBUG /PDB:./build/symbol/base64.pdb ./base64.obj /OUT:./build/bin/base64.exe
\n

Even in environments where building is not possible, the TTD trace file inside Try2WinDbg/trace/base64_trace.zip can be used to perform TTD-based analysis.

\n

For information on loading TTD traces, refer to the following article.

\n

/Reference: WinDbg Preview: A New Debugging Approach with Time Travel Debugging

\n

About the Base64 Implementation

\n

What Is Base64?

\n

Base64 is a data encoding method defined in RFC4648.

\n

It converts arbitrary byte sequences into ASCII data, making it useful in many situations such as data storage and transfer.

\n

Base64 splits the binary data to be encoded into 24-bit chunks and then further into 6-bit groups, converting the data to a predefined set of 64 characters.

\n

When the binary data to be encoded is not a multiple of 24 bits in length, padding characters are appended.

\n

The padding character is defined in the RFC as =, while URL-safe Base64 encoding (also defined in the RFC) uses _ instead.

\n

Base64 Source Code

\n

The following is the source code for the Base64 program used in this article.

\n

It is fairly long, so detailed explanation is omitted.

\n

Running the compiled program executes the tests defined in the main function, but individual functions can also be called by linking the module from another program.

\n
#include <assert.h>\n#include <stdlib.h>\n#include <stdio.h>\n#include <string.h>\n#include \"base64.h\"\n\nchar *base64Encode(const char *data, const size_t size, const BASE64_TYPE type)\n{\n    BASE64_SPEC base64_spec;\n    size_t length;\n    char *base64;\n    char *cursor;\n    int lineLength;\n    int i;\n    int j;\n\n    if (data == NULL) {\n        return NULL;\n    }\n\n    // base64_specの初期化\n    base64_spec = BASE64_SPECS[0];\n    for (i = 0; i < (int)BASE64_SPECS_LENGTH; i++) {\n        if (BASE64_SPECS[i].type == type) {\n            base64_spec = BASE64_SPECS[i];\n            break;\n        }\n    }\n\n    // エンコード後の文字列格納領域の確保\n    length = ((size * 4) / 3) + 3;\n\n    // mallocの戻り値は確保したメモリブロックを指すポインタ\n    base64 = malloc(length);\n    if (base64 == NULL) {\n        return NULL;\n    }\n\n    cursor = base64;\n    lineLength = 0;\n\n    // 3文字単位でエンコードを行う(エンコード後は4文字になる)\n    for (i = 0, j = size; j > 0; i += 3, j -= 3) {\n        if (j == 1) {\n            *(cursor++) = base64_spec.table[(data[i + 0] >> 2 & 0x3f)];\n            *(cursor++) = base64_spec.table[(data[i + 0] << 4 & 0x30)];\n            *(cursor++) = base64_spec.pad;\n            *(cursor++) = base64_spec.pad;\n        }\n        else if (j == 2) {\n            *(cursor++) = base64_spec.table[(data[i + 0] >> 2 & 0x3f)];\n            *(cursor++) = base64_spec.table[(data[i + 0] << 4 & 0x30) | (data[i + 1] >> 4 & 0x0f)];\n            *(cursor++) = base64_spec.table[(data[i + 1] << 2 & 0x3c)];\n            *(cursor++) = base64_spec.pad;\n        }\n        else {\n            *(cursor++) = base64_spec.table[(data[i + 0] >> 2 & 0x3f)];\n            *(cursor++) = base64_spec.table[(data[i + 0] << 4 & 0x30) | (data[i + 1] >> 4 & 0x0f)];\n            *(cursor++) = base64_spec.table[(data[i + 1] << 2 & 0x3c) | (data[i + 2] >> 6 & 0x03)];\n            *(cursor++) = base64_spec.table[(data[i + 2] << 0 & 0x3f)];\n        }\n    }\n    *cursor = 0;\n\n    return base64;\n}\n\nchar *base64Decode(const char *base64, size_t *retSize, const BASE64_TYPE type)\n{\n    BASE64_SPEC base64_spec;\n    char table[0x80];\n    size_t length;\n    char *data;\n    char *cursor;\n    int i;\n    int j;\n\n    if (base64 == NULL) {\n        return NULL;\n    }\n\n    // base64_specの初期化\n    base64_spec = BASE64_SPECS[0];\n    for (i = 0; i < (int)BASE64_SPECS_LENGTH; i++) {\n        if (BASE64_SPECS[i].type == type) \n        {\n            base64_spec = BASE64_SPECS[i];\n            break;\n        }\n    }\n\n    // デコードするBase64文字列用のメモリ領域の確保\n    length = strlen(base64);\n    data = malloc(length * 3 / 4 + 3);\n    if (data == NULL) {\n        return NULL;\n    }\n\n    memset(table, 0x80, sizeof(table));\n    for (i = 0; i < BASE64_TABLE_LENGTH; i++) {\n        table[base64_spec.table[i] & 0x7f] = i;\n    }\n\n    cursor = data;\n    for (i = 0, j = 0; i < (int)length; i++, j = i % 4) {\n        char ch;\n        if (base64[i] == base64_spec.pad)\n        {\n            break;\n        }\n        ch = table[base64[i] & 0x7f];\n        if (ch & 0x80) {\n            continue;\n        }\n        if (j == 0) {\n            *cursor = ch << 2 & 0xfc;\n        }\n        else if (j == 1) {\n            *(cursor++) |= ch >> 4 & 0x03;\n            *cursor = ch << 4 & 0xf0;\n        }\n        else if (j == 2) {\n            *(cursor++) |= ch >> 2 & 0x0f;\n            *cursor = ch << 6 & 0xc0;\n        }\n        else {\n            *(cursor++) |= ch & 0x3f;\n        }\n    }\n    *cursor = 0;\n    *retSize = cursor - data;\n\n    return data;\n}\n\nint main(void) {\n    int i;\n    for (i = 0; i < (int)BASE64_TESTS_LENGTH; i++) {\n        BASE64_TEST test;\n        char *data;\n        char *base64;\n        size_t size;\n\n        test = BASE64_TESTS[i];\n\n        base64 = base64Encode(test.data, test.size, test.type);\n        printf(\"BASE64(\\\"%s\\\") = \\\"%s\\\"\\n\", test.data, base64);\n        assert(strcmp(base64, test.base64) == 0);\n\n        data = base64Decode(base64, &size, test.type);\n        printf(\"DATA(\\\"%s\\\") = \\\"%s\\\"\\n\", base64, data);\n        assert(size == test.size);\n        assert(memcmp(data, test.data, size) == 0);\n\n        free(base64);\n        free(data);\n    }\n\n    return 0;\n}
\n

Base64 Program Header File

\n

The following is the header file for the Base64 program.

\n
#ifndef __BASE64_H__\n#define __BASE64_H__\n\n// Data\n\n// Base64 tables\nstatic const char BASE64_TABLE[] = {\n    \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"};\n\nstatic const char BASE64_TABLE_URL[] = {\n    \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_\"};\n\nstatic const char BASE64_TABLE_CUSTOM1[] = {\n    \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_\"};\n\nstatic const int BASE64_TABLE_LENGTH = {\n    sizeof(BASE64_TABLE) / sizeof(BASE64_TABLE[0]) - 1};\n\n// enum型で使用するBase64Tableの種類を定義\ntypedef enum tagBASE64_TYPE\n{\n    BASE64_TYPE_STANDARD,\n    BASE64_TYPE_URL,\n    BASE64_TYPE_CUSTOM1\n} BASE64_TYPE;\n\ntypedef struct tagBASE64_SPEC\n{\n    BASE64_TYPE type;\n    const char *table;\n    char pad;\n    char *lineSep;\n    int lineSepLength;\n} BASE64_SPEC;\n\nstatic const BASE64_SPEC BASE64_SPECS[] = {\n    {BASE64_TYPE_STANDARD, BASE64_TABLE, '=', NULL, 0},\n    {BASE64_TYPE_URL, BASE64_TABLE_URL, '=', NULL, 0},\n    {BASE64_TYPE_CUSTOM1, BASE64_TABLE_CUSTOM1, '=', NULL, 0}\n};\n\nstatic const size_t BASE64_SPECS_LENGTH = {\n    sizeof(BASE64_SPECS) / sizeof(BASE64_SPECS[0])\n};\n\n// Export function\nchar *base64Encode(const char *data, const size_t size, const BASE64_TYPE type);\nchar *base64Decode(const char *base64, size_t *retSize, const BASE64_TYPE type);\n\n// Test data\ntypedef struct tagBASE64_TEST {\n    BASE64_TYPE type;\n    const char *data;\n    size_t size;\n    const char *base64;\n} BASE64_TEST;\n\nstatic const BASE64_TEST BASE64_TESTS[] = {\n    {BASE64_TYPE_STANDARD, \"this is test\", 12, \"dGhpcyBpcyB0ZXN0\"},\n    {BASE64_TYPE_STANDARD, \"Hello\", 5, \"SGVsbG8=\"},\n    {BASE64_TYPE_STANDARD, \"Fan-Fan-Fun!!\", 13, \"RmFuLUZhbi1GdW4hIQ==\"},\n    {BASE64_TYPE_STANDARD, \"AAA\", 3, \"QUFB\"},\n};\n\nstatic const size_t BASE64_TESTS_LENGTH = {sizeof(BASE64_TESTS) / sizeof(BASE64_TESTS[0])};\n\n#endif // !__BASE64_H__
\n

Capturing a Time Travel Debugging Trace with WinDbg

\n

After building, I captured a TTD trace to make analysis easier.

\n

For the TTD trace capture procedure, refer to the following article.

\n

/Reference: WinDbg Preview: A New Debugging Approach with Time Travel Debugging

\n

Note that even in environments where the program cannot be built, the TTD trace file inside Try2WinDbg/trace/base64_trace.zip can be used for TTD-based analysis.

\n

Decompiling the Base64 Program with Ghidra

\n

Before analyzing the trace file, I first decompiled the Base64 program with Ghidra.

\n

Identifying the main Function from the Entry Point

\n

When executing a PE binary, the entry point runs initialization code before calling main, after which the exit process is called.

\n

Reference: What Happens Before main() | Big Mess o’ Wires

\n
/* 中略 */\nFID_conflict:__get_initial_narrow_environment();\nthunk_FUN_0043c3a2();\nthunk_FUN_0043c39c();\nunaff_ESI = thunk_FUN_004078f0();\nuVar7 = ___scrt_is_managed_app();\nif ((char)uVar7 != '\\0') {\n\tif (!bVar2) {\n    \t__cexit();\n    }\n    ___scrt_uninitialize_crt('\\x01','\\0');\n    *in_FS_OFFSET = local_14;\n    return unaff_ESI;\n}\n/* 中略 */
\n

In other words, from the decompiled output above, thunk_FUN_004078f0() — called on the line immediately before ___scrt_is_managed_app() — is the main function.

\n

Reading the Decompiled Base64Encode Function

\n

Next, I traced from the main function to the Base64Encode function and read its decompiled output.

\n

Naturally, the code looks quite different from the source and is harder to follow.

\n
char * __cdecl base64_encode(int param_1,int param_2,int param_3)\n\n{\n  char *pcVar1;\n  char *local_2c;\n  char local_28;\n  int local_10;\n  int local_c;\n  char *local_8;\n  \n  if (param_1 == 0) {\n    pcVar1 = (char *)0x0;\n  }\n  else {\n    local_2c = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\";\n    local_28 = '=';\n    for (local_c = 0; local_c < 3; local_c = local_c + 1) {\n      if ((&DAT_00467f24)[local_c * 5] == param_3) {\n        local_2c = (&PTR_s_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef_00467f28)[local_c * 5];\n        local_28 = (char)(&DAT_00467f2c)[local_c * 5];\n        break;\n      }\n    }\n    pcVar1 = (char *)thunk_FUN_0041973b((uint)(param_2 << 2) / 3 + 3);\n    if (pcVar1 == (char *)0x0) {\n      pcVar1 = (char *)0x0;\n    }\n    else {\n      local_c = 0;\n      local_8 = pcVar1;\n      for (local_10 = param_2; 0 < local_10; local_10 = local_10 + -3) {\n        if (local_10 == 1) {\n          *local_8 = local_2c[(int)*(char *)(param_1 + local_c) >> 2 & 0x3f];\n          local_8[1] = local_2c[((int)*(char *)(param_1 + local_c) & 3U) * 0x10];\n          local_8[2] = local_28;\n          local_8[3] = local_28;\n        }\n        else if (local_10 == 2) {\n          *local_8 = local_2c[(int)*(char *)(param_1 + local_c) >> 2 & 0x3f];\n          local_8[1] = local_2c[((int)*(char *)(param_1 + local_c) & 3U) << 4 |\n                                (int)*(char *)(param_1 + local_c + 1) >> 4 & 0xfU];\n          local_8[2] = local_2c[((int)*(char *)(param_1 + local_c + 1) & 0xfU) * 4];\n          local_8[3] = local_28;\n        }\n        else {\n          *local_8 = local_2c[(int)*(char *)(param_1 + local_c) >> 2 & 0x3f];\n          local_8[1] = local_2c[((int)*(char *)(param_1 + local_c) & 3U) << 4 |\n                                (int)*(char *)(param_1 + local_c + 1) >> 4 & 0xfU];\n          local_8[2] = local_2c[((int)*(char *)(param_1 + local_c + 1) & 0xfU) << 2 |\n                                (int)*(char *)(param_1 + local_c + 2) >> 6 & 3U];\n          local_8[3] = local_2c[(int)*(char *)(param_1 + local_c + 2) & 0x3f];\n        }\n        local_8 = local_8 + 4;\n        local_c = local_c + 3;\n      }\n      *local_8 = '\\0';\n    }\n  }\n  return pcVar1;\n}
\n

One thing that caught my attention is this section:

\n
pcVar1 = (char *)thunk_FUN_0041973b((uint)(param_2 << 2) / 3 + 3);\nif (pcVar1 == (char *)0x0) {\n\tpcVar1 = (char *)0x0;\n}
\n

The corresponding source code is:

\n
// エンコード後の文字列格納領域の確保\nlength = ((size * 4) / 3) + 3;\n\n// mallocの戻り値は確保したメモリブロックを指すポインタ\nbase64 = malloc(length);\nif (base64 == NULL) {\n    return NULL;\n}
\n

First, I traced thunk_FUN_0041973b in Ghidra and found the following:

\n
void FUN_0041973b(size_t param_1)\n{\n  __malloc_base(param_1);\n  return;\n}
\n

From this, thunk_FUN_0041973b turned out to be the malloc function.

\n

Reference: ucrtbase.dll | Microsoft C Runtime Library | STRONTIC

\n

Therefore, (uint)(param_2 << 2) / 3 + 3 passed as the argument to malloc corresponds to the following line in the source code:

\n
// エンコード後の文字列格納領域の確保\nlength = ((size * 4) / 3) + 3;
\n

Interesting observations: the value that was originally stored in the variable length is passed directly to malloc in the decompiled output, and the size * 4 multiplication has been replaced with a shift operation.

\n

When doing reverse engineering, it helps to understand these kinds of compiler transformations.

\n

Reading the Decompiled Base64Decode Function

\n

Next, let’s look at the decompiled output of the Decode function.

\n
void __cdecl base64_decode(char *param_1,int *param_2,int param_3)\n\n{\n  byte bVar1;\n  size_t sVar2;\n  byte *pbVar3;\n  byte *in_EDX;\n  undefined8 uVar4;\n  char *in_stack_ffffff50;\n  char local_ac;\n  uint local_98;\n  byte *local_94;\n  uint local_90;\n  byte local_88 [128];\n  uint local_8;\n  \n  local_8 = DAT_00474224 ^ (uint)&stack0xfffffffc;\n  local_94 = in_EDX;\n  if (param_1 != (char *)0x0) {\n    in_stack_ffffff50 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\";\n    local_ac = '=';\n    for (local_90 = 0; (int)local_90 < 3; local_90 = local_90 + 1) {\n      if ((&DAT_00467f24)[local_90 * 5] == param_3) {\n        in_stack_ffffff50 = (&PTR_s_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef_00467f28)[local_90 * 5];\n        local_ac = (char)(&DAT_00467f2c)[local_90 * 5];\n        break;\n      }\n    }\n    sVar2 = _strlen(param_1);\n    uVar4 = thunk_FUN_0041973b((sVar2 * 3 >> 2) + 3);\n    local_94 = (byte *)((ulonglong)uVar4 >> 0x20);\n    pbVar3 = (byte *)uVar4;\n    if (pbVar3 != (byte *)0x0) {\n      _memset(local_88,0x80,0x80);\n      for (local_90 = 0; (int)local_90 < 0x40; local_90 = local_90 + 1) {\n        local_88[(int)in_stack_ffffff50[local_90] & 0x7f] = (byte)local_90;\n      }\n      local_90 = 0;\n      local_98 = 0;\n      local_94 = pbVar3;\n      while (((int)local_90 < (int)sVar2 && (param_1[local_90] != local_ac))) {\n        bVar1 = local_88[(int)param_1[local_90] & 0x7f];\n        if (((int)(char)bVar1 & 0x80U) == 0) {\n          if (local_98 == 0) {\n            *local_94 = (byte)(((int)(char)bVar1 & 0x3fU) << 2);\n          }\n          else if (local_98 == 1) {\n            *local_94 = *local_94 | (char)bVar1 >> 4 & 3U;\n            local_94 = local_94 + 1;\n            *local_94 = (byte)(((int)(char)bVar1 & 0xfU) << 4);\n          }\n          else if (local_98 == 2) {\n            *local_94 = *local_94 | (char)bVar1 >> 2 & 0xfU;\n            local_94 = local_94 + 1;\n            *local_94 = (byte)(((int)(char)bVar1 & 3U) << 6);\n          }\n          else {\n            *local_94 = *local_94 | bVar1 & 0x3f;\n            local_94 = local_94 + 1;\n          }\n        }\n        local_90 = local_90 + 1;\n        local_98 = local_90 & 0x80000003;\n        if ((int)local_98 < 0) {\n          local_98 = (local_98 - 1 | 0xfffffffc) + 1;\n        }\n      }\n      *local_94 = 0;\n      *param_2 = (int)local_94 - (int)pbVar3;\n    }\n  }\n  thunk_FUN_00407ca8(local_8 ^ (uint)&stack0xfffffffc,(char)local_94,(char)in_stack_ffffff50);\n  return;\n}
\n

Nothing particularly notable, but there is one section of the decompiled output that I could not fully understand:

\n
sVar2 = _strlen(param_1);\nuVar4 = thunk_FUN_0041973b((sVar2 * 3 >> 2) + 3);\nlocal_94 = (byte *)((ulonglong)uVar4 >> 0x20);\npbVar3 = (byte *)uVar4;
\n

This corresponds to the following source code:

\n
// デコードするBase64文字列用のメモリ領域の確保\nlength = strlen(base64);\ndata = malloc(length * 3 / 4 + 3);\nif (data == NULL) {\n\treturn NULL;\n}
\n

Since thunk_FUN_0041973b is malloc, uVar4 from uVar4 = thunk_FUN_0041973b((sVar2 * 3 >> 2) + 3); corresponds to data in the source code.

\n

malloc stores the starting address of the allocated memory block in the return value, so uVar4 holds an address.

\n

Right-shifting it by 0x20 shifts the address by 32 bits.

\n

I couldn’t figure out from the decompiled output why this shift is happening, so I planned to investigate further with WinDbg.

\n

Analyzing the TTD Trace

\n

Loading the Symbol File

\n

After launching WinDbg and loading the TTD trace file, load the symbol file.

\n
.sympath+ C:\\Try2WinDbg\\traces\\base64_trace\n.reload
\n

Once the symbol file is loaded, functions can be searched by name.

\n
>  x /D base64!base64*\n002372d0          base64!base64Encode (_base64Encode)\n002375a0          base64!base64Decode (_base64Decod
\n

Using x /D module!function-name, the address of each function was found.

\n

Setting Breakpoints

\n

Next, set breakpoints at the call address of each function.

\n
> bu base64!base64Encode\n> bu base64!base64Decode\n> bl\n0 e Disable Clear  002372d0     0001 (0001)  0:**** base64!base64Encode\n1 e Disable Clear  002375a0     0001 (0001)  0:**** base64!base64Decode
\n

Running the g command now will stop execution at the call site of the first base64Encode function.

\n

Aligning the Image Base Between WinDbg and Ghidra

\n

From the lm output, you can see that the Base64 program is loaded at 0x230000.

\n
> lm\nstart    end        module name\n00230000 002ac000   base64_exe C (private pdb symbols)  C:\\ProgramData\\Dbg\\sym\\base64.pdb\\E82F6C1FD64A46D7AD5845CF4BD1BF431\\base64.pdb
\n

To make it easier to cross-reference Ghidra’s decompiled output with WinDbg’s analysis, change Ghidra’s image base setting to 0x230000.

\n

Ghidra’s base address can be changed during file import via [Options], or afterward by opening [Window] > [Memory Map] and clicking the [Set Image Base] button on the right.

\n

Setting a Breakpoint at the Target Location

\n

Now that Ghidra’s addresses are aligned with WinDbg’s, setting breakpoints becomes straightforward.

\n

Let’s set a breakpoint at local_94 = (byte *)((ulonglong)uVar4 >> 0x20);, the line from the decompiled output whose behavior I could not determine.

\n

\n \n \n \n \n \n \n \n \n

\n

Set a breakpoint at 0x00237696 with the following command:

\n
> bu 0x00237696
\n

Advancing execution with the g command, I reached the target address.

\n

\n \n \n \n \n \n \n \n \n

\n

From here, I traced the execution flow.

\n

Reading the Assembly

\n

I read the assembly at the breakpoint location.

\n
00237691 e8 94 9c        CALL       malloc                                           undefined malloc(size_t param_1)\n        ff ff\n00237696 83 c4 04        ADD        ESP,0x4\n00237699 89 85 68        MOV        dword ptr [EBP + local_9c],EAX\n        ff ff ff\n0023769f 83 bd 68        CMP        dword ptr [EBP + local_9c],0x0\n        ff ff ff 00\n002376a6 75 07           JNZ        LAB_002376af
\n

EAX contains the address returned by malloc.

\n

This address is stored in [EBP + local_9c] and compared against 0.

\n

This corresponds to the following source code:

\n
data = malloc(length * 3 / 4 + 3);\nif (data == NULL) {\n    return NULL;\n}
\n

Unfortunately, I could not find the local_94 = (byte *)((ulonglong)uVar4 >> 0x20); operation from the Ghidra decompiled output in the actual assembly.

\n

I also inspected the memory address contents, but malloc’s return value was simply stored as-is.

\n
> dyd [ebp-0x98]\n           3          2          1          0\n          -------- -------- -------- --------\n0059f800  00000000 11100000 00010110 01101000  00e01668
\n

It’s probably a quirk of Ghidra’s decompiler, but I’m still puzzled about what led it to generate that shift operation.

\n

Summary

\n

I had originally planned to trace through the Base64 processing in the debugger step by step, but since there weren’t many interesting findings, I skipped that part.

\n

Next I want to implement and debug something like RC4 or ROT13 encryption.

","fields":{"slug":"/windows-windbg-009-base64-en","tagSlugs":["/tag/win-dbg-en/","/tag/kernel-en/","/tag/reversing-en/","/tag/c-c-en/","/tag/english/"]},"frontmatter":{"date":"2021-12-30","description":"","tags":["WinDbg (en)","Kernel (en)","Reversing (en)","C/C++ (en)","English"],"title":"Analyzing a Base64 Program Implemented in C with WinDbg Time Travel Debugging","socialImage":{"publicURL":"/static/47f40429328e471f653727539dc8c88e/windows-windbg-009-base64.png"}}}},"pageContext":{"slug":"/windows-windbg-009-base64-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}