I have a binary that holds a lot of information in its heap.
How fast can you reverse-engineer this?
The hint tells me to check the address "0x403E65", but that address does not exist in the disassembly I got from OllyDbg. So I went my own way.
① I found the string "the al~" under "Search for → All referenced text strings". Following it led me to the related assembly code.
② There is a consistent pattern: "[EBP-xx]'s value → EAX → CALL 01083FE7". "CALL 01083FE7" looks like a print function, because it is the only address that is called to print a value. Therefore "EAX" is likely to hold the size of a chunk and "ECX" the value of a chunk.
③ To check my assumption I set a breakpoint at "01083E67". Slightly above it, "[EBP-54]" and "EAX" are compared (by "CMP"), and execution jumps elsewhere (by "JBE") if "EAX" is smaller than "[EBP-54]".
It was correct.
"EAX (=[EBP-54])" is the size of a chunk and "EBX (=[EBP-60])" is the value of a chunk. I collected some values at the breakpoint; this was possible because the breakpoint sits inside the loop that always keeps the biggest chunk value. There were 6 values there (the total number of chunks is 1000).
The quiz is to find the 2nd and 3rd biggest chunk values, and the values I had found were incorrect: because the loop only looks for the biggest value, it does not care about the 2nd and 3rd. That means if the biggest value had been discovered first, I would have collected just one value.
So I set a conditional breakpoint at the loop entrance to catch values bigger than "000184CF". 4 values were found.
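The two breakpoint strategies above, modelled in Python as an added example (this is not code from the challenge binary or from the original write-up). The chunk values are constructed, the "[EBP-54]" name is borrowed from the write-up for the running-maximum slot, and the threshold is the one used for the conditional breakpoint.

```python
THRESHOLD = 0x184CF  # "000184CF", the conditional-breakpoint threshold from the write-up

# Constructed sample chunk values (not the real heap). The largest value comes
# first on purpose, which is the order that defeats the in-loop breakpoint.
SAMPLE = [0x1F000, 0x18000, 0x1A000, 0x19500, 0x00010, 0x1E000]


def max_loop_trace(values):
    """Model of the reconstructed loop: [EBP-54] holds the running maximum.
    A breakpoint placed in the 'new maximum' branch (the path taken when the
    JBE does not jump) records one value each time the maximum is replaced."""
    ebp_54 = 0          # running maximum, initially empty
    hits = []           # values observed at the breakpoint
    for eax in values:
        if eax <= ebp_54:   # CMP [EBP-54], EAX ; JBE -> skip this chunk
            continue
        ebp_54 = eax        # store the new maximum
        hits.append(eax)    # breakpoint fires here
    return ebp_54, hits


def conditional_bp_trace(values, threshold=THRESHOLD):
    """Model of the conditional breakpoint at the loop entrance: it fires for
    every chunk whose value exceeds the threshold, independent of loop order,
    so the 2nd and 3rd largest values are captured even if the maximum came first."""
    return [eax for eax in values if eax > threshold]


def top_k(values, k=3):
    """Rank the captured values; entries 1 and 2 are the 2nd and 3rd biggest."""
    return sorted(values, reverse=True)[:k]


if __name__ == "__main__":
    best, hits = max_loop_trace(SAMPLE)
    print(f"max={best:#x}, values seen at in-loop breakpoint: {[hex(v) for v in hits]}")
    caught = conditional_bp_trace(SAMPLE)
    print(f"conditional breakpoint caught {len(caught)} values: {[hex(v) for v in caught]}")
    print(f"top 3: {[hex(v) for v in top_k(caught)]}")
```

Running it shows the in-loop breakpoint firing only once for this ordering, while the conditional breakpoint collects every value above the threshold and sorting them yields the 2nd and 3rd largest.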
P.S.
It looks simple, but I wandered around a lot. The intended solution was to use IDA's codemap plugin.